
Risk Management Handbook Chapter 2: Awareness and Training (AT)

RMH Chapter 2 provides information about the security controls associated with the Awareness & Training (AT) control family

Last reviewed: 2/15/2019

Contact: ISPG Policy Team | CISO@cms.hhs.gov


Introduction

This chapter of the Risk Management Handbook (RMH) covers the Awareness and Training (AT) family of controls. It describes procedures that help you meet the security and privacy requirements for this control family. Each procedure is labeled with the associated NIST controls using the control number from the CMS IS2P2.

Awareness and Training (AT) controls

Security Awareness Training (AT-2)

Security and Privacy Awareness Training prepares users to manage security and privacy risks through a broad campaign that introduces them to the concepts, scenarios, and tools used to compromise information security and privacy protections. The content of security awareness training differs from organization to organization and depends on specific organizational requirements, including which personnel have permissions to different types of data.

Common security awareness techniques include but are not limited to displaying informational posters, emails, office supplies with security reminders printed on them, security messages during logons, and conducting information security awareness events.

The table below outlines the CMS organizationally defined parameters (ODPs) for AT-2.

Control: AT-2

Control requirement: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): c. [Assignment: organization-defined frequency] thereafter.

CMS parameter: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): c. Within every three hundred sixty-five (365) days thereafter.

CMS provides information security awareness training to all users with Enterprise User Administration (EUA) accounts, including managers, senior executives, and contractors, which is delivered through the Computer Based Training (CBT) system. Users without EUA access should contact their Contracting Officer (CO) or Contracting Officer Representative (COR) for direction.

The following steps detail CMS’ process for security awareness training:

Initial Certification

• Step 1: On the Employee Onsite Date (EOD), the User receives a CMS user ID activation Welcome email from Enterprise User Administration (EUA). Users are given seven (7) calendar days to complete CBT. (EUA sends reminder emails on a daily basis until certification is complete.)

• Step 2: The User logs in and completes the CBT.

• Step 3: Once CBT is completed, the EUA system tracks the completed training. An option to print the completion certificate is available, but it is not required.

Recertification

• Step 1: Recertification is to be completed annually in the User ID activation month. The EUA system sends an email notification to the user forty-five (45) days in advance of the recertification due date. (Email reminders to complete recertification are sent at 15, 10, 5, 4, 3, 2, and 1 day(s) before the revocation date.)

• Step 3: The User logs in to the EUA system and completes the CBT.

• Step 4: If the User does not complete the training within the recertification timeframe, revocation occurs on the first day of the month following their due date. In the event of a revocation, contact the CMS IT Service desk at 410-786-2580 or cms_it_service_desk@cms.hhs.gov.

Security Awareness Insider Threat (AT-2(2))

The purpose of Security Awareness Insider Threat is to ensure that security awareness training reinforces the identification and reporting of potential indicators of insider threat. Security awareness training includes how to communicate concerns from employees and management regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

Included in the security awareness and training (see AT-2 above) is identifying and reporting potential indicators of insider threats, such as:

  • Inordinate, long-term job dissatisfaction
  • Attempts to gain access to information not required for job performance
  • Unexplained access to financial resources
  • Bullying or sexual harassment of fellow employees
  • Workplace violence
  • Other serious violations of organizational policies, procedures, directives, rules, or practices

Role-based Security Training (AT-3)

The purpose of Role-Based Training (RBT) is to determine and complete the appropriate content of security and privacy training based on the assigned roles and responsibilities of individuals, the specific security requirements of the organization, and the information systems to which personnel have authorized access. A comprehensive role-based training program addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures.

CMS defines a role with significant information security and privacy responsibilities as any role that has the potential to adversely impact the security posture of one or more CMS systems when the system is operational.

CMS provides the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of CMS’ information security and privacy programs. Examples of what the training program provides include training on policies, procedures, tools, and artifacts for the organizational security and defined privacy roles. Role-based security and privacy training requirements also apply to contractors providing services to CMS.

The table below outlines the CMS organizationally defined parameters (ODPs) for AT-3.

Control: AT-3

Control requirement: The organization provides role-based security training to personnel with assigned security roles and responsibilities: c. [Assignment: organization-defined frequency] thereafter.

CMS parameter: The organization provides role-based security training to personnel (both contractor and employee) with assigned information security and privacy roles and responsibilities (i.e., significant information security and privacy responsibilities): c. Within sixty (60) days of entering a position that requires role-specific training, and within every 365 days thereafter.

The instructions for the identification of federal employees with significant information security and privacy responsibilities (SSR) and RBT requirements are detailed in data calls conducted by Office of Human Capital (OHC). CMS managers must participate in any such data calls.

The instructions for the identification of Contractors with SSR and RBT requirements are detailed in the following steps:

  • Step 1: Review the definition of SSR as provided in the CMS IS2P2.  
  • Step 2: Identify all positions that include duties involving SSR. Each of these positions with SSR requires role-based training (RBT).  
  • Step 3: For each job position, determine appropriate RBT by reviewing NIST SP 800-181, the NICE Cybersecurity Workforce Framework. Select the NICE role(s) that align with each job position. Each position may receive no more than three (3) NICE roles, and they should be documented in order of criticality: the most critical function of the job is listed first, the next most critical function next, and so on.  
  • Step 4: All personnel in a position with SSR are to be notified. This notice should include the NICE role assignments for the job position.  
  • Step 5: This process should be followed when new job positions are created, and when there are changes to an existing position that involve significant information privacy and security responsibilities.

RBT courses must focus on the knowledge, skills, and abilities to fulfill the IT and cybersecurity responsibilities for the specific role category. While Contractors are required to receive and track their own role-based security training, CMS must ensure RBT is available for personnel (both contractor and employee) with significant information security and privacy responsibilities.

CMS encourages personnel to leverage the training sessions that are offered in the form of briefings, forums, seminars, professional development workshops, conferences, and professional independent reading and research. Such training focuses on improving the information security and privacy skills and competencies of personnel managing, designing, developing, acquiring, and administering CMS’ resources.

Employees and Contractors can select CMS offered training by accessing the ISPG provided Cybersecurity and Privacy Training Catalog.

Employees and Contractors may additionally select other qualified training offerings available from government or industry. As training offerings are increasingly mapped to the NIST NICE Framework, employees and contractors can identify training aligned with NICE role assignments.

For training offerings that have not been mapped to the NIST NICE Framework, the following provides evaluation steps:

  • Step 1: Know the NICE role-based training ID that is to be trained.  
  • Step 2: Refer to the NIST SP 800-181, the NICE Cybersecurity Workforce Framework for a description of the specific role ID to include the Knowledge, Skills, Abilities (KSA) and Task associated with the role.  
  • Step 3: For the training under evaluation, collect all available descriptive information, such as a course summary, outline, syllabus, learning objectives, and keynote summaries, that covers your role-based training ID description. You may want to match the KSAs and Tasks defined by your role against the course contents listed above to see whether the training attended meets the annual role-based requirement.  
  • Step 4: Determine if the training description addresses some of the KSAs and Tasks associated with the desired NICE role.

The RBT Self-Assessment table below can be used as a guide to help determine whether a training course or event meets the role-based training requirement, for example by measuring or characterizing the NICE Role ID’s associated description, KSAs, Tasks, and/or role descriptions against the training description. This enables confirmation that a selected training event is relevant to the role-based training requirement.

RBT Self-Assessment Table (Example)

Training name: Example training name (SAMPLE)

NICE role ID / description: OV-MGT-001

Knowledge: Risk management processes, cybersecurity principles

Skills: Creating policies, evaluating suppliers

Abilities: Integrate security into acquisition process

Tasks: Advise senior management on risk levels, evaluate development efforts

Personnel wishing to receive credit for any form of RBT taken from an organization external to CMS, in satisfaction of any CMS training requirement, must first seek review and approval from their supervisor (or, for Contractors, from their employer).

CMS provides role-based training to federal employees identified with SSR, including managers and senior executives, which is delivered through the Computer Based Training (CBT) system.

While Contractors are responsible for ensuring that their personnel who have significant information privacy and security responsibilities have training commensurate with their role, they may request a copy of this CMS training course for use in their role-based training program.