AT — Awareness and Training

new org

SPRS Score: -1203

Objective Progress 0 / 9 (0.0%)
CMMC Practices MET 0 / 3
Domain Score Impact -11

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

AT.L2-3.2.1 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.2.1[a] = Not Yet Assessed; 3.2.1[b] = Not Yet Assessed; 3.2.1[c] = Not Yet Assessed; 3.2.1[d] = Not Yet Assessed

Assessment Objectives (4)

  • 3.2.1[a]
    Determine if: security risks associated with organizational activities involving CUI are identified.
    Not Yet Assessed
  • 3.2.1[b]
    Determine if: policies, standards, and procedures related to the security of the system are identified.
    Not Yet Assessed
  • 3.2.1[c]
    Determine if: managers, systems administrators, and users of the system are made aware of the security risks associated with their activities.
    Not Yet Assessed
  • 3.2.1[d]
    Determine if: managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; security plan; training records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel composing the general system user community].
Test: [SELECT FROM: Mechanisms managing security awareness training; mechanisms managing role-based security training].

AT.L2-3.2.2 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.2.2[a] = Not Yet Assessed; 3.2.2[b] = Not Yet Assessed; 3.2.2[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.2.2[a]
    Determine if: information security-related duties, roles, and responsibilities are defined.
    Not Yet Assessed
  • 3.2.2[b]
    Determine if: information security-related duties, roles, and responsibilities are assigned to designated personnel.
    Not Yet Assessed
  • 3.2.2[c]
    Determine if: personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; security plan; training records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for role-based security training; personnel with assigned system security roles and responsibilities].
Test: [SELECT FROM: Mechanisms managing role-based security training].

AT.L2-3.2.3 DoD Weight: 1 Deduction: -1 Basic
Not Yet Assessed
Requirement: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.2.3[a] = Not Yet Assessed; 3.2.3[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.2.3[a]
    Determine if: potential indicators associated with insider threats are identified.
    Not Yet Assessed
  • 3.2.3[b]
    Determine if: security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; insider threat policy and procedures; security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel that participate in security awareness training; personnel with responsibilities for basic security awareness training; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms managing insider threat training].