AT Controls
NIST 800-53 Rev 5: Awareness & Training Controls
The NIST 800-53 Rev 5 Awareness and Training (AT) control family sets requirements for security and privacy literacy training, role-based training, and the records that prove the training happened. I am a big fan of KnowBe4 for cybersecurity training because it tends to be more engaging and fun than other training I have used.
1. AT-1 Policy and Procedures
NIST Requirement:
Organizations must develop, document, and disseminate awareness and training policies and procedures, designate an official to manage them, and review and update them at an organization-defined frequency and after significant events.
KnowBe4 Solution:
- Policy Management Platform: Allows creation, distribution, and tracking of policy acknowledgments.
Example:
Use KnowBe4's template for an Acceptable Use Policy, customize it, and track employee acknowledgments through the platform. KnowBe4 tracks the acknowledgments; the policy content, the responsible official, and the review cadence are still yours to define and document.
2. AT-2 Literacy Training and Awareness
NIST Requirement:
Provide security and privacy literacy training and awareness to all system users as part of initial training, when required by system changes, and at an organization-defined frequency; incorporate lessons learned from incidents; and cover recognizing and reporting indicators of insider threat and social engineering.
KnowBe4 Solution:
- Kevin Mitnick Security Awareness Training: the 45-minute version covers the core security topics.
- Privacy training: I also added this to the required-for-everyone list.
- Insider threat training (AT-2(2)): "The Inside Man" is my go-to series on this topic. Think insider threat meets telenovela; I am pretty sure there is a cult following at work.
- Phishing tests (AT-2(1) practical exercises and AT-2(3) social engineering): templates can be generic or AI-generated per user. The results also feed the AT-4 training records and the AT-6 feedback loop.
Specific Implementation:
Assign the Kevin Mitnick 45-minute course to all new employees and require annual refresher training.
Assign Privacy training to all new employees and require annual refresher training.
Assign "The Inside Man" to all new employees and current employees (I do this as a monthly training module).
Send monthly phishing tests to all employees.
3. AT-3 Role-Based Training
NIST Requirement:
Provide role-based security and privacy training to personnel before they are granted access or assume the role, when required by system changes, and at an organization-defined frequency thereafter.
KnowBe4 Solution:
- Role-Based Training Modules: Specialized content for IT staff, management, and other roles.
- Compliance Plus: Training specific to various regulatory requirements.
- Incident Response, Contingency Planning, and Supply Chain: there are modules on these specific topics, which lets organizations meet role-based requirements for the staff who hold those responsibilities.
Example:
Assign administrator training to all individuals with privileged access.
Assign OWASP or other secure software development courses to engineers.
Assign executive-level training to VPs and C-level leaders.
Assign the "HIPAA for IT" course to IT staff in healthcare organizations and "PCI DSS for Managers" to the relevant supervisory staff.
4. AT-4 Training Records
NIST Requirement:
Document and monitor security and privacy training activities, including awareness training and role-based training, and retain individual training records for an organization-defined period.
KnowBe4 Solution:
- Advanced Reporting: Detailed training completion records and analytics.
- User Management Console: Track individual user progress and compliance status.
Practical Application:
Generate monthly reports on training completion rates and use the console to identify and follow up with users who have not completed required or overdue training.
KnowBe4 keeps records for all users; previous employees are held in the system as archived users, which supports the record retention requirement. The retention period itself is organization-defined, so document it in your AT-1 policy and confirm that archived records remain available for at least that long.
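As an added illustration of what the monthly follow-up above actually checks (this is not KnowBe4 code; the console does this for you, but the logic is worth seeing explicitly), the script below takes a constructed set of training records and decides who is current, who is still inside a new-hire grace period, and who is overdue. The refresher window (365 days), the 30-day new-hire grace period, the two course names, and all users and dates are assumptions made for the example:

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed policy parameters (set these from your AT-1 policy, not from this example):
REFRESHER_DAYS = 365          # annual refresher window
NEW_HIRE_GRACE_DAYS = 30      # days a new hire has to finish initial training
REQUIRED_COURSES = ("security-awareness", "privacy")


@dataclass
class UserRecord:
    email: str
    hire_date: date
    archived: bool = False    # former employee: record is retained but not chased
    # course name -> completion dates; the newest one decides currency
    completions: dict[str, list[date]] = field(default_factory=dict)


def course_status(user: UserRecord, course: str, today: date) -> str:
    """Return 'current', 'in-grace', or 'overdue' for one required course."""
    dates = user.completions.get(course, [])
    if dates and (today - max(dates)).days <= REFRESHER_DAYS:
        return "current"
    if not dates and (today - user.hire_date).days <= NEW_HIRE_GRACE_DAYS:
        return "in-grace"
    return "overdue"


def compliance_report(users: list[UserRecord], today: date) -> dict:
    """Completion rate over active users plus the follow-up list.

    Archived users are excluded from the rate and the follow-up list but are
    deliberately kept in the input: their records satisfy retention, not training.
    """
    active = [u for u in users if not u.archived]
    overdue: dict[str, list[str]] = {}
    for u in active:
        missing = [c for c in REQUIRED_COURSES
                   if course_status(u, c, today) == "overdue"]
        if missing:
            overdue[u.email] = missing
    compliant = len(active) - len(overdue)
    return {
        "active": len(active),
        "compliant": compliant,
        "rate": compliant / len(active) if active else 1.0,
        "overdue": overdue,
        "retained_archived": sum(1 for u in users if u.archived),
    }


# Constructed sample records (not real users) as of an assumed report date.
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    UserRecord("alice@example.com", date(2020, 1, 15),
               completions={"security-awareness": [date(2022, 6, 1), date(2023, 7, 1)],
                            "privacy": [date(2023, 7, 1)]}),
    UserRecord("bob@example.com", date(2019, 3, 1),
               completions={"security-awareness": [date(2023, 4, 15)],   # > 365 days ago
                            "privacy": [date(2024, 1, 10)]}),
    UserRecord("carol@example.com", date(2024, 5, 20)),                   # new hire, in grace
    UserRecord("dave@example.com", date(2024, 4, 1)),                     # grace period expired
    UserRecord("erin@example.com", date(2018, 9, 3), archived=True,
               completions={"security-awareness": [date(2021, 2, 2)]}),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_USERS, TODAY)
    print(f"{report['compliant']}/{report['active']} active users compliant "
          f"({report['rate']:.0%}); {report['retained_archived']} archived records retained")
    for email, courses in report["overdue"].items():
        print(f"follow up: {email} -> {', '.join(courses)}")
```

The useful part for an auditor is the distinction between "in-grace" and "overdue": a user hired last week with no completions is not a finding, while one hired two months ago is, and a former employee is neither but still has to show up in the record set.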
5. AT-5 Contacts with Security Groups and Associations
NIST Requirement:
In Rev 5 this control is withdrawn and incorporated into PM-15 (Security and Privacy Groups and Associations). The substance is unchanged: establish and maintain contact with security and privacy groups and associations to stay current on recommended practices, techniques, and threats.
KnowBe4 Support:
- Weekly Cyberheist News: Provides updates on current threats and trends.
- Blog and Webinars: Offer insights from cybersecurity experts.
Implementation:
Encourage IT security staff to subscribe to KnowBe4's newsletter and attend the monthly webinars for continuous education.
Subscribe staff to CISA alerts and to the security advisories of the third-party vendors whose products you run.
6. AT-6 Training Feedback
NIST Requirement:
Provide feedback on organizational training results (completion rates, phishing test results, and the like) to designated personnel at an organization-defined frequency, and use it to improve the program.
KnowBe4 Solution:
- Training Survey Feature: Collect user feedback post-training.
- Analytics Dashboard: Assess training effectiveness through various metrics.
Specific Use:
Implement a quarterly review of training survey feedback and phishing test results, share the results with the personnel named in your policy, and use them to identify areas for improvement in the training program.
Additional KnowBe4 Features Supporting NIST Compliance:
1. PhishER: Streamlines the reporting and analysis of suspected phishing emails, which covers the "report" half of AT-2(4) (recognizing and reporting suspicious communications) and gives incident response staff something concrete to train on.
2. Security Culture Survey: Assess your organization's security culture, helping to identify areas where training can be improved to meet NIST standards.
3. AI-Driven Phishing: Use AI-generated phishing templates to test employees against sophisticated, current threats, ensuring training remains relevant to evolving risks.
By leveraging KnowBe4's suite of tools, organizations can meet the awareness and training requirements outlined in NIST 800-53 Rev 5 with a single platform for delivery, records, and feedback.
Remember, while KnowBe4 provides many tools, it's vital to tailor the implementation to your organization's specific needs and risk profile. In practice this means periodic updates to the assigned content, review of the feedback and phishing results, and a look at the new courses KnowBe4 releases.