Awareness and Training Plan

Approach basics → §4.x

Platforms and roles that anchor the rest of the plan.

LMS / training platform (one-liner) * Where awareness + role-based training is delivered (e.g., 'KnowBe4 (commercial)', 'DoD CyberAwareness Challenge via JKO', 'Internal Moodle deployment with SCORM courses').

Training-record system (one-liner) * Authoritative system for training records (often the LMS itself, or a separate HRMS module that aggregates LMS + classroom + external).

Insider-threat program reference Pointer to the org's insider-threat program — typically CISA-aligned for federal. Reference for AT-2(2) coordination.

Phishing-simulation program owner role Role accountable for phishing simulations (e.g., 'Security Awareness Lead under CISO', 'Enterprise SOC Phishing Operations').

Training-program lead role Senior role accountable for the awareness-and-training program (often Chief Learning Officer / CISO delegate).

Annual training cadence summary One-line summary of annual cadence (e.g., 'AT-2 baseline annually + on initial onboarding; AT-3 role-based at hire + annually + on role change'). Detail goes in the dedicated sub-section.

Literacy Training and Awareness (AT-2) → §4.x

Baseline security training that all users receive.

In-scope audience

Full-time employees Part-time employees Contractor staff with system access Subcontractor staff with system access Volunteer / unpaid associates Vendor maintenance staff (PS-7 / MA-5) Cleared visitors with regular access

Baseline curriculum topics

Acceptable use policy + Rules of Behavior Password / credential hygiene Phishing recognition (overlaps AT-2(3)) Suspicious-activity reporting Physical security + clean-desk policy CUI / PII / classified handling (per organization) Removable-media use (MP-7 cross-reference) Privacy / FIPPs Insider-threat indicators (overlaps AT-2(2)) Mobile-device security Telework security (PE-17 cross-reference) Records-retention awareness AI / LLM use policy (newer)

Delivery modalities

E-learning (SCORM / xAPI in LMS) Live virtual instructor-led In-person classroom Just-in-time micro-learning (e.g., security-tip-of-the-day) Video-based (recorded segments) Posters / passive awareness Newsletter / bulletin Gamified (CTF-style awareness exercises)

Delivery cadence (AT-2 ODV) When training is delivered (e.g., 'Within 5 business days of onboarding; annually thereafter; within 30 days of role change'). AT-2 ODV.

Completion criteria What counts as 'complete' (e.g., 'Module completion + 80% on knowledge check; failed attempt → retake').

Program-content review cadence How often the awareness curriculum is reviewed for currency (typical: 'Annually + on regulatory change'). AT-2 ODV.

Event-triggered updates (AT-2(1)) Per AT-2(1) — content updates triggered by significant events (incident affecting org, new threat, regulatory change). Even though AT-2(1) may not be in moderate baseline, this is good practice.

Insider-Threat Awareness (AT-2(2)) → §4.x

Per AT-2(2), training on indicators and reporting paths.

In-scope audience for AT-2(2)

All personnel (broadest interpretation) Personnel with elevated access Managers and supervisors Privileged-account holders Personnel with access to critical components (RA-9) Cleared personnel only

Indicators covered

Unusual data-access patterns After-hours work without business justification Persistent disregard for security controls Disgruntlement / personal-life stressors signaled Unauthorized devices / credentials Atypical financial behavior Foreign-contact disclosure obligations Recruitment / coercion approaches Intellectual-property exfiltration patterns

Reporting path How an observer reports a concern (anonymous hotline, ISSO direct, EAP-assisted referral). Reference org insider-threat program contact.

Protections for reporters Anti-retaliation policy, anonymity preservation. Reference org whistleblower policy.

Social-Engineering and Phishing (AT-2(3)) → §4.x

Per AT-2(3), training plus simulated exercises.

Phishing-simulation cadence How often phishing simulations are run (e.g., 'Quarterly broad-cast; monthly targeted'). AT-2(3) ODV.

Simulation difficulty progression How simulation difficulty escalates over time (e.g., 'Easy generic in Q1; spear-phishing tied to system context in Q3; voice-phishing exercises annually').

Topics covered

Email phishing (generic) Spear-phishing (targeted) Whaling (executive targets) Smishing (SMS phishing) Vishing (voice phishing) Pretexting (in-person social engineering) QR-code-based phishing Business-email-compromise (BEC) USB-drop attacks Tailgating (physical)

Response to simulation failure What happens when a user clicks / enters credentials in a simulation. Just-in-time micro-training, manager notification, repeated-failure escalation. Reference PS-8 only as last resort.

User report mechanism How users report suspected phishing in production (e.g., 'PhishAlarm button in Outlook; submitted to SOC for analysis').

Click-rate target / phish-report-rate target Targets for the program (e.g., 'Click rate <5%; report rate >40% on simulations within 60 minutes').

Role-Based Training (AT-3) → §4.x

Per AT-3, training tailored to the security responsibilities of each role.

Role-taxonomy source — Select — NIST SP 800-181 r1 (NICE Workforce Framework) DoD 8140.03 (DoD Cyberspace Workforce Framework) Internal role-mapping derived from NICE / 8140 Other industry framework (e.g., (ISC)² CISSP body of knowledge) Custom internal taxonomy

Roles in scope

System Owner ISSO / ISSM AO / AODR Privileged users (system administrators, DBAs) Software developers DevSecOps / pipeline engineers Network / security engineers Help desk + first-tier support Security-Operations-Center analysts Incident responders Auditors / assessors (CA family staff) Privacy-Act personnel / SAOP Records officers Personnel-security officers (PS family staff) Training-program staff Maintenance personnel (MA-5) Insider-threat investigators

Role-to-curriculum mapping Crosswalk from each role to required training (e.g., 'Privileged users: MIS-525 plus CompTIA Security+; Developers: SSDF familiarization + secure-coding + threat-modeling; Incident responders: SANS FOR-508 or equivalent'). Often summarized as a separate appendix.

Delivery cadence (AT-3 ODV) When AT-3 training is delivered (e.g., 'At hire / role assignment; annually thereafter; on significant role expansion'). AT-3 ODV.

Certification requirements Roles that require external certification (e.g., 'CISSP for ISSO; Security+ CE for privileged users per DoD 8140; OSCP for red-team members'). Time-to-attain after role start.

Continuing-education requirement How CE units are tracked (e.g., '40 hours per role per year; CISSP renewal at 120 CPEs / 3 years').

Training Records (AT-4) → §4.x

Per AT-4, recordkeeping requirements.

Required record fields

Personnel identifier Course / training event identifier Training type (AT-2 / AT-2(2) / AT-2(3) / AT-3) Date completed Completion score (if applicable) Modality (e-learning / classroom) Instructor (if classroom) External certification number + expiration CE units awarded Linked role at time of training

Record-retention period (AT-4 ODV) How long training records are retained. AT-4 ODV. Common: 'Per NARA records-retention schedule'; 'Length of employment + 5 years'.

Record-review cadence How often training records are reviewed for completeness / accuracy (e.g., 'Quarterly reconciliation against personnel roster').

Audit-trail requirement How changes to training records are themselves audited (immutable LMS log, separate audit table). Reference AU plan.

Training Scope and Coverage → §2.x

Quantitative scope numbers that anchor metrics later in the plan.

Total trainees in scope Approximate count of all personnel requiring AT-2 baseline training.

Personnel requiring role-based training Approximate count of personnel in AT-3 roles.

Distinct AT-3 roles defined Number of distinct role-based training tracks (e.g., '8 — System Owner, ISSO, Privileged User, Developer, IR Analyst, etc.').

Phishing-simulation user pool size Approximate count of users targeted in phishing simulations (typically all email-capable personnel).

Awareness-and-Training Metrics & KPIs → §6.x

Metrics tracked to demonstrate AT control effectiveness.

Tracked metrics

Add item

Suggested: + AT-2 baseline-training completion rate (current vs roster) + AT-2 mean-time-from-onboarding-to-completion + AT-3 role-based-training completion rate + AT-2(3) phishing-simulation click rate (trend down) + AT-2(3) phish-report rate (trend up) + AT-2(3) mean time to report (trend down) + AT-2(2) insider-threat-awareness completion rate + Overdue-training count + auto-suspended access count + Certification currency rate (CE units on track) + Training-program user satisfaction score (post-course survey) + Open POA&M items linked to AT controls

Training-Access Enforcement → §6.x

How training currency is tied to access.

Enforcement mechanism — Select — Auto-suspend access on overdue (typically privileged accounts only) Manager notification on overdue (warning) + escalation to suspension Manager notification only (no suspension) No automated enforcement (manual quarterly review)

Grace period before enforcement Days after due date before enforcement action (e.g., '14 days for privileged accounts; 30 days for standard').

Cross-references to other RMF artifacts → §7

Where this plan plugs into the broader RMF package.

SSP section reference Where in the SSP the AT control implementations are summarized (e.g., 'SSP §13.2').

POA&M ID prefix for AT findings Convention for AT-related POA&M items (e.g., 'POAM-AT-' for general).

PS handoff How PS-6 access agreements pair with AT-2 awareness training; PS-9 position descriptions cite AT-3 requirements.

IR handoff How AT-2(3) phishing-simulation results feed IR detection; insider-threat indicators escalate via the same path.

SA handoff How AT-3 developer-training underwrites SA-3 SDLC integration. Where the developer-training catalog lives.

PE handoff How AT delivers the visitor-escort and physical-security awareness PE-3 / PE-6 implicate.

CA handoff How CA-2 assessments validate AT outcomes (training-effectiveness assessment, knowledge-check sampling, behavioral metrics).

CA-7 continuous-monitoring strategy reference Pointer to the CA-7 monitoring strategy document tying AT continuous-monitoring metrics to the broader ConMon plan.