Phin Security

Meeting CMMC 2.0 SAT Requirements

The document explains that while Phin Security cannot fully satisfy CMMC 2.0 requirements, it can assist companies in meeting certain security awareness training components—such as annual and role-based training delivery and policy distribution—though comprehensive compliance also requires organization-specific, risk-focused training, policy change management, and tailored cybersecurity measures beyond general awareness efforts.

What is CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) was created by the U.S. Department of Defense (DoD) to set cybersecurity standards for companies working with them. CMMC has three levels of security requirements, with each level building on the previous one. Companies need to reach certain levels to qualify for DoD contracts.

For companies at levels 2 and 3, CMMC requires intermediate cybersecurity measures, which include making sure all employees are aware of security risks and best practices. Security awareness training is just one small part of a much larger picture when it comes to meeting the CMMC.

How Can Phin Security Help Partners Meet CMMC 2.0 Security Awareness Training Requirements?

The clear answer is that Phin Security alone cannot fully meet CMMC requirements. However, Phin Security can help address some of CMMC's security awareness and training requirements. Meeting CMMC requires companies to go beyond general security awareness training and combine it with organization-specific, role-based awareness, training, and policies tailored to job roles, industry standards, and internal systems.

Annual Security Awareness Training

  • Training must be provided to employees at least once a year. This can be delivered in smaller, regular intervals (monthly or weekly) to keep cybersecurity best practices top of mind.
  • Employees must be trained at initial hire, annually thereafter, and when training materials change due to shifts in the threat landscape.

Policy Distribution (but not Policy Change Management)

  • Phin Security's policy distribution tool ensures employees receive policies relevant to their roles.
  • Phin Security does not currently support defining, creating, reviewing, or tracking policy change management, which is required for CMMC compliance.

Risk-Focused Training

  • Training should include risk assessment, management, and reduction, especially for employees handling sensitive government data (CUI).
  • Phin's training library covers insider threats but does not include training on handling confidential unclassified information (CUI).
  • For CUI training, external resources are recommended:

Role-Based Training

  • Specialized cybersecurity training for technical employees should cover advanced security topics.
  • Phin offers a curriculum on "Security For Developers: OWASP's Top 10" and prebuilt curriculums for different roles (e.g., sales, administrative staff).
  • Prebuilt curriculums may or may not fully satisfy CMMC role-based training requirements.

Phishing & Smishing Simulation

  • Phin Security provides phishing simulation tools to test employees' ability to spot and report threats.
  • This is not considered penetration testing, which is required for CMMC levels 2 & 3.

Reporting

  • Detailed records of training activities (dates, content, attendance, evaluation, feedback) are essential for CMMC audits.
  • Phin's reporting and analytics tools can help document user training throughout the year.

What Does CMMC Require for Security Awareness Training?

To meet level 2 of the CMMC requirements, DoD contractors must have a Security Awareness Training (SAT) program that addresses the following areas:

AT.L2-3.2.1 Role-Based Risk Awareness

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

AT.L2-3.2.2 Role-Based Risk Training

Ensure that personnel are trained to carry out their assigned information (CUI) security-related duties and responsibilities.

AT.L2-3.2.3 Insider Threat Awareness

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

AT.L3-3.2.1E Advanced Threat Awareness (PTA)

Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

AT.L3-3.2.2E Practical Training Exercises

Include practical exercises in awareness training for all users, tailored by role to include general users, users with specialized roles, and privileged users. These exercises should be aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

Knowledge Base

Phin updates its Knowledge Base with new features with every release. You can read about the platform and its updates at: https://www.phinsec.io/knowledge.

Feedback is encouraged to help shape the product's future. The development team welcomes all ideas and suggestions.