Cyber Security Awareness NIST - Requirements, Commitments and Content

What must an organization do to achieve compliance with Cybersecurity Awareness NIST? What are the obligations, and what must be trained and tested? What degrees of freedom does the organization have, and how much room is there for flexibility and customization?

Comprehensive View of NIST Cyber Security Training Guidelines: This article addresses employee cyber security awareness in the context of NIST [1], its Cyber Security Framework, and related publications. The article covers the following:

  • Cyber Security Awareness NIST: Definition of Terms
  • The Cyber Security Framework
  • Relevant publications and training content on Cyber Security Awareness NIST.
  • The Security Awareness Framework SAPF & NIST
  • LUCY as a software solution in the context of NIST
  • Publication references and downloads

Cyber Security Awareness NIST: Definition of Terms.

Cyber Security Awareness NIST is an employee awareness program intended for an organization that is aligned with NIST standards. NIST is the US standardization authority and is a global pioneer in cyber security. The so-called Cyber Security Framework (CSF) is the most widely used risk management standard for information security today.

 

The NIST Cyber Security Framework is a guideline, not a requirement

Already in 2016, 30% of all US companies [2] used NIST’s Cyber Security Framework. It is not only in the U.S. that the standard has achieved great relevance, but worldwide. Brazil has officially adopted the framework. A translation into Spanish now exists [3]. The CSF is also the basis for the risk management concepts of Swiss banks because the requirements of the Swiss Financial Market Supervisory Authority FINMA are NIST-based [4].

The Cyber Security Framework is a risk management model adaptive by criticality level with five functions (Identify, Protect, Detect, Respond, Recover). It is well understood and provides significant substance in the form of conceptual, organizational, and technical functions. The detailed content is outsourced to a significant number of subsidiary publication documents.

It is important to understand that Cyber Security Framework and almost all related NIST publications are ‘merely’ guidance for private companies. Thus, there is no compulsion to implement them. Therefore, there can be no NIST or Cyber Security Awareness NIST compliance in the strict sense.

 

[1] National Institute of Standards and Technology https://www.nist.gov/

[2] https://www.nist.gov/video/cybersecurity-framework

[3] https://www.nist.gov/cyberframework/picking-frameworks-pace-internationally

[4] https://www.swiss-risk.org/files/2020/02/First_National_Cyber_Security_Event_FINMA.pdf

 

Relevant Publications on Cyber Security Awareness NIST

If one wants to build a Cyber Security Awareness program that follows the recommendations of NIST and the Cyber Security Framework, then one needs to consider several publications to do so. For a ‘Cyber Security Awareness NIST coverage’ the following documents are relevant:

  1. Risk Management Framework for Information Systems and Organizations
  2. Risk Management Framework Organization, Mission, and Information System
  3. Cyber Security Framework 1.1
  4. Security and Privacy Controls
  5. Control Baselines
  6. Building an Information Technology Security Awareness and Training Program (SP 800-50)
  7. Information Technology Security Training Requirements
  8. Minimum Security Requirements for Federal Systems (FIPS PUB 200)
Cybersecurity Awareness NIST related Publications including CSF and SP800-50

Please see the download links at the end of this article.

Most NIST publications provide rather general guidance. The ‘Minimum Requirements’ and ‘Building an IT Security Awareness Program’ documents are an exception: they name specific areas for which training is to be conducted. These two publications (SP 800-50, FIPS PUB 200) can be interpreted as cyber security awareness NIST guidelines, albeit without a mandatory character for private companies.

In the following chapters, each publication is briefly introduced and content is discussed that has specific relevance to the topic of employee awareness & training.

Risk Management Framework for Information Systems and Organizations (800-37)

Stages in the NIST RMF

This is THE guideline for the NIST Risk Management Model (RMF). The document describes system elements, boundaries, and controls. Also included is a guide to building and implementing the RMF: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

In short: In this publication, the structure of the RMF and steps to build it are described.

From an awareness perspective, the topics include ‘fundamental cyber security awareness’, ‘situational awareness’, and ‘training & awareness’.

Although specific guidance on possible training content for Cyber Security Awareness NIST may be lacking, the RMF is still highly relevant. For example, TASK Select 4 (S-4) of the publication requires that the security control implementations planned in the organization’s own risk management system, training included, be documented.

This means that a selection from a catalogue of training and awareness topics must be made and documented for Cyber Security Awareness NIST. This ultimately results in the training plan for Cyber Security Awareness NIST.

Is CISO responsible for Cyber Security Awareness NIST? – It seems particularly noteworthy to us that Appendix D explicitly mentions the “System Security or Privacy Officer” (CSO / CISO / Security Officer) for maintaining Cyber Security Training & Awareness.

Risk Management Framework for Information Systems & Organisations – Organization, Mission, and Information System View (800-39)

This basic paper deals with the system elements, boundaries, controls, and the other content components, so-called ‘tiers’ (layers). The content view is multi-layered and multi-dimensionally structured according to the Tiers

  • Organization
  • Business process and mission
  • Information system(s)

The document offers instructions on the process for each perspective: Which implementation steps are to be taken in each case from the perspective of organization / process / IT system in order to get the risk management of an organization up and running? This multidimensional lifecycle approach of a risk management system for IT security and data protection helps to lay the foundations for cyber security awareness NIST in an organization.

As in the central RMF publication (800-37, Appendix D), the CISO is identified as the primary cyber security awareness NIST officer.

  • Assistance on which areas to specifically sensitize employees is not available in this publication.

CSF – The Cyber Security Framework 1.1 (cswp.04162018)

This publication is the central document on the Cyber Security Framework (CSF). Organized into five functions and four ‘tiers’, the structure of the CSF is easy to understand and implement. The functions are: Identify, Protect, Detect, Respond, and Recover. The tiers (Partial, Risk-Informed, Repeatable, and Adaptive) refer to the implementation strength of the Cyber Security Framework functions, to be selected based on the classified criticality of the organization.

The Executive Summary of the publication already states that the CSF should not be interpreted as a mandatory policy. It is a guideline, and a discussion around ‘framework compliance’ would only lead to confusion (and is forbidden!).

Category Awareness and Training in the CSF Protect Function

PR.AT: From the perspective of the Cyber Security Awareness NIST, the so-called ‘Framework Core’ contains the central elements on the topic of training and awareness. The Awareness and Training category in the Protect function contains the most important statements on the topic.

The PR.AT subcategories define the cyber security awareness NIST targets:

  • All users are informed and trained (PR.AT-1)
  • Specific user groups understand their roles and responsibilities:
    • Privileged users (PR.AT-2)
    • External partners (customers, suppliers, etc.) (PR.AT-3)
    • the management (PR.AT-4)
    • Security and Cyber Security Personnel (PR.AT-5)
Cyber Security Awareness NIST Training Subcategories

The category targets are clear and comprehensible: the organization’s personnel and partners are provided cyber security awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. Such a target fits any cyber security awareness NIST program.

Implementation Approach – Chapter 3.2 recommends seven overarching steps to building and launching a cyber security program:

  • Step 1: Prioritize and Scope
  • Step 2: Orient
  • Step 3: Create a Current Profile
  • Step 4: Conduct a Risk Assessment
  • Step 5: Create a Target Profile
  • Step 6: Determine, Analyze, and Prioritize Gaps
  • Step 7: Implement Action Plan

Build a Dedicated Cyber Security Awareness Framework – The implementation steps described above for a cyber security risk management program are, of course, also suitable for building a stand-alone, separate cyber security awareness NIST program.

This makes more sense than one might think at first glance. The motivation for a separate program is that awareness and training programs focus primarily on people, not on organization and technology. It is therefore more of a people challenge, with different stakeholders and drivers. You can read more about this in the chapter ‘LUCY Security Awareness Framework SAPF & NIST’.

Methodologies and Recommendations for Training – Chapter 3.6 of the CSF recommends the following methodologies and measures for Cyber Security Awareness NIST:

  • Training of Policies: Applicable information from the organization’s privacy policies is included in training and awareness activities for cyber security staff.
  • Integration of All: Service providers who provide cyber security-related services to the organization are informed of the organization’s applicable privacy policies.

Overlays as extensions – The NIST Cyber Security Framework explicitly allows the further development of the model and its contents. With the help of so-called overlays, sector-specific extensions can be developed. For example, a CSF extension for the insurance industry or an overlay for SMEs from country X could be created.

Suggested Training Topics – Specific topics are not mentioned in the CSF publication. For a selection of specific awareness training activities and content consistent with the NIST recommendations, the publications

  • SP800-50 Building an Information Technology Security Awareness and Training Program and
  • FIPS PUB 200 Minimum Security Requirements for Federal Systems

can be used as an aid. See the following chapter.

Security and Privacy Controls for Information Systems and Organisations (800-53)

This publication provides a universal catalogue of security and privacy controls for information systems, organizations, and operations to protect against threats and risks. What is special about this publication is that one version is provided for ‘Federal Systems’ and a separate version is provided for the public. Further, there is Publication 800-53B (see subsequent chapter), into which the control baselines have been moved.

The controls (Security Controls) are flexible and customizable and are implemented as part of an organization-wide risk management process.

This addresses various requirements arising from business needs, laws, regulations, guidelines, standards, etc.

Awareness and Training Controls – The control structure, therefore, has the ‘Awareness and Training’ control family. If one wants to adhere to the NIST standard, at least the security controls listed below should be set up, implemented, and measured. For further information, please refer to chapter 3.2 of the publication:

  • AT-1 Policy and Procedures
  • AT-2 Literacy Training and Awareness (‘Basic Training’)
    • AT-2(1) Practical Exercises
    • AT-2(2) Insider Threat
    • AT-2(3) Social Engineering and Mining
    • AT-2(4) Suspicious Communications, Anomalous System Behaviour
    • AT-2(5) Advanced Persistent Threat
    • AT-2(6) Cyber Threat Environment
  • AT-3 Role-Based Training
    • AT-3(1) Environmental Controls
    • AT-3(2) Physical Security Controls
    • AT-3(3) Practical Exercises
    • AT-3(4) obsolete
    • AT-3(5) Processing Personal Information
  • AT-4 Training Records
  • AT-5 obsolete
  • AT-6 Training Feedback

This is in line with NIST Cyber Security Awareness. The above list already gives a good insight into the content with which the user should be trained.

Control Baselines for Information Systems and Organisations

This publication provides security and privacy control baselines for U.S. government agencies. In the U.S. government environment, NIST is not only recommending, but providing binding guidance. Therefore, one should study these directives if one wants to be Cyber Security Awareness NIST ‘compliant’.

There are three security control baselines (one for each system impact level: low, moderate, and high impact). There is also a privacy baseline that is applied to systems regardless of impact level. Of course, there are baselines for the ‘Awareness and Training’ family; see the table below:

 

Identifier and control name, followed by the baselines (Privacy, Low, Moderate, High) that include the control; ‘none’ means the control enhancement is not part of any baseline:

  • AT-1 Policy and Procedures: Privacy, Low, Moderate, High
  • AT-2 Literacy Training and Awareness: Privacy, Low, Moderate, High
  • AT-2(1) Literacy Training and Awareness | Practical Exercises: none
  • AT-2(2) Literacy Training and Awareness | Insider Threat: Low, Moderate, High
  • AT-2(3) Literacy Training and Awareness | Social Engineering and Mining: Moderate, High
  • AT-2(4) Literacy Training and Awareness | Suspicious Communications and Anomalous System Behaviour: none
  • AT-2(5) Literacy Training and Awareness | Advanced Persistent Threat: none
  • AT-2(6) Literacy Training and Awareness | Cyber Threat Environment: none
  • AT-3 Role-based Training: Privacy, Low, Moderate, High
  • AT-3(1) Role-based Training | Environmental Controls: none
  • AT-3(2) Role-based Training | Physical Security Controls: none
  • AT-3(3) Role-based Training | Practical Exercises: none
  • AT-3(5) Role-based Training | Processing Personally Identifiable Information: Privacy
  • AT-4 Training Records: Privacy, Low, Moderate, High
  • AT-5 obsolete
  • AT-6 Training Feedback: none

 

It is worth noting that no matter at which level (Control Baseline Low to High) the organization classifies itself, training must be role-based and must be documented or logged. In short, Cyber Security Awareness NIST always recommends risk- and role-based employee awareness training, and that training should be logged.

Building an Information Technology Security Awareness and Training Program (800-50)

This publication provides guidance for building an effective IT security program. The document predates the Cyber Security Framework CSF. However, it is still listed as an official NIST standard, and not for nothing, because an effective IT security program cannot be established without paying close attention to training IT users on specific security practices and techniques required to secure IT resources.

For Cyber Security Awareness NIST, Chapters 4.1 and 4.1.1 are of key importance.

In chapter 4.1 “Development of Awareness and Training Materials”, two clear objectives for security awareness and training are given. The material should be developed with the following points in mind:

  • What behavior do we want to reinforce? (Awareness); and
  • What skill(s) should users learn and apply? (Training).

In chapter “4.1.1 Selecting Awareness Topics” the following training contents are suggested:

  1. Company Policies (company’s own security guidelines)
  2. Password security
  3. Malware and malware protection
  4. E-Mail Security
  5. Safe web browsing
  6. Recognizing and dealing with spam
  7. Social Engineering (Including Phishing, Smishing, Vishing, etc)
  8. Relevance of backups
  9. Incident Response
  10. Shoulder Surfing
  11. Remote work, work from home (home office work), and travel security
  12. Mobile device security
  13. Patching and updates
  14. Unlicensed software
  15. Access controls (as well as least privilege and separation of duties)
  16. Personal responsibility for IT security
  17. External visitors
  18. Information classification (and confidentiality)

Templates and NIST ‘compliant’ reporting – The LUCY software offers ready-made training templates for all of the above training topics, which can be adapted to your own specific needs if necessary. Thus, with LUCY, there is no need to develop your own training from scratch. This also ensures the “monitoring compliance” per user group recommended in chapter 6. Thus, chapters 5ff of the publication for Cyber Security Awareness NIST are irrelevant if LUCY is chosen as the solution.

Information Technology and Security Training Requirements; a Role and Performance-Based Model (800-16)

This publication is about building training and awareness content on your own. If an organization is considering creating all cyber security awareness training content in-house, this 20+ year-old publication is still a good reference.

Due to the range of training courses available on the market today, it is no longer practical to build up your own IT security training material. Even today, highly specific cyber security training can be created using existing basic material. The LUCY software, for example, allows customization of any training content available in the product. This means that even videos can be adapted to specific needs, instead of building complex and costly individual training courses. Interoperability is a given: LUCY training content can be transferred to third-party systems using the SCORM standard.

Assistance on what specific topics to train employees on is sparse in this publication.

Minimum Security Requirements for Federal Systems (FIPS PUB 200)

The publication “Minimum Security Requirements for Federal Information and Information Systems” takes a special position in the topic of Cyber Security Awareness NIST. For U.S. government agencies, the document is a binding directive to maintain a minimum level of IT security.

What makes this document interesting is: what is the IT security minimum that the U.S. government sets for its government agencies? The minimum-security requirements in Chapter 3 cover 17 security-related areas for IT systems and organizations:

  1. Access control
  2. Awareness and training (sensitization and training)
  3. Audit and accountability
  4. Certification, accreditation, and security assessments
  5. Configuration Management
  6. Contingency planning
  7. Identification and authentication
  8. Incident response
  9. Maintenance
  10. Media protection
  11. Physical protection and environmental protection
  12. Planning
  13. Personnel security
  14. Risk assessment
  15. Procurement of systems and services
  16. System and communication protection and
  17. System and information integrity.

Implementing all areas together results in a broad, balanced information security program that secures the management, operational, and technical aspects of protecting U.S. government and IT systems.

The above shows in which areas security standards could be implemented and demonstrated. It is obvious that each area must also be trained!

Minimum security requirement for training – Item 2 of the above list includes Awareness and Training (AT). Thus, minimum security requirements are specified for the training itself. Organizations must ensure that:

  1. Managers and users of the organization’s information systems are made aware of the security risks associated with their activities, as well as the applicable security laws and any other regulations. By other regulations, we mean security directives, guidelines, standards, or regulations concerning the organization’s information systems.
  2. the organization’s personnel are adequately trained to perform their assigned information security duties and responsibilities.


LUCY Security Awareness Framework SAPF & NIST

As mentioned earlier, the NIST Cyber Security Framework can easily be used as a guide to build an awareness & training program in one’s own organization. However, experience has shown that a ‘completely NIST-aligned’ approach often results in a training program that is fraught with weaknesses. Why? In the integral NIST context, IT security is perceived as a technology, risk management, and information technology challenge. As a result, too little attention is paid to the human factor, which is central to the topic of awareness and training.

For this reason, it is recommended to outsource employee sensitization and training and to communicate and establish a separate, explicit awareness program. Of course, this can be implemented in line with NIST Cyber Security Awareness.

The LUCY Security Awareness Framework SAPF addresses these specific needs: the guide focuses on the employee and the training needs of the organization. At the same time, SAPF is a model for practitioners and it is consistent with NIST. In short, with the LUCY Security Awareness Program Framework, Cyber Security Awareness NIST can be implemented right off the bat.

Cybersecurity Awareness Program Framework aligned with NIST

The LUCY software as a solution in the context of NIST.

The employee is at the center of the LUCY software. As a so-called 360° Awareness Suite, LUCY as a product contains the following functional groups:

  • Learning Management System (LMS),
  • Phishing Simulator,
  • Smishing Simulator,
  • Bad USB Simulator,
  • Malware and Ransomware Simulator,
  • Hundreds of key and attack templates (content),
  • Infrastructure assessments (e.g., mail and web filter test MFT),
  • Phishing report button,
  • Threat analysis and
  • Sophisticated reporting.

 

LUCY complies with GDPR and CCPA requirements. This makes LUCY the ideal product for the customer organization to run Cyber Security Awareness NIST.

LUCY Awareness Features supporting NIST Cybersecurity Awareness Framework

NIST categories supported by LUCY software components:

  • Identify: LUCY Malware Simulation Toolkit / Ransomware Simulator / Mail and Web Filter Test
  • Protect: LUCY Awareness & Training Campaigns
  • Detect: Anomalies & Events with LUCY Risk Score and Mail Threat Analysis
  • Detect: Detection Processes with Phishing Incident Button
  • Respond: Through the LUCY Threat Mitigator

 

NIST Reporting – LUCY’s integrated reporting also provides NIST compliant reporting. This includes not only training metrics, but also user reputation and the development of the respective maturity level of employees, organizational units, and the organization over time.

NIST Compliant Training View


 

Publication references and downloads

  • Risk Management Framework (800-37) for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
  • Managing Information Security Risk (800-39): Organization, Mission, and Information System View
  • Cybersecurity Framework (CSF)
  • Security and Privacy Controls (800-53) for Information Systems and Organizations
  • Control Baselines (800-53B) for Information Systems and Organizations
  • Building an Information Technology Security Awareness and Training Program (800-50)
  • Minimum Security Requirements (FIPS PUB 200) for Federal Information and Information Systems
  • Information Technology Security Training Requirements (800-16): A Role- and Performance-Based Model

 


About Lucy Security

Founded in 2015, Lucy has transformed the ethical hacking experience of its founders into comprehensive training software that provides a 360° view of an organization’s IT security vulnerabilities. Lucy continues to receive numerous industry awards, including the ISPG Award 2020 for Best Cyber Security Education and Training and the Cybersecurity Excellence Awards 2020 for Best Anti-Phishing and Best Security Education Platform. The company is headquartered in Zug, Switzerland, with a U.S. office in Austin, TX. Further information can be found at www.lucysecurity.com

Categories: Blog, News. By admin, March 29, 2021.
