Cyber Security Awareness NIST - Requirements, Commitments and Content
What must an organization do to align its awareness program with NIST? What are the obligations, what must be trained and tested, and how much freedom is there to customize?
Comprehensive View of NIST Cyber Security Training Guidelines: This article addresses employee cyber security awareness in the context of NIST, its Cyber Security Framework, and related publications. The article covers the following:
- Cyber Security Awareness NIST: Definition of Terms
- The Cyber Security Framework
- Relevant publications and training content on Cyber Security Awareness NIST.
- The Security Awareness Framework SAPF & NIST
- LUCY as a software solution in the context of NIST
- Publication references and downloads
Cyber Security Awareness NIST: Definition of Terms.
Cyber Security Awareness NIST is an employee awareness program aligned with NIST standards. NIST, the US National Institute of Standards and Technology, is the federal standards agency and a global pioneer in cyber security. Its Cyber Security Framework (CSF) is one of the most widely used risk management standards for information security today.
The NIST Cyber Security Framework is a guideline, not a requirement
Already in 2016, an estimated 30% of all US companies used NIST’s Cyber Security Framework. The standard has achieved great relevance not only in the U.S. but worldwide: Brazil has officially adopted the framework, a Spanish translation exists, and the CSF is also the basis for the risk management concepts of Swiss banks, because the requirements of the Swiss Financial Market Supervisory Authority FINMA are NIST-based.
The Cyber Security Framework is a risk management model built around five functions (Identify, Protect, Detect, Respond, Recover), with Implementation Tiers that describe how rigorously an organization practises risk management. It is well understood and provides significant substance in the form of conceptual, organizational, and technical outcomes. The detailed content is delegated to a significant number of subsidiary publications, which the CSF cites as informative references.
It is important to understand that Cyber Security Framework and almost all related NIST publications are ‘merely’ guidance for private companies. Thus, there is no compulsion to implement them. Therefore, there can be no NIST or Cyber Security Awareness NIST compliance in the strict sense.
[1] National Institute of Standards and Technology https://www.nist.gov/
Relevant Publications on Cyber Security Awareness NIST
If one wants to build a Cyber Security Awareness program that follows the recommendations of NIST and the Cyber Security Framework, then one needs to consider several publications to do so. For a ‘Cyber Security Awareness NIST coverage’ the following documents are relevant:
- Risk Management Framework for Information Systems and Organizations (SP 800-37)
- Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39)
- Cyber Security Framework 1.1
- Security and Privacy Controls for Information Systems and Organizations (SP 800-53)
- Control Baselines for Information Systems and Organizations (SP 800-53B)
- Building an Information Technology Security Awareness and Training Program (SP 800-50)
- Information Technology Security Training Requirements: A Role- and Performance-Based Model (SP 800-16)
- Minimum Security Requirements for Federal Information and Information Systems (FIPS PUB 200)
Please see the download links at the end of this article.
Most NIST publications provide rather general guidance. The ‘Minimum Requirements’ and ‘Building an IT Security Awareness Program’ documents are an exception: they name specific areas for which training is to be conducted. These two publications (SP 800-50, FIPS 200) can be read as cyber security awareness NIST guidelines, albeit without a mandatory character for private companies.
In the following chapters, each publication is briefly introduced and content is discussed that has specific relevance to the topic of employee awareness & training.
Risk Management Framework for Information Systems and Organizations (800-37)
This is THE guideline for the NIST Risk Management Framework (RMF). The document describes system elements, boundaries, and controls, and includes a guide to building and implementing the RMF in seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.
In short: In this publication, the structure of the RMF and steps to build it are described.
From an awareness perspective, the topics include ‘fundamental cyber security awareness’, ‘situational awareness’, and ‘training & awareness’.
Although specific guidance on possible training content for Cyber Security Awareness NIST is lacking, the RMF is still highly relevant. For example, Task S-4 of the Select step (‘Documentation of Planned Control Implementations’) requires that the planned implementation of the selected controls, including the Awareness and Training controls, be documented in the organization’s security and privacy plans.
For Cyber Security Awareness NIST this means that a selection from a catalogue of training and awareness topics must be made and documented. This ultimately results in the training plan for Cyber Security Awareness NIST.
Is CISO responsible for Cyber Security Awareness NIST? – It seems particularly noteworthy to us that Appendix D explicitly mentions the “System Security or Privacy Officer” (CSO / CISO / Security Officer) for maintaining Cyber Security Training & Awareness.
Managing Information Security Risk: Organization, Mission, and Information System View (800-39)
This foundational paper deals with system elements, boundaries, controls, and the other content components across three so-called ‘tiers’ (layers). The content view is multi-layered and structured according to the tiers
- Organization
- Business process and mission
- Information system(s)
The document offers instructions on the process for each perspective: which implementation steps are to be taken from the point of view of organization, process, and IT system in order to get the risk management of an organization up and running. This multi-tier lifecycle approach to a risk management system for IT security and data protection helps to lay the foundations for cyber security awareness NIST in an organization.
As in the central RMF publication (800-37, Appendix D), the security officer role (CSO / CISO) is identified as the primary owner of cyber security awareness NIST.
Assistance on which areas to specifically sensitize employees to is not available in this publication.
CSF – The Cyber Security Framework 1.1 (cswp.04162018)
This publication is the central document on the Cyber Security Framework (CSF). Organized into five functions and four Implementation Tiers, the structure of the CSF is easy to understand and implement. The functions are: Identify, Protect, Detect, Respond, and Recover. The tiers, Partial, Risk-Informed, Repeatable, and Adaptive, describe how rigorous and integrated an organization’s risk management practices are; the organization selects its target tier based on its risk, threat environment, legal requirements, and business objectives, not as a maturity score.
The Executive Summary of the publication already states that the CSF is voluntary and not a one-size-fits-all approach, and the framework text notes that talk of ‘framework compliance’ means very different things to different stakeholders and mainly causes confusion. It is a guideline, not a mandatory policy.
PR.AT: From the perspective of Cyber Security Awareness NIST, the so-called ‘Framework Core’ contains the central elements on the topic of training and awareness. The Awareness and Training category (PR.AT) in the Protect function contains the most important statements on the topic.
The PR.AT-1 to PR.AT-5 subcategories define the cyber security awareness targets:
- All users are informed and trained (PR.AT-1)
- Specific user groups understand their roles and responsibilities:
- Privileged users (PR.AT-2)
- Third-party stakeholders (suppliers, customers, partners) (PR.AT-3)
- Senior executives (PR.AT-4)
- Physical and cyber security personnel (PR.AT-5)
The category target is clear and comprehensible: the organization’s personnel and partners are provided cyber security awareness education and are trained to perform their cyber security-related duties and responsibilities consistent with related policies, procedures, and agreements. Such a target fits any cyber security awareness NIST program.
Implementation Approach – Chapter 3.2 recommends seven overarching steps to establishing or improving a cyber security program:
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Build a Dedicated Cyber Security Awareness Framework – The implementation steps described above for a cyber security risk management program are, of course, also suitable for building a stand-alone, separate cyber security awareness NIST program.
This makes more sense than one might think at first glance. Awareness and training programs focus primarily on people, not on organization and technology, so they are more of a people challenge with different stakeholders and drivers. You can read more about this in the chapter ‘LUCY Security Awareness Framework SAPF & NIST’.
Methodologies and Recommendations for Training – Chapter 3.6 of the CSF, which deals with protecting privacy and civil liberties, lists two awareness and training measures relevant to Cyber Security Awareness NIST:
- Training on policies: applicable information from the organization’s privacy policies is included in cyber security workforce training and awareness activities.
- Inclusion of service providers: service providers who provide cyber security-related services to the organization are informed of the organization’s applicable privacy policies.
Profiles and overlays as extensions – The NIST Cyber Security Framework explicitly allows the further development of the model and its contents. With the help of Profiles, sector-specific adaptations can be developed (in the SP 800-53 world the analogous mechanism is called an overlay). For example, a CSF Profile for the insurance industry or one for SMEs in country X could be created.
Suggested Training Topics – Specific topics are not mentioned in the CSF publication. For a selection of specific awareness training activities and content consistent with the NIST recommendations, the publications
- SP800-50 Building an Information Technology Security Awareness and Training Program and
- FIPS PUB 200 Minimum Security Requirements for Federal Systems
can be used as an aid. See the following chapter.
Security and Privacy Controls for Information Systems and Organisations (800-53)
This publication provides a universal catalogue of security and privacy controls for information systems, organizations, and operations to protect against threats and risks. With Revision 5 the word ‘Federal’ was dropped from the title, so the catalogue is explicitly intended for all organizations and not only for U.S. government agencies. The control baselines have been moved out into the separate publication SP 800-53B (see the following chapter).
The controls (Security Controls) are flexible and customizable and are implemented as part of an organization-wide risk management process.
This addresses various requirements arising from business needs, laws, regulations, guidelines, standards, etc.
Awareness and Training Controls – The control catalogue contains an ‘Awareness and Training’ (AT) control family. If one wants to adhere to the NIST standard, at least the security controls listed below should be set up, implemented, and measured. For further information, please refer to chapter 3.2 of the publication:
AT-1 Policy and Procedures
AT-2 Literacy Training and Awareness (‘Basic Training’)
AT-2(1) Practical Exercises
AT-2(2) Insider Threat
AT-2(3) Social Engineering and Mining
AT-2(4) Suspicious Communications, Anomalous System Behaviour
AT-2(5) Advanced Persistent Threat
AT-2(6) Cyber Threat Environment
AT-3 Role-Based Training
AT-3(1) Environmental Controls
AT-3(2) Physical Security Controls
AT-3(3) Practical Exercises
AT-3(5) Processing Personal Information
AT-4 Training Records
AT-6 Training feedback
This is in line with NIST Cyber Security Awareness. The above list already gives a good insight into the content with which the user should be trained.
Control Baselines for Information Systems and Organisations
This publication provides security and privacy control baselines for U.S. government agencies. In the U.S. government environment, NIST is not only recommending but providing binding guidance (FIPS 200 makes the baselines mandatory for federal systems). Therefore, one should study these directives if one wants to be Cyber Security Awareness NIST ‘compliant’.
There are three security control baselines (one for each system impact level: low, moderate, and high). There is also a privacy baseline that is applied to systems regardless of impact level. Of course, the baselines also select controls from the Awareness and Training family; the table below shows which baseline selects which control:
| Control | Name | Privacy | Low | Moderate | High |
|---|---|---|---|---|---|
| AT-1 | Policy and Procedures | x | x | x | x |
| AT-2 | Literacy Training and Awareness | x | x | x | x |
| AT-2(1) | Literacy Training and Awareness: Practical Exercises | | | | |
| AT-2(2) | Literacy Training and Awareness: Insider Threat | | x | x | x |
| AT-2(3) | Literacy Training and Awareness: Social Engineering and Mining | | | x | x |
| AT-2(4) | Literacy Training and Awareness: Suspicious Communications and Anomalous System Behaviour | | | | |
| AT-2(5) | Literacy Training and Awareness: Advanced Persistent Threat | | | | |
| AT-2(6) | Literacy Training and Awareness: Cyber Threat Environment | | | | |
| AT-3 | Role-Based Training | x | x | x | x |
| AT-3(1) | Role-Based Training: Environmental Controls | | | | |
| AT-3(2) | Role-Based Training: Physical Security Controls | | | | |
| AT-3(3) | Role-Based Training: Practical Exercises | | | | |
| AT-3(5) | Role-Based Training: Processing Personally Identifiable Information | x | | | |
| AT-4 | Training Records | x | x | x | x |
It is worth noting that no matter at which level (low, moderate, or high) the organization classifies itself, AT-3 (Role-Based Training) and AT-4 (Training Records) are selected in every baseline: training must be role-based and documented everywhere. In short, Cyber Security Awareness NIST always recommends risk- and role-based employee awareness training, which must be logged.
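What the baseline table means operationally is that the training log itself becomes evidence: for each user, the organization must be able to show a current record for the literacy module everyone needs (AT-2), for the enhancements the chosen baseline adds (AT-2(2), AT-2(3)), and for the role-based modules that user's role requires (AT-3), and AT-4 requires those records to exist. The following script is an added example written for this article; it is neither NIST's nor LUCY's code. It checks a constructed roster and training log against an impact baseline and reports who is missing or overdue. The module names, the role-to-module mapping, the 365-day refresh interval and all sample data are assumptions; SP 800-53 leaves frequency and content to the organization.

```python
"""Coverage check for awareness-training records (added example).

Illustrative code for this article, not NIST's or LUCY's. It models three
things the AT family asks for: every user completes literacy training (AT-2),
users with special roles complete role-based modules (AT-3), and completion
is recorded so that gaps can be shown (AT-4). Module names, the role mapping,
the refresh interval and the sample data are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

REFRESH_DAYS = 365  # assumed organization-defined refresh interval

# Assumed module required of everyone (AT-2) plus what the SP 800-53B
# baselines add to it: AT-2(2) insider threat at low/moderate/high,
# AT-2(3) social engineering and mining at moderate/high.
LITERACY_MODULE = "literacy-basics"
BASELINE_MODULES = {
    "low": {"insider-threat"},
    "moderate": {"insider-threat", "social-engineering"},
    "high": {"insider-threat", "social-engineering"},
}

# Assumed role-based modules (AT-3); "pii-handler" maps to AT-3(5), which
# sits in the privacy baseline rather than in the impact baselines.
ROLE_MODULES = {
    "privileged": "privileged-user",
    "executive": "executive-briefing",
    "pii-handler": "pii-handling",
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class TrainingRecord:  # one row of the AT-4 training log
    user: str
    module: str
    completed: date


def required_modules(user, baseline):
    """Modules this user must hold a fresh record for at the given baseline."""
    if baseline not in BASELINE_MODULES:
        raise ValueError(f"unknown baseline: {baseline}")
    mods = {LITERACY_MODULE} | BASELINE_MODULES[baseline]
    # roles without a mapped module add nothing
    mods.update(ROLE_MODULES[r] for r in user.roles if r in ROLE_MODULES)
    return mods


def find_gaps(users, records, today, baseline, refresh_days=REFRESH_DAYS):
    """Return {user: sorted modules that are missing or older than refresh_days}."""
    latest = {}  # (user, module) -> most recent completion date
    for r in records:
        key = (r.user, r.module)
        if key not in latest or r.completed > latest[key]:
            latest[key] = r.completed
    cutoff = today - timedelta(days=refresh_days)
    gaps = {}
    for u in users:
        stale = [m for m in sorted(required_modules(u, baseline))
                 if latest.get((u.name, m), date.min) < cutoff]
        if stale:
            gaps[u.name] = stale
    return gaps


# Constructed sample roster and training log (not real data).
USERS = [
    User("alice", {"privileged"}),
    User("bob"),
    User("carol", {"executive", "pii-handler"}),
]
TODAY = date(2024, 6, 1)
RECORDS = [
    TrainingRecord("alice", "literacy-basics", date(2024, 1, 15)),
    TrainingRecord("alice", "insider-threat", date(2024, 1, 15)),
    TrainingRecord("alice", "social-engineering", date(2024, 1, 15)),
    TrainingRecord("alice", "privileged-user", date(2022, 11, 3)),  # expired
    TrainingRecord("bob", "literacy-basics", date(2023, 7, 1)),
    TrainingRecord("bob", "insider-threat", date(2023, 7, 1)),
    TrainingRecord("carol", "literacy-basics", date(2024, 3, 2)),
    TrainingRecord("carol", "insider-threat", date(2024, 3, 2)),
    TrainingRecord("carol", "social-engineering", date(2024, 3, 2)),
    TrainingRecord("carol", "executive-briefing", date(2024, 3, 2)),
    # carol has no pii-handling record at all
]

if __name__ == "__main__":
    for level in ("low", "moderate"):
        print(f"baseline {level}: {find_gaps(USERS, RECORDS, TODAY, level)}")
```

Running it at the low baseline flags alice (expired privileged-user module) and carol (no PII-handling record); at the moderate baseline bob is flagged as well, because AT-2(3) social engineering training only enters the baseline at moderate. The point of keeping the log as structured records is exactly this: the same data answers both the AT-4 evidence question and the AT-2/AT-3 coverage question without a separate spreadsheet.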
Building an Information Technology Security Awareness and Training Program (800-50)
This publication provides guidance for building an effective IT security awareness and training program. The document predates the Cyber Security Framework CSF; the chapter references below follow the 2003 edition, which NIST revised in 2024 as Revision 1. The publication remains in NIST’s catalogue, and not for nothing: an effective IT security program cannot be established without paying close attention to training IT users on the specific security practices and techniques required to secure IT resources.
For Cyber Security Awareness NIST, Chapters 4.1 and 4.1.1 are of key importance.
In chapter 4.1 “Development of Awareness and Training Materials”, two clear objectives for security awareness and training are given. The material should be developed with the following points in mind:
- What behavior do we want to reinforce? (Awareness); and
- What skill(s) should users learn and apply? (Training).
In chapter “4.1.1 Selecting Awareness Topics” the following training contents are suggested:
- Company Policies (company’s own security guidelines)
- Password security
- Malware and malware protection
- E-Mail Security
- Safe web browsing
- Recognizing and dealing with spam
- Social Engineering (Including Phishing, Smishing, Vishing, etc)
- Relevance of backups
- Incident Response
- Shoulder Surfing
- Remote work, work from home (home office work), and travel security
- Mobile device security
- Patching and updates
- Unlicensed software
- Access controls (as well as least privilege and separation of duties)
- Personal responsibility for IT security
- External visitors
- Information classification (and confidentiality)
Templates and NIST-aligned reporting – The LUCY software offers ready-made training templates for all of the above training topics, which can be adapted to your own specific needs if necessary. Thus, with LUCY, there is no need to develop your own training from scratch. This also covers the “monitoring compliance” per user group recommended in chapter 6. Thus, chapters 5ff of the publication need no separate treatment for Cyber Security Awareness NIST if LUCY is chosen as the solution.
Information Technology Security Training Requirements: A Role- and Performance-Based Model (800-16)
This publication is about building training and awareness content on your own. If an organization is considering creating all cyber security awareness training content in-house, this 20+ year-old publication is still a good reference.
Given the range of training courses available on the market today, it is rarely practical to build up your own IT security training material from scratch. Even highly specific cyber security training can be created from existing base material. The LUCY software, for example, allows customization of any training content available in the product; even videos can be adapted to specific needs instead of building complex and costly individual courses. Interoperability is a given: LUCY training content can be transferred to third-party systems using the SCORM standard.
Assistance on which specific topics to train employees on is sparse in this publication.
Minimum Security Requirements for Federal Systems (FIPS PUB 200)
The publication “Minimum Security Requirements for Federal Information and Information Systems” takes a special position in the topic of Cyber Security Awareness NIST. For U.S. government agencies, the document is a binding directive to maintain a minimum level of IT security.
What makes this document interesting is the question: what is the IT security minimum that the U.S. government sets for its agencies? The minimum security requirements in Chapter 3 cover 17 security-related areas for information systems and organizations:
- Access control
- Awareness and training
- Audit and accountability
- Certification, accreditation, and security assessments
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Physical and environmental protection
- Planning
- Personnel security
- Risk assessment
- System and services acquisition
- System and communications protection
- System and information integrity
Implementing all areas together results in a broad, balanced information security program that covers the management, operational, and technical aspects of protecting federal information and information systems.
The above shows in which areas security standards must be implemented and demonstrated. It follows that each area must also be trained.
Minimum security requirement for training – Item 2 of the above list is Awareness and Training (AT). Thus, minimum security requirements are specified for the training itself. Organizations must ensure that:
- managers and users of the organization’s information systems are made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of those systems; and
- the organization’s personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
LUCY Security Awareness Framework SAPF & NIST
As mentioned earlier, the NIST Cyber Security Framework can easily be used as a guide to build an awareness and training program in one’s own organization. However, experience has shown that a ‘completely NIST-aligned’ approach often results in a training program with weaknesses. Why? In the integral NIST context, IT security is treated as a technology, risk management, and information technology challenge. As a result, too little attention is paid to the human factor, which is central to awareness and training.
For this reason, it is recommended to carve employee sensitization and training out of the general security program and to communicate and establish a separate, explicit awareness program. Of course, this can be implemented in line with NIST Cyber Security Awareness.
The LUCY Security Awareness Program Framework (SAPF) addresses these specific needs: the guide focuses on the employee and the training needs of the organization. At the same time, SAPF is a model for practitioners and is consistent with NIST. In short, with the LUCY Security Awareness Program Framework, Cyber Security Awareness NIST can be implemented right off the bat.
The LUCY software as a solution in the context of NIST.
The employee is at the center of the LUCY software. As a so-called 360° Awareness Suite, LUCY as a product contains the following functional groups:
- Learning Management System (LMS),
- Phishing Simulator,
- Smishing Simulator,
- Bad USB Simulator,
- Malware and Ransomware Simulator,
- Hundreds of key and attack templates (content),
- Infrastructure assessments (e.g., mail and web filter test MFT),
- Phishing report button,
- Threat analysis and
- Sophisticated reporting.
LUCY supports compliance with GDPR and CCPA requirements. This makes LUCY a suitable product for running Cyber Security Awareness NIST in the customer organization.
NIST categories supported by LUCY software components:
- Identify: LUCY Malware Simulation Toolkit / Ransomware Simulator / Mail and Web Filter Test
- Protect: LUCY Awareness & Training Campaigns
- Detect: Anomalies & Events with LUCY Risk Score and Mail Threat Analysis
- Detect: Detection Processes with the Phishing Incident Button
- Respond: Through the LUCY Threat Mitigator
NIST Reporting – LUCY’s integrated reporting also provides NIST-aligned reporting. This includes not only training metrics but also user reputation and the development of the maturity level of employees, organizational units, and the organization over time.
Publication references and downloads
- Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (SP 800-37)
- Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39)
- Cybersecurity Framework (CSF) 1.1
- Security and Privacy Controls for Information Systems and Organizations (SP 800-53)
- Control Baselines for Information Systems and Organizations (SP 800-53B)
- Building an Information Technology Security Awareness and Training Program (SP 800-50)
- Minimum Security Requirements for Federal Information and Information Systems (FIPS PUB 200)
- Information Technology Security Training Requirements: A Role- and Performance-Based Model (SP 800-16)
About Lucy Security
Founded in 2015, Lucy has transformed the ethical hacking experience of its founders into comprehensive training software that provides a 360° view of an organization’s IT security vulnerabilities. Lucy continues to receive numerous industry awards, including the ISPG Award 2020 for Best Cyber Security Education and Training and the Cybersecurity Excellence Awards 2020 for Best Anti-Phishing and Best Security Education Platform. The company is headquartered in Zug, Switzerland, with a U.S. office in Austin, TX. Further information can be found at www.lucysecurity.com