ATO Documents

Security Awareness and Training Plan

Sec Awareness opener.

Change Log

This record shall be maintained throughout the life of the document. Each published update shall be recorded.

Date | Version | Author | Changes Made
7-MAR-2018 | Initial draft | Shawn Wells [shawn@redhat.com] | Initial draft

Amplifying Guidance

The vulnerability management process begins with vulnerabilities being identified or reported to Red Hat’s Product Security team.

Red Hat Product Security rates the impact of security issues found in Red Hat products using a four-point scale (Low, Moderate, Important, Critical), as well as Common Vulnerability Scoring System (CVSS) base scores. These provide a prioritized risk assessment to help you understand and schedule upgrades to your systems, enabling informed decisions on the risk each issue places on your unique environment.

The four-point scale tells you how serious Red Hat considers an issue to be, helping system operators judge the severity and determine what the most important updates are. The scale takes into account the potential risk based on a technical analysis of the exact flaw and its type, but not the current threat level; a given rating will not change if an exploit or worm is later released for a flaw, or if one is available before the release of a fix.

Severity Rating | Description
Critical Impact | This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. These are the types of vulnerabilities that can be exploited by worms. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical impact.
Important Impact | This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.
Moderate Impact | This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.
Low Impact | This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be exploited, or where a successful exploit would have minimal consequences.

Additional information on Red Hat’s Severity Ratings can be found at Understanding Red Hat security ratings.

Differences Between NVD and Red Hat Scores

For open source software shipped by multiple vendors, the CVSS base scores may vary for each vendor’s version, depending on the version they ship, how they ship it, the platform, and even how the software is compiled. This makes scoring of vulnerabilities difficult for third-party vulnerability databases, such as the NIST National Vulnerability Database (NIST NVD), who can only give a single CVSS base score to each vulnerability.

These differences can cause the scores to vary widely. For example, NVD rates Firefox flaws as having High impact metrics because the Firefox application is also available for Microsoft Windows, where it is common for the user to run Firefox with administrator privileges. For Red Hat Enterprise Linux, Low impact metrics are used, as Firefox is most likely to run as an unprivileged user.

For these reasons, it is recommended that, whenever possible, CVSS base scores provided by Red Hat are given preference over third-party scoring.
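As an added illustration of the prioritization rule above (this is not Red Hat's tooling and not part of the original plan), the following Python ranks vulnerability records by Red Hat's four-point rating first and then by CVSS base score, preferring the Red Hat score over NVD's wherever both exist, and separately flags the records where the NVD score alone would have over-prioritized the issue. The record values, the CVE-0000-000N placeholders and the 2.0-point review threshold are constructed for the example and are not data from the page.

```python
"""Patch-triage helper: rank vulnerability records by vendor severity, then by
the preferred CVSS base score (Red Hat's over NVD's), per the plan's guidance.
Added example; record values and thresholds below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Red Hat's four-point scale, most severe first. The rank is fixed by the
# technical analysis of the flaw; it does not move with exploit availability.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class VulnRecord:
    cve: str                      # placeholder identifiers in the sample data
    package: str
    redhat_severity: str          # one of SEVERITY_RANK
    redhat_cvss: Optional[float]  # vendor base score, None if not published
    nvd_cvss: Optional[float]     # third-party base score, None if absent


def preferred_cvss(rec: VulnRecord) -> float:
    """Red Hat's base score when available, otherwise NVD's, otherwise 0.0.
    This is the 'prefer the vendor score' rule from the plan."""
    if rec.redhat_cvss is not None:
        return rec.redhat_cvss
    if rec.nvd_cvss is not None:
        return rec.nvd_cvss
    return 0.0


def triage_key(rec: VulnRecord):
    """Sort key: severity rank, then descending preferred score, then CVE id
    so that the ordering is deterministic for equal scores."""
    if rec.redhat_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown Red Hat severity: {rec.redhat_severity!r}")
    return (SEVERITY_RANK[rec.redhat_severity], -preferred_cvss(rec), rec.cve)


def prioritize(records: List[VulnRecord]) -> List[VulnRecord]:
    """Return records in the order they should be scheduled for remediation."""
    return sorted(records, key=triage_key)


def nvd_overrated(records: List[VulnRecord], threshold: float = 2.0) -> List[str]:
    """CVE ids where NVD's base score exceeds Red Hat's by at least `threshold`.
    These are the cases (like the Firefox example) where scheduling from the
    third-party score alone would pull effort away from higher-impact fixes.
    The threshold is an assumption chosen for this example."""
    flagged = []
    for rec in records:
        if rec.redhat_cvss is None or rec.nvd_cvss is None:
            continue
        if rec.nvd_cvss - rec.redhat_cvss >= threshold:
            flagged.append(rec.cve)
    return flagged


# Constructed sample data (not real advisories). The first and last rows mimic
# the document's scenario: NVD scores the flaw higher than Red Hat does.
SAMPLE = [
    VulnRecord("CVE-0000-0001", "firefox", "Moderate", 6.5, 8.8),
    VulnRecord("CVE-0000-0002", "kernel", "Important", 7.8, 7.8),
    VulnRecord("CVE-0000-0003", "openssl", "Critical", 9.8, 9.8),
    VulnRecord("CVE-0000-0004", "bash", "Low", None, 3.3),
    VulnRecord("CVE-0000-0005", "httpd", "Important", 7.5, 9.8),
]

if __name__ == "__main__":
    for rec in prioritize(SAMPLE):
        print(f"{rec.redhat_severity:<10} {preferred_cvss(rec):>4} "
              f"{rec.cve} ({rec.package})")
    print("review NVD-vs-Red Hat gap:", nvd_overrated(SAMPLE))
```

Ranking by severity rank before score is deliberate: a Moderate flaw with a high third-party score never jumps ahead of an Important one, which is what the four-point scale is meant to guarantee.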

Differences Between DISA IAVA and Red Hat Scores

tbd tbd tbd

Cyber Training

General User Training

IT has enabled the Department of Defense to transmit, communicate, collect, process, and store unprecedented amounts of information. Increasing dependence on information systems has focused attention on the need to ensure that these assets, and the information they process, are protected from actions that would jeopardize the DoD’s ability to effectively function. Responsibility for securing the information and systems lies within the Agency/Command components. The trained and aware user is the first and most vital line of defense.

Cyber training must be current, engaging, and relevant to the target audience to enhance its effectiveness. Its primary purpose is to educate and influence behavior. The focus must be on education and awareness of threats and vulnerabilities so that users do not perform actions that lead to or enable exploitation of the Agency/Department’s information systems. Authorized users must understand that they are a critical link in their organization’s overall Information Assurance success.

DISA’s DoD Cyber Awareness Challenge is the DoD baseline standard. It meets all DoD level requirements for end user awareness training. DISA will ensure it provides distributive awareness content to address evolving requirements promulgated by Congress, the OMB under the ISS LoB for Tier I, or the Office of the Secretary of Defense.

The Agency/DoD components are required to use the DoD SCC as their Cyber Awareness Provider. The DoD Cyber Awareness Challenge will be used to meet the initial and annual training mandated by DoD regulations.

To ensure understanding of the critical importance of Cyber, all individuals with access to DoD IT systems are required to receive and complete initial Cyber awareness training before being granted access to the system(s) and annual Cyber awareness training to retain access.

All training is tracked at the Command level.

Privileged User Training

A privileged user is a user that is authorized (and therefore, trusted) to have elevated rights to perform security-relevant functions that ordinary users are not authorized to perform. A number of high-profile security incidents over the last year have proven, yet again, that privileged users – administrators, contractors, and others with system-level access to IT infrastructure – are a critical element of the organization’s overall risk profile.

In addition to signing a Privileged Access Agreement prior to account creation, individuals will take the Privileged User Training created by DISA.

All training is tracked at the Command level.

Role-Based Training

DISA has gathered inputs from the USCYBERCOM, National Initiative for Cyberspace Education (NICE) and other partners to provide a catalog of training resources that are categorized by cyber work roles. The work roles used on this site were taken from USCYBERCOM’s Joint Cyberspace Training & Certification Standard (JCT&CS) v1.2. As the cyber work role process matures it will be integrated into future policy and doctrine to better recruit, train, promote and retain a superior cyberspace workforce.

While the cyber work roles may correlate to military specialties and civilian occupational classifications, they are not intended to be synonymous with discrete job positions. Each work role is listed with the tasks an individual may be expected to perform and the requisite skill sets needed to perform those tasks, as related to conducting missions that span the three Lines of Operations (LOO): DoD, DGO, DCO, and OCO. As noted in the diagram below, a cyberspace professional needs to fill both a supporting and an operational warfighting role when operating in the Joint Information Environment (JIE).

The cyber role tasks and associated skill sets establish a proficiency baseline for a workforce capable of integrating, synchronizing, and executing sustained cyberspace operations designed to achieve strategic, operational, and tactical objectives. Future cyber training assessments will ensure development of the knowledge and skills required for increased competency in accomplishing DoD individual, staff, and collective tasks.

The following table contains training resources based on assigned role:

Cybersecurity Role | Proficiency Level | Specific Task or KSA
CND Analyst: Uses data collected from a variety of CND tools (including intrusion detection system alerts, firewall and network traffic logs, and host system logs) to analyze events that occur within their environments for the purposes of mitigating threats. | Entry; Intermediate; Advanced | Tasks; KSAs
CND Auditor: Performs assessments of systems and networks within the NE or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. | Entry; Intermediate; Advanced | Tasks; KSAs
CND Incident Responder: Investigates and analyzes all response activities related to cyber incidents within the network environment or enclave. | Entry; Intermediate; Advanced | Tasks; KSAs
CND Infrastructure Support Specialist: Tests, implements, deploys, maintains, and administers the infrastructure hardware and software which are required to effectively manage the CND-SP network and resources. | Entry; Intermediate; Advanced | Tasks; KSAs
CND Manager: Oversees the CND-SP operations within their organization. | Entry; Intermediate; Advanced | Tasks; KSAs
Cyber Security Analyst / Information Security Professional: Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats. | Entry; Intermediate; Advanced | Tasks; KSAs
Cyber Trainer: Develops, plans, coordinates, and evaluates cyber training courses, methods, and techniques. Develops training policy and plans for personnel involved in all facets of cyber operations. | Entry; Intermediate; Advanced | Tasks; KSAs
IA Compliance Agent: Manages and administers the documentation, validation, and accreditation processes necessary to assure that new IT systems meet DoD IA requirements. | Entry; Intermediate; Advanced | Tasks; KSAs
Network Infrastructure Specialist: Installs, configures, tests, and maintains networks including hardware (hubs, bridges, switches, multiplexers, and routers) and software that permit the sharing and transmission of information. | Entry; Intermediate; Advanced | Tasks; KSAs
Network Operations Manager: Provides management of network operations. | Entry; Intermediate; Advanced | Tasks; KSAs
Server Administrator: Installs, configures, troubleshoots, and maintains server hardware and software to ensure their confidentiality, integrity, and availability. | Entry; Intermediate; Advanced | Tasks; KSAs
System Security Analyst: Responsible for the integration, testing, operations, and maintenance of systems security. | Entry; Intermediate; Advanced | Tasks; KSAs
Systems Architect: Responsible for the systems concepts and capabilities phases of the systems development lifecycle. | Entry; Intermediate; Advanced | Tasks; KSAs
Technical Support Specialist: Provides technical support to customers who need assistance utilizing client-level hardware and software. | Entry; Intermediate; Advanced | Tasks; KSAs

Physical Security Training

Applicable Security Controls

The following physical security controls have been documented as required training:

Number | Control | Control Text | Training Resource
PE-1 | Physical and Environmental Protection Policy and Procedures | This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the PE family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. | Introduction to Physical Security
PE-2 | Physical Access and Authorizations | This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Authorization credentials include, for example, badges, identification cards, and smart cards. | Physical Security Planning and Implementation; Implementing Effective Physical Security Countermeasures
PE-3 | Physical Access Control | This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access authorization credentials are not considered visitors. Physical access devices include, for example, keys, locks, combinations, and card readers. | Lock and Key Systems
PE-6 | Monitoring Physical Access | Organizational incident response capabilities include investigations of and responses to detected physical security incidents. Security incidents include, for example, apparent security violations or suspicious physical access activities. | Physical Security Measures

Personnel and Roles

The following roles have been identified as requiring physical security training:

  • Security Manager
  • Physical Security Manager
  • Base Security

Malicious Code Training

A well-maintained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect the organization against malicious code via email or web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by the organization.

DISA’s DoD Cyber Awareness Challenge contains the modules that meet the DoD requirement for malicious code training.

Detailed Compliance Matrix

The following table provides traceability between this document and the Assessment Procedures contained within NIST Special Publication 800-53 Revision 4A, “Assessing Security and Privacy Controls in Federal Information Systems and Organizations”.

Control Number | Assessment Number | CCI | Assessment Procedures | Reference
AT-1 | AT-1(a) | CCI-002048 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with security awareness and training capabilities. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(a) | CCI-002049 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(a)(1) | CCI-000100 | DoD 8570.1 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. Comment: The organization’s use of their higher command policy/procedures meets this requirement if more stringent. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(a)(1) | CCI-000101 | DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(a)(2) | CCI-000103 | DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(a)(2) | CCI-000104 | DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the roles as organizational personnel with security awareness and training responsibilities. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(b)(1) | CCI-000102 | DoD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(b)(1) | CCI-001564 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually – updated as appropriate but at least within 10 years of date of issuance. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(b)(2) | CCI-000105 | DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the frequency as annually. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-1 | AT-1(b)(2) | CCI-001565 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as reviewed annually – updated as appropriate. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-2 | AT-2 | CCI-001480 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. DoD has defined the frequency as annually. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-2(1) | AT-2(1) | CCI-000107 | DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA’s DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-2(2) | AT-2(2) | CCI-002055 | The IA Awareness CBT, “Cyber Awareness Challenge,” and Virtual Training Environment (VTE) courses “Introduction to Insider Threat” and “Monitoring for Insider Threat,” available on the IASE website, meet the DoD requirement to include security awareness training on recognizing and reporting potential indicators of insider threat. DoD Components are automatically compliant with this CCI because they are covered by the DoD level training available on the IASE website. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-2 | AT-2(a) | CCI-000106 | DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA’s DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.02. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-2 | AT-2(b) | CCI-000112 | DoD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA’s DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-2 | AT-2(c) | CCI-001479 | DoD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA’s DoD IA awareness CBT is the DoD baseline standard. DoD Components are automatically compliant with this CCI because they are covered by the DoD level policy, DoDD 8570.01. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-3(1) | AT-3(1) | CCI-001481 | The organization conducting the inspection/assessment obtains and examines: (1) documentation of environmental controls that require training; (2) the documented list of personnel defined in AT-3(1), CCI 2050; and (3) ensures identified personnel have received the initial training. | NIST has not allocated this AP. Therefore, this AP is not applicable.
AT-3(1) | AT-3(1) | CCI-001482 | The organization conducting the inspection/assessment obtains and examines: (1) documentation of environmental controls that require training; (2) the documented list of personnel defined in AT-3(1), CCI 2050; and (3) ensures identified personnel have received training annually. DoD has defined the frequency as annually. | NIST has not allocated this AP. Therefore, this AP is not applicable.
AT-3(1) | AT-3(1) | CCI-002050 | The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom initial and refresher training in the employment and operation of environmental controls is to be provided. DoD has determined the personnel or roles are not appropriate to define at the Enterprise level. | NIST has not allocated this AP. Therefore, this AP is not applicable.
AT-3(1) | AT-3(1) | CCI-001483 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annual. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-3(2) | AT-3(2) | CCI-001566 | The organization conducting the inspection/assessment obtains and examines: (1) documentation of physical security controls that require training; (2) the documented list of personnel defined in AT-3(2), CCI 2051; and (3) ensures identified personnel have received the initial training. | Applicable Security Controls; Personnel and Roles
AT-3(2) | AT-3(3) | CCI-001567 | The organization conducting the inspection/assessment obtains and examines: (1) documentation of physical security controls that require training; (2) the documented list of personnel defined in AT-3(2), CCI 2051; and (3) ensures identified personnel have received training annually. DoD has defined the frequency as annual. | Applicable Security Controls; Personnel and Roles
AT-3(2) | AT-3(2) | CCI-002051 | The organization conducting the inspection/assessment obtains and examines the documented personnel or roles to ensure the organization being inspected/assessed defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided. DoD has determined the personnel or roles are not appropriate to define at the enterprise level. | Personnel and Roles
AT-3(2) | AT-3(2) | CCI-001568 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annual. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-3(3) | AT-3(3) | CCI-002052 | The organization conducting the inspection/assessment obtains and examines the security training materials to ensure the organization being inspected/assessed includes practical exercises in security training that reinforce the training objectives. | NIST has not allocated this AP. Therefore, this AP is not applicable.
AT-3(4) | AT-3(4) | CCI-002053 | The organization conducting the inspection/assessment obtains and examines the training materials and indicators of malicious code defined in AT-3(4), CCI 2054 to ensure the organization being inspected/assessed provides users with the means to recognize suspicious communications and anomalous behavior in organizational information systems. | Malicious Code Training
AT-3(4) | AT-3(4) | CCI-002054 | The organization conducting the inspection/assessment obtains and examines the documented indicators to ensure the organization being inspected/assessed defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems. DoD has determined the indicators are not appropriate to define at the Enterprise level. | Malicious Code Training
AT-3 | AT-3(a) | CCI-000108 | DoDD 8570.01 meets the DoD requirement for IA awareness training policy and procedures. DISA’s DoD IA awareness CBT for privileged users is the DoD baseline standard. DoD Components are automatically compliant with this control because they are covered by the DoD level policy, DoDD 8570.01. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-3 | AT-3(b) | CCI-000109 | The organization conducting the inspection/assessment obtains and examines documented records (IAW AT-4) of their privileged user training. | Privileged User Training
AT-3 | AT-3(c) | CCI-000110 | The organization conducting the inspection/assessment obtains and examines records (IAW AT-4) of their privileged user training. | Privileged User Training
AT-3 | AT-3(c) | CCI-000111 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as annually. | Automatically compliant with this CCI because they are covered at the DoD level.
AT-4 | AT-4(a) | CCI-000113 | The organization conducting the inspection/assessment obtains and examines the security awareness training activities to ensure the organization being inspected/assessed documents training activities to include basic security awareness training (per AT-2) and role-based security-related training (per AT-3) IAW DoD 8570.01M. | General User Training; Role-Based Training
AT-4 | AT-4(a) | CCI-000114 | The organization conducting the inspection/assessment obtains and examines records identifying personnel who have received training and the date the training was available. | Externally available.
AT-4 | AT-4(b) | CCI-001336 | The organization conducting the inspection/assessment obtains and examines training records to ensure records have been retained for at least 5 years or 5 years after completion of a specific training program. DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. | Externally available.
AT-4 | AT-4(b) | CCI-001337 | The organization being inspected/assessed is automatically compliant with this CCI because they are covered at the DoD level. DoD has defined the frequency as at least 5 years or 5 years after completion of a specific training program. | Automatically compliant with this CCI because they are covered at the DoD level.

Training Resources

The resources below have been compiled to assist with Security Awareness Training requirements. Additional commercial training may be used to supplement in-house organizational training.