NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
AC-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Control Family: Awareness and Training
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance:
N/A
CMMC Level(s):
AT.L2-3.2.3
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
AT-2(2)
NIST Supplemental Guidance:
[SP 800-181]
[SP 800-161]
Discussion:
Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices of organizations. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in behavior of team members, while training for employees may be focused on more general observations).
Upon assessment, assessors must determine if-
3.2.3[a] potential indicators associated with insider threats are identified.
3.2.3[b] security awareness training on recognizing and reporting potential indicators
of insider threat is provided to managers and employees
Assessors are instructed to-
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; insider threat policy and procedures; system security plan; other relevant documents or records].
Interview: [SELECT FROM: Personnel that participate in security awareness training; personnel with responsibilities for basic security awareness training; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms managing insider threat training].
Potential Solutions Based on Staffing
1-10 FTE |
10-49 FTE |
50-249 FTE |
250-999 FTE |
1000+ FTE |
|---|---|---|---|---|
| WatchGuard Firebox UTM | WatchGuard Firebox UTM | WatchGuard Firebox UTM | Multiple Options | Multiple Options |
| Netwrix Auditor | Netwrix Auditor | Netwrix Auditor | Netwrix Auditor | Netwrix Auditor |
| Microsoft Intune | Microsoft Intune | Microsoft Intune | Microsoft Intune | Microsoft Intune |
| DISA STIGs | DISA STIGs | Tripwire Enterprise | Tripwire Enterprise | Tripwire Enterprise |
| CIS Benchmarks | CIS Benchmarks | DISA STIGs | DISA STIGs | DISA STIGs |
| CIS SecureSuite | CIS SecureSuite | CIS Benchmarks | CIS Benchmarks | CIS Benchmarks |
| CIS SecureSuite | CIS SecureSuite | CIS SecureSuite |