Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events.  [SP 800-50] provides guidance on security awareness and training programs. 

Priority: High  

Category:  Security Awareness Training 

Services Associated with AWS:  

  • AWS Identity and Access Management (IAM), AWS Security Hub, AWS Security Training and Certification
  • AWS Identity and Access Management (IAM), AWS Security Hub, AWS Simple Email Service (SES)

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Role Based Access Control (RBAC) is properly & securely implemented
  • Administrative: supporting documentation of role-based security training being performed
  • Technical: screen shot of groups and membership assignment

Possible Technology Considerations :

  • Learning Management System (LMS) 

What needs to be answered : 

Do all employees receive general training? Is there initial training for new hires on security policies? Is there annual training for any changes made to policies or security?


  • Implement Security Awareness Training for Managers, Administrators, and Users
    Description This check ensures that managers, systems administrators, and users of organizational systems receive security awareness training to make them aware of the security risks associated with their activities. The training covers applicable policies, standards, and procedures related to the security of those systems. The content includes understanding the need for information security, user actions to maintain security, and how to respond to suspected security incidents.
  • Deploy Security Awareness Techniques
    Description This check verifies that security awareness techniques are deployed to reinforce security awareness among managers, administrators, and users. Techniques may include providing supplies with security reminders, sending email advisories or notices, displaying security awareness messages on login screens, showcasing security awareness posters, and conducting information security awareness events.

More Details:  

Policies in place regarding handling, storage, and transmission of sensitive information including CUI.