Skip to main content

SAT-02: Cybersecurity & Data Protection Awareness Training

SAT 8 — High Protect

Mechanisms exist to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.

Control Question: Does the organization provide all employees and contractors appropriate awareness education and training that is relevant for their job function?

General (55)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.4-POF7 CC2.2-POF12 CC2.2-POF8
CIS CSC 8.1 14.3 14.7 14.8
CIS CSC 8.1 IG1 14.3 14.7 14.8
CIS CSC 8.1 IG2 14.3 14.7 14.8
CIS CSC 8.1 IG3 14.3 14.7 14.8
CSA CCM 4 HRS-11 HRS-13
CSA IoT SCF 2 TRN-02
ENISA 2.0 SO7
GovRAMP Low AT-02
GovRAMP Low+ AT-02
GovRAMP Moderate AT-02
GovRAMP High AT-02
IMO Maritime Cyber Risk Management 3.5.3.6 3.5.4.2 3.5.5.3 3.5.6.2
ISO 22301 2019 7.3
ISO 27001 2022 (source) 7.4 7.4(a) 7.4(b) 7.4(c) 7.4(d)
ISO 27002 2022 6.3
ISO 27017 2015 7.2.2
MPA Content Security Program 5.1 OR-3.1 OR-3.2
NAIC Insurance Data Security Model Law (MDL-668) 4.D(5)
NIST AI 600-1 GV-6.1-002
NIST Privacy Framework 1.0 GV.AT-P1 GV.AT-P2 GV.AT-P3
NIST 800-53 R4 AT-2
NIST 800-53 R4 (low) AT-2
NIST 800-53 R4 (moderate) AT-2
NIST 800-53 R4 (high) AT-2
NIST 800-53 R5 (source) AT-2
NIST 800-53B R5 (privacy) (source) AT-2
NIST 800-53B R5 (low) (source) AT-2
NIST 800-53B R5 (moderate) (source) AT-2
NIST 800-53B R5 (high) (source) AT-2
NIST 800-82 R3 LOW OT Overlay AT-2
NIST 800-82 R3 MODERATE OT Overlay AT-2
NIST 800-82 R3 HIGH OT Overlay AT-2
NIST 800-161 R1 AT-2
NIST 800-171 R2 (source) 3.2.1
NIST 800-171A (source) 3.2.1[a] 3.2.1[b] 3.2.1[c] 3.2.1[d]
NIST 800-171 R3 (source) 03.01.22.a 03.02.01.a.01 03.02.01.a.02 03.02.01.a.03 03.02.01.b 03.06.04.a.03
NIST 800-171A R3 (source) A.03.02.01.ODP[03] A.03.02.01.ODP[04]
NIST CSF 2.0 (source) PR.AT PR.AT-01
PCI DSS 4.0.1 (source) 8.3.8 9.5.1 9.5.1.3 12.6 12.6.1 12.6.3 12.6.3.1
PCI DSS 4.0.1 SAQ A-EP (source) 8.3.8 12.6.1 12.6.3.1
PCI DSS 4.0.1 SAQ B (source) 9.5.1 9.5.1.3 12.6.1
PCI DSS 4.0.1 SAQ B-IP (source) 9.5.1 9.5.1.3 12.6.1
PCI DSS 4.0.1 SAQ C (source) 8.3.8 9.5.1 9.5.1.3 12.6.1 12.6.3.1
PCI DSS 4.0.1 SAQ C-VT (source) 12.6.1 12.6.3.1
PCI DSS 4.0.1 SAQ D Merchant (source) 8.3.8 9.5.1 9.5.1.3 12.6.1 12.6.3 12.6.3.1
PCI DSS 4.0.1 SAQ D Service Provider (source) 8.3.8 9.5.1 9.5.1.3 12.6.1 12.6.3 12.6.3.1
PCI DSS 4.0.1 SAQ P2PE (source) 9.5.1 9.5.1.3 12.6.1
SWIFT CSF 2023 7.2
TISAX ISA 6 2.1.3 8.2.3
SCF CORE Fundamentals SAT-02
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) SAT-02
SCF CORE ESP Level 1 Foundational SAT-02
SCF CORE ESP Level 2 Critical Infrastructure SAT-02
SCF CORE ESP Level 3 Advanced Threats SAT-02
US (39)
Framework Mapping Values
US C2M2 2.1 WORKFORCE-2.A.MIL1 WORKFORCE-2.B.MIL2 WORKFORCE-2.C.MIL2 WORKFORCE-2.D.MIL2 WORKFORCE-2.E.MIL3 WORKFORCE-2.F.MIL3 WORKFORCE-2.G.MIL3
US CERT RMM 1.2 GG2.GP5 OTA:SG2.SP1
US CISA CPG 2022 2.I
US CJIS Security Policy 5.9.3 (source) AT-2
US CMMC 2.0 Level 2 (source) AT.L2-3.2.1
US CMMC 2.0 Level 3 (source) AT.L2-3.2.1
US CMS MARS-E 2.0 AT-2
US DHS CISA TIC 3.0 3.UNI.UATRA
US FCA CRM 609.930(c)(4)
US FedRAMP R4 AT-2
US FedRAMP R4 (low) AT-2
US FedRAMP R4 (moderate) AT-2
US FedRAMP R4 (high) AT-2
US FedRAMP R4 (LI-SaaS) AT-2
US FedRAMP R5 (source) AT-2
US FedRAMP R5 (low) (source) AT-2
US FedRAMP R5 (moderate) (source) AT-2
US FedRAMP R5 (high) (source) AT-2
US FedRAMP R5 (LI-SaaS) (source) AT-2
US GLBA CFR 314 2023 (source) 314.4(e)(1)
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(5)(i) 164.530(b)(2)(i) 164.530(b)(2)(i)(A) 164.530(b)(2)(i)(B) 164.530(b)(2)(i)(C) 164.530(b)(2)(ii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(5)(i)
US HIPAA HICP Small Practice 1.S.B 4.S.C
US HIPAA HICP Medium Practice 1.M.D
US HIPAA HICP Large Practice 1.M.D 1.L.C
US IRS 1075 2.D.1 AT-2
US NERC CIP 2024 (source) CIP-004-7 1.1 CIP-004-7 2.1.1 CIP-004-7 2.1.2 CIP-004-7 2.1.3 CIP-004-7 2.1.4 CIP-004-7 2.1.5 CIP-004-7 2.1.6 CIP-004-7 2.1.7 CIP-004-7 2.1.8 CIP-004-7 2.1.9 CIP-004-7 2.2 CIP-004-7 R2
US NISPOM 2020 8-101
US NNPI (unclass) 2.1 2.3
US NSTC NSPM-33 6.1
US SSA EIESR 8.0 5.7 5.10
US - CA CCPA 2025 7100(a) 7123(c)(12) 7123(c)(13)
US - MA 201 CMR 17.00 17.04(8) 17.03(2)(b)(1)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.10(a)(2)
US - NY SHIELD Act S5575B 4(2)(b)(ii)(A)(4)
US - TX DIR Control Standards 2.0 AT-2
US - TX TX-RAMP Level 1 AT-2
US - TX TX-RAMP Level 2 AT-2
US - VT Act 171 of 2018 2447(b)(2)(A) 2447(c)(8)
EMEA (13)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.4.7(49)
EMEA EU DORA 13.6
EMEA EU NIS2 Annex 8.1.1 8.1.2
EMEA Germany C5 2020 HR-03 DEV-04
EMEA Israel CDMO 1.0 20.2
EMEA Saudi Arabia IoT CGIoT-1 2024 1-9-1 1-9-2
EMEA Saudi Arabia ECC-1 2018 1-10-2 1-10-3 1-10-3-1 1-10-3-2 1-10-3-3 1-10-3-4
EMEA Saudi Arabia OTCC-1 2022 1-8
EMEA Saudi Arabia SACS-002 TPC-7
EMEA Spain CCN-STIC 825 8.2.3 [MP.PER.3] 8.2.4 [MP.PER.4]
EMEA UK CAF 4.0 B6
EMEA UK CAP 1850 B6
EMEA UK DEFSTAN 05-138 2600 2602 2603
APAC (4)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-0252 ISM-0824 ISM-1146 ISM-1740
APAC Japan ISMAP 4.5.2 4.5.3 4.5.3.1 7.2.2 7.2.2.19.PB
APAC New Zealand NZISM 3.6 9.1.5.C.01 9.1.5.C.02 9.1.6.C.01 9.1.6.C.02
APAC Singapore MAS TRM 2021 3.6.1
Americas (3)
Framework Mapping Values
Americas Canada CSAG 1.8 1.9
Americas Canada OSFI B-13 3.1.7
Americas Canada ITSP-10-171 03.01.22.A 03.02.01.A.01 03.02.01.A.02 03.02.01.A.03 03.02.01.B 03.06.04.A.03

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.

Level 1 — Performed Informally

Security Awareness & Training (SAT) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Training activities are decentralized.
  • Security awareness and training methods are often generic, without organization-specific content.
  • IT/cybersecurity personnel self-manage their professional certification requirements to support their assigned duties.
  • Personnel management is mainly decentralized, with the responsibility for training users on new technologies and enforcing policies being assigned to users’ supervisors and managers.
Level 2 — Planned & Tracked

Security Awareness & Training (SAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security training and awareness activities. o Create/govern security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Self-manage their professional certification requirements to support their assigned duties.

  • Training and awareness activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
  • The Human Resources (HR) department works with cybersecurity personnel to facilitate workforce development and awareness to help ensure secure practices are implemented.
  • Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
  • IT/cybersecurity personnel:
Level 3 — Well Defined

Security Awareness & Training (SAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to security awareness and training. o Defines minimum cybersecurity training (including certifications) for personnel, based on their specific roles. o Creates/governs security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Identifies and implements industry-recognized HR practices related to security workforce development and awareness to help ensure secure practices are implemented in personnel management operations. o Documents, retains and monitors individual training activities, including basic security awareness training, ongoing awareness training and specific-system training. o Ensures that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements. o Ensures all employees and contractors receive awareness education and training that is relevant for their job function, including social engineering-related threats.

  • A Governance, Risk & Compliance (GRC) function, or similar function:
  • Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
  • The Human Resources (HR) department:
Level 4 — Quantitatively Controlled

Security Awareness & Training (SAT) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide all employees and contractors appropriate awareness education and training that is relevant for their job function.

Assessment Objectives

  1. SAT-02_A01 cybersecurity / data privacy literacy training is provided to system users (including managers, senior executives and contractors) as part of initial training for new users.
  2. SAT-02_A02 cybersecurity / data privacy literacy training is provided to system users (including managers, senior executives and contractors) organization-defined frequency thereafter.
  3. SAT-02_A03 cybersecurity / data privacy literacy training is provided to system users (including managers, senior executives and contractors) when required by system changes or following organization-defined events.
  4. SAT-02_A04 security risks associated with organizational activities involving sensitive / regulated data are identified.
  5. SAT-02_A05 policies, standards and procedures related to the security of the system are identified.
  6. SAT-02_A06 managers, systems administrators and users of the system are made aware of the security risks associated with their activities.
  7. SAT-02_A07 managers, systems administrators and users of the system are made aware of the applicable policies, standards and procedures related to the security of the system.
  8. SAT-02_A08 the frequency at which to provide cybersecurity / data privacy literacy training to system users (including managers, senior executives and contractors) after initial training is defined.
  9. SAT-02_A09 events that require cybersecurity / data privacy literacy training for system users are defined.
  10. SAT-02_A10 techniques to be employed to increase the cybersecurity / data privacy awareness of system users are defined.
  11. SAT-02_A11 events that require security literacy training for system users are defined.
  12. SAT-02_A12 events that require security literacy training content updates are defined.
  13. SAT-02_A13 awareness training is updated frequently or when there are significant changes to the threat.
  14. SAT-02_A14 organization-defined awareness techniques are employed to increase the cybersecurity / data privacy awareness of system users.
  15. SAT-02_A15 literacy training and awareness content is updated organization-defined frequency.
  16. SAT-02_A16 literacy training and awareness content is updated following organization-defined events.
  17. SAT-02_A17 lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.

Evidence Requirements

E-SAT-02 Initial User Training

Documented evidence of initial user training for cybersecurity and/ord ata privacy topics.

Education

Technology Recommendations

Micro/Small

  • Initial & annual cybersecurity and data privacy awareness training
  • KnowB4 (https://knowbe4.com)

Small

  • Initial & annual cybersecurity and data privacy awareness training
  • KnowB4 (https://knowbe4.com)

Medium

  • Initial & annual cybersecurity and data privacy awareness training
  • KnowB4 (https://knowbe4.com)

Large

  • Initial & annual cybersecurity and data privacy awareness training
  • KnowB4 (https://knowbe4.com)

Enterprise

  • Initial & annual cybersecurity and data privacy awareness training
  • KnowB4 (https://knowbe4.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free