SAT-03.6: Cyber Threat Environment
Mechanisms exist to provide role-based cybersecurity and data protection awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.
Control Question: Does the organization provide role-based cybersecurity and data protection awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations?
General (19)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF8 |
| IMO Maritime Cyber Risk Management | 3.5.3.6 3.5.4.2 |
| MPA Content Security Program 5.1 | OR-3.2 |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 2.2 |
| NIST 800-53 R5 (source) | AT-2(6) |
| NIST 800-53 R5 (NOC) (source) | AT-2(6) |
| NIST 800-161 R1 | AT-2(6) |
| NIST 800-161 R1 Level 2 | AT-2(6) |
| NIST 800-171 R2 (source) | 3.2.3 |
| NIST 800-171A (source) | 3.2.3[a] 3.2.3[b] |
| NIST 800-171 R3 (source) | 03.02.01.a.03 |
| NIST 800-171A R3 (source) | A.03.02.01.a.03[01] A.03.02.01.a.03[02] |
| NIST CSF 2.0 (source) | ID.RA-03 |
| Shared Assessments SIG 2025 | P.4 |
| SPARTA | CM0052 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | SAT-03.6 |
| SCF CORE ESP Level 1 Foundational | SAT-03.6 |
| SCF CORE ESP Level 2 Critical Infrastructure | SAT-03.6 |
| SCF CORE ESP Level 3 Advanced Threats | SAT-03.6 |
US (11)
| Framework | Mapping Values |
|---|---|
| US CISA CPG 2022 | 2.I |
| US CJIS Security Policy 5.9.3 (source) | AT-2(2) |
| US CMMC 2.0 Level 2 (source) | AT.L2-3.2.3 |
| US CMMC 2.0 Level 3 (source) | AT.L3-3.2.1E AT.L3-3.2.2E |
| US FCA CRM | 609.930(c)(4) |
| US GLBA CFR 314 2023 (source) | 314.4(e)(1) |
| US HIPAA Administrative Simplification 2013 (source) | 164.308(a)(5)(ii)(A) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.308(a)(5)(ii)(A) |
| US NSTC NSPM-33 | 6.1 |
| US - CA CCPA 2025 | 7123(c)(12) 7123(c)(13) |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.10(a)(2) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 13.6 |
| EMEA EU NIS2 Annex | 8.1.2(b) 8.1.2(c) 8.2.3(b) |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-9-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 1-8-1 1-8-2 1-8-3 |
| EMEA UK DEFSTAN 05-138 | 2601 2602 2603 3106 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada CSAG | 1.7 1.8 1.9 |
| Americas Canada ITSP-10-171 | 03.02.01.A.01 03.02.01.A.02 03.02.01.A.03 03.02.01.B 03.02.02.A.01 03.02.02.A.02 03.02.02.B 03.06.04.A.02 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to provide role-based cybersecurity and data protection awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to provide role-based cybersecurity and data protection awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.
Level 2 — Planned & Tracked
Security Awareness & Training (SAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security training and awareness activities. o Create/govern security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Self-manage their professional certification requirements to support their assigned duties.
- Training and awareness activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
- The Human Resources (HR) department works with cybersecurity personnel to facilitate workforce development and awareness to help ensure secure practices are implemented.
- Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
- IT/cybersecurity personnel:
Level 3 — Well Defined
Security Awareness & Training (SAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to security awareness and training. o Defines minimum cybersecurity training (including certifications) for personnel, based on their specific roles. o Creates/governs security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Identifies and implements industry-recognized HR practices related to security workforce development and awareness to help ensure secure practices are implemented in personnel management operations. o Documents, retains and monitors individual training activities, including basic security awareness training, ongoing awareness training and specific-system training. o Ensures that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements. o Ensures all employees and contractors receive awareness education and training that is relevant for their job function, including social engineering-related threats.
- A Governance, Risk & Compliance (GRC) function, or similar function:
- A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including security awareness and training.
- Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
- The Human Resources (HR) department:
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provide role-based cybersecurity and data protection awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide role-based cybersecurity and data protection awareness training that is current and relevant to the cyber threats that users might encounter in day-to-day business operations.
Assessment Objectives
- SAT-03.6_A01 literacy training on the cyber threat environment is provided.
- SAT-03.6_A02 system operations reflect current cyber threat information.
- SAT-03.6_A03 the frequency of providing awareness training is defined.
- SAT-03.6_A04 the frequency of updating awareness training is defined.
- SAT-03.6_A05 security literacy training is provided to system users when required by system changes or following <A.03.02.01.ODP[02]: events>.
- SAT-03.6_A06 security literacy training content is updated <A.03.02.01.ODP[03]: frequency>.
- SAT-03.6_A07 security literacy training content is updated following <A.03.02.01.ODP[04]: events>.
Evidence Requirements
- E-SAT-04 Recurring User Training
-
Documented evidence of recurring (e.g., annual) user training for cybersecurity and/or data privacy topics.
Education
Technology Recommendations
Micro/Small
- US-CERT mailing lists & feeds
- Internal newsletters
Small
- US-CERT mailing lists & feeds
- Internal newsletters
Medium
- US-CERT mailing lists & feeds
- Internal newsletters
- InfraGard (https://infragard.org)
Large
- US-CERT mailing lists & feeds
- Internal newsletters
- InfraGard (https://infragard.org)
Enterprise
- US-CERT mailing lists & feeds
- Internal newsletters
- InfraGard (https://infragard.org)