The Awareness and Training family is the second family of requirements in the NIST 800-171 standard. This family covers the requirements that address how employees, contractors, or others on your IT system are educated on your cybersecurity policy and procedures.


Why is Awareness and Training important?

Cyber attackers are always looking to exploit any weakness in our networks and systems. And, when it comes to cybersecurity, it is us humans who are the greatest weakness. We are the ones who will click on an infected link in a phishing email; we are the ones who will find a USB memory stick in the parking lot and plug it into our computers; we are the ones who will use the sticky note on the monitor system to remember our passwords. So, we are the ones who can unintentionally let an attack through. However, with upfront and regular training, we can also learn and adapt to become cyber-aware vigilants!


What is Awareness and Training about in NIST 800-171?

There are only three requirements in the Awareness and Training family but, don’t let that number distract you from the importance of this family. The main focus of this family is to keep employee cybersecurity education a priority. Key points addressed within this family are:

  1. Make all employees aware of the security risks of their actions–provide training during onboarding to introduce your company cybersecurity policy and provide an overview of good cybersecurity habits.
  2. Keep all employees aware of your cybersecurity policies and procedures–hold refresher training or share materials throughout the year.
  3. Include cybersecurity training as an ongoing part of your strategic planning–cybersecurity risks grow each year and so your employee education will need to be updated, too.


If you are looking for supporting materials for your employee education plan, consider the resources provided in the Cybersecurity Toolkit.


Check back for our next blog post and learn more about the Audit and Accountability family. You may also be interested in reading our last post on Access Control.


Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.