The Cybersecurity Maturity Model Certification (CMMC) program enforces the protection of sensitive unclassified information that the U.S. Department of Defense (DoD) shares with its contractors and subcontractors. You can learn more about the CMMC here.
In this blog post, we provide an overview of how Proofpoint Security Awareness training can help you meet CMMC 2.0 and 3.0 compliance requirements.
CMMC overviews for awareness and training (AT)
In this section, we’ll match compliance requirements with what’s provided by Proofpoint Security Awareness.
CMMC Level 2
- AT.L2-3.2.1 – Role-Based Risk Awareness
- AT.L2-3.2.2 – Role-Based Training
CMMC compliance requirement
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
How Proofpoint Security Awareness meets this need
We offer targeted training that is based on:
- User ability (basic, beginner, intermediate and advanced)
- Role and function (21 options)
- Which users are most targeted by threats
- Which users click the most (the riskiest users)
Proofpoint also offers training that is relevant for users in specific industries.
An overview of the 21 different role-based training dropdowns.
There are 13 industry training options offered by Proofpoint.
- AT.L2-3.2.3 – Insider Threat Awareness
CMMC compliance requirement
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
How Proofpoint Security Awareness meets this need
Insider threats are a security concern for businesses across industries. That’s why we offer more than 120 training modules on this critical topic.
A selected view of the more than 120 insider threat modules.
CMMC Level 3
- AT.L3-3.2.1e – Advanced Threat Awareness
CMMC compliance requirement
Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
How Proofpoint Security Awareness meets this need
Our Threat Alerts and phish simulations stem from our industry-leading threat intelligence program; Proofpoint protects 26% of the world’s email. We use our data to provide our customers with updates weekly, if not more often, on the threat landscape. Our Threat Alerts and phish simulation campaigns cover the following topics and much more:
- Social engineering
- QR codes
- Voicemail lures
- Telephone-oriented attack delivery (TOAD) threats
- Advanced Persistent Threats (APTs)
- E-crime actors
- Impostor threats
Proofpoint Email Protection is updated hundreds of times daily as we see and block new threats. The Proofpoint Threat Intelligence team also works with the Proofpoint Security Awareness team to update the threat landscape weekly. Together, these teams ensure that cybersecurity training always reflects the latest threats.
- AT.L3-3.2.2e – Practical Training Exercises
CMMC compliance requirement
Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
How Proofpoint Security Awareness meets this need
Your users can be trained based on their role, experience level, vertical, “targeted-ness,” risky clicking behavior in the wild, and other factors. We can provide feedback to them right after they pass or fail a phishing test. We can also supply immediate or scheduled training for failures and repeat offenders. And we can alert managers to users’ failures, substandard and excellent performances, and more.
Additional security awareness for the federal government
Proofpoint Security Education features dozens of modules, assessments, and training and awareness materials that are related to federal government themes and needs. For example, you can access:
- Modules on controlled unclassified information (CUI) data handling, storage, marking and more
- Phish simulations and awareness materials that are based on threat actors’ spoofing of public agencies
We also offer a curriculum for NIST SP 800-53 awareness training. It features 34 modules that provide a complete curriculum for training managers.
Examples of the CUI modules and materials in our platform include posters, videos and GIFs.
A dashboard view of a CUI marking assessment from January 2024.
The NIST framework curriculum
The NIST SP 800-53 AT-2 Awareness and Training Control is a complete curriculum. Here are some views of our content.
The NIST SP 800-53 Curriculum inside the Proofpoint Security Awareness Dashboard Content Library.
The NIST SP 800-53 Curriculum Overview; 34 modules are available.
A view of some federal government-themed content in the Content Library.
A view of some federal government-themed lures in the Threat Alert tab.
Learn more
Proofpoint takes a holistic approach to cybersecurity education and awareness. We provide a proven framework that drives behavior change and real security outcomes. If you want to find out more or learn how we can tailor training to meet your needs, see the Proofpoint Security Awareness page.