How Proofpoint Can Help You Meet CMMC 2.0 and 3.0 Compliance Requirements 

The Cybersecurity Maturity Model Certification (CMMC) program enforces the protection of sensitive unclassified information that the U.S. Department of Defense (DoD) shares with its contractors and subcontractors. You can learn more about the CMMC here.

In this blog post, we provide an overview of how Proofpoint Security Awareness training can help you meet CMMC 2.0 and 3.0 compliance requirements. 

CMMC overviews for awareness and training (AT) 

In this section, we’ll match compliance requirements with what’s provided by Proofpoint Security Awareness.  

CMMC Level 2  

  • AT.L2-3.2.1 – Role-Based Risk Awareness 
  • AT.L2-3.2.2 – Role-Based Training 

CMMC compliance requirement 

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities. 

How Proofpoint Security Awareness meets this need 

We offer targeted training that is based on: 

  • User ability (basic, beginner, intermediate and advanced) 
  • Role and function (21 options) 
  • Which users are most targeted by threats 
  • Which users click the most (the riskiest users) 

Proofpoint also offers training that is relevant for users in specific industries. 

Figure 1

An overview of the 21 different role-based training dropdowns. 

Figure 2

There are 13 industry training options offered by Proofpoint. 

  • AT.L2-3.2.3 – Insider Threat Awareness 

CMMC compliance requirement 

Provide security awareness training on recognizing and reporting potential indicators of insider threat. 

How Proofpoint Security Awareness meets this need  

Insider threats are a security concern for businesses across industries. That’s why we offer more than 120 training modules on this critical topic. 

Figure 3

A selected view of the more than 120 insider threat modules. 

CMMC Level 3 

  • AT.L3-3.2.1e – Advanced Threat Awareness 

CMMC compliance requirement 

Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat. 

How Proofpoint Security Awareness meets this need 

Our Threat Alerts and phish simulations stem from our industry-leading threat intelligence program where Proofpoint protects 26% of the world’s email. We use our data to provide our customers with updates weekly, if not more often, on the threat landscape. Our Threat Alerts and phish simulation campaigns cover the following topics and much more: 

  • Social engineering 
  • QR codes 
  • Voicemail lures 
  • Telephone-oriented attack delivery (TOAD) threats 
  • Advanced Persistent Threats (APTs)
  • E-crime actors 
  • Impostor threats 

Proofpoint Email Protection is updated hundreds of times daily as we see and block new threats. The Proofpoint Threat Intelligence team also works with the Proofpoint Security Awareness team to update the threat landscape weekly. Together, these teams ensure that cybersecurity training always reflects the latest threats. 

  • AT.L3-3.2.2e – Practical Training Exercises 

CMMC compliance requirement 

Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors. 

How Proofpoint Security Awareness meets this need 

Your users can be trained based on their role, experience level, vertical, “targeted-ness,” risky clicking behavior in the wild, and other factors. We can provide feedback to them right after they pass or fail a phishing test. We can also supply immediate or scheduled training for failures and repeat offenders. And we can alert managers to users’ failures, substandard and excellent performances, and more. 

Additional security awareness for the federal government  

Proofpoint Security Education features dozens of modules, assessments, and training and awareness materials that are related to federal government themes and needs. For example, you can access: 

  • Modules on controlled unclassified information (CUI) data handling, storage, marking and more 
  • Phish simulations and awareness materials that are based on threat actors’ spoofing of public agencies 

We also offer a curriculum for NIST SP 800-53 awareness training. It consists of 34 modules and covers the full training program for managers. 

Figure 4

Examples of the CUI modules and materials in our platform include posters, videos and GIFs. 

Figure 5

A dashboard view of a CUI marking assessment from January 2024. 

The NIST framework curriculum  

Our NIST SP 800-53 curriculum covers the AT-2 (awareness and training) control in full. Here are some views of our content.

Figure 6

NIST SP 800-53 Curriculum in the Proofpoint Security Awareness Dashboard Content Library. 

Figure 7

An overview of the NIST SP 800-53 Curriculum; 34 modules are available. 

Figure 8

A view of some federal government-themed content in the Content Library. 

Figure 9

A view of some federal government-themed lures in the Threat Alert tab. 

Learn more 

Proofpoint takes a holistic approach to cybersecurity education and awareness. We provide a proven framework that drives behavior change and real security outcomes. If you want to find out more or learn how we can tailor training to meet your needs, see the Proofpoint Security Awareness page.