NIST 800-53 REV 5 • AWARENESS AND TRAINING

AT-2(1) Practical Exercises

Provide practical exercises in literacy training that simulate events and incidents.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

Practitioner Notes

Do not just lecture people — give them hands-on exercises. Simulated phishing campaigns and tabletop exercises are far more effective than watching a video.

Example 1: Run monthly simulated phishing campaigns using KnowBe4 or Proofpoint. Vary the difficulty and themes (fake shipping notifications, fake IT helpdesk, fake CEO requests). Employees who click are automatically enrolled in remedial training. Track click rates over time to measure improvement.
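The tracking described in Example 1 is straightforward to implement on top of whatever results export a phishing-simulation platform provides. The following is an added illustration, not code from this page and not the KnowBe4 or Proofpoint API; it assumes a hypothetical per-recipient CSV export (campaign id, send date, theme, recipient, clicked flag, reported flag) and uses constructed sample rows. It computes per-campaign click and report rates, lists who to enrol in remedial training after a given campaign, flags repeat clickers, and measures the click-rate trend across campaigns.

```python
"""Phishing-simulation metrics tracker (added example with constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample export, one row per recipient per campaign.
# Columns: campaign_id, sent_date, theme, recipient, clicked, reported
SAMPLE_RESULTS = """\
2024-01,2024-01-15,shipping,alice@example.test,1,0
2024-01,2024-01-15,shipping,bob@example.test,0,1
2024-01,2024-01-15,shipping,carol@example.test,1,0
2024-01,2024-01-15,shipping,dave@example.test,0,0
2024-02,2024-02-12,helpdesk,alice@example.test,1,0
2024-02,2024-02-12,helpdesk,bob@example.test,0,1
2024-02,2024-02-12,helpdesk,carol@example.test,0,1
2024-02,2024-02-12,helpdesk,dave@example.test,0,0
2024-03,2024-03-11,ceo-request,alice@example.test,0,1
2024-03,2024-03-11,ceo-request,bob@example.test,0,1
2024-03,2024-03-11,ceo-request,carol@example.test,0,0
2024-03,2024-03-11,ceo-request,dave@example.test,1,0
"""


@dataclass(frozen=True)
class Result:
    campaign_id: str
    sent: date
    theme: str
    recipient: str
    clicked: bool
    reported: bool


def parse_results(text):
    """Parse the hypothetical CSV export into Result records."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cid, sent, theme, who, clicked, reported = line.split(",")
        rows.append(Result(cid, date.fromisoformat(sent), theme, who,
                           clicked == "1", reported == "1"))
    return rows


def campaign_metrics(rows):
    """Per-campaign click rate and report rate, ordered by send date."""
    by_campaign = defaultdict(list)
    for r in rows:
        by_campaign[r.campaign_id].append(r)
    metrics = []
    for cid, group in sorted(by_campaign.items(), key=lambda kv: kv[1][0].sent):
        n = len(group)
        clicks = sum(r.clicked for r in group)
        reports = sum(r.reported for r in group)
        metrics.append({"campaign_id": cid, "theme": group[0].theme,
                        "recipients": n, "click_rate": clicks / n,
                        "report_rate": reports / n})
    return metrics


def remedial_enrollment(rows, campaign_id):
    """Recipients who clicked in the given campaign: enrol them in remedial training."""
    return sorted(r.recipient for r in rows
                  if r.campaign_id == campaign_id and r.clicked)


def repeat_clickers(rows, min_clicks=2):
    """Recipients who clicked in at least min_clicks campaigns (candidates for extra coaching)."""
    counts = defaultdict(int)
    for r in rows:
        if r.clicked:
            counts[r.recipient] += 1
    return sorted(user for user, c in counts.items() if c >= min_clicks)


def click_rate_trend(metrics):
    """Change in click rate from first to last campaign; negative means improvement."""
    if len(metrics) < 2:
        return 0.0
    return metrics[-1]["click_rate"] - metrics[0]["click_rate"]


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    for m in campaign_metrics(results):
        print(f"{m['campaign_id']} ({m['theme']}): click {m['click_rate']:.0%}, "
              f"report {m['report_rate']:.0%}")
    print("Remedial enrollment after 2024-03:", remedial_enrollment(results, "2024-03"))
    print("Repeat clickers:", repeat_clickers(results))
    print("Click-rate trend:", click_rate_trend(campaign_metrics(results)))
```

Tracking the report rate alongside the click rate matters: a programme is working when employees start reporting the lures, not merely when clicks fall, and the repeat-clicker list is what justifies targeted follow-up rather than another organisation-wide video.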

Example 2: Conduct a quarterly tabletop exercise with your incident response team. Present a scenario (ransomware attack, insider threat, data breach) and walk through the response procedures. Document lessons learned and update your IR plan based on gaps identified during the exercise.