NIST 800-53 REV 5 • AWARENESS AND TRAINING
AT-3(3) — Practical Exercises
Provide practical exercises in security and privacy training that reinforce training objectives.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on conducting privacy impact assessments.
Practitioner Notes
Role-based training should include practical exercises — not just classroom learning. Hands-on practice builds skills that lectures alone cannot.
Example 1: Set up a cyber range (using tools like Hack The Box, TryHackMe, or a private range with DVWA and Metasploitable) for your security team. Assign monthly challenges that mirror real-world scenarios they might encounter. Track participation and performance.
Example 2: For incident responders, conduct quarterly IR drills. Inject a simulated incident (a test phishing email clearly marked as a drill, or a fake malware alert) into your SOC and have the team respond using your documented IR procedures. After the drill, conduct a hot wash to identify gaps in detection, escalation, and containment, and update the procedures accordingly.