
# Security Awareness & Training Policy

- Document ID: AUL-POL-10
- Version: 1.0
- Classification: Internal
- Owner: Chief Technology Officer / ISSM
- Effective: TBD-YYYY-MM-DD
- Next Review: TBD-YYYY-MM-DD
## 1. Purpose
This policy establishes the security awareness and training program for Aulendur Labs, Inc. All personnel shall receive training sufficient to recognize threats, protect Controlled Unclassified Information (CUI), and fulfill their security responsibilities. This policy implements NIST SP 800-171 Rev. 3 controls 03.02.01 (Literacy Training and Awareness), 03.02.02 (Role-Based Training), and 03.02.03 (Insider Threat Awareness).
## 2. Scope
This policy applies to:
- Personnel: All employees, contractors, interns, and advisors with access to Aulendur information systems or data.
- Training topics: Security awareness, CUI handling, ITAR awareness, insider threat, phishing, incident reporting, and role-based security skills.
- Systems: Training records shall be maintained in the Training Records register (`registers/training-records.md`, forthcoming).
## 3. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Executive Officer (CEO) | Approves this policy; allocates training budget; completes required training. |
| Chief Technology Officer (CTO) / ISSM | Owns this policy; develops or selects training content; delivers or coordinates training; tracks completion; reports training metrics. |
| All Personnel | Complete assigned training within required timelines; apply training in daily work; report suspected threats. |
## 4. Policy Statements

### 4.1 General Security Awareness Training
4.1.1 All personnel shall complete initial security awareness training within 10 business days of their start date, before being granted access to systems processing Confidential or CUI data (NIST SP 800-171 R3 03.02.01).
4.1.2 All personnel shall complete annual security awareness refresher training. Refresher training shall be completed within 30 calendar days of the training anniversary date.
4.1.3 General security awareness training shall cover, at minimum:
- (a) Aulendur's information classification scheme (Public, Internal, Confidential, CUI, ITAR) and handling requirements per the Information Classification & Handling Policy.
- (b) Password and credential management (1Password Business, unique passwords, no sharing).
- (c) Multi-factor authentication (YubiKey FIDO2/WebAuthn usage and safeguarding).
- (d) Phishing and social engineering recognition and reporting procedures.
- (e) Acceptable use of Aulendur systems per the Acceptable Use Policy.
- (f) Incident reporting (what to report, when, and to whom — CTO/ISSM within 1 hour via Slack #security-incidents).
- (g) Physical security and clean desk practices.
- (h) Remote work security requirements.
- (i) Section 889 prohibited equipment awareness (no Huawei, ZTE, Hytera, Hikvision, Dahua).
4.1.4 Training format may include live briefings by the CTO/ISSM, recorded presentations, online training platforms, or a combination. At ~5 personnel, live briefings are the preferred format to allow interactive discussion.
> [!NOTE]
> DECISION POINT: At ~5 personnel, a commercial Security Awareness Training (SAT) platform (e.g., KnowBe4, Proofpoint) may be cost-prohibitive. The CTO/ISSM may deliver training via internal briefings and documented slide decks, supplemented by free resources (CISA, SANS Securing the Human newsletters). When headcount exceeds 15 or a C3PAO assessment is imminent, a commercial SAT platform should be adopted for scalability and audit evidence.
### 4.2 CUI-Specific Training
4.2.1 Personnel with access to CUI shall complete CUI handling training before receiving CUI access. This training shall cover: (a) CUI marking per 32 CFR Part 2002 and DoD Instruction 5200.48, (b) CUI storage and transmission requirements, (c) CUI spillage recognition and reporting, (d) CUI destruction requirements, and (e) DFARS 252.204-7012 obligations including 72-hour DoD cyber incident reporting.
4.2.2 CUI training shall be refreshed annually and within 30 calendar days of significant changes to CUI handling procedures.
### 4.3 ITAR/EAR Awareness Training
4.3.1 Personnel with access to ITAR-controlled or EAR-controlled data shall complete export control awareness training before receiving access. This training shall cover: (a) ITAR/EAR fundamentals and the distinction between the two regimes, (b) the definition of "US Person" per 22 CFR 120.16, (c) deemed export rules, (d) prohibited transfers to non-US persons, (e) penalties for violations (up to $1,000,000 fine and 20 years imprisonment per ITAR violation under 22 USC 2778), and (f) reporting obligations for suspected violations.
4.3.2 ITAR/EAR training shall be refreshed annually.
### 4.4 Role-Based Training
4.4.1 Personnel with security-significant roles shall receive role-based training commensurate with their responsibilities (NIST SP 800-171 R3 03.02.02):
| Role | Additional Training Topics | Frequency |
|---|---|---|
| CTO/ISSM | CMMC assessment preparation, NIST 800-171 R3 controls, incident response leadership, DFARS reporting, risk management | Annual + as needed |
| System Administrators | System hardening (CIS benchmarks), log management, patch management, vulnerability scanning, secure configuration | Annual + as needed |
| Developers | Secure coding practices, OWASP Top 10, dependency management, code review security, CI/CD pipeline security | Annual + as needed |
| Data Owners | Data classification, CUI marking, access authorization, retention and disposal | Annual |
4.4.2 Role-based training shall be completed within 30 calendar days of role assignment and refreshed annually.
### 4.5 Insider Threat Awareness
4.5.1 All personnel shall receive insider threat awareness training as part of initial onboarding and annually thereafter (NIST SP 800-171 R3 03.02.03). This training shall cover: (a) indicators of insider threat behavior (unauthorized data exfiltration, access pattern anomalies, disgruntlement, policy violations), (b) reporting channels (CTO/ISSM, CEO), (c) protections for good-faith reporters (no retaliation per AUL-POL-06), and (d) the distinction between legitimate security reporting and unsubstantiated accusations.
### 4.6 Phishing Simulation
4.6.1 The CTO/ISSM should conduct phishing simulation exercises at least semi-annually to test personnel awareness. Results shall inform targeted remedial training.
4.6.2 Personnel who fail a phishing simulation (click a simulated malicious link or submit credentials) shall complete supplemental phishing awareness training within 10 business days. Repeated failures (3 or more in a 12-month period) shall be escalated to the CEO as a personnel performance concern.
### 4.7 Incident Response Training
4.7.1 All personnel shall understand their role in incident response as part of general awareness training: recognize, report, preserve evidence, do not attempt to independently investigate or remediate.
4.7.2 The CTO/ISSM and any personnel with incident response roles shall participate in at least one tabletop exercise annually, simulating a cyber incident involving CUI (NIST SP 800-171 R3 03.06.05).
### 4.8 Training Records and Metrics
4.8.1 The CTO/ISSM shall maintain training records documenting: (a) the individual's name and role, (b) training topic, (c) completion date, (d) training provider/method, and (e) pass/fail status (if applicable). Records shall be retained in the Training Records register (`registers/training-records.md`, forthcoming) for a minimum of 3 years.
4.8.2 The CTO/ISSM shall report training completion rates to the CEO quarterly. The target completion rate is 100% within required timelines.
4.8.3 Personnel who fail to complete required training within the specified timelines shall have their system access suspended until training is completed. Suspension shall be implemented within 5 business days of the deadline.
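The timelines in 4.1.1, 4.1.2, 4.6.2 and 4.8.3 are the numbers the CTO/ISSM has to check against the register every quarter. The following script is an added illustration, not part of AUL-POL-10 and not Aulendur code: it applies those deadlines to a constructed set of training records and phishing-simulation results and reports who is overdue, by when access must be suspended, and whose phishing failures must be escalated to the CEO. The record layout, the Monday-to-Friday business-day rule (no holiday calendar) and the reading of "12-month period" as 365 days are assumptions.

```python
"""Training-timeline checker for AUL-POL-10 (added illustration, not Aulendur code).

Applies the policy's stated timelines to a constructed training register:
  4.1.1  initial awareness training within 10 business days of start date
  4.1.2  refresher within 30 calendar days of the training anniversary
  4.8.3  access suspension within 5 business days of a missed deadline
  4.6.2  escalation at 3 or more phishing-simulation failures in 12 months
Assumptions: business days are Mon-Fri with no holiday calendar; "12-month
period" is read as 365 days; the record layout is illustrative only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INITIAL_TRAINING_BUSINESS_DAYS = 10   # 4.1.1
REFRESHER_GRACE_CALENDAR_DAYS = 30    # 4.1.2
SUSPENSION_BUSINESS_DAYS = 5          # 4.8.3
PHISHING_FAILURE_THRESHOLD = 3        # 4.6.2
PHISHING_WINDOW_DAYS = 365            # assumption: 12 months as 365 days


def add_business_days(start: date, n: int) -> date:
    """Date n Monday-to-Friday days after `start` (assumption: no holidays modelled)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:        # weekday() 0-4 is Monday-Friday
            remaining -= 1
    return current


@dataclass
class TrainingRecord:
    """One register row: the 4.8.1 fields plus the date that starts the policy clock."""
    name: str
    role: str
    topic: str
    kind: str                   # "initial" (trigger = start date) or "refresher" (trigger = anniversary)
    trigger_date: date
    completed: Optional[date]   # None until the training is done
    method: str = "live briefing"

    def deadline(self) -> date:
        if self.kind == "initial":
            return add_business_days(self.trigger_date, INITIAL_TRAINING_BUSINESS_DAYS)
        return self.trigger_date + timedelta(days=REFRESHER_GRACE_CALENDAR_DAYS)

    def suspension_due(self) -> date:
        """Latest date by which access must be suspended if still incomplete (4.8.3)."""
        return add_business_days(self.deadline(), SUSPENSION_BUSINESS_DAYS)

    def is_overdue(self, today: date) -> bool:
        return self.completed is None and today > self.deadline()

    def completed_late(self) -> bool:
        return self.completed is not None and self.completed > self.deadline()


def phishing_escalations(failures: dict, today: date) -> list:
    """Names with >= threshold simulation failures inside the trailing window (4.6.2)."""
    window_start = today - timedelta(days=PHISHING_WINDOW_DAYS)
    return sorted(
        name for name, dates in failures.items()
        if sum(1 for d in dates if window_start < d <= today) >= PHISHING_FAILURE_THRESHOLD
    )


def compliance_report(records: list, failures: dict, today: date) -> dict:
    """Quarterly view for the CTO/ISSM (4.8.2): overdue, suspend-now, late, escalations."""
    overdue = [r for r in records if r.is_overdue(today)]
    return {
        "overdue": [(r.name, r.topic, r.deadline(), r.suspension_due()) for r in overdue],
        "suspend_now": sorted(r.name for r in overdue if today >= r.suspension_due()),
        "completed_late": sorted(r.name for r in records if r.completed_late()),
        "phishing_escalations": phishing_escalations(failures, today),
    }


# Constructed sample data; not real personnel, dates or register contents.
TODAY = date(2026, 3, 2)   # a Monday
RECORDS = [
    TrainingRecord("Person A", "Developer", "Security Awareness", "initial", date(2026, 2, 2), date(2026, 2, 10)),
    TrainingRecord("Person B", "Intern", "Security Awareness", "initial", date(2026, 2, 9), None),
    TrainingRecord("Person C", "Data Owner", "Security Awareness refresher", "refresher", date(2026, 1, 15), None),
    TrainingRecord("Person D", "Sysadmin", "Security Awareness refresher", "refresher", date(2026, 2, 20), None),
]
PHISHING_FAILURES = {
    "Person A": [date(2025, 2, 1), date(2025, 9, 9), date(2026, 1, 12)],   # only 2 inside the window
    "Person B": [date(2025, 6, 10), date(2025, 11, 3), date(2026, 2, 18)],  # 3 inside the window
}

if __name__ == "__main__":
    for key, value in compliance_report(RECORDS, PHISHING_FAILURES, TODAY).items():
        print(f"{key}: {value}")
```

Run as-is it shows Person B (initial training due 23 Feb, suspension due today) and Person C (refresher due 14 Feb, suspension already due on 20 Feb) as overdue, Person D still inside the 30-day window, and Person B as the only phishing escalation, since one of Person A's three failures falls outside the trailing 12 months. Replacing the constructed `RECORDS` with rows read from the register turns this into the quarterly completion report that 4.8.2 requires.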
### 4.9 Training Content Review
4.9.1 The CTO/ISSM shall review and update training content at least annually, incorporating: (a) lessons learned from security incidents, (b) new threats relevant to the defense industrial base, (c) changes to Aulendur's technology stack or procedures, and (d) regulatory updates (NIST, DFARS, CMMC, ITAR).
## 5. Standards & Procedures Referenced
The following companion documents implement this policy:
- Information Classification & Handling Policy
- Acceptable Use Policy
- Code of Conduct & Ethics Policy
- Personnel Security Policy
- Onboarding & Offboarding Policy
- Insider Threat Program Policy (forthcoming)
- Phishing Reporting SOP (forthcoming)
- Training Records register: `registers/training-records.md` (forthcoming)
## 6. Compliance & Enforcement
Failure to complete required training within specified timelines shall result in suspension of system access. Deliberate avoidance of training or falsification of training records constitutes a policy violation and may result in disciplinary action up to and including termination. Suspected violations shall be reported to the CTO/ISSM.
## 7. Exceptions
Exceptions to training timelines (e.g., extended leave) require written approval per the Policy Exception & Waiver Policy. Training shall be completed within 10 business days of the individual's return.
## 8. Definitions
| Term | Definition |
|---|---|
| Security Awareness Training | Training designed to inform all personnel of cybersecurity threats and their responsibilities for protecting information assets. |
| Role-Based Training | Specialized training tailored to the security responsibilities of a specific role. |
| CUI | Controlled Unclassified Information, per 32 CFR Part 2002. |
| ITAR | International Traffic in Arms Regulations (22 CFR 120-130). |
| Insider Threat | The risk that a person with authorized access uses that access to harm the organization's information, systems, or mission. |
| Phishing Simulation | A controlled exercise that sends simulated phishing emails to personnel to test their ability to recognize and report social engineering. |
| Tabletop Exercise | A discussion-based exercise where participants walk through a simulated scenario to test plans and procedures. |
## 9. References
- NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
- CMMC 2.0 Level 2, Cybersecurity Maturity Model Certification
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- 32 CFR Part 2002, Controlled Unclassified Information
- DoD Instruction 5200.48, Controlled Unclassified Information
- NIST SP 800-50 Rev. 1, Building an Information Technology Security Awareness and Training Program
- ITAR (22 CFR 120-130), International Traffic in Arms Regulations
## 10. Control Mappings
| Framework | Control ID | Control Title | Coverage |
|---|---|---|---|
| NIST SP 800-171 R3 | 03.02.01 | Literacy Training and Awareness | Full |
| NIST SP 800-171 R3 | 03.02.02 | Role-Based Training | Full |
| NIST SP 800-171 R3 | 03.02.03 | Insider Threat Awareness | Full |
| NIST SP 800-171 R3 | 03.06.05 | Incident Response Training | Partial — full coverage with AUL-POL-59 and AUL-PLN-02 |
| CMMC 2.0 L2 | AT.L2-3.2.1 | Role-Based Risk Awareness | Full |
| CMMC 2.0 L2 | AT.L2-3.2.2 | Role-Based Training | Full |
| CMMC 2.0 L2 | AT.L2-3.2.3 | Insider Threat Awareness | Full |
| NIST SP 800-53 R5 | AT-2 | Literacy Training and Awareness | Full |
| NIST SP 800-53 R5 | AT-3 | Role-Based Training | Full |
| NIST SP 800-53 R5 | AT-4 | Training Records | Full |
## 11. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | TBD-YYYY-MM-DD | J. Gershenson | Initial issue. |
© Aulendur Labs, Inc. 2026. Internal use only unless otherwise classified.