The National Institute of Standards and Technology (NIST) Special Publication 800-171 lays out a framework for securing Controlled Unclassified Information (CUI) within nonfederal organizations. One crucial aspect of this framework is section 3.2, "Awareness and Training." This section outlines requirements to ensure everyone in the organization understands cybersecurity and their role in protecting information.

There are two main requirements within "Awareness and Training." The first mandates that all personnel, from managers and system administrators to everyday users, are aware of the security risks associated with their activities. This includes understanding how their actions can introduce vulnerabilities and the importance of following security policies. Employees should also be familiar with the specific procedures in place to safeguard information.

---

The second requirement focuses on providing training tailored to individual roles. Personnel need the knowledge and skills to fulfill their assigned information security responsibilities. This might involve training IT staff on secure system configuration or teaching employees how to identify and report phishing attempts. By ensuring everyone is informed and equipped to handle their security tasks, organizations can significantly reduce their cybersecurity risks.