Security Awareness Program

A Security Awareness Program meets the C2M2 requirement when you run recurring cybersecurity awareness activities for all personnel, and you can prove it with records. Operationalize it by defining the audience, setting minimum training/awareness expectations by role, delivering short recurring activities, and retaining completion and communications evidence. 1

Key takeaways:

  • Cover all personnel, including contractors and privileged users, with role-appropriate awareness activities.
  • Treat “awareness” as a repeatable operational process, not a one-time annual course.
  • Keep auditable evidence: assignments, completion, communications, and program governance.

Footnotes

  1. Cybersecurity Capability Maturity Model v2.1

Security awareness is one of the few controls that touches every other cybersecurity control you run. C2M2’s expectation is simple and operational: you conduct cybersecurity awareness activities for personnel, and you do it in a way that is repeatable and provable. 1

For a Compliance Officer, CCO, or GRC lead, the fastest path is to convert this requirement into three things you can manage: (1) a defined population (who must receive what), (2) a delivery cadence and content plan (how you will repeatedly reinforce safe behaviors), and (3) an evidence package that stands up in an assessment (what you can show without scrambling).

This page gives requirement-level implementation guidance: how to scope the program for an energy or critical infrastructure operator, how to execute awareness in a way operations teams will accept, what artifacts to retain, and what assessors tend to challenge. The goal is speed and durability: you should be able to stand up a defensible program quickly, then mature it without rework.

Regulatory text

Requirement (C2M2 WORKFORCE-1.D): “Cybersecurity awareness activities are conducted for personnel.” 1

Operator interpretation:
You must run cybersecurity awareness activities that reach your workforce. “Personnel” is broader than employees; treat it as anyone who can access your environment, facilities, systems, or data through accounts, badges, shared workstations, OT consoles, remote access, or third-party connectivity. “Activities” implies more than a policy posted on an intranet; it means you deliver communications or training that reinforce behaviors and address current threats and expected practices. 1

Plain-English interpretation (what this requirement is really asking)

A security awareness program requirement is satisfied when:

  • People receive security awareness content relevant to their access and responsibilities.
  • Activities recur often enough to stay current as threats and tooling change.
  • You can demonstrate participation and governance with records, not narratives.

If you can’t answer “who received what, when, and how do you know,” you will struggle in an assessment even if you believe the culture is strong.

Who it applies to (entity + operational context)

Primary applicability: Energy sector organizations and critical infrastructure operators. 1

Operationally, include these personnel categories:

  • Employees (corporate and operations).
  • Contractors and temps (especially those with facility access, OT access, maintenance roles, or remote access).
  • Third-party personnel who access systems under your control (managed service providers, engineering firms, OEM support, integrators).
  • Privileged users (admins, engineers, operators with elevated rights).
  • Incident-facing roles (SOC, IT ops, OT ops, plant operations leadership, safety, legal/compliance, comms).

A common gap in critical infrastructure is treating OT operators and contractors as “outside scope” because they do not have email or LMS access. If they touch HMIs, engineering workstations, jump hosts, or removable media workflows, they are in scope.

What you actually need to do (step-by-step)

1) Define scope and ownership (make it governable)

  • Name a program owner (often Security/GRC) and a delivery partner (HR/L&D, plant training, or operations training).
  • Document the in-scope population rule: “Any person with logical or physical access to systems, networks, facilities, or data.”
  • Create role groupings you can assign content to (examples below).

Practical role groupings

  • General users (office staff, basic system access)
  • OT operators / control room personnel
  • Engineering (OT and IT)
  • Privileged admins
  • Executives / incident decision-makers
  • Contractors / third parties (separate onboarding path)

2) Set minimum awareness expectations by role (keep it short and enforceable)

Write a one-page standard (or control description) that defines:

  • Required awareness activities (e.g., onboarding training, recurring refreshers, targeted campaigns).
  • Assignment rules (who gets what).
  • Completion expectations (what “complete” means: watched module, passed quiz, acknowledged policy, attended toolbox talk).
  • Escalation path for non-completion (manager notification, access gating where feasible).

Avoid turning this into a 20-page policy. Assessors want clarity and evidence, not prose.

3) Build an awareness content plan tied to your real risks

Your content should map to how compromise happens in your environment. For critical infrastructure, focus on:

  • Phishing and credential theft (email and SMS where used)
  • Remote access hygiene (VPN, jump hosts, MFA expectations)
  • Password manager and credential handling expectations (where applicable)
  • Removable media rules (especially OT)
  • Reporting paths for suspicious activity (clear, single front door)
  • Physical security and tailgating where facilities matter
  • Data handling basics (sensitive operational data, diagrams, configs)

Keep a living backlog of “next awareness topics” driven by incidents, near misses, audit findings, and threat intel you actually receive.

4) Deliver recurring awareness activities (multiple channels)

C2M2 calls for “activities,” so use more than one format:

  • Onboarding awareness for new joiners and new contractors before access is granted (or immediately upon granting).
  • Short periodic refreshers via LMS, toolbox talks, shift briefings, or safety meetings.
  • Targeted campaigns when risks spike (e.g., new phishing lure, new remote access tooling, major vendor incident affecting your stack).
  • Just-in-time messaging embedded in workflows (banners on remote access portals, reminders at badge stations, posters in break rooms for non-email workers).

If your OT population does not have regular computer access, run supervisor-led briefings with attendance logs. Treat that as valid awareness evidence.

5) Track completion and manage exceptions (this is where programs fail)

You need a system of record that can answer:

  • Who was assigned each activity
  • Who completed it and when
  • Who is overdue
  • What exceptions were granted, by whom, and why

Where an LMS cannot cover contractors, use a controlled spreadsheet or third-party portal with basic controls: versioning, access restrictions, and manager attestation.
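A minimal system of record that answers the four questions above, added here as an example and not Daydream's or C2M2's own tooling: the role groupings are those from step 1, the assignment rules follow step 2, and every person, completion, exemption and evidence pointer (including the manager attestation "mgr-jdoe") is constructed sample data.

```python
from collections import namedtuple
from datetime import date

# Assignment rules by role grouping (step 2): activity -> roles that must complete it.
ASSIGNMENT_RULES = {
    "onboarding-awareness": {"general", "ot-operator", "engineering", "privileged", "contractor"},
    "quarterly-refresher": {"general", "engineering", "privileged", "executive"},
    "ot-removable-media-brief": {"ot-operator", "engineering"},
    "privileged-access-module": {"privileged"},
}

Person = namedtuple("Person", "pid role")  # role is one of the step 1 groupings
Completion = namedtuple("Completion", "pid activity completed_on evidence")  # evidence: LMS report, roster or attestation id
Exemption = namedtuple("Exemption", "pid activity approved_by reason expires_on")  # the exception register entry

def assignments(people):
    """Expand the role rules into (pid, activity) pairs: 'who was assigned each activity'."""
    return {(p.pid, a) for p in people for a, roles in ASSIGNMENT_RULES.items() if p.role in roles}

def status_report(people, completions, exemptions, cycle_start, due_on, as_of):
    """Classify every assignment as complete, exempt, overdue, or pending as of a date."""
    done = {(c.pid, c.activity): c for c in completions if cycle_start <= c.completed_on <= as_of}
    exempt = {(e.pid, e.activity): e for e in exemptions if e.expires_on >= as_of}
    report = {"complete": [], "exempt": [], "overdue": [], "pending": []}
    for key in sorted(assignments(people)):
        if key in done:
            report["complete"].append((*key, done[key].evidence))
        elif key in exempt:
            report["exempt"].append((*key, exempt[key].approved_by, exempt[key].reason))
        elif as_of > due_on:
            report["overdue"].append(key)  # escalation list: manager notice, access gating where feasible
        else:
            report["pending"].append(key)
    return report

# Constructed sample records (not real personnel); a003's completion predates the cycle and must not count.
PEOPLE = [Person("e001", "general"), Person("o002", "ot-operator"), Person("a003", "privileged"), Person("c004", "contractor")]
COMPLETIONS = [
    Completion("e001", "onboarding-awareness", date(2024, 1, 10), "lms:report-2024Q1"),
    Completion("e001", "quarterly-refresher", date(2024, 2, 5), "lms:report-2024Q1"),
    Completion("o002", "onboarding-awareness", date(2024, 1, 12), "roster:shift-brief-2024-01-12"),
    Completion("a003", "onboarding-awareness", date(2023, 12, 20), "lms:report-2023Q4"),
    Completion("c004", "onboarding-awareness", date(2024, 1, 8), "attestation:mgr-jdoe"),
]
EXEMPTIONS = [Exemption("o002", "ot-removable-media-brief", "plant-mgr", "on leave; brief on return", date(2024, 4, 30))]

def example_report(as_of="2024-03-01"):
    """Report for a cycle that opened 2024-01-01 with completion due 2024-01-31."""
    return status_report(PEOPLE, COMPLETIONS, EXEMPTIONS, date(2024, 1, 1), date(2024, 1, 31), date.fromisoformat(as_of))
```

The same report run before the due date turns the overdue entries into pending ones, which is the distinction an escalation workflow needs.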

6) Measure effectiveness in a way you can defend

C2M2 does not prescribe metrics, but assessors commonly expect you to test whether awareness changes behavior. Use a small set of defensible indicators:

  • Phishing simulation outcomes (if you run them)
  • Volume/quality of user-reported suspicious messages
  • Time from user observation to report
  • Repeat offenders and targeted retraining completion
  • Audit findings related to human error categories

Do not over-engineer metrics. Pick a few, review them, and show actions taken.

7) Review and update content based on changes

Have a lightweight review trigger list:

  • Major incidents (internal or in your sector)
  • New tooling (MFA rollout, new remote access)
  • Material policy changes (data classification, removable media)
  • Audit findings that point to awareness gaps

Record when you updated the content plan and why.

Required evidence and artifacts to retain (audit-ready)

Maintain an evidence package that can be produced quickly:

Governance

  • Security awareness standard/control statement (scope, roles, requirements)
  • Program owner assignment and responsibilities
  • Annual/periodic content plan (topics and delivery methods)

Delivery & participation

  • LMS reports (assignments, completion dates, quiz results if used)
  • Attendance rosters for in-person/shift briefings and contractor sessions
  • Copies of awareness communications (emails, posters, portal banners, talking points)
  • Records showing targeted campaigns (what triggered them, when sent)

Exceptions & enforcement

  • Exception register (who, why, compensating measures, approval)
  • Escalation evidence for overdue training (tickets, manager notices)

Continuous improvement

  • Metrics dashboard snapshots and meeting notes showing review/actions
  • Post-incident lessons learned that resulted in awareness updates

Common exam/audit questions and hangups

Expect these questions and prepare “show me” answers:

  • Who is included in “personnel”? Do you include contractors and third parties with access?
  • How do you ensure OT/operators receive awareness if they lack email/LMS access?
  • What is your minimum baseline content and how is it assigned by role?
  • How do you track completion and handle non-completion?
  • How do you keep content current with threats and changes?
  • Show evidence from the last period: communications, attendance, completion reports, and updates.

Hangups usually appear where tracking is weak (contractors) or where toolbox talks do happen but lack consistent rosters and topic records.

Frequent implementation mistakes (and how to avoid them)

  1. Treating awareness as annual training only
    Fix: add recurring micro-activities and targeted campaigns tied to real events.

  2. Excluding third parties or contractors from scope
    Fix: make access contingent on awareness completion, or require manager attestation with evidence before granting credentials/badges.

  3. No role differentiation
    Fix: add a small set of role paths; privileged users and OT operators need different content than office staff.

  4. In-person sessions without evidence
    Fix: require a standard sign-in sheet, topic identifier, date, instructor, and retention process.

  5. No ownership for keeping content current
    Fix: assign a named owner and define review triggers tied to incidents and control changes.

Enforcement context and risk implications

No public enforcement cases were provided for this specific requirement in the source catalog, so you should treat this as a framework assessment expectation rather than a case-driven mandate. 1

Practically, awareness failures increase the likelihood of credential compromise, unsafe remote access behavior, and delayed incident reporting. For critical infrastructure, delayed reporting and mishandled access pathways can translate into operational disruption. Your goal is not perfect user behavior; it is repeatable reinforcement and fast reporting pathways that reduce dwell time and stop small issues from becoming outages.

A practical 30/60/90-day execution plan

First 30 days (stand up the minimum viable program)

  • Assign an owner and define “personnel” scope (include contractors/third parties with access).
  • Define role groupings and minimum awareness expectations per role.
  • Inventory delivery channels (LMS, email, shift briefs, contractor onboarding).
  • Publish a one-page awareness standard and a simple evidence retention approach.
  • Launch a first awareness activity that reaches the broadest audience.

Days 31–60 (close the tracking gaps)

  • Implement completion tracking for all groups, including OT and contractors.
  • Add an escalation workflow for overdue completion (manager notices, access gating where feasible).
  • Build a quarterly topic plan based on your top risks and recent incidents.
  • Create standard templates: briefing roster, campaign record, exception record.

Days 61–90 (make it durable and assessment-ready)

  • Add targeted modules for privileged users and OT operators.
  • Start effectiveness checks (lightweight metrics and review notes).
  • Run a tabletop for the reporting pathway: can personnel report suspicious activity quickly, and do you capture it?
  • Package evidence in a single folder structure that maps to your awareness standard.

Where Daydream fits naturally: If you struggle to chase evidence across HR, IT, plant training, and third-party onboarding, Daydream can centralize the control narrative and evidence requests so you can produce a clean awareness evidence packet without last-minute scraping.

Frequently Asked Questions

Does “security awareness program requirement” mean I need a formal written program?

You need a defined, repeatable approach and evidence that activities occurred for personnel. A short standard plus a content plan and completion/attendance records usually meets the intent. 1

Are contractors and third parties in scope?

If they have physical or logical access to your environment, treat them as “personnel” for awareness purposes. Build an onboarding path and keep proof of completion or documented attestation before access is granted. 1

Our OT operators don’t have email or LMS access. How do we comply?

Run supervisor-led briefings or safety-meeting add-ons with a consistent topic outline and attendance rosters. Store the rosters and the briefing content as your evidence package.

How often do awareness activities need to happen?

C2M2 requires that you conduct awareness activities, but it does not set a fixed cadence. Set a cadence you can sustain, then add targeted messages when threats, incidents, or tooling changes create new risk. 1

What’s the minimum evidence an assessor will accept?

Show the defined requirement (scope and expectations), proof of delivery (materials), proof of participation (completion reports or rosters), and a method for tracking exceptions. If any population is handled differently (e.g., contractors), document that workflow.

Can phishing simulations count as awareness?

They can be part of awareness activities, especially if you provide follow-up guidance and track outcomes. Do not rely on simulations alone; include baseline training and communications so the program covers expected behaviors across roles.

