Safeguard 14.3: Train Workforce Members on Authentication Best Practices

To meet Safeguard 14.3 (Train Workforce Members on Authentication Best Practices), you need a role-appropriate training program that teaches secure login behavior (MFA use, password/passphrase hygiene, phishing-resistant methods where applicable) and produces durable proof of completion and understanding. Operationalize it by defining the standard, assigning training to the right populations, and capturing recurring evidence tied to your control narrative. 1

Key takeaways:

  • Training must be specific to authentication behaviors employees actually perform, not generic “security awareness.” 2
  • Evidence matters as much as content: keep rosters, completion logs, and training artifacts on a recurring cadence. 3
  • Treat workforce and third-party non-employees with access as in-scope “workforce members” in your operational model. 2

Safeguard 14.3 sits in the “Security Awareness and Skills Training” domain and focuses narrowly on authentication. Your auditors will not accept “we do annual security awareness” unless you can show that authentication best practices were explicitly taught, targeted to the right audiences, and reinforced with proof you can produce on demand. 1

For most organizations, the fast path is to document a control statement that defines what “authentication best practices” means in your environment, publish it as a short standard, then implement training that maps directly to that standard. The second fast path is evidence: training content, assignment rules, completion reporting, exceptions handling, and a repeatable way to show coverage across employees, contractors, and other non-employees with accounts. 2

This page gives requirement-level guidance you can implement quickly: who is in scope, what training topics to include, how to deliver training without slowing operations, and what artifacts to retain so you can pass a CIS-aligned assessment (or support audits that crosswalk to CIS). Where helpful, it also highlights common examiner hangups and the failure modes that create real account-takeover risk.

Regulatory text

Framework requirement (excerpt): “CIS Controls v8 safeguard 14.3 implementation expectation (Train Workforce Members on Authentication Best Practices).” 1

Operator interpretation: You must train workforce members on the authentication behaviors your organization expects, so that people can authenticate securely and consistently. The “implementation expectation” language means assessors will look for both (1) a defined practice (your standard) and (2) proof it runs in production (your training operations and evidence). 1

Plain-English interpretation (what this really requires)

  • Define what “good authentication” looks like at your company (examples: MFA required, no password reuse, password managers allowed/required, how to handle push prompts, how to report suspected compromise).
  • Teach those expectations to everyone who authenticates to your systems, in a format they can absorb and apply.
  • Prove it happened with reliable records, and repeat it on an established cadence that matches your risk. 1

Who it applies to

In-scope entities

This applies to enterprises and technology organizations adopting CIS Controls v8 as a security baseline or assessment framework. 2

In-scope people (“workforce members” in practice)

Treat these groups as in scope if they authenticate to corporate or customer-impacting systems:

  • Employees (full-time, part-time)
  • Contractors/temps/interns
  • Privileged users (IT admins, security engineers, cloud admins)
  • Customer support and finance staff with access to sensitive systems
  • Third-party personnel who have named accounts in your IAM/SSO (even if they are not “employees” legally)

In-scope systems and contexts

  • SSO/IAM portals, VPN, VDI, email, collaboration suites
  • Cloud consoles and CI/CD platforms
  • Privileged access tooling
  • Any system where credential compromise would cause material business impact (data exposure, fraud, ransomware entry point)

What you actually need to do (step-by-step)

Step 1: Write an “Authentication Best Practices Standard” (1–2 pages)

Keep it short and operational. Include:

  • Approved authenticators: password/passphrase rules, MFA types allowed, FIDO2/passkeys if used
  • Prohibited behaviors: password reuse, sharing accounts, storing passwords in plaintext notes, approving unexpected push prompts
  • Password manager stance: allowed/required, approved tools, how to handle shared credentials if unavoidable
  • Device and session basics: locking screens, logging out on shared devices
  • Reporting path: where to report suspected credential compromise and how quickly

Artifact to produce: “Authentication Best Practices Standard vX.Y” with owner, version, and approval.

Step 2: Build training modules mapped to the standard

Create training that directly covers your standard’s requirements. Minimum content that auditors recognize as “authentication best practices” usually includes:

  • Creating strong passwords or passphrases and avoiding reuse
  • Recognizing credential phishing (fake login pages, OAuth consent scams) and how to verify URLs/domains
  • MFA behaviors: deny unexpected prompts, what to do if you receive repeated prompts, and how attackers abuse push fatigue
  • Secure recovery: what to do if locked out, how help desk should verify identity, and what users should never share with support
  • Privileged user add-on: admin account separation, step-up authentication, and how to handle emergency access safely

Artifacts to produce: slide deck, LMS module, recorded session, or written training doc; include date/version.

Step 3: Assign training by population (role-based coverage)

Define assignment rules in your LMS or GRC tool:

  • All workforce members: baseline authentication training on onboarding and recurring refresher
  • Privileged users: enhanced module with admin-specific scenarios
  • Help desk / service desk: identity verification and account recovery procedures (this group can bypass controls if not trained)
  • Developers / platform teams (if applicable): secrets handling and API tokens as “authentication material” in daily work

Artifact to produce: training matrix that maps roles to modules and frequency.

Step 4: Deliver the training and enforce completion

Operational controls to make this stick:

  • Automate assignment at hire and upon role change (HRIS-to-LMS integration if available).
  • Escalate overdue training to managers; define an exception process for leave/extended absence.
  • For critical roles, tie completion to access (for example, privileged access renewal requires training completion). Keep the rule practical so it doesn’t break operations.

Artifacts to produce: completion dashboards, overdue lists, manager attestations for exceptions.

Step 5: Test understanding and capture “proof of learning”

Add a short knowledge check that maps to your standard (example questions: “What do you do if you get an unexpected MFA push?”). Use pass/fail thresholds you can defend internally, and require retake if failed.

Artifacts to produce: quiz questions, completion results, and remediation evidence for non-passers.

Step 6: Operationalize recurring evidence capture (audit-ready)

CIS assessments often fail on “we did it” versus “show me.” Implement a recurring evidence packet:

  • Training content version used in the period
  • Roster of in-scope users (or a report by department/role)
  • Completion report with timestamps
  • Exception log with approvals
  • Proof of privileged-user module completion for the privileged population

This maps to the recommended control approach: document control operation and collect recurring evidence tied to Safeguard 14.3. 1

Step 7: Track metrics that indicate control health (qualitative is fine)

Avoid inventing performance numbers. Track what you can reliably report, such as:

  • Who is overdue by role
  • Repeat offenders (missed training multiple cycles)
  • High-risk groups with lower completion (contractors, distributed teams)
  • Help desk adherence to recovery scripts (spot checks)

Artifacts to produce: monthly or quarterly training status report and follow-up tickets.
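As an added example (not code from the page or from CIS), the Python below joins a constructed SSO group inventory, a role-to-module matrix and a constructed LMS completion log to produce the overdue-by-role list that Steps 3, 4, 6 and 7 depend on; the group names, module names and dates are assumptions made for this illustration.

```python
from datetime import date

# Constructed identity inventory keyed by SSO directory groups, not payroll
# status, so the contractor account is in scope automatically.
IDENTITY_INVENTORY = {
    "alice": {"all-staff", "cloud-admins"},
    "bob": {"all-staff", "service-desk"},
    "dan-contractor": {"all-staff"},
    "erin": {"all-staff", "cloud-admins", "service-desk"},
}
# Role-to-training matrix (Step 3): group -> (module, refresher interval in days).
# Group and module names are assumptions made for this example.
TRAINING_MATRIX = {
    "all-staff": ("auth-baseline", 365),
    "cloud-admins": ("auth-privileged", 180),
    "service-desk": ("auth-recovery-verification", 180),
}
# Constructed LMS completion log: (user, module, completion date). There is
# no record at all for dan-contractor, nor for erin's service-desk module.
COMPLETIONS = [
    ("alice", "auth-baseline", date(2024, 1, 10)),
    ("alice", "auth-privileged", date(2023, 6, 1)),  # stale on a 180-day cycle
    ("bob", "auth-baseline", date(2024, 2, 20)),
    ("bob", "auth-recovery-verification", date(2024, 3, 5)),
    ("erin", "auth-baseline", date(2024, 1, 15)),
    ("erin", "auth-privileged", date(2024, 2, 1)),
]
AS_OF = date(2024, 6, 1)  # constructed reporting date for the evidence period

def required_modules(groups):
    """Modules and refresher intervals a user owes, derived from SSO groups."""
    return {TRAINING_MATRIX[g][0]: TRAINING_MATRIX[g][1] for g in groups if g in TRAINING_MATRIX}

def overdue_report(inventory, completions, as_of):
    """{user: {module: reason}} for each requirement unmet on as_of: never
    completed, or last completed longer ago than the module's interval."""
    latest = {}
    for user, module, when in completions:
        latest[(user, module)] = max(when, latest.get((user, module), when))
    report = {}
    for user, groups in inventory.items():
        for module, interval in required_modules(groups).items():
            last = latest.get((user, module))
            if last is None:
                report.setdefault(user, {})[module] = "never completed"
            elif (as_of - last).days > interval:
                report.setdefault(user, {})[module] = f"last completed {last}"
    return report
```

Run against a real SSO export and LMS report, the output is the overdue list for manager escalation and, kept per period, the completion evidence Step 6 asks for.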

Required evidence and artifacts to retain

Use this as an auditor-ready checklist:

Evidence | What it proves | Owner
--- | --- | ---
Authentication Best Practices Standard (versioned) | Defined expectations for authentication behavior | Security/GRC
Training content (slides/module/recording) | Training actually covers authentication best practices | Security Awareness owner
Role-to-training matrix | Right people assigned the right training | GRC + HR/IT
LMS assignment rules/screenshots | Training is systematically assigned | HR/L&D or IT
Completion reports (with timestamps) | Workforce members completed training | L&D/GRC
Quiz results / knowledge checks | Understanding was evaluated | L&D/Security
Exception log + approvals | Exceptions are controlled and reviewed | GRC
Privileged user completion evidence | Higher-risk population covered | IAM/Security

Common exam/audit questions and hangups

  1. “Show me where authentication is covered in your training.” Have a module outline and the standard. 2
  2. “Who exactly is ‘workforce’?” Be ready to explain how you include contractors and third-party personnel with accounts.
  3. “How do you ensure privileged users get extra training?” Produce the role-based matrix and completion proof.
  4. “Is training current?” Show versioning and change history when MFA methods or SSO workflows change.
  5. “How do you handle non-completion?” Produce escalation steps and exceptions with approvals.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Generic awareness training with one slide on passwords. Fix: make authentication a distinct module with explicit learning objectives tied to your standard. 2
  • Mistake: No coverage for contractors or third-party users with accounts. Fix: drive training assignment from identity inventory (SSO directory groups) rather than payroll status.
  • Mistake: Training says “use MFA,” but operations allow SMS-only or bypasses without control. Fix: align training statements with actual IAM policy; don’t promise what you don’t enforce.
  • Mistake: Help desk recovery is unmanaged. Fix: train service desk on identity verification and prohibited “reset shortcuts,” then spot-check tickets.
  • Mistake: Evidence is scattered. Fix: keep a single “Safeguard 14.3 evidence folder” per period; Daydream can act as the system of record for control narratives and evidence requests so you can produce consistent packets quickly. 1

Enforcement context and risk implications

No public enforcement cases were provided for this requirement in the source catalog, so this page does not cite specific actions. Practically, weak authentication training increases the likelihood of account takeover via phishing, MFA prompt abuse, and social engineering of password resets. The business impact shows up as unauthorized access, fraud, and breach response costs. Your risk narrative should connect training to these failure modes, then show how your standard and training reduce them. 2

Practical 30/60/90-day execution plan

First 30 days (foundation)

  • Draft and approve the Authentication Best Practices Standard.
  • Inventory populations and systems: employees, contractors, privileged users, help desk.
  • Select training delivery method (LMS module, live session + attestation, or hybrid).
  • Build the role-to-training matrix and define exceptions workflow.

Days 31–60 (launch)

  • Publish baseline training and privileged-user add-on.
  • Implement automated assignment and escalation.
  • Add knowledge checks and remediation workflow.
  • Start collecting your first evidence packet (content version, rosters, completions).

Days 61–90 (stabilize and audit-proof)

  • Close gaps: contractor coverage, new hires, role changes.
  • Spot-check help desk recovery adherence and update training where real tickets show confusion.
  • Produce an assessor-ready control narrative: what you do, who owns it, how often, and what evidence is produced.
  • Move evidence collection into Daydream (or your GRC repository) with recurring tasks so the process survives team turnover. 1

Frequently Asked Questions

Do we need separate training for MFA versus passwords?

You need training that covers the authentication methods your organization uses and the user behaviors that cause failures. If MFA is required, include MFA-specific scenarios (unexpected prompts, recovery, device loss) as explicit learning objectives. 2

Are contractors and consultants in scope for Safeguard 14.3?

If they have accounts and authenticate to your systems, treat them as in scope operationally and train them to the same authentication standard. Document any exceptions and compensating controls. 2

What evidence will an assessor ask for first?

Expect requests for the training content, proof of assignment rules, and completion reports with timestamps. Keep a single evidence packet per period so you can respond quickly and consistently. 3

How do we handle workforce members who fail the quiz?

Require a retake and track remediation completion, then retain the results as evidence. If failures cluster in one group, update the training or add a targeted micro-training for that role. 2

Can we satisfy 14.3 with a policy acknowledgment instead of training?

Acknowledgments help, but they rarely demonstrate that people learned authentication behaviors. Pair the standard with training content and a knowledge check to create defensible evidence of instruction and comprehension. 2

How should we document the control so it survives audits and staff turnover?

Write a short control narrative that ties Safeguard 14.3 to your standard, training operations, and recurring evidence capture, then store the narrative and artifacts in a system of record such as Daydream. 1

Footnotes

  1. CIS Controls v8; CIS Controls Navigator v8

  2. CIS Controls v8

  3. CIS Controls Navigator v8
