CIS Controls 14.3: Authentication Best Practices Training
Human error remains a primary attack vector for credential compromise. CIS Controls 14.3 requires organizations to systematically train workforce members on authentication best practices, including multi-factor authentication (MFA), secure password composition, and credential management. This foundational control strengthens your security posture by building security awareness across your entire organization.
What this means
CIS Control 14.3 mandates that your organization develop and deliver training to all workforce members covering authentication security topics. This includes teaching employees how to create strong passwords, recognize phishing attempts targeting credentials, properly manage stored credentials, and understand the importance of multi-factor authentication. The control recognizes that technical security controls alone are insufficient without informed users who understand their role in protecting authentication mechanisms.
How to comply
- 1.Develop authentication training curriculum covering MFA setup, password composition rules, and credential handling procedures
- 2.Deliver initial training to all new workforce members during onboarding as part of security orientation
- 3.Conduct annual refresher training for existing employees to reinforce authentication best practices
- 4.Cover phishing awareness and credential harvesting tactics in training materials
- 5.Document training completion and maintain records of attendees and dates
- 6.Test knowledge retention through periodic assessments or quiz-based validation
- 7.Update training content annually to address emerging authentication threats and new organizational tools
Evidence auditors look for
- Training curriculum documentation with learning objectives for authentication topics
- Records of training delivery dates, attendee names, and completion confirmations
- Training presentation materials or recorded sessions covering MFA, password policies, and credential management
- New hire onboarding checklist showing authentication training as required step
- Annual training attendance logs demonstrating workforce-wide participation
- Assessment results or completion certificates showing knowledge validation
- Policy updates reflecting changes to authentication training requirements
- Training sign-off forms or learning management system (LMS) completion records
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates training assignment tracking and maintains audit-ready attendance records, eliminating manual spreadsheets and ensuring your authentication training completion evidence is instantly accessible during compliance reviews.
See how GRCWatch handles this control automatically
Start free trial