Official website of the Department of Homeland Security
TLP:WHITE

BEHAVE: Manage Security-Related Behavior FAQ

What is the Manage Security-Related Behavior (BEHAVE) security capability?

The BEHAVE security capability ensures authorized users are aware of and exhibit appropriate security-related behavior. These behaviors include actions that have been explained and “agreed to” by a user through methods such as training, user agreements, and job requirements. The security capability’s ability to verify appropriate security-related behavior is limited to checking for the existence of artifacts (e.g., completed training, passed tests) that demonstrate a user’s compliance with security-related behavior policy. Compliance with this policy is required for users to access systems or to perform their job duties.

What security results should we be able to achieve by implementing BEHAVE?

The BEHAVE security capability gives agencies insight into risks associated with authorized users not conforming to policy requirements for accessing systems and data. The most effective way to minimize these risks is to ensure that all authorized users, with or without special security responsibilities, exhibit the appropriate security-related behavior for their roles. The capability will also determine whether the risk from a current lack of training is higher than the level deemed acceptable by an agency.

What type of security issues are addressed by the BEHAVE security capability?

When agencies grant users access to facilities, systems, and information without the appropriate security training, demonstrated skill specialty knowledge, or certification, agencies increase their security risks. Poorly trained users—whether due to receiving access to sensitive data without security training, going through ineffective training, or not being assigned to the proper training—can engage in behaviors that compromise systems, expose sensitive data, or subvert security policies meant to mitigate risk.

What can I do to reduce my exposure to attacks exploiting poor security-related behavior?

The BEHAVE security capability ensures all users successfully complete the required training applicable to their role, demonstrate appropriate skills and knowledge, and complete any required retraining. It does so by verifying the following:

  • Only authorized users who exhibit appropriate security-related behavior are accessing facilities, systems, and information.
  • All authorized users have their security-related behavior validated and revalidated on a periodic basis.

How does the BEHAVE security capability define security-related behavior requirements?

The following are examples of how the BEHAVE security capability could define security-related behavior requirements:

  • If policy specifies that users complete awareness training at least annually, the BEHAVE security capability will identify individuals that have not completed required training at least annually.
  • If policy specifies that users complete role-based training, the BEHAVE security capability will identify individuals that have not successfully completed the required role-based training.
  • If policy specifies that users read and acknowledge a user agreement (e.g., acceptable use agreement), the BEHAVE security capability will identify individuals that have not completed the required agreements.
  • If policy specifies that users achieve a certain score to pass a test, the BEHAVE security capability will identify individuals that have not met the required passing score.

How does the BEHAVE security capability support ongoing automated assessments as defined by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations?

The BEHAVE security capability verifies users have been trained, have the skills and knowledge to perform their jobs, and have agreed to certain rules of behavior. This helps to fulfill the Awareness and Training (AT) and Planning (PL) families of controls in NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

What data should we collect to better prepare to implement the BEHAVE security capability?

Agencies should collect data associated with the following:

  • User roles;
  • Official security requirement policy for each role (e.g., how long a training activity is valid before it expires and a user must retake the training, how long grace periods are for each role); and
  • Documentation of users meeting security-related behavior requirements, including completed training and testing.

This will provide measurable data for the creation of automated security checks. These security checks provide the basis for automating the monitoring, reporting, and prioritization of security-related behavior deficiencies in an agency’s cyber environment. Continuous Diagnostics and Mitigation (CDM) will display deficiencies for review and action.
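The following added example (not DHS or CDM code) sketches one such automated check: it compares a desired state (per-role requirements with validity and grace periods) against an actual state (each user's recorded artifacts) and lists the deficiencies described in the requirement examples above. The role names, artifact names, period values, record layout, and the choice to count grace for a never-completed requirement from the role assignment date are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Requirement:
    artifact: str                    # training, test, or agreement name
    validity_days: int               # how long a completion stays valid
    grace_days: int                  # days allowed past the due date
    min_score: Optional[int] = None  # passing score, if the artifact is a test

# Desired state: constructed sample policy per role (values are assumptions).
POLICY = {
    "general_user": [Requirement("awareness_training", 365, 30),
                     Requirement("acceptable_use_agreement", 365, 0)],
    "sysadmin": [Requirement("privileged_user_training", 365, 30, min_score=80)],
}

# Actual state: constructed records; each user has roles (role -> date assigned)
# and artifacts as (name, completion date, score or None).
USERS = {
    "alice": ({"general_user": date(2022, 1, 10)},
              [("awareness_training", date(2023, 9, 1), None),
               ("acceptable_use_agreement", date(2023, 3, 1), None)]),
    "bob": ({"sysadmin": date(2024, 5, 15)},
            [("privileged_user_training", date(2024, 5, 20), 65)]),
    "carol": ({"sysadmin": date(2024, 1, 5)},
              [("privileged_user_training", date(2024, 2, 1), 70)]),
    "dave": ({"general_user": date(2024, 3, 1)}, []),
}
TODAY = date(2024, 6, 1)  # constructed evaluation date

def find_deficiencies(users, policy, today):
    """Return (user, role, artifact, status) for every unmet requirement."""
    findings = []
    for name, (roles, artifacts) in users.items():
        for role, assigned in roles.items():
            for req in policy.get(role, []):
                attempts = [a for a in artifacts if a[0] == req.artifact]
                passed = [d for _, d, s in attempts
                          if req.min_score is None or (s or 0) >= req.min_score]
                if passed:   # most recent valid completion sets the due date
                    due, reason = max(passed) + timedelta(days=req.validity_days), "expired"
                else:        # nothing valid on file: due from role assignment
                    due, reason = assigned, "failed_score" if attempts else "missing"
                if today > due:
                    in_grace = today <= due + timedelta(days=req.grace_days)
                    findings.append((name, role, req.artifact,
                                     "in_grace" if in_grace else reason))
    return findings
```

Findings with status `in_grace` are not yet policy violations; reporting them separately lets a training office act before the grace period ends.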

How can I assign managers for the BEHAVE security capability?

Agencies should collaborate with their designated CDM program point of contact (POC); Identity, Credential, and Access Management (ICAM) program management office; and training management office to identify proper managers for the BEHAVE security capability.

How can we prevent non-compliance with training requirements in the first place?

Agencies need to ensure that all authorized users are trained and aware of cybersecurity and information security policies and best practices and have basic knowledge of an attacker’s methodologies and goals. Here are some practices an agency can perform to improve security-related behavior:

  • Establish policies and procedures for identifying a user’s role and required training (e.g., supervisors should complete or authorize user access rights and privileges for employees, including contractors);
  • Reduce grace period duration (e.g., training requirements must be met within one month instead of three months);
  • Automatically disable accounts when training requirements are not met within a specified time frame;
  • Implement awareness training programs that provide ongoing awareness messaging, such as daily or weekly tips;
  • Ensure awareness training and role-based training material are relevant to current vulnerabilities and threats—keep material relevant to the end-user; and
  • Reduce preset time limits on updates to training requirement data pulls.

How does the BEHAVE security capability relate to or support other CDM capabilities?

The BEHAVE security capability supports other CDM security capabilities by providing actual state and desired state conditions related to training management within an agency. CDM can compare these conditions to determine risk areas that agencies need to address.

What is the Master User Record (MUR)?

Each CDM Phase 2 security capability requires data on user attributes (e.g., a user’s roles, security privileges, accounts) to enforce policy and identify defects regarding who is on the network. The MUR serves as a repository for user-related data collected from CDM tools and sensors, and contains a set of attributes or assertions about each user. The MUR stores information for each user that requests access to information, information systems, and facilities. It consolidates a user’s comprehensive set of job functions and system roles and their associated accesses and privileges in one place.
