
Training Your Workforce: CMMC Awareness Requirements

The Awareness and Training (AT) family in NIST SP 800-171 Rev 2 includes three requirements that apply to CMMC Level 2: AT.L2-3.2.1 (ensure personnel are aware of security risks associated with their activities), AT.L2-3.2.2 (ensure personnel are trained to carry out their security responsibilities), and AT.L2-3.2.3 (provide insider threat awareness training). Together, these requirements demand more than a once-a-year compliance video.

AT.L2-3.2.1 — Security Risk Awareness

This requirement ensures that all users of organizational systems understand the security risks associated with their activities and the applicable policies and procedures. In practice, this means security awareness training that covers your organization's specific risks, not generic content about password hygiene.

Effective training for this control covers: how CUI is defined and identified in your organization, your organization's acceptable use policies, social engineering and phishing recognition, safe browsing and email practices, incident reporting procedures (who to contact and how), removable media policies, and remote work security requirements.

AT.L2-3.2.2 — Role-Based Training

This requirement goes beyond general awareness to role-specific training. System administrators need training on secure configuration, patch management, and log review. Incident response team members need training on forensic procedures and the 72-hour reporting requirement. Managers need training on access review responsibilities and personnel security. The training must match the actual security responsibilities of each role.

Document who requires what training, when they received it, and when it is due for renewal. Maintain training records as evidence for your C3PAO assessment. An assessor will ask to see training completion records and may interview personnel to verify that the training was effective.

AT.L2-3.2.3 — Insider Threat Awareness

This is the requirement that most training programs miss. Generic cybersecurity training typically focuses on external threats — phishing, malware, hackers. Insider threat awareness training must explicitly cover indicators of insider threat behavior, reporting procedures for suspected insider threats, the organization's insider threat program (if applicable), and case studies of real insider threat incidents.

Insider threats are not limited to malicious actors. Negligent insiders — employees who mishandle CUI through carelessness rather than intent — are actually more common. Training should address both categories.

Building an Effective Program

Frequency: Annual training is the minimum for all personnel. Quarterly reinforcement through newsletters, phishing simulations, or short modules keeps security top of mind. New hire training should occur within the first week of employment, not the first month.

Content quality: Use training content that is relevant to your industry and your specific environment. Defense contractors face different threats than retailers. Customize where possible.

Measurement: Track completion rates, assessment scores, and phishing simulation click rates. Use these metrics to identify areas where additional training is needed. If 30% of your employees click simulated phishing links, your training is not working.

Documentation: Maintain detailed training records including the training content, date delivered, personnel who completed it, and any assessment results. These records are primary evidence for the AT controls during your CMMC assessment.
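As an added illustration of the record-keeping and measurement steps above (not code from CMMCDocs or from NIST), the following Python builds the role-based training matrix the post describes, flags missing and overdue completions against the annual renewal and one-week new-hire window, and computes a phishing simulation click rate. Module names, the people, and the simulation results are constructed examples, not official identifiers.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Role-based training matrix mirroring the post's roles. Module names are
# assumed labels for this example, not NIST SP 800-171 or CMMC identifiers.
REQUIRED_MODULES = {
    "all": {"awareness-3.2.1", "insider-threat-3.2.3"},
    "sysadmin": {"secure-config", "patch-mgmt", "log-review"},
    "ir-team": {"forensics", "72h-incident-reporting"},
    "manager": {"access-review", "personnel-security"},
}
RENEWAL = timedelta(days=365)        # annual training is the stated minimum
NEW_HIRE_WINDOW = timedelta(days=7)  # new hires trained within the first week

@dataclass
class Person:
    name: str
    roles: set[str]
    hired: date
    completions: dict[str, date] = field(default_factory=dict)  # module -> last completed

def required_for(person: Person) -> set[str]:
    """Everyone gets the 'all' modules plus the modules for each of their roles."""
    mods = set(REQUIRED_MODULES["all"])
    for role in person.roles:
        mods |= REQUIRED_MODULES.get(role, set())
    return mods

def training_gaps(person: Person, today: date) -> dict[str, str]:
    """Return {module: reason} for each required module that is missing or overdue."""
    gaps = {}
    for mod in sorted(required_for(person)):
        done = person.completions.get(mod)
        if done is None:
            deadline = person.hired + NEW_HIRE_WINDOW
            status = "deadline passed" if today > deadline else "due by"
            gaps[mod] = f"missing ({status} {deadline})"
        elif today - done > RENEWAL:
            gaps[mod] = f"overdue since {done + RENEWAL}"
    return gaps

def phishing_click_rate(results: list[tuple[str, bool]]) -> float:
    """results: (person, clicked) pairs from one simulation; 0.0 if no results."""
    if not results:
        return 0.0
    return sum(1 for _, clicked in results if clicked) / len(results)

# Constructed sample records for a records review on 2025-06-01.
alice = Person("alice", {"sysadmin"}, date(2023, 1, 10), {
    "awareness-3.2.1": date(2025, 1, 15), "insider-threat-3.2.3": date(2024, 3, 1),
    "secure-config": date(2025, 2, 1), "patch-mgmt": date(2025, 2, 1)})
bob = Person("bob", set(), date(2025, 5, 29))  # new hire, nothing completed yet
SIMULATION = [("alice", True), ("bob", False), ("carol", False), ("dan", True), ("eve", False)]
```

Running `training_gaps(alice, date(2025, 6, 1))` reports the lapsed insider-threat module and the never-taken log-review module, which is the kind of gap list an assessor will expect you to already know about.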


Take the next step toward CMMC compliance

CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in with templates, evidence mapping, and a POA&M tracker. Spin up a free demo workspace.
