AT.L2-3.2.1
Also known as: Security awareness training requirement
The NIST SP 800-171 requirement that mandates the contractor provide security awareness training to all users of in-scope systems.
AT.L2-3.2.1 requires the contractor to 'ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.'
In practice, this means an annual (at minimum) security awareness training program for every person with access to in-scope systems. The training should cover phishing recognition, password hygiene, CUI handling, incident reporting, acceptable use, and the contractor's specific policies.
A C3PAO will ask for the training curriculum, completion records by individual, and evidence that the training is current.
CMMCDocs.com