Human error is consistently reported as a leading cause of cyber incidents across industries. CMMC recognizes this reality and requires every organization seeking Level 2 certification to implement a structured, documented security awareness training program. This is not a one-time onboarding exercise; it is an ongoing program with specific content requirements, documentation obligations, and assessor expectations.

This nugget covers the three AT controls in CMMC Level 2, what a compliant training program looks like in practice, and the documentation failures that most commonly cause organizations to fail this domain.

The Awareness and Training (AT) Control Family

AT.L2-3.2.1: Ensure personnel are aware of security risks associated with their activities and organizational policies and procedures related to those risks

This requirement applies to all personnel, not just IT staff: everyone must understand the security risks associated with their day-to-day activities and the organizational policies that govern their behavior. It is the foundational awareness requirement: every person who touches your CUI environment must know what the risks are and what the rules are.

What assessors look for:

  • A documented security awareness program covering the required content areas
  • Evidence that all personnel completed training, not just that training was offered
  • A defined and documented training frequency in organizational policy
  • Employee acknowledgment sign-offs confirming understanding of policies and responsibilities
  • Evidence of program effectiveness. Phishing simulations with documented outcomes are one example of how organizations demonstrate this, but they are not the only approach

Practical Tip: Whatever method your organization uses to demonstrate training effectiveness, document the outcomes. Metrics matter to assessors more than the specific method used.

AT.L2-3.2.2: Ensure personnel are trained to carry out their assigned information security responsibilities

This requirement goes beyond general awareness. It requires that individuals with specific security responsibilities receive training tailored to those responsibilities. This includes IT administrators, security personnel, CUI handlers, system owners, and anyone with privileged access.

What assessors look for:

  • Role-specific training content tied to actual job responsibilities, not just general cybersecurity awareness
  • Evidence that training content matches the access level and responsibilities of the role
  • Documentation showing which roles received which training
  • Training content that addresses the specific systems, tools, and procedures the role uses

AT.L2-3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider threat

All personnel must receive training specifically focused on recognizing behaviors or indicators that may signal an insider threat and understanding how and where to report concerns. This is not satisfied simply by including a general reference to insider threats in broader awareness content. It requires deliberate, documented training on the topic.

What assessors look for:

  • Training content that specifically addresses insider threat indicators, not just a passing mention within a broader module
  • Coverage of reporting mechanisms, including any anonymous reporting options the organization provides
  • Documentation that this content was delivered and completed by personnel

Building a Compliant Training Program

The following is an example of how an organization might structure a training program that addresses all three AT requirements. CMMC Level 2 does not prescribe a specific format, cadence, or delivery method. What matters is that your organization defines its approach in policy and can demonstrate that training is occurring, documented, and effective. There are many ways to build a compliant program.

Example Tier 1: Initial Training

Audience: All personnel upon receiving access to CUI systems

Timing: This example uses a 30-day onboarding window; your organization’s policy should define whatever timeframe it commits to

Example content areas:

  • Overview of organizational security policies and procedures
  • CUI identification: what it is, what categories your organization handles, and how to recognize it
  • Common threats associated with user activities: phishing, social engineering, weak passwords, insecure file sharing
  • Responsibilities for handling, protecting, and reporting CUI incidents
  • Insider threat indicators and how to report concerns (AT 3.2.3)
  • Incident reporting procedures including cyber incident reporting obligations

Format: Classroom, virtual, or e-learning — document completion regardless of format

Example Tier 2: Role-Specific Training

Audience: System administrators, IT personnel, security staff, CUI handlers, privileged account users, and personnel with defined security responsibilities

Timing: This example uses an annual cadence; your organization’s policy should define the frequency it commits to

Example content areas:

  • Technical security policies, configurations, and procedures relevant to the role
  • System-specific training covering the tools and platforms the role administers or uses
  • Advanced threat awareness appropriate to the access level
  • Incident response procedures relevant to the role
  • Insider threat recognition from a position of elevated access (AT 3.2.3)

Format: Virtual, hands-on labs, or documented walkthroughs with periodic knowledge assessments

Example Tier 3: Recurring Training

Audience: All personnel

Timing: This example uses an annual minimum with supplemental touchpoints; your organization’s policy should define the frequency it commits to

Example content areas:

  • Recap of key security policies and any updates since last training cycle
  • Current threat landscape including updates to phishing techniques and social engineering tactics
  • Insider threat awareness refresher: indicators, reporting channels, anonymous reporting options (AT 3.2.3)
  • Review of any incidents or near-misses from the prior period, sanitized as appropriate

Example supplemental touchpoints some organizations use:

  • Monthly micro-training: short security tips via email or intranet
  • Quarterly updates: review of recent incidents and evolving threats via webinar or lunch-and-learn format
  • Periodic phishing simulations with documented results and follow-up training for those who engage with simulated threats

Documentation Requirements

Training is one of the easiest domains to implement and one of the most commonly failed for documentation reasons. Assessors will ask for all of the following:

  • Training completion records with dates and names: proves all personnel completed training, not just that it was offered
  • Training content outlines or materials: confirms content meets AT.L2-3.2.1 through AT.L2-3.2.3 requirements
  • Role-specific training records by individual: confirms the AT.L2-3.2.2 role mapping is implemented, not just documented
  • Employee acknowledgment sign-offs: confirms personnel understood their responsibilities
  • Effectiveness evidence, such as phishing simulation results with metrics: demonstrates the program is working, not just running
  • Defined training frequency in organizational policy: “periodically” is not sufficient; a specific schedule must be documented
  • Training program coordinator designation: establishes ownership and accountability for the program

Record Retention: There is no regulatory minimum retention period specified under CMMC Level 2. Your organization should retain training records consistent with the retention period defined in your own documentation. What matters to assessors is that your records align with whatever period your policy commits to and that those records are available.

Assessor Reality Check

Assessors evaluating the AT domain are not just checking whether a training program exists; they are evaluating whether it is operational, documented, and effective. The three most common AT findings:

  1. Training records don’t cover all personnel: Contractors, part-time staff, and personnel who joined mid-year are frequently missing
  2. Role-specific training is generic: The same awareness video given to all employees does not satisfy AT.L2-3.2.2 for administrators and security personnel
  3. No documented outcomes: Training happened but there are no records, sign-in sheets, or simulation results to prove it
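All three findings above are gaps between two records your organization already holds: the roster of people with CUI access and the log of who completed which training when. They can be checked mechanically before an assessor does it for you. The script below is an added example written for this article, not code from any assessor, C3PAO, or training platform. The roster, completion rows, module names (awareness, insider_threat, role:<role>), the set of roles treated as carrying security responsibilities, the 30-day onboarding window, and the 365-day cadence are all constructed assumptions standing in for whatever your own policy and SSP define.

```python
"""Reconcile a personnel roster against training completion records for the AT domain.

Added example with constructed sample data; module names, role list, onboarding
window and cadence are assumptions, not CMMC-mandated values.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed module-naming convention for this example.
AWARENESS = "awareness"          # AT.L2-3.2.1 general awareness content
INSIDER = "insider_threat"       # AT.L2-3.2.3 dedicated insider-threat content
ROLE_PREFIX = "role:"            # AT.L2-3.2.2 role-specific content, e.g. "role:sysadmin"

# Roles the (assumed) policy designates as having assigned security responsibilities.
ROLES_REQUIRING_SPECIFIC_TRAINING = {"sysadmin", "security", "cui_handler"}


@dataclass(frozen=True)
class Person:
    name: str
    role: str
    start: date        # date access to the CUI environment was granted
    category: str      # employee / contractor / part-time; all are in scope
    cui_access: bool


@dataclass(frozen=True)
class Completion:
    name: str
    module: str
    completed: date


def audit(roster, completions, as_of, onboarding_days=30, cadence_days=365):
    """Return (name, control, issue) tuples for every gap an assessor would flag."""
    findings = []
    by_person = {}
    for c in completions:
        by_person.setdefault(c.name, {}).setdefault(c.module, []).append(c.completed)

    for p in roster:
        if not p.cui_access:
            continue                                   # outside the CUI boundary
        modules = by_person.get(p.name, {})
        deadline = p.start + timedelta(days=onboarding_days)
        cutoff = as_of - timedelta(days=cadence_days)  # anything older is overdue

        # AT.L2-3.2.1: initial awareness inside the onboarding window, then on cadence.
        dates = sorted(modules.get(AWARENESS, []))
        if not dates:
            findings.append((p.name, "AT.L2-3.2.1", "no awareness training on record"))
        else:
            if dates[0] > deadline:
                findings.append((p.name, "AT.L2-3.2.1", f"initial training late ({dates[0]} after {deadline})"))
            if dates[-1] < cutoff:
                findings.append((p.name, "AT.L2-3.2.1", f"refresher overdue (last {dates[-1]})"))

        # AT.L2-3.2.3: dedicated insider-threat content, also on cadence.
        dates = sorted(modules.get(INSIDER, []))
        if not dates:
            findings.append((p.name, "AT.L2-3.2.3", "no insider-threat training on record"))
        elif dates[-1] < cutoff:
            findings.append((p.name, "AT.L2-3.2.3", f"insider-threat refresher overdue (last {dates[-1]})"))

        # AT.L2-3.2.2: designated roles need content matched to the role, not the generic module.
        if p.role in ROLES_REQUIRING_SPECIFIC_TRAINING:
            dates = sorted(modules.get(ROLE_PREFIX + p.role, []))
            if not dates:
                findings.append((p.name, "AT.L2-3.2.2", f"no role-specific training for {p.role}"))
            elif dates[-1] < cutoff:
                findings.append((p.name, "AT.L2-3.2.2", f"role-specific refresher overdue (last {dates[-1]})"))
    return findings


def run_sample():
    """Constructed sample data: four people in scope, one outside the CUI boundary."""
    roster = [
        Person("Alice", "sysadmin", date(2024, 1, 15), "employee", True),
        Person("Bob", "engineer", date(2025, 2, 3), "contractor", True),    # no records at all
        Person("Carol", "engineer", date(2025, 4, 7), "part-time", True),   # mid-year joiner
        Person("Dave", "cui_handler", date(2023, 9, 11), "employee", True), # lapsed, no role module
        Person("Erin", "finance", date(2022, 5, 2), "employee", False),     # out of scope
    ]
    completions = [
        Completion("Alice", AWARENESS, date(2024, 1, 20)), Completion("Alice", INSIDER, date(2024, 1, 20)),
        Completion("Alice", "role:sysadmin", date(2024, 2, 1)),
        Completion("Alice", AWARENESS, date(2025, 1, 10)), Completion("Alice", INSIDER, date(2025, 1, 10)),
        Completion("Alice", "role:sysadmin", date(2025, 1, 10)),
        Completion("Carol", AWARENESS, date(2025, 5, 20)),   # 30-day window closed 2025-05-07
        Completion("Dave", AWARENESS, date(2023, 9, 15)), Completion("Dave", INSIDER, date(2023, 9, 15)),
        Completion("Dave", AWARENESS, date(2024, 5, 1)), Completion("Dave", INSIDER, date(2024, 5, 1)),
    ]
    return audit(roster, completions, as_of=date(2025, 6, 30))


if __name__ == "__main__":
    for name, control, issue in run_sample():
        print(f"{name:6} {control:12} {issue}")
```

Run against real exports, the roster should come from whatever system grants CUI access (not HR alone, which is exactly how contractors and part-time staff fall through), and the completion log from the LMS or sign-in records. Each finding maps to one of the three controls, which is also how you want the gap written up in your POA&M.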

Connection to the Annual Affirmation

The Annual Affirmation submitted by your Affirming Official (covered in Nugget #4) attests that all applicable CMMC security requirements are implemented and maintained. Your training records are among the artifacts that support that affirmation. A training program that exists on paper but cannot be evidenced undermines the affirmation and creates False Claims Act exposure.

SSP Mapping Note

AT 3.2.1, AT 3.2.2, and AT 3.2.3 must each be documented as separate control entries in the AT section of your SSP. For each, your SSP should describe:

  • Who is responsible for the training program
  • What the training content covers and how it satisfies the control objective
  • The defined training frequency
  • How completion is tracked and records are retained

If your organization is working toward CMMC compliance or has questions about the process, we’re here to help. Schedule a free consultation now.