CMMC Level 2 Implementation Guide July 3, 2026 · 11 min read

How to Implement CMMC Level 2 Awareness & Training (AT) Requirements

The AT domain only has three practices. That makes it easy to underestimate. In reality, 3.2.1 through 3.2.3 require an active, documented, role-specific training program, not a checkbox exercise. This guide breaks down each practice, what assessors look for, and how to build a training program that passes assessment and actually reduces your risk.

Why AT Gets More Scrutiny Than You'd Expect

Three practices. Sounds like a Tuesday. Then you discover that buying a KnowBe4 subscription and never actually deploying it is not a practice.

Three practices sounds like a short domain. But AT is one of the domains where assessors most consistently find gaps, because many organizations approach it by pointing to a training platform subscription and calling it done. The text of the practices is broader than that.

Practice 3.2.1 requires that all personnel are aware of the security risks associated with their activities. Practice 3.2.2 requires that personnel are trained to carry out their assigned security responsibilities. Practice 3.2.3 requires training on recognizing and reporting threats including social engineering and phishing. Together, these require a program that is documented, completed, tracked, and role-specific. Completion at 70% coverage is a finding. No documentation of what was trained is a finding. Training that covers phishing but not CUI handling is a gap.

The key distinction: "Awareness" means everyone understands their role in protecting the organization. "Training" means people with specific security responsibilities know how to execute those responsibilities. Your program needs both layers, not just one.

Practice 3.2.1: Security Risk Awareness for All Personnel

3.2.1

Every person with access to CUI systems must understand the security risks of their job

This is the foundational awareness requirement. It covers every employee, contractor, and third party who accesses systems within your CUI boundary. The training does not need to be technical, but it needs to be relevant. An accounts payable clerk who uses a shared drive where CUI is stored needs to understand what CUI is, how to handle it, and what to do if they receive a suspicious email. That is different from what your IT administrator needs to know.

What this requires in practice:

Common mistake: Training completion at 85-90% and calling it done. The outstanding 10-15% is not a rounding error to an assessor, it is a documented gap. Personnel who have not completed training should not have active access to CUI systems until they do. Build that into your onboarding and annual recertification process.

Practice 3.2.2: Role-Specific Training for Security Responsibilities

In other words: giving your firewall admin the same 15-minute phishing video as the front desk does not count as training for security responsibilities.

3.2.2

People with security duties need training specific to those duties

This practice moves beyond general awareness. If someone has a defined security responsibility, they need training that prepares them to execute it. General phishing awareness training does not satisfy this requirement for your system administrator, your incident response lead, or your CMMC compliance owner.

Role-specific training requirements by function:

IT Administrators

  • Secure configuration and hardening
  • Patch management and vulnerability response
  • Log review and monitoring
  • Incident containment and escalation
  • Access provisioning and de-provisioning

Security / Compliance Lead

  • NIST SP 800-171 controls and assessment process
  • CMMC assessment evidence management
  • POA&M tracking and reporting
  • CUI identification and handling
  • Vendor security assessment

Human Resources

  • Insider threat indicators and reporting
  • Personnel security screening procedures
  • Offboarding access revocation process
  • Security training program administration

Executive Leadership

  • Security governance and accountability
  • Cyber risk reporting and decision-making
  • CMMC contractual obligations
  • Incident response roles and notification requirements

Finance / Accounting

  • Business email compromise and wire fraud
  • Invoice fraud recognition
  • Dual authorization for financial transactions
  • CUI in financial documents (contract values, pricing)

Program / Contracts Management

  • CUI identification in contract deliverables
  • DFARS clause 252.204-7012 obligations
  • Subcontractor CMMC flow-down requirements
  • Incident notification to the DoD

How to document this: Maintain a training matrix that lists each role, the security responsibilities associated with that role, and the training that satisfies those responsibilities. This document becomes evidence during assessment.

Common mistake: Treating the IT administrator as the only person with security responsibilities and giving everyone else only general awareness training. Every department that touches CUI has specific security responsibilities that need to be trained. If your HR team runs the security training program, they have security responsibilities. If your program managers handle contract deliverables, they have CUI handling responsibilities.

Practice 3.2.3: Insider Threat and Social Engineering Awareness

3.2.3

Train personnel to recognize and report threats, including insider threats and phishing

This practice specifically calls out two threat vectors that are often underweighted in generic security training: insider threats and social engineering. Both require deliberate, specific coverage, not just a mention in an annual compliance module.

Phishing and social engineering training:

Insider threat awareness:

Common mistake: A 15-minute annual awareness video that mentions phishing in two slides is not enough to satisfy 3.2.3. Assessors will ask how often phishing simulations are run, what happens when someone fails, and how personnel report suspected incidents. If the answer to any of those questions is "we don't really do that," it is a gap.

Building a Training Program That Passes Assessment

The mechanics of a compliant AT program are not complicated, but they require deliberate setup:

Step 1: Choose a training platform

You need a platform that delivers training, tracks completion, and produces reports. The most common options for CMMC environments:

PlatformPhishing SimulationPrice RangeNotes
KnowBe4Yes$$Largest content library; most widely used in CMMC contexts
Proofpoint Security AwarenessYes$$Strong threat intelligence integration
Infosec IQYes$Good value for smaller organizations
Microsoft Security AwarenessYes (Attack Simulator)Included in M365Basic but sufficient for small orgs already in Microsoft ecosystem
SANS Security AwarenessYes$$High-quality content; strong for role-specific modules

Step 2: Define your training schedule and document it in policy

Your Security Awareness Training Policy needs to specify:

Once you document these requirements in policy, you are held to them. An assessor who sees a policy saying "quarterly phishing simulations" and finds no evidence of simulations in the last 18 months will write that as a finding. Set timelines you will actually follow.

Step 3: Maintain completion records

Records are evidence. You need to be able to show an assessor, for any point in the last year, who completed training and when. Modern platforms export these reports automatically. Keep them. The records should cover:

Step 4: Extend coverage to contractors

Every contractor with access to your CUI systems or data is subject to the same AT requirements. Your options are: include contractors in your own training program (they get accounts in your platform and complete the same modules), or require contractors to attest annually that they have completed equivalent training through their own organization and retain that attestation as evidence. The second option is common but requires you to actually follow up and collect the attestations (requirements in contracts that nobody enforces are an assessor's favorite finding).

Quick win: If you have Microsoft 365 Business Premium or E3/E5, you already have access to Microsoft Attack Simulator for phishing simulations and Microsoft Viva Learning for training content delivery. It is not as feature-rich as KnowBe4, but it satisfies the basic requirement and costs nothing incremental to what you're already paying.

What Evidence Assessors Expect

During your CMMC Level 2 assessment, the AT domain will be evaluated through documentation review, evidence review, and interviews. Plan for all three.

Documentation: Your Security Awareness and Training Policy is the anchor document. It must cover all three practices with specific language about training content, frequency, role-specific requirements, and the reporting process for threats.

Evidence: Training completion reports from your platform for the last 12 months. Phishing simulation reports showing simulation dates, scenarios used, and click/report rates. Role-specific training records for IT, HR, and other functions with defined responsibilities. Contractor attestations if you are using the attestation approach.

Interviews: Assessors will ask general employees how they report a suspicious email. (The most common answer at organizations without a real program is a long pause, followed by "I think... I'd email IT?") They will ask your IT team what training they completed. They will ask your compliance lead how the training program is administered and what triggers a mandatory reset of training completion. Inconsistency between what the policy says and what staff describe will generate findings.

Need the Policy Document?

Our CMMC Level 2 Security Awareness & Training Policy template covers all three AT practices in formal policy language. Includes role-based training matrix, phishing simulation requirements, new hire onboarding timeline, and contractor coverage provisions. Editable .docx, ready to customize in under an hour.

Download the AT Policy Template →

Frequently Asked Questions

NIST SP 800-171 does not specify a mandatory training frequency. Most assessors expect annual training at minimum, with new hire training completed within 30 days of start. The key is to document your training frequency in policy and follow it consistently. Whatever you write in your policy, you will be held to it.
Practice 3.2.3 requires training on recognizing and reporting threats including social engineering and phishing. Phishing simulations are not explicitly mandated by the text, but they are widely expected by C3PAO assessors as evidence of a working awareness program. Quarterly simulations with tracking and remedial training for failures is the standard expectation in mature programs.
Acceptable platforms include KnowBe4, Proofpoint Security Awareness Training, Microsoft Security Awareness, Infosec IQ, SANS Security Awareness, and similar. In-person training with documented attendance is also acceptable. Key requirements: content covers relevant security risks, completion is tracked, new hires complete training before or very shortly after CUI access, and records are retained to show during assessment.
Practice 3.2.2 requires training for personnel "to carry out assigned security responsibilities." IT administrators need training on secure configuration and incident response. HR needs training on insider threat indicators. Executives need training on security governance responsibilities. Program managers handling CUI need training on CUI handling and DFARS obligations. The training content should match what each role is actually expected to do.
Contractors and third-party personnel with access to your CUI systems are subject to the same AT requirements as employees. You can include them in your own training program or require annual attestations that they have completed equivalent training. If using attestations, you need to actually collect and retain them, not just require them in your contracts.

More Implementation Guides in This Series

🔒 Access Controls (AC) Read → 🚨 Incident Response (IR) Read → 👪 Identification & Authentication (IA) Read → 📊 Risk Assessment (RA) Read → 🔐 CMMC Password Requirements Read → How to Pass a CMMC Assessment Read →
📫

Get the Free CMMC Level 2 Practice Checklist

All 110 NIST SP 800-171 practices organized by domain - formatted for assessment prep. Free PDF, instant access.