The AT domain only has three practices. That makes it easy to underestimate. In reality, 3.2.1 through 3.2.3 require an active, documented, role-specific training program, not a checkbox exercise. This guide breaks down each practice, what assessors look for, and how to build a training program that passes assessment and actually reduces your risk.
Three practices. Sounds like a Tuesday. Then you discover that buying a KnowBe4 subscription and never actually deploying it is not a practice.
Three practices sounds like a short domain. But AT is one of the domains where assessors most consistently find gaps, because many organizations approach it by pointing to a training platform subscription and calling it done. The text of the practices is broader than that.
Practice 3.2.1 requires that all personnel are aware of the security risks associated with their activities. Practice 3.2.2 requires that personnel are trained to carry out their assigned security responsibilities. Practice 3.2.3 requires training on recognizing and reporting threats including social engineering and phishing. Together, these require a program that is documented, completed, tracked, and role-specific. Completion at 70% coverage is a finding. No documentation of what was trained is a finding. Training that covers phishing but not CUI handling is a gap.
The key distinction: "Awareness" means everyone understands their role in protecting the organization. "Training" means people with specific security responsibilities know how to execute those responsibilities. Your program needs both layers, not just one.
This is the foundational awareness requirement. It covers every employee, contractor, and third party who accesses systems within your CUI boundary. The training does not need to be technical, but it needs to be relevant. An accounts payable clerk who uses a shared drive where CUI is stored needs to understand what CUI is, how to handle it, and what to do if they receive a suspicious email. That is different from what your IT administrator needs to know.
What this requires in practice:
Common mistake: Training completion at 85-90% and calling it done. The outstanding 10-15% is not a rounding error to an assessor, it is a documented gap. Personnel who have not completed training should not have active access to CUI systems until they do. Build that into your onboarding and annual recertification process.
In other words: giving your firewall admin the same 15-minute phishing video as the front desk does not count as training for security responsibilities.
This practice moves beyond general awareness. If someone has a defined security responsibility, they need training that prepares them to execute it. General phishing awareness training does not satisfy this requirement for your system administrator, your incident response lead, or your CMMC compliance owner.
Role-specific training requirements by function:
How to document this: Maintain a training matrix that lists each role, the security responsibilities associated with that role, and the training that satisfies those responsibilities. This document becomes evidence during assessment.
Common mistake: Treating the IT administrator as the only person with security responsibilities and giving everyone else only general awareness training. Every department that touches CUI has specific security responsibilities that need to be trained. If your HR team runs the security training program, they have security responsibilities. If your program managers handle contract deliverables, they have CUI handling responsibilities.
This practice specifically calls out two threat vectors that are often underweighted in generic security training: insider threats and social engineering. Both require deliberate, specific coverage, not just a mention in an annual compliance module.
Phishing and social engineering training:
Insider threat awareness:
Common mistake: A 15-minute annual awareness video that mentions phishing in two slides is not enough to satisfy 3.2.3. Assessors will ask how often phishing simulations are run, what happens when someone fails, and how personnel report suspected incidents. If the answer to any of those questions is "we don't really do that," it is a gap.
The mechanics of a compliant AT program are not complicated, but they require deliberate setup:
You need a platform that delivers training, tracks completion, and produces reports. The most common options for CMMC environments:
| Platform | Phishing Simulation | Price Range | Notes |
|---|---|---|---|
| KnowBe4 | Yes | $$ | Largest content library; most widely used in CMMC contexts |
| Proofpoint Security Awareness | Yes | $$ | Strong threat intelligence integration |
| Infosec IQ | Yes | $ | Good value for smaller organizations |
| Microsoft Security Awareness | Yes (Attack Simulator) | Included in M365 | Basic but sufficient for small orgs already in Microsoft ecosystem |
| SANS Security Awareness | Yes | $$ | High-quality content; strong for role-specific modules |
Your Security Awareness Training Policy needs to specify:
Once you document these requirements in policy, you are held to them. An assessor who sees a policy saying "quarterly phishing simulations" and finds no evidence of simulations in the last 18 months will write that as a finding. Set timelines you will actually follow.
Records are evidence. You need to be able to show an assessor, for any point in the last year, who completed training and when. Modern platforms export these reports automatically. Keep them. The records should cover:
Every contractor with access to your CUI systems or data is subject to the same AT requirements. Your options are: include contractors in your own training program (they get accounts in your platform and complete the same modules), or require contractors to attest annually that they have completed equivalent training through their own organization and retain that attestation as evidence. The second option is common but requires you to actually follow up and collect the attestations (requirements in contracts that nobody enforces are an assessor's favorite finding).
Quick win: If you have Microsoft 365 Business Premium or E3/E5, you already have access to Microsoft Attack Simulator for phishing simulations and Microsoft Viva Learning for training content delivery. It is not as feature-rich as KnowBe4, but it satisfies the basic requirement and costs nothing incremental to what you're already paying.
During your CMMC Level 2 assessment, the AT domain will be evaluated through documentation review, evidence review, and interviews. Plan for all three.
Documentation: Your Security Awareness and Training Policy is the anchor document. It must cover all three practices with specific language about training content, frequency, role-specific requirements, and the reporting process for threats.
Evidence: Training completion reports from your platform for the last 12 months. Phishing simulation reports showing simulation dates, scenarios used, and click/report rates. Role-specific training records for IT, HR, and other functions with defined responsibilities. Contractor attestations if you are using the attestation approach.
Interviews: Assessors will ask general employees how they report a suspicious email. (The most common answer at organizations without a real program is a long pause, followed by "I think... I'd email IT?") They will ask your IT team what training they completed. They will ask your compliance lead how the training program is administered and what triggers a mandatory reset of training completion. Inconsistency between what the policy says and what staff describe will generate findings.
Our CMMC Level 2 Security Awareness & Training Policy template covers all three AT practices in formal policy language. Includes role-based training matrix, phishing simulation requirements, new hire onboarding timeline, and contractor coverage provisions. Editable .docx, ready to customize in under an hour.
Download the AT Policy Template →All 110 NIST SP 800-171 practices organized by domain - formatted for assessment prep. Free PDF, instant access.