Deretti Cyber Labs CMMC Desk · Domains · Awareness & Training

Awareness & training.

One of the smallest families, and the one most often skipped.

Awareness & Training is 3 of Level 2’s 110 requirements — one of the smallest families on this desk. It doesn’t configure a system or lock a door; it makes sure the people operating inside all the other families understand why the rules exist and what to watch for, including from inside the organization. A shop that treats AT as trivial usually finds out the hard way that the other 107 requirements depend on people who understand what they’re protecting.

This page explains the family. It does not replace the requirement text or assessment objectives.

01What this family protects

Awareness & Training protects the assumption every other family quietly depends on: that the people using and administering a system understand the security expectations placed on them, and would recognize a problem — including one caused by a colleague — if they saw it. Access controls, media handling, and incident response all work better when the humans inside the system know why the rules exist. AT doesn’t detect anything on its own; it makes detection by everyone else more likely.

02The rule says

All 3 requirements, condensed to their operative sentence. NIST SP 800-171 Rev. 2 §3.2 has the full text and discussion for each; Source Library covers when to open it.

The 3 Awareness & Training requirements of NIST SP 800-171 Revision 2
§Requirement
3.2.1Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.2.3Provide security awareness training on recognizing and reporting potential indicators of insider threat.

03In practice

Awareness for everyone, training for role (3.2.1–3.2.2). Every person with access to a system that touches CUI gets a baseline understanding of the risks tied to their own activities and the policies that apply — not a security certification, just enough to recognize why a control exists. People with security-specific duties — an IT admin managing accounts, someone doing configuration work — get training tailored to what they actually do, distinct from the general session everyone else gets.

Insider-threat awareness (3.2.3) is its own, smaller requirement: training on recognizing and reporting the behavioral signs of a colleague going wrong, not just external attackers. It’s a short, specific addition to the broader awareness requirement, easy to fold into the same annual session rather than standing up as its own program.

04Where it fails

AT is the family most likely to get done once, at hire, and never again. A new employee sits through an onboarding video in week one; two years and several policy changes later, nobody has refreshed what they were told. The requirement doesn’t specify an interval, but training that happened once, permanently, isn’t awareness — it’s a memory of awareness.

The insider-threat piece (3.2.3) is the one most often missing entirely, because most training programs default to external-threat framing — phishing, malware — and never mention that the same reporting channel applies to a colleague’s behavior.

05What evidence may look like

Day-to-day output, not a training-vendor certificate wall: a record of who completed awareness training and when (a spreadsheet, an LMS export, signed acknowledgment forms); the training content itself, showing it covers both general awareness and insider-threat indicators; and role-specific training records for anyone with security-related duties, showing what made their training different from the general session.

06At the shop

At the shop

Blanchard Tool & Machining is the desk’s fictional composite (any resemblance to an actual company is coincidental). Blanchard runs a 30-minute awareness session each January for the whole shop — phishing examples pulled from what actually landed in inboxes that year, a short segment on reporting a coworker’s odd behavior (unusual after-hours access and sudden financial-hardship stress are the two examples that stuck), and a one-page acknowledgment form. The two-person IT team gets an extra hour covering account-management specifics, since they’re the ones who’d actually action a report.

07Commonly confused with

Incident Response (IR). AT trains people to recognize and report a problem; IR is what happens once a report or alert becomes an actual response. AT feeds IR’s reporting channel; it doesn’t run the response itself. See Incident Response.

Personnel Security (PS). PS screens people before they get access and manages what happens at termination or transfer; AT trains people who already have access on what to watch for while they hold it. Screening happens once, at the edges of employment; awareness training runs continuously in between. See Personnel Security.

09Sources

Primary sources for the Awareness & Training family
DocumentWhat it’s for
NIST SP 800-171 Rev. 2, §3.2Full requirement text and discussion for all 3 AT requirements.
NIST SP 800-171AAssessment objectives — how an assessor determines MET for each AT requirement.
32 CFR 170.4Defines “CMMC Level 2 security requirement” and ties the 800-171 R2 families to the CMMC Program.