What the Awareness and Training Domain Is For
The Awareness and Training domain defines how the contractor prepares its workforce to operate within a CMMC environment. It is one of the smaller domains in NIST SP 800-171, containing only three controls, and it is also one of the most frequently underbuilt. Many contractors assume that a single annual security awareness course administered through a learning management system satisfies the domain. Under CMMC Level 2 assessment expectations, it does not.
The three controls establish three distinct obligations. The first is general security awareness for all personnel who interact with the CMMC environment. The second is role-based training tailored to the specific responsibilities of individuals whose work touches security functions. The third is insider threat awareness, which is a narrower category with its own assessment objectives and evidence requirements. Each control has its own content, its own audience, and its own documentation standard.
During assessment, the C3PAO does not evaluate training as a single program. They evaluate whether each of the three controls is satisfied individually, with evidence that links content, delivery, and completion for every person in the assessable scope. The evidence threshold is higher than most contractors initially recognize, and the commonly cited commercial security awareness platforms provide only part of what is required.
The Three Controls
AT.L2-3.2.1 Role-Based Risk Awareness
Managers, system administrators, and users of organizational systems must be made aware of the security risks associated with their activities and the applicable policies, standards, and procedures. The control is general in scope but specific in application. Content that addresses software developers but not machine operators, or that addresses office workers but not shop floor personnel, will leave gaps that the assessor can identify. The content must reach every person whose activity touches the CMMC environment, and the awareness must be reinforced over time rather than delivered once at onboarding.
AT.L2-3.2.2 Role-Based Training
Personnel must be trained to carry out their assigned information security-related duties and responsibilities. This is the role-specific obligation. A system administrator receives training appropriate to administration. An incident response coordinator receives training appropriate to that role. The content is differentiated by duty, and the evidence must demonstrate that each role receives training that matches its responsibilities. The general security awareness content under 3.2.1 does not satisfy 3.2.2 for personnel with specific security duties.
AT.L2-3.2.3 Insider Threat Awareness
Personnel must receive security awareness training on recognizing and reporting potential indicators of insider threat. This is a distinct content category with its own regulatory history, rooted in Executive Order 13587 and the associated federal insider threat program requirements. The content differs from general security awareness because it addresses a specific risk model: behavioral indicators, reporting procedures, and the distinction between concerning behavior and routine workplace conduct. Contractors often treat 3.2.3 as a subtopic within general awareness training, but the assessment objectives ask whether insider threat indicators have been identified and whether training on recognizing and reporting them was actually delivered. A completion record for a general awareness course does not show either of those on its own; the evidence must identify the insider threat content and the individuals who received and acknowledged it.
Where Awareness and Training Intersects with Other Domains
Awareness and Training is an enabling domain. Its effectiveness shows up in how other domains perform in assessment.
The Personnel Security domain governs who is authorized to hold specific roles. AT governs how those personnel are prepared for the roles they hold. A PS record that shows an individual assigned to a security role is incomplete without AT evidence that the individual received training appropriate to that role.
The Incident Response domain assumes that personnel can recognize and report incidents, which is a direct product of AT content. If personnel do not know what constitutes a reportable event, the IR program cannot activate on the evidence it needs. The insider threat training under 3.2.3 is particularly relevant here, because insider threat indicators are frequently detected through routine personnel awareness rather than through technical monitoring alone.
The System and Information Integrity domain includes monitoring obligations that depend on personnel recognizing and acting on indicators. A user who deletes a phishing email without reporting it, or who notices unusual system behavior and says nothing, deprives the SI controls of an evidence source they depend on: human reporting of events that technical monitoring did not catch.
The Media Protection and Physical Protection domains both include personnel-facing requirements that AT supports. The handling of CUI on portable media, and the reporting of physical security events, are both behaviors that emerge from training rather than from technical controls.
Common Implementation Pitfalls
Several patterns come up repeatedly in Awareness and Training readiness work.
Commercial awareness platforms used as the sole evidence source. The major security awareness training vendors provide substantial content and completion tracking, but their default offerings do not always map cleanly to the three controls. Contractors who rely exclusively on a vendor platform often find that role-based training under 3.2.2 is not satisfied by the generalized modules, and that insider threat content under 3.2.3 is either absent or treated as an optional topic. The vendor is part of the solution, not the whole solution.
Training records that cannot be tied to specific individuals and specific content. Assessors expect to see that a named person received specific content on a specific date. A bulk completion report that says the organization completed its annual training cycle does not answer the assessable question for each control. The evidence must be traceable to the individual level.
New hire training that is not reinforced. Awareness training provided only at onboarding satisfies neither the letter nor the intent of the domain. The controls contemplate ongoing awareness, and the evidence must show that training is refreshed on a defined cadence.
Role-based training that defaults to generic content. Personnel with security-relevant duties need training that matches those duties. A privileged system administrator needs content on privileged access hygiene and administrative separation. An incident handler needs content on incident response procedures. When every role receives the same generic course, the 3.2.2 obligation is not met.
Insider threat content conflated with general awareness. Insider threat training has its own regulatory lineage and its own expected content. Assessors will ask for evidence that the insider threat topics were delivered and acknowledged, and if those topics are buried inside a general awareness module without distinct evidence, the 3.2.3 control will not be satisfied.
Where to Start
The first step in AT readiness is to map the personnel who will be in assessment scope and identify the roles each holds. From that map, the training content can be structured to address general awareness for all, role-specific content for those with security duties, and insider threat content for everyone.
The second step is to verify that the delivery and recordkeeping system produces evidence that the assessor will accept. Per-individual completion records, content traceable to the control it supports, and a documented refresh cadence are the minimum. If the current system cannot produce this evidence, the gap needs to be closed before the assessment rather than discovered during it.
The third step is to integrate the domain into onboarding and offboarding workflows so that training coverage does not drift as personnel change. This is where AT interacts most directly with Personnel Security and where the evidence chain often breaks in organizations that treat training as a once-a-year event.
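The three steps above, and the per-individual traceability and refresh-cadence pitfalls described earlier, reduce to a check that can be run against the roster and the training records before the assessor does it by hand. The following is an added example, not code from the original page or from any vendor platform. Everything in it is constructed for illustration: the module-to-control mapping, the role-to-module mapping, the 365-day cadence, and the roster and records are assumptions, not requirements stated on the page. What it shows is the shape of the evidence question each control poses: for every active person, for every module their roles require, is there a record, was it acknowledged, and is it within cadence.

```python
"""Per-individual Awareness and Training evidence gap check.

Added example, not from the page. The control mappings, the role mapping,
the cadence and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CADENCE_DAYS = 365  # assumed refresh cadence; use the one your policy documents

# Which control each training module evidences (assumed catalog).
# 3.2.2 modules are required only for the roles listed in ROLE_MODULES.
MODULE_CONTROL = {
    "general-awareness": "AT.L2-3.2.1",
    "insider-threat": "AT.L2-3.2.3",
    "privileged-access": "AT.L2-3.2.2",
    "ir-procedures": "AT.L2-3.2.2",
}

# Required for everyone in scope (3.2.1 and 3.2.3), then per role (3.2.2).
BASELINE_MODULES = ("general-awareness", "insider-threat")
ROLE_MODULES = {
    "user": (),
    "sysadmin": ("privileged-access",),
    "incident_handler": ("ir-procedures",),
}


@dataclass(frozen=True)
class Person:
    name: str
    roles: tuple
    active: bool = True  # False once offboarded; leaves assessable scope


@dataclass(frozen=True)
class Record:
    name: str
    module: str
    completed: date
    acknowledged: bool = True


def required_modules(person):
    """Baseline modules plus every module any of the person's roles requires."""
    mods = set(BASELINE_MODULES)
    for role in person.roles:
        mods.update(ROLE_MODULES.get(role, ()))
    return mods


def latest_record(records, name, module):
    """Most recent completion of `module` by `name`, or None if never taken."""
    matches = [r for r in records if r.name == name and r.module == module]
    return max(matches, key=lambda r: r.completed) if matches else None


def find_gaps(people, records, as_of, cadence_days=CADENCE_DAYS):
    """Return (name, control, module, reason) for every unmet obligation.

    A bulk 'annual cycle complete' report cannot answer this; the check is
    per person, per module, per control, against a dated record.
    """
    gaps = []
    for p in people:
        if not p.active:
            continue
        for module in sorted(required_modules(p)):
            control = MODULE_CONTROL[module]
            rec = latest_record(records, p.name, module)
            if rec is None:
                gaps.append((p.name, control, module, "no record"))
            elif not rec.acknowledged:
                gaps.append((p.name, control, module, "not acknowledged"))
            elif as_of - rec.completed > timedelta(days=cadence_days):
                gaps.append((p.name, control, module, "stale"))
    return gaps


# Constructed sample roster and records (not real personnel or data).
SAMPLE_PEOPLE = [
    Person("alice", ("user",)),
    Person("bob", ("sysadmin",)),
    Person("carol", ("incident_handler",)),
    Person("dave", ("user",), active=False),  # offboarded, no records expected
]
SAMPLE_RECORDS = [
    Record("alice", "general-awareness", date(2024, 2, 1)),
    Record("alice", "insider-threat", date(2024, 2, 1)),
    Record("bob", "general-awareness", date(2023, 6, 15)),   # past cadence
    Record("bob", "insider-threat", date(2023, 1, 1)),       # superseded below
    Record("bob", "insider-threat", date(2024, 3, 10)),
    # bob has no privileged-access record: 3.2.2 not evidenced for his role
    Record("carol", "general-awareness", date(2024, 5, 1)),
    Record("carol", "insider-threat", date(2024, 5, 1), acknowledged=False),
    Record("carol", "ir-procedures", date(2024, 5, 1)),
]
AS_OF = date(2024, 12, 1)


def run_sample():
    return find_gaps(SAMPLE_PEOPLE, SAMPLE_RECORDS, AS_OF)


if __name__ == "__main__":
    for name, control, module, reason in run_sample():
        print(f"{name:6} {control:12} {module:18} {reason}")
```

Run against the constructed data, the check surfaces exactly the failure modes the pitfalls section describes: a stale general awareness record, a privileged user with no role-based training on file, and an insider threat module that was completed but never acknowledged. Offboarded personnel drop out of scope, which is the Personnel Security hand-off the third step refers to. In practice the roster comes from HR or the identity provider and the records from the LMS export; the mapping tables are the part you have to write down yourself, and they double as the documentation tying each module to the control it evidences.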