The Three Controls
Together, these three controls form a layered training architecture. AT.L2-3.2.2 ensures universal baseline awareness. AT.L2-3.2.1 adds specificity based on function. AT.L2-3.2.3 addresses the insider threat dimension. The practical result is that organizations must develop a general training program delivered to the entire workforce, supplemental role-specific training modules targeting defined groups, and dedicated insider threat content that applies across all roles.
Role-Based Training Tiers
The critical distinction is specificity. Shop floor workers do not need instruction on audit log analysis, and IT administrators do not need training on CNC media handling. Each group must receive content directly relevant to the risks they face in their specific operational context. This differentiation is what AT.L2-3.2.1 requires, and it is what a C3PAO assessor will verify.
| Role Tier | Primary Focus | Key Control Families | Delivery Method |
|---|---|---|---|
| Shop Floor | Physical security of CUI media, proper labeling and marking, media sanitization, secure handling of portable storage devices, insider threat indicators in the physical environment | Media Protection (MP), Physical Protection (PE), Awareness and Training (AT) | Hands-on scenario exercises, practical demonstrations at workstation, supervised media handling drills |
| Office Personnel | CUI handling in digital formats, phishing recognition, remote access protocols, MFA compliance, acceptable use, insider threat reporting | Access Control (AC), Identification and Authentication (IA), Awareness and Training (AT) | Online modules with scenario-based testing, annual refreshers, simulated phishing exercises |
| Privileged Users | System integrity monitoring, audit log review, incident response, configuration management, account management, insider threat detection through technical indicators | Audit and Accountability (AU), Incident Response (IR), Configuration Management (CM), System and Information Integrity (SI) | Technical workshops, tabletop incident response exercises, hands-on lab environments, peer review |
| Executive Management | Resource allocation for compliance, risk management, contractual obligations under DFARS, business impact of noncompliance, oversight of CMMC readiness | Risk Assessment (RA), Security Assessment (CA), Awareness and Training (AT) | Briefings with quantified risk data, business case presentations, strategic planning sessions |
Executive management training warrants particular attention. Senior leaders are responsible for allocating the resources that make compliance possible. If leadership does not understand the contractual and operational consequences of noncompliance, the organization's compliance posture will be structurally underfunded. Training for this group should present CMMC requirements in terms of contract risk, competitive positioning, and the financial exposure associated with failure to achieve or maintain certification.
Personnel in dual-environment roles, such as testing and inspection staff who work on both the manufacturing floor and in the office, require training that covers both curricula. The organization should identify these overlapping roles during the training design phase and ensure those individuals receive the combined content.
Universal Requirements Across All Tiers
Certain training topics cut across every role and must be addressed in the general awareness curriculum. Malware and virus awareness applies equally to an executive reading email, an office worker downloading a file, and a shop floor operator inserting a USB drive. Facility security and visitor management represent another universal requirement: every employee must know how to challenge an unknown individual in a secure area and understand proper visitor procedures.
The requirement to remove CUI from plain view during visitor situations deserves specific emphasis because it applies in both the office and the manufacturing environment. In the office, this means clearing documents from desks, closing files on monitors, and erasing whiteboards. On the shop floor, the exposure is often more pervasive: travelers, route cards, inspection sheets, and engineering drawings may be posted at workstations, clipped to machines, or sitting on inspection tables. This is a practical, operational discipline that must be rehearsed and reinforced, not merely acknowledged in a training slide.
The Consultant and HR Collaboration Model
Effective CMMC training programs require coordination between two distinct competencies. The CMMC consultant is responsible for defining the technical scope and content: identifying which controls are relevant to each role, developing content at appropriate depth, and ensuring alignment with the CMMC Assessment Guide. Human Resources owns the administrative infrastructure: scheduling, tracking, retention of training records, and integration with the onboarding process.
For smaller contractors that do not maintain dedicated training staff, the consultant may design the entire program, develop the materials, and deliver instruction directly. This is a common operational reality in the defense industrial base, where many contractors are small and mid-sized manufacturers without internal resources to build a security training program from the ground up. Regardless of the delivery model, the division of responsibility should be documented in the organization's training policy, with the consultant identified as the technical authority and HR as the administrative authority.
Competency Testing
Delivering training is only half of the obligation. The organization must demonstrate that the training was effective and that personnel achieved a measurable level of understanding. Competency testing should use objective, scenario-based questions that assess whether the individual can apply the training content to realistic situations. Questions that test rote memorization of policy language do not demonstrate comprehension.
The minimum passing score should be defined in the organization's training policy and applied consistently. Industry practice typically sets the threshold at 80 percent. Individuals who fail must retake the training and retest within a defined timeframe. The policy should specify consequences for repeated failure, which may include restrictions on access to CUI until competency is demonstrated.
Records Management and the Artifact Trail
During a C3PAO assessment, the assessor will examine training records to verify that every individual within scope received the appropriate training, passed the competency test, and did so within the required timeframe. At a minimum, the organization must maintain: the date training was completed, the specific version of the training material used, the test score achieved, the date of the next required refresher, and the signature or electronic acknowledgment confirming completion.
Version control of training materials is an additional requirement that organizations frequently overlook. When content is updated, the organization must demonstrate which version each individual received. The artifact trail must connect each individual's training record to a specific, dated version of the content.
Onboarding and Lifecycle
Newly hired or assigned personnel represent a compliance vulnerability until they complete required training. The training policy must define a maximum timeframe for initial training, commonly within the first five business days of employment or assignment to a CUI-related role. During the period before training is completed, the organization must implement compensating measures: restricting system access, requiring direct supervision by trained personnel, or limiting physical access to secure areas.
The onboarding process should be integrated with account management and access control procedures. HR should coordinate with IT to ensure that system access provisioning is contingent on the completion of required training. This creates a procedural interlock that prevents the creation of a compliance gap: an individual cannot access CUI until the training record demonstrates that the prerequisite has been satisfied.
Refresher training must occur at least annually for all personnel. Organizations should establish a fixed annual training period rather than tracking individual anniversary dates. The training policy should also define triggers for supplemental training: material changes to security policy, introduction of new systems, significant security incidents, and changes to regulatory or contractual requirements.
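As an added illustration, not part of the white paper or the author's materials, the script below encodes the record fields from the Records Management section, the 80 percent threshold, the five-business-day initial window, the annual refresher, and the HR/IT provisioning interlock as one check run over a constructed roster. Field names, the content version labels, and the roster entries are assumptions made for the example.

```python
from datetime import date, timedelta
from typing import Optional

PASSING_SCORE = 80           # policy threshold; the page cites 80 percent as typical practice
INITIAL_WINDOW_BDAYS = 5     # business days allowed for initial training after assignment
REFRESHER_DAYS = 365         # refresher training is required at least annually
CURRENT_VERSION = "2024-Q1"  # constructed label for the approved, dated content version

def business_days_since(start: date, today: date) -> int:
    """Count weekdays strictly after `start` up to and including `today`."""
    return sum(1 for i in range(1, (today - start).days + 1)
               if (start + timedelta(days=i)).weekday() < 5)

def training_status(record: Optional[dict], assigned_on: date, today: date) -> str:
    """Classify a record {completed, version, score, acknowledged}; None = nothing on file."""
    if record is None:  # new hire: inside the initial window, or already overdue
        elapsed = business_days_since(assigned_on, today)
        return "initial_window_open" if elapsed <= INITIAL_WINDOW_BDAYS else "initial_overdue"
    if not record["acknowledged"]:
        return "missing_acknowledgment"
    if record["score"] < PASSING_SCORE:
        return "retest_required"
    if record["version"] != CURRENT_VERSION:
        return "stale_version"  # trained on superseded content; must retrain on current version
    if (today - record["completed"]).days > REFRESHER_DAYS:
        return "refresher_overdue"
    return "compliant"

def cui_access_permitted(status: str) -> bool:
    """Procedural interlock: IT provisions CUI access only against a compliant record."""
    return status == "compliant"

def next_refresher_due(record: dict) -> date:
    """Date the artifact trail must show as the next required refresher."""
    return record["completed"] + timedelta(days=REFRESHER_DAYS)

# Constructed sample roster: name -> (date assigned to a CUI role, training record or None)
ROSTER = {
    "shop_operator": (date(2023, 6, 5), {"completed": date(2024, 2, 12), "version": "2024-Q1", "score": 90, "acknowledged": True}),
    "office_clerk": (date(2023, 6, 5), {"completed": date(2024, 2, 12), "version": "2023-Q3", "score": 88, "acknowledged": True}),
    "sysadmin": (date(2023, 6, 5), {"completed": date(2024, 2, 12), "version": "2024-Q1", "score": 75, "acknowledged": True}),
    "new_hire": (date(2024, 3, 1), None),
}

def roster_report(today: date) -> dict:
    """Map each person to (status, access permitted) as of `today`."""
    return {name: (s, cui_access_permitted(s))
            for name, (assigned, rec) in ROSTER.items()
            for s in [training_status(rec, assigned, today)]}
```

Calling `roster_report(date(2024, 3, 11))` flags the clerk trained on a superseded version, the administrator who scored below threshold, and the new hire whose five-business-day window has lapsed; only the shop operator's record clears the interlock.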
Download the Full White Paper
Includes the complete regulatory framework analysis, detailed role-tier training specifications, MFA scenario training guidance, shop floor media protection training, competency testing design, records management requirements, and C3PAO assessment expectations.
We Build and Deliver the Training Your Organization Needs
For contractors that do not maintain dedicated training staff, we design the complete CMMC training program, develop the role-specific course materials, deliver instruction directly to employees at every tier, administer competency testing, and provide HR with the documented artifact trail that a C3PAO assessment requires. The program is built around your specific environment, your CUI workflows, and your operational realities rather than generic content adapted from a template.
To discuss a training engagement: dkoran@davidkoran.com | 802-335-2662
The CMMC Decision, Second Edition
Chapter 5 ("The Expertise Gap") examines the training mandate as part of the broader organizational competency challenge. Chapter 7 ("The Dress Rehearsal") addresses how C3PAO assessors interview personnel during mock and formal assessments.