Josh Ablett

Awareness And Training (AT) Guide for CMMC 2.0 Level 2 Compliance

January 17, 2024

Meeting the Awareness and Training (AT) requirements is a necessary part of CMMC 2.0 Level 2 compliance for DoD contractors, and we understand how stressful the process can be. This guide walks through the three AT controls, which mirror the 3.2.x requirements of NIST SP 800-171. For each control we give practical recommendations and examples of the evidence an assessor will expect to see during a CMMC Level 2 assessment.

If you're a small to midsize business and need further guidance, our certified CMMC experts are ready to help. If you find yourself stuck, schedule a free consultation.


AT.L2-3.2.1 – ROLE-BASED RISK AWARENESS

“Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.”

Level Of Effort: Low

Everyone in your organization must understand the security risks tied to their own job, and this applies to managers, systems administrators, and ordinary users alike. They also need to know your security policies, standards, and procedures, because an assessor will check not just that a policy exists but that the people it applies to know about it. This is the foundation of the Awareness and Training family.

Here is a plan for meeting the control, and the proof you should keep for the assessment.

Recommendations:

  • Train your team on cybersecurity and CMMC:
    • Give new employees training on your company's policies and on the security responsibilities of their role, as part of onboarding.
    • Every year, train everyone on insider threats (see AT.L2-3.2.3 – INSIDER THREAT AWARENESS).
    • Run short security awareness training every month. Commercial platforms typically cost around $2-5 per person.
    • Send simulated phishing emails to everyone and measure who clicks and who reports, so you can see whether the training is working.
    • Training platforms such as KnowBe4, Proofpoint, or SANS can supply the content and the tracking.
  • Track who has completed training: keep a record of completion, per person and per course, so you can show that every employee, not just most of them, has been trained within the period your policy requires.
  • Make sure everyone knows and follows your security policy: publish your policies somewhere everyone can reach them (an intranet page or shared drive), cover them in onboarding and annual training, and collect a signed or electronic acknowledgement from each person that they have read, understood, and agree to follow them. Collect a fresh acknowledgement whenever a policy changes materially.

Evidence:

  • Describe the training in your SSP: in your System Security Plan (SSP), include a section that describes the training program (who is trained, on what, how often, and what tool you use).
  • Training completion records: keep lists or reports from your training platform that show who has completed which training and when.
  • Proof that everyone knows the rules: keep documents showing that you distributed your security policies to the team and that the team can access them, together with records showing that each person has acknowledged and agreed to follow them.
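Assessors want to see that training and policy acknowledgements are complete for every person on the roster and current as of the assessment date, not just that a training platform exists. The script below is an added example, not part of the original article or any vendor's product: it reconciles a constructed HR roster against constructed training-completion and policy-acknowledgement records (in practice these would be exports from HR, your LMS, and your policy tool) and reports who is overdue. The rules it applies (annual renewal, a 30-day onboarding window, a current policy version of "2024.1", and an extra course for sysadmins, which also supports AT.L2-3.2.2) are assumptions you would replace with whatever your own policy states.

```python
from datetime import date, timedelta

# Assumed compliance rules (not from the article): adjust to match your policy.
RENEWAL_DAYS = 365            # awareness training must be refreshed annually
ONBOARDING_DAYS = 30          # new hires have this long to finish initial training
CURRENT_POLICY_VERSION = "2024.1"

# Courses required of everyone ("*") plus extra role-based courses (AT.L2-3.2.2).
REQUIRED_COURSES = {
    "*": {"security-awareness", "insider-threat"},
    "sysadmin": {"privileged-admin"},
}

# Constructed sample records for illustration only.
ROSTER = [
    {"user": "alice", "role": "manager",  "start": date(2022, 3, 1)},
    {"user": "bob",   "role": "sysadmin", "start": date(2021, 6, 15)},
    {"user": "carol", "role": "user",     "start": date(2024, 1, 2)},   # new hire
    {"user": "dave",  "role": "user",     "start": date(2020, 9, 9)},
]
TRAINING = [
    {"user": "alice", "course": "security-awareness", "completed": date(2023, 11, 5)},
    {"user": "alice", "course": "insider-threat",     "completed": date(2023, 11, 5)},
    {"user": "bob",   "course": "security-awareness", "completed": date(2022, 12, 1)},  # >1 year old
    {"user": "bob",   "course": "insider-threat",     "completed": date(2023, 12, 1)},
    # bob has no "privileged-admin" record at all
    {"user": "dave",  "course": "security-awareness", "completed": date(2023, 10, 10)},
    {"user": "dave",  "course": "insider-threat",     "completed": date(2023, 10, 10)},
    {"user": "erin",  "course": "security-awareness", "completed": date(2023, 12, 1)},  # not on roster
]
POLICY_ACKS = [
    {"user": "alice", "version": "2024.1", "acked": date(2024, 1, 10)},
    {"user": "bob",   "version": "2024.1", "acked": date(2024, 1, 10)},
    {"user": "dave",  "version": "2023.2", "acked": date(2023, 6, 1)},   # acknowledged an old version
]


def latest_completion(records, user, course):
    """Most recent completion date for a user/course pair, or None."""
    dates = [r["completed"] for r in records if r["user"] == user and r["course"] == course]
    return max(dates) if dates else None


def audit(roster, training, acks, as_of, policy_version=CURRENT_POLICY_VERSION):
    """Return {user: [(status, message), ...]} for everyone with a gap.

    status is "overdue", or "due" for a new hire still inside the onboarding window.
    """
    findings = {}
    for person in roster:
        user, role = person["user"], person["role"]
        in_onboarding = as_of <= person["start"] + timedelta(days=ONBOARDING_DAYS)
        missing_status = "due" if in_onboarding else "overdue"
        issues = []
        required = REQUIRED_COURSES["*"] | REQUIRED_COURSES.get(role, set())
        for course in sorted(required):
            done = latest_completion(training, user, course)
            if done is None:
                issues.append((missing_status, f"{course}: never completed"))
            elif (as_of - done).days > RENEWAL_DAYS:
                expired = done + timedelta(days=RENEWAL_DAYS)
                issues.append(("overdue", f"{course}: expired on {expired}"))
        # Only an acknowledgement of the *current* policy version counts.
        if not any(a["user"] == user and a["version"] == policy_version for a in acks):
            issues.append((missing_status, f"policy {policy_version}: not acknowledged"))
        if issues:
            findings[user] = issues
    return findings


def orphaned_records(roster, training, acks):
    """Users with training or acknowledgement records but no roster entry.

    These are usually leavers or mismatched identifiers; either way they weaken the
    evidence and are worth reconciling against your account inventory.
    """
    on_roster = {p["user"] for p in roster}
    return sorted({r["user"] for r in training + acks} - on_roster)


if __name__ == "__main__":
    as_of = date(2024, 1, 17)
    for user, issues in sorted(audit(ROSTER, TRAINING, POLICY_ACKS, as_of).items()):
        for status, message in issues:
            print(f"{status:8} {user:8} {message}")
    print("records with no roster entry:", orphaned_records(ROSTER, TRAINING, POLICY_ACKS))
```

Run it on the assessment date and keep the output with the training-platform export it was generated from; the pair shows the assessor both the raw records and that someone actually checks them. The "due" entries for new hires are intentional: a hire inside the onboarding window is not a finding yet, but it will become one if you do not follow up.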

AT.L2-3.2.2 – ROLE-BASED TRAINING

“Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”

Level Of Effort: Medium

This control applies mainly to your IT and security staff rather than to every employee. You have to make sure the people who operate your IT and security tooling are trained to use it, and that their training matches the duties assigned to them in your SSP and policies. Record every piece of training they complete, even self-paced video courses, with the person, the topic, and the date. Encouraging them to pursue recognized IT and security certifications is also a good idea, and the certificates double as evidence.

AT.L2-3.2.3 – INSIDER THREAT AWARENESS

“Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

Level Of Effort: Low

Teaching your team to notice and report signs of insider threats helps protect your workplace. This training is key to maintaining a secure environment. Here’s how to conduct this training and the evidence you need to show compliance.

Recommendations:

  • Use the Department of Defense's online training: the free DoD Insider Threat Awareness Course covers the indicators and the reporting obligations, and it costs nothing.
  • Create a clear reporting procedure: make sure everyone knows the steps and channels for reporting suspicious internal activity, including who receives the report and what happens next.

Evidence:

  • Record of training attendance: maintain a log of who took the insider threat training and on what date, and keep any completion certificate the course issues.
  • Procedure documentation: keep clear, accessible documentation that explains how and where employees report insider threat indicators.