When contractors start working through CMMC Level 2, the training controls often get skipped or misunderstood in one of two ways: either they assume they need to hire an approved training vendor (they don't), or they treat it as a checkbox they'll handle later (assessors will notice). Here's exactly what the three AT controls require — and what you actually need to have ready when an assessor shows up.
The Three AT Controls You Need to Satisfy
CMMC Level 2 includes three practices in the Awareness & Training (AT) domain, all drawn from NIST SP 800-171:
Security Awareness — everyone
All users must understand the security risks of their activities and the policies that apply to them. Annual training plus refresh on role change.
Role-Based Training — admins & managers
Anyone with assigned security duties — system admins, IT staff, supervisors — needs training matched to those duties: account management, patching, log review, change control.
Insider Threat Awareness — everyone
Users must be trained to recognize and report potential insider threat indicators. The defense industrial base is a standing target — small subs included.
The Big Myth: You Don't Need an Approved Training Vendor
A common and expensive misconception: contractors assume CMMC requires a certified or approved training provider for workforce training. It doesn't.
This matters because many contractors spend money they don't need to spend on third-party training subscriptions, when what they actually need to produce is better records from whatever training they already do.
What Assessors Actually Look For
A C3PAO assessor evaluating your AT controls isn't watching your training videos. They're looking for objective evidence that training happened. That means:
- Completion records per person — who completed which training, when, with what result. A spreadsheet with names and dates is the minimum. Quiz scores or certificates per person are better.
- Content coverage — evidence that the training actually covered what the control requires. For AT.L2-3.2.1: CUI handling, phishing, passwords, physical security, incident reporting. For AT.L2-3.2.3: specific insider threat indicators and reporting channels.
- Role mapping — for AT.L2-3.2.2, records showing which users have security duties and that those specific users received role-appropriate training.
- A documented training policy — a written policy that defines who must be trained, on what, how often, and what happens if they don't complete it. Without this, even perfect completion records look like a one-time event rather than a program.
- Cadence evidence — records from multiple years showing this is recurring, not a cram session before your assessment.
"Not documented = Not Met" is the most important phrase in CMMC. A training program with no records satisfies nothing. A simple training program with complete records satisfies the control.
What Counts as Acceptable Training Content
Assessors don't have a mandatory list of topics — they evaluate whether your training is consistent with the control's stated objective. In practice, acceptable content for each control looks like this:
AT.L2-3.2.1 — Security Awareness
- How to identify and handle CUI (Controlled Unclassified Information)
- Phishing and social engineering recognition
- Password policies and multi-factor authentication requirements
- Physical security in areas where CUI is accessed
- How to report a suspected security incident
- Acceptable use of company systems and data
AT.L2-3.2.2 — Role-Based Training
- Least privilege and need-to-know principles (for admins managing accounts)
- Account lifecycle procedures: provisioning, deprovisioning, access review
- System change control and configuration management
- Log review and security monitoring responsibilities
- Patch management obligations for IT staff
AT.L2-3.2.3 — Insider Threat Awareness
- Indicators of potential insider threat activity (unusual data access, external file transfers)
- The difference between an accidental insider and a malicious one
- How to report concerns — who to contact and when
- Why the defense industrial base is specifically targeted
How Often Does Training Need to Happen?
Annual training for all three controls is the widely accepted cadence and what most assessors expect to see. Beyond annual refreshes, training is also expected on role change — when a user takes on security duties they didn't previously have, role-based training should precede or accompany that change, not lag months behind it.
The key is that training must look like an ongoing program, not a one-time event. If your completion records are all from the same week three years ago, that's going to be a problem regardless of the content quality.
The Minimum Viable Training Setup for a Small Contractor
For a small defense sub with 10 or fewer employees, here's what actually satisfies all three controls without overengineering it:
- A written training policy that defines who must train, what they must cover, and how often
- Annual security awareness training for everyone — can be self-hosted slides with a short quiz
- A separate role-based module for anyone who has admin access or security responsibilities
- Insider threat awareness included in the annual training (can be a single module, not separate training)
- A completion log: name, date, module, pass/fail — kept for each cycle
- Records going back at least 12 months before your assessment date
That's it. You don't need an LMS, you don't need a training vendor, and you don't need to spend $10,000. You need records — and a program that will still be running next year.
What Happens If Your Training Records Are Missing
AT controls are among the more straightforward to satisfy — but also among the easiest to fail on evidence. If a control is scored "Not Met" at your C3PAO assessment, it goes into a POA&M (Plan of Action & Milestones). Under the current CMMC rules, you can still receive conditional certification with open POA&M items — but the items must be remediated within 180 days, and assessors can and do re-examine them.
The more practical problem: if you're missing training records going into your assessment, you can't retroactively create them for prior periods. You can start the program and document it going forward, but there's no substitute for records that predate the assessment by at least one full cycle.
Start the records now, even if the training itself is simple. The date on the records is what assessors are most interested in.