Level 2 demands annual awareness training, role-based training for admins, and insider threat awareness — with records an assessor can verify. CMMCMAP Pro builds all three courses in, and writes the evidence for you.
Start Free Trial →Three practices in the Awareness & Training (AT) family of NIST SP 800-171. Assessors verify each one with objective evidence — your training records.
All users must be made aware of the security risks of their activities and the policies and procedures that apply. In practice: annual training plus refresh on role change, covering CUI handling, phishing, passwords, physical security, and incident reporting.
Anyone with assigned security duties — system administrators, IT staff, supervisors — needs training matched to those duties: least privilege, account lifecycle, change control, log review, patching.
Users must be trained to recognize and report potential insider threat indicators. The DIB is a standing target for foreign intelligence collection — small subs included.
NIST SP 800-171 lets your organization define its own training content and delivery. What gets scored is the record: dated, named, role-tagged completions tied to your documented policies. The CMMC "approved training provider" ecosystem (CCP/CCA) applies only to people becoming assessors — never to your workforce. A documented in-house program with tracked completions fully satisfies the AT family.
Other tools track whether you bought training somewhere else. CMMCMAP just includes it.
No. The organization defines content and delivery under NIST SP 800-171. Assessors examine your training material, your policy mandating it, and your completion records. "Authorized training providers" exist only in the assessor-certification ecosystem (CCP/CCA candidates), not for contractor workforces.
The rule says "periodically." The cadence assessments consistently accept is annually, plus training before system access for new hires and refresh when roles change. CMMCMAP records carry a 12-month validity date and the app flags expirations ahead of time.
Typically: the training content itself, the policy that mandates it, and completion records showing each person — by name, date, and role — completed the right courses. CMMCMAP exports training records and policy acknowledgments straight into the audit bundle alongside your SSP and POA&M.
Yes — external training works fine for CMMC, and CMMCMAP's document and evidence tooling doesn't care where training happened. The built-in courses just mean one less subscription and records that flow into your evidence bundle automatically.
Level 1 has no explicit training practice, but training your team is still the cheapest risk reduction available — and if CUI ever enters your environment, you'll already meet the L2 AT family.
Three courses, every completion tracked, evidence exported — inside the same tool that writes your SSP.
Start Free Trial See Pricing