Awareness and Training 3.2.2
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
What Is This CMMC Control?
This control requires organizations to provide security training to all personnel based on their specific job duties and responsibilities. The training must be tailored to each person's role, whether they are administrators, developers, managers, or end users. Training content and frequency should match the security requirements of the systems people access and the sensitivity of information they handle. This ensures everyone understands their security responsibilities and how to fulfill them properly.
Control Intent
To ensure that all personnel understand and can properly execute their assigned information security duties and responsibilities through appropriate, role-based training.
Who This Control Applies To
- All personnel with information security-related duties or responsibilities
- System administrators and network administrators
- Software developers and system developers
- Security personnel and assessors
- Management personnel with security oversight responsibilities
- Personnel with access to CUI or systems processing CUI
- Acquisition and procurement officials
- Configuration management personnel
- Personnel conducting audits or independent verification
- Systems integrators and enterprise architects
Not Applicable When
- Personnel have no assigned information security duties or responsibilities
- Personnel have no access to CUI or systems processing CUI
- Contractors or third parties are responsible for all security functions (though training requirements may still apply through contractual obligations)
Key Objectives
1. Personnel receive security training appropriate to their assigned duties and responsibilities.
2. Training content addresses the specific security requirements of the systems and information that personnel access.
3. Training frequency is sufficient to maintain personnel competency in security-related duties.
4. Role-based training covers management, operational, and technical security responsibilities.
Sample Self-Assessment Questions (Partial)
Do you provide security training to employees who handle sensitive information or have system access?
How often do employees receive security training?
Implementation Approaches (High-Level)
Role-Based Training Program with LMS Tracking
Establish a formal training program with role-specific modules delivered through a Learning Management System (LMS) that tracks completion and maintains records.
Documented Training Requirements with Manual Tracking
Define role-based training requirements in policy and track completion through manual records such as spreadsheets, sign-in sheets, or training certificates.
Vendor-Provided Training with Internal Supplementation
Leverage vendor-provided security training platforms supplemented with organization-specific training for unique systems, policies, or procedures.
Continuous Training Program with Microlearning
Implement ongoing security training through short, frequent microlearning modules delivered throughout the year rather than annual comprehensive training.
Blended Training Approach with Hands-On Components
Combine multiple training methods including classroom, online, hands-on labs, and simulations to address different learning styles and role requirements.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If a formal training program does not exist, develop role-based training requirements and an implementation plan with specific milestones.
- If training is not role-based, create a role matrix and map specific training requirements to each role within 90 days.
- If training completion is not tracked, implement a tracking system (LMS or manual) and document all historical training within 60 days.
- If specialized technical training is missing, identify technical roles and develop or procure appropriate training within 120 days.
- If training frequency is inadequate, establish a training schedule with defined intervals and begin implementation immediately.
- If training content is outdated, conduct a content review and update within 90 days, then establish a regular review cycle.
- If training is not enforced, implement an enforcement mechanism (e.g., access tied to training completion) within 60 days.
- Interim compensating controls: increase supervision of personnel without current training, implement additional monitoring, and require documented acknowledgment of security responsibilities.
- Document specific training gaps by role and prioritize them based on risk and personnel access levels.
- For small organizations, consider starting with a vendor training platform while developing organization-specific supplemental content.
Frequently Asked Questions
What is the difference between security awareness training (3.2.1) and role-based training (3.2.2)?
Security awareness training (3.2.1) provides general security knowledge to all personnel about threats, policies, and basic security practices. Role-based training (3.2.2) is more specific and tailored to the actual security duties and responsibilities of each person's job. For example, a system administrator would receive specialized training on secure configuration and access control management, while a general user would receive basic awareness training.
How often must security training be provided to personnel?
Training frequency must be based on the assigned duties, roles, and responsibilities of individuals and the security requirements of the organization. There is no single mandated frequency. Organizations must determine appropriate intervals based on risk, role criticality, and how quickly security requirements or threats change. Common approaches include annual training for general users and more frequent training (quarterly or semi-annual) for technical or high-risk roles.
Do all employees need the same level of security training?
No. Training must be tailored to each person's assigned information security-related duties and responsibilities. Personnel with more extensive security duties (like administrators or developers) require more detailed and technical training than general users. The control specifically requires that training content and depth match the role and the systems or information the person will access.
Can we use vendor-provided training to satisfy this control?
Yes, vendor-provided training can satisfy this control if it is appropriate for the assigned duties and responsibilities of your personnel and covers the security requirements of your organization and systems. However, vendor training should typically be supplemented with organization-specific training covering your unique policies, procedures, and systems. You must still track completion and ensure the training content meets your role-based requirements.
What happens if an employee does not complete required security training?
Organizations must enforce training requirements. Common approaches include preventing system access until training is completed, escalating to management, or implementing additional supervision as a compensating control. The specific enforcement mechanism should be defined in your training policy. During an assessment, assessors will verify that training requirements are actually enforced, not just documented.
Do contractors and third-party personnel need security training?
Yes, if contractors or third-party personnel have assigned information security-related duties or responsibilities, or if they have access to CUI or systems processing CUI, they must receive appropriate security training. This can be accomplished through your own training program or by requiring contractors to provide equivalent training and documentation. Training requirements for contractors should be included in contracts or agreements.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Ready to Get Full Guidance?
Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.
Information sourced from NIST SP 800-171 Rev. 2.