Awareness and Training 3.2.3 (3.2.3)

Provide security awareness training on recognizing and reporting potential indicators of insider threat.


What Is This CMMC Control?

This control requires organizations to train employees on recognizing and reporting warning signs of insider threats—employees or contractors who might intentionally or unintentionally harm the organization. Training must cover behavioral indicators like unusual access requests, job dissatisfaction, policy violations, and workplace misconduct, and explain how to report concerns through proper channels. The goal is to create a workforce that can identify and escalate potential insider risks before they result in data breaches, sabotage, or other security incidents.

Control Intent

To establish a workforce capable of identifying behavioral and technical indicators that may signal insider threat activity, and to ensure employees know how to report concerns through appropriate organizational channels, thereby enabling early detection and mitigation of insider risks to CUI and organizational systems.

Who This Control Applies To

  • All employees, contractors, and third-party personnel with access to CUI or organizational systems
  • Managers and supervisors responsible for overseeing personnel with CUI access
  • Human resources personnel involved in personnel security and incident response
  • Security personnel responsible for monitoring and investigating insider threat indicators
  • New hires during onboarding and existing personnel during annual or periodic refresher training

Not Applicable When

  • The organization has no employees or contractors with access to CUI (extremely rare)
  • The organization operates entirely through automated systems with no human access to CUI (theoretical only)
  • Personnel have already received equivalent insider threat awareness training from another organization within the same training cycle, and documentation is available (inheritance scenario)

Key Objectives

  1. Employees can recognize behavioral and technical indicators that may signal insider threat activity.
  2. Employees understand how to report potential insider threat concerns through established organizational channels.
  3. Training content is tailored to roles and responsibilities, with managers receiving guidance on team behavior changes and employees receiving general observation training.
  4. The organization maintains awareness of insider threat risks across all personnel with access to CUI or organizational systems.

Sample Self-Assessment Questions (Partial)

Does your organization provide security awareness training that specifically covers insider threat indicators?

Does your training explain how employees should report suspected insider threat activity?

Implementation Approaches (High-Level)

Role-Based Insider Threat Awareness Training Program

Structured training program with separate modules for general employees and managers, covering behavioral and technical indicators, reporting procedures, and organizational response processes.

Integrated Insider Threat Awareness Campaign

Continuous awareness program combining formal training with ongoing communications, simulations, and real-world case studies to reinforce insider threat recognition and reporting.

Third-Party Insider Threat Training Integration

Leveraging externally developed insider threat training content from reputable providers, customized with organization-specific reporting procedures and policies.

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • If insider threat awareness training is not currently provided, develop a POA&M with milestones for creating or procuring training content, establishing reporting procedures, and delivering training to all personnel with CUI access within 6-12 months.
  • If training is provided but does not cover specific insider threat indicators or reporting procedures, develop a POA&M to update training content and re-train all personnel within 3-6 months.
  • If training completion is not tracked or enforced, develop a POA&M to implement tracking mechanisms and ensure all personnel with CUI access complete training within 3-6 months.
  • If training is not role-based (managers vs. employees), develop a POA&M to create differentiated training content and deliver role-specific training within 6-9 months.
  • If reporting procedures are unclear or not well-communicated, develop a POA&M to document and communicate reporting channels within 1-3 months.
  • If training is delivered only during onboarding with no periodic refresher, develop a POA&M to establish annual or periodic refresher training requirements and deliver initial refresher training within 6-12 months.
  • POA&M milestones should include specific deliverables such as training curriculum development, reporting procedure documentation, training delivery completion, and tracking system implementation.
  • The POA&M should address both immediate gaps (e.g., training personnel who have not received insider threat awareness training) and systemic improvements (e.g., establishing an ongoing training program and tracking mechanisms).
  • Consider a phased approach for large organizations, prioritizing personnel with the highest CUI access or privileged system access for initial training delivery.
  • The POA&M should include coordination with HR and legal functions to ensure reporting procedures align with organizational policies and legal requirements.

Frequently Asked Questions

What specific insider threat indicators must be covered in the training?

Training must cover behavioral indicators such as inordinate job dissatisfaction, attempts to gain unauthorized access to information, unexplained access to financial resources, bullying or harassment, workplace violence, and serious policy violations. Training should also address technical indicators like abnormal system access patterns or data exfiltration attempts. The specific indicators covered should be tailored to the organization's environment and risk profile.

Do we need different training for managers versus general employees?

Yes, the supplemental guidance explicitly states that organizations may consider tailoring insider threat awareness topics to the role. Manager training should focus on specific changes in behavior of team members, while employee training may focus on more general observations. This role-based approach improves the effectiveness of insider threat detection by leveraging managers as first-line observers.

How often must insider threat awareness training be delivered?

The control does not specify a frequency, but industry best practice and CMMC assessment expectations typically require insider threat awareness training during onboarding and annually thereafter. Organizations should establish and document their training frequency in policy and ensure all personnel with CUI access receive training according to that schedule.

What constitutes adequate reporting procedures for insider threat concerns?

Adequate reporting procedures must provide clear, accessible channels for employees to report concerns (e.g., supervisor, HR, security team, anonymous hotline) and must be communicated to all personnel through training and ongoing awareness activities. Procedures should address confidentiality, non-retaliation, and what happens after a concern is reported to encourage employees to come forward with observations.

Can we use generic security awareness training to satisfy this control?

No, generic security awareness training that does not specifically address insider threat indicators and reporting procedures will not satisfy this control. The training must explicitly cover behavioral and technical indicators of insider threat and explain how to report concerns through organizational channels. Generic training focused only on external threats or technical security topics is insufficient.

What if an employee reports an insider threat concern that turns out to be unfounded?

Organizations should encourage reporting of potential insider threat indicators even if concerns turn out to be unfounded. Training should emphasize that employees will not face retaliation for good-faith reports, and the organization should investigate all reports professionally and confidentially. The goal is to create a culture where employees feel comfortable reporting concerns without fear of negative consequences.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.


Information sourced from NIST SP 800-171 Rev. 2. See full disclaimer.