CMMC Compliance
CMMC Security Awareness Training: Requirements, Frequency, and Evidence
CMMC security awareness training is a Level 2 requirement— not a Level 1 one — and it’s really three separate security requirements hiding under one phrase: general risk-and-policy awareness (AT.L2-3.2.1), role-based training for people with assigned security duties (AT.L2-3.2.2), and insider-threat recognition and reporting (AT.L2-3.2.3). The controlling sources don’t name a specific frequency at Level 2 — your organization decides and documents that — and the minimum evidence isn’t just completion records.
Two of those three requirements are worth 5 points each, and neither can be carried on a Plan of Action and Milestones. In plain terms, you can’t defer them and clean them up later — if either is still NOT MET when your result is finalized, you don’t qualify for even a Conditional Level 2 status. The third requirement is worth 1 point and can be deferred, within limits.
Which CMMC path needs security awareness training — the quick version
| Your CMMC path | Security awareness training answer |
|---|---|
| Level 1 (Self) — FCI only | No standalone Awareness and Training requirement |
| Level 2 (Self) — CUI, self-assessed | All three requirements apply (3.2.1, 3.2.2, 3.2.3) |
| Level 2 (C3PAO) — CUI, third-party assessed | The same three requirements; a C3PAO assesses and your evidence artifacts must be hashed |
| Level 3 (DIBCAC) — most sensitive CUI | Everything at Level 2, plus two enhanced requirements from NIST SP 800-172 |
Is this the “CMMC training” you’re actually looking for?
| What you’re after | Where to go |
|---|---|
| Employee/workforce Awareness & Training requirements | Stay on this page |
| CCP / CCA / CCI professional certification | CCP & CCA training paths guide (ISACA/CAICO) |
| Executive “what is CMMC” overview | CMMC Final Rule explainer |
What does CMMC security awareness training actually require?
AT.L2-3.2.1 — Risk and policy awareness
Managers, system administrators, and system users are made aware of the security risks of their activities andof your organization’s applicable policies, standards, and procedures. Two of its four assessment objectives are specifically about your rules — not abstract threats — which is exactly what generic content tends to skip.
AT.L2-3.2.2 — Role-based training
Personnel are trained to carry out the information-security duties assigned to them. This is the requirement a company-wide phishing course is least equipped to satisfy, because it isn’t about everyone — it’s about the specific people with security responsibilities (admins, account approvers, incident responders) being trained on their actual duties, tools, and procedures.
AT.L2-3.2.3 — Insider-threat awareness
Training covers recognizing and reporting the potential indicators of an insider threat. People need to know the indicators and know your reporting channel. The DoD Level 2 Assessment Guide is explicit that this does not require a separate insider-threat course; it can be integrated into your standard awareness program.
The CMMC Awareness & Training Compliance Matrix
| Requirement | What it requires (plain English) | Point value if NOT MET | Can it stay on a POA&M? | What an assessor may examine / interview / test | How it fails |
|---|---|---|---|---|---|
| AT.L2-3.2.1 | Managers, admins, and users know the risks of their activities and your applicable policies, standards, and procedures | 5 | No. POA&Ms are limited to 1-point requirements (170.21) | Examine: awareness policy, procedures, curriculum, role map, training records, SSP, refresher records. Interview: training owner, users, managers. Test: the training-management mechanism | Generic content that covers risks but not your specific policies; draft or unapproved policy as evidence |
| AT.L2-3.2.2 | People with assigned security duties are trained to actually perform them | 5 | No. Same rule | Examine: role/duty documentation, role-based training records, SSP. Interview: training owner and assigned security-role personnel. Test: the training-management mechanism | Everyone took the same course — no differentiated training for admins, approvers, or responders on their real tools |
| AT.L2-3.2.3 | Training covers recognizing and reporting insider-threat indicators | 1 | Potentially — 1 point, not in the six named exclusions; requires score ≥88 and closure in 180 days (170.21) | Examine: insider-threat awareness content, reporting procedure, records. Interview: training owner, managers, employees. Test: the insider-threat training mechanism | Explaining insider threat in the abstract without naming your specific reporting channel |
Which CMMC level requires security awareness training?
| Your CMMC path | Security awareness training answer | Assessed / entered where |
|---|---|---|
| Level 1 (Self) | No standalone Awareness and Training control. Level 1 is the 15 basic safeguards at 48 CFR 52.204-21(b)(1)(i)–(xv) — none is a training requirement. | Self-assessment result entered in SPRS |
| Level 2 (Self) | All three requirements (AT.L2-3.2.1, 3.2.2, 3.2.3) apply; you assess yourself | Self-assessment result entered in SPRS |
| Level 2 (C3PAO) | The same three requirements; a Certified Third-Party Assessment Organization (C3PAO) performs the assessment and your evidence artifacts must be hashed | C3PAO enters results in CMMC eMASS → transmitted to SPRS |
| Level 3 (DIBCAC) | Everything at Level 2, plus AT.L3-3.2.1e and AT.L3-3.2.2e | DIBCAC enters results in CMMC eMASS → transmitted to SPRS |
The DFARS clauses that actually govern this
- DFARS 252.204-7012 — Requires safeguarding of covered defense information, implementation of NIST SP 800-171, 72-hour cyber-incident reporting, and subcontract flow-down.
- DFARS 252.204-7019 — An offeror subject to NIST SP 800-171 must have a current DoD Assessment score posted in SPRS before award.
- DFARS 252.204-7020 — Requires cooperation with Government Medium or High NIST SP 800-171 DoD Assessments and governs score posting.
- DFARS 252.204-7021 — The contract clause — requires the contractor to maintain the inserted CMMC Status, complete and maintain annual affirmations in SPRS, and flow the appropriate CMMC requirement to covered subcontracts.
- DFARS 252.204-7025 — The solicitation provision where the contracting officer inserts the required level and assessment type. Effective November 10, 2025.
The part vendor pages skip: can training requirements go on a POA&M?
Under 32 CFR 170.21(a)(2), you can only reach a Conditional Level 2 status if two things are true: your assessment score divided by 110 is at least 0.8 (a minimum of 88 points), and none of the requirements left on your POA&M is worth more than 1 point.
| Requirement | Point value if NOT MET | Stays on a POA&M? | Can it be re-evaluated before the Findings Report? |
|---|---|---|---|
| AT.L2-3.2.1 | 5 | No | Yes — see the 10-day window below (C3PAO path) |
| AT.L2-3.2.2 | 5 | No | Yes — same window (C3PAO path) |
| AT.L2-3.2.3 | 1 | Potentially (score ≥88; closed in 180 days) | Yes — same window (C3PAO path) |
The 10-day re-evaluation window (C3PAO path only)
In a Level 2 C3PAO assessment, 32 CFR 170.17(c)(2) lets a NOT MET requirement be re-evaluated during the active assessment and for 10 business days afterward, if three conditions hold: additional evidence is available to show the requirement is MET, that evidence doesn’t reduce the effectiveness of another already-MET requirement, and the CMMC Assessment Findings Report hasn’t been delivered. A Level 2 self-assessment has no corresponding re-evaluation process.
The accurate takeaway: your risk-awareness and role-based training can’t remain NOT MET when the result is finalized. The 10-day window is for producing evidence that already exists — not for building a training program you never ran.
Free DoD resources can go further than most vendors admit
The DoD Cyber Awareness Challenge and CDSE’s free courses cover much of the general-awareness and insider-threat material, and the Assessment Guide lists posters, briefings, and advisories as legitimate awareness techniques. But free content can’t teach your company’s own policies (the back half of 3.2.1), train your specific security roles on your specific tools (3.2.2), or keep your records. Those are what an assessor scores.
How often is CMMC security awareness training required?
NIST SP 800-171 Rev. 2’s discussion for the AT family leaves content and frequency to the organization, and the DoD Level 2 Assessment Guide echoes it. So if a vendor tells you Level 2 requiresannual training — or monthly — they’re importing a rule that isn’t there. You set the cadence, then you’re assessed against your own policy plus the objectives.
| Program event | Binding Level 2 interval? | DCR recommended baseline |
|---|---|---|
| New user or manager onboarding | No fixed interval stated | Train before they independently use the in-scope system |
| Periodic refresher | Refresher contemplated; no interval set | At least annual, unless your risk assessment justifies otherwise — and document that reasoning |
| A person takes on a new security duty | Role-dependent, not a set interval | Train before they independently perform the new duty |
| Material change to a system or tool | Not an express interval | Retrain the affected roles when their procedure changes |
| Policy or reporting-route change | Not an express interval | Update and redistribute the affected content promptly |
| Significant cyber event | Explicit trigger at Level 3, not Level 2 | Consider targeted retraining if the event exposed a real gap |
Who has to take CMMC security awareness training?
The Role-to-Training Matrix
| Role / persona | Which requirements reach them | The organization-specific piece to train | Evidence that helps |
|---|---|---|---|
| General in-scope system user | 3.2.1 awareness; 3.2.3 insider awareness | Your acceptable-use, incident-reporting, and CUI-handling rules | Completion record + interview-ready understanding of your process |
| Manager | 3.2.1 and 3.2.3; 3.2.2 if assigned security duties | Policy enforcement, escalation, access-approval responsibilities | Manager curriculum, acknowledgment, interview notes |
| System / network administrator | 3.2.1 plus substantial 3.2.2 | Privileged access, configuration, logging, account management, incident steps — on your actual tools | Role description, tool-specific training, a demonstration |
| Help desk | 3.2.1; 3.2.2 if assigned identity/account/incident duties | Identity verification, password reset, escalation, suspicious-ticket handling | Procedure training, an observed workflow |
| Security / incident-response staff | 3.2.2 plus general and insider awareness | Monitoring, triage, reporting, containment, evidence handling | Role assignment, exercise or procedure evidence |
| Developer / integrator | 3.2.2 where duties affect in-scope systems | Secure configuration, change control, deployment procedure | Duty mapping, project/tool-specific training |
| Human resources | 3.2.3; 3.2.2 where assigned relevant duties | Insider-report intake, escalation, confidentiality | Defined role and reporting-process training |
| Contracts / program staff | 3.2.1 and 3.2.2 where duties touch CUI or flow-down | Contract markings, authorized sharing, flow-down escalation | Role curriculum, a scenario response |
| Shop-floor / CNC operator | Depends on system access, CUI handling, and role | Physical CUI, shared terminals, removable media, the reporting route | Shift-friendly delivery record + verbal/interview evidence |
| Temporary worker or contractor | Depends on access and duties, not payroll label | The same local rules and duties that apply to equivalent staff | Access-linked roster, acknowledgment, role training |
| Executive / owner | 3.2.1 and 3.2.3; 3.2.2 where assigned governance duties | Risk acceptance, policy approval, affirmation support | Approved policy, interview readiness |
What counts as role-based training under AT.L2-3.2.2?
The sequence that works: define the duty before you pick the training. Build a short role inventory — role name, the person or group assigned, the specific security duty, the relevant system or process, the governing policy, the training needed, the refresher trigger, and who owns the evidence. Once duties are defined and assigned, “adequately trained to perform them” becomes something you can demonstrate.
The distinction the Assessment Guide draws: awareness directs attention and influences behavior; role-based training provides the knowledge and skills for a specific job. A firewall administrator needs training on privileged-account use, secure configuration, logging, and your incident-escalation steps. A help-desk tech needs your identity-verification and account-recovery procedure. A manager needs your access-approval and policy-enforcement process. None of that comes from a company-wide phishing video.
What evidence will a CMMC assessor examine, interview, and test?
Examine
- Approved (final, not draft) awareness policy
- Implementation procedures
- Curriculum and materials
- Audience/role map
- Training records
- SSP references
- Refresher and change records
- Insider-threat reporting procedure
Interview
- Training program owner
- Person responsible for role-based training
- Security-role personnel
- Ordinary users
- Managers
- Administrators
Test
- How a person maps to a role
- How a changed duty triggers retraining
- How overdue training is flagged
- Assigned staffer walks the relevant procedure and reporting route
The retention rule that corrects a common mistake
The fields that make training evidence assessment-ready: name, role, content title and version, delivery method, completion date, proof of completion, policy-acknowledgment date, and the next-refresher date. A roster with those columns gives you a useful, retrievable core of the “examine” evidence — though it won’t, on its own, prove your policies, assigned duties, curriculum, SSP treatment, or every objective.
Does the free DoD Cyber Awareness Challenge count for CMMC?
A key records nuance the blanket “CDSE keeps no records” claim gets wrong: CDSE’s Security Awareness Hub does notretain completion records — users must save or print the certificate — while courses completed through STEPP are recorded in the user’s transcript and remain retrievable.
| Training source | 3.2.1 awareness | 3.2.2 role-based | 3.2.3 insider threat | Teaches your policies? | Keeps your records? | Typical cost |
|---|---|---|---|---|---|---|
| DoD Cyber Awareness Challenge (DS-IA106.06) | May support | No | May support | No | No — user saves certificate | $0 |
| CDSE Insider Threat Awareness (INT101.16) | Limited | No | May support | No | Hub: no · STEPP: yes (transcript) | $0 |
| CDSE Cybersecurity Awareness / general courses | May support | No | Limited | No | Depends on Hub vs. STEPP | $0 |
| Commercial SAT platforms (e.g., KnowBe4, Proofpoint, SANS — illustrative) | Typically | Partial (role modules exist; duty assignment is still yours) | Usually — confirm the module | Only if you upload custom content | Yes — LMS exports | Varies by seat count, term, and modules |
| MSP/RPO-bundled training | Typically | Typically | Typically | Yes, if built | Yes | Bundled into managed-service fees |
| DIY internal program | If built | If built | If built | Yes | Only if you build the discipline | Lowest cash, highest time |
Our editorial read: a small contractor can cover the contentof 3.2.1 and 3.2.3 at low or no cost with government courseware plus organization-specific material. But 3.2.2’s role-based training, your own policy content, your reporting process, and the records for all three are always organization-specific work no product fully absorbs. Buy a platform for what it genuinely does — delivery automation, phishing simulation, and clean records — not for a compliance result it can’t confer.
Do you need a “CMMC-approved” training vendor? Build vs. buy vs. managed
The quick routing map for the most common situations:
| If your situation is… | Consider | The gap to watch |
|---|---|---|
| Small team, low complexity, IT-literate owner | DIY with DoD/CDSE content + custom policy module + spreadsheet records | Role-based training and evidence discipline for all three requirements |
| You have a commercial SAT platform | Keep it; close the gaps it can't fill | Custom policy content, role-based training for security staff, records for offline workers |
| No security lead; still building | RPO or managed service with training included | Confirm they deliver all three requirements, not just a phishing platform |
| You already have an MSSP | Ask if the MSSP delivers 3.2.2 training, not just detection | 3.2.2 often falls between IT services and compliance — confirm ownership |
| Heading into a C3PAO assessment | Full readiness review before training is the last thing you fix | Evidence is hashed; confirm the C3PAO hasn't also been your readiness consultant |
What changes for CMMC Level 3 security awareness training?
| Element | Level 2 (AT.L2-3.2.1–3.2.3) | Level 3 additions (AT.L3-3.2.1e / 3.2.2e) |
|---|---|---|
| Cadence | Organization-defined | Initial hire, after a significant cyber event, and at least annually |
| Threat focus | General risks and policies | Social engineering, advanced persistent threats, breaches, suspicious behavior |
| Practical exercises | Not required | Required, tailored by role (general, specialized, privileged), aligned to current threats |
| Feedback | Not required | Required — to participants and their supervisors |
| Content updates | As the org determines | At least annually or when the threat picture shifts |
| Assessor | Self or C3PAO | DIBCAC only |
| Prerequisite | — | Final Level 2 (C3PAO) on an equal-or-subset scope |
Do CMMC training requirements flow down to subcontractors?
The practical points: the flow-down level isn’t automatically the prime’s level — it tracks the FCI/CUI the sub will actually handle. And DoD has said it will not share a subcontractor’s CMMC information with the prime, so subs post their own results and affirmations in SPRS. If you’re a sub, your training obligations are set by the level in your subcontract — confirm it, don’t assume it.
Do CMMC training records get uploaded to SPRS?
For Level 2 (Self), the organization enters the self-assessment result in SPRS. For Level 2 (C3PAO), the C3PAO enters assessment information — including the artifact names, hash values, and hashing algorithm — into the CMMC instantiation of eMASS, which transmits the applicable result to SPRS (32 CFR 170.17). In both cases, the contractor separately enters and maintains the annual affirmation in SPRS.
What does CMMC security awareness training cost?
- Courseware — $0 with DoD/CDSE resources, or a per-seat platform fee.
- Custom policy module — Your acceptable-use, incident-reporting, and CUI-handling content (labor).
- Role-based training — The 3.2.2 work for admins, approvers, and responders (labor, and the least compressible cost).
- Delivery — Including instructor-led or shift-based delivery for offline/production staff.
- Records administration — Rosters, versioning, retention (labor).
- Phishing simulation — Optional; a platform feature, not a requirement.
- Evidence maintenance — Keeping it final, current, and retrievable for six years.
- Managed support — If you outsource the program.
The mistakes that create assessment risk
- 1Treating one general course as all three requirements. Awareness (3.2.1) and role-based training (3.2.2) are different objectives with different audiences — and both are 5-point, non-deferrable. A single general-awareness video doesn't, on its own, demonstrate every objective unless it also addresses your policies, the relevant populations, assigned duties, insider-threat reporting, and the required evidence.
- 2No documented security-duty inventory. If duties aren't defined and assigned, you can't show the right people were trained to perform them. This is a high-consequence gap because 3.2.2 is worth five points and can't stay on a POA&M.
- 3Policy and records that disagree. Policy says annual but completion dates are older; policy covers contractors but the roster excludes them; the curriculum version is newer than the completion evidence.
- 4No local reporting route for insider threat. Explaining insider threat in the abstract is weak evidence if people can't name your approved reporting channel.
- 5Leaving out non-email or production staff. Shift workers, shared terminals, and CNC operators can be in scope by access — don't exclude them by default.
- 6Draft or unapproved documents. 170.24(b)(1) requires final evidence to support a MET finding.
- 7Confusing the annual affirmation with an annual training rule. The affirmation attests to continuing compliance; it doesn't set your Level 2 training cadence.
- 8Assuming the platform owns compliance. It doesn't. Responsibility stays with the assessed organization.
Frequently asked questions
Is security awareness training required for CMMC Level 1?
No. There is no standalone Awareness and Training control at Level 1, which consists of the 15 basic safeguards at 48 CFR 52.204-21(b)(1)(i)–(xv). Training may still be prudent or required by another contract or policy, but it isn’t a Level 1 CMMC requirement.
Is annual training mandatory for CMMC Level 2?
No fixed annual interval appears in the Level 2 requirement. The organization determines content and frequency based on its risks, roles, systems, and policies. Annual refreshers are a defensible baseline, and the explicit “at least annually” language is a Level 3 requirement, not a Level 2 one.
Does the annual affirmation mean annual training is required?
No. The annual affirmation under 32 CFR 170.22 is a yearly attestation of continuing compliance by an affirming official. It does not create or redefine a training frequency.
Do all employees need the same CMMC training?
No. AT.L2-3.2.1 names managers, administrators, and users; AT.L2-3.2.2 targets people with assigned security duties; AT.L2-3.2.3’s objectives address managers and employees. Map training by access and duty, and document your population decision.
Do contractors and temporary workers need training?
It depends on system access and assigned duties, not employment classification. If they touch the in-scope system or perform a security task and fall in your defined population, they’re in scope.
Do CNC or shop-floor workers need training?
If they access in-scope systems, handle CUI, or fall within your insider-threat awareness population, yes. The delivery method can differ — instructor-led, shift-based, kiosk, or printed — as long as you can prove delivery and understanding.
Does Security+, CISSP, or CCSP satisfy AT.L2-3.2.2?
Not by itself. A certification can support the evidence but doesn’t prove the person was trained on your organization’s assigned duties, tools, and procedures. Treat credentials as supporting evidence only.
Are phishing simulations required?
No requirement in these three controls mandates simulations. They’re one recognized awareness technique and can produce useful effectiveness evidence, but they’re optional.
Does KnowBe4 or another platform make us CMMC compliant?
No product alone confers CMMC status. A platform can support delivery, tracking, and records; your policies, role-based training, and evidence remain your responsibility.
Is a separate insider-threat course required?
No. The DoD Level 2 Assessment Guide expressly allows insider-threat material to be integrated into your standard awareness program.
Can free government training satisfy CMMC?
It can contribute useful content, but it doesn’t automatically create your local policies, role mapping, delivery records, or reporting procedures — and how records are retained depends on whether you use CDSE’s Security Awareness Hub (no records kept) or STEPP (transcript retained). Free is a head start, not a complete program.
How long must CMMC training evidence be retained?
Artifacts used as assessment evidence must be retained for six years from the CMMC Status Date, per 32 CFR 170.15–170.18. For a Level 2 (C3PAO) assessment, those artifacts must also be hashed for integrity. Don’t destroy at three years.
Can training requirements go on a POA&M?
AT.L2-3.2.1 and AT.L2-3.2.2 cannot — they’re 5-point requirements, and POA&Ms are limited to 1-point items. AT.L2-3.2.3 is 1 point and may be deferred if your overall score is at least 88 and you close it within 180 days. In a C3PAO assessment, a NOT MET finding can also be re-evaluated during the assessment and for 10 business days after, if additional evidence exists and the Findings Report hasn’t been delivered (32 CFR 170.17(c)(2)).
Are the requirements different for Level 2 Self versus Level 2 C3PAO?
The three security requirements are identical. What differs is who assesses you, where results are recorded, and — for the C3PAO path — that your evidence artifacts must be hashed. A self-assessment has no C3PAO re-evaluation process.
Does CMMC use NIST SP 800-171 Rev. 3 for training?
No. CMMC Level 2 currently maps to Revision 2 under 32 CFR 170.14. DoD would need further rulemaking to move to Revision 3 — and the June 2026 FAR CUI proposal’s use of Rev. 3 does not change what CMMC requires today.
Is this the same as CMMC assessor or practitioner training?
No. Workforce security awareness training is a compliance control for your personnel. CCP and CCA are professional certifications; RP (Registered Practitioner) is a separate ecosystem designation. All are administered outside the Awareness and Training family — CCP/CCA/CCI now through ISACA as the CAICO.
A note on what’s coming: the FAR CUI rule
The June 2026 proposal is nonbinding and does not amend 32 CFR Part 170. It incorporates and revises material from the earlier January 15, 2025 proposal (FAR Case 2017-016), would move CUI requirements into a reorganized FAR Part 40 with new clauses, and — notably — its updated text removed the earlier proposal’s express training requirements. If finalized, it could create separate government-wide FAR CUI obligations, but it would not by itself replace the current CMMC Level 2 Awareness and Training requirements. We’ll update this section when the status changes.
Where this leaves you
Three requirements. Two of them can’t remain unmet when your result is finalized — and can’t be deferred on a POA&M. A frequency you set yourself at Level 2, records you keep for six years, and a free content path that gets you partway but never all the way. The gap between “we do training” and “we can prove all three requirements” is organization-specific work — and it’s rarely the only gap a contractor finds once they start looking.
Need help deciding what type of CMMC provider you need?
The CMMC Path Framework maps your required level, FCI or CUI handling, assessment type, IT environment, and contract timeline to a provider category— not a guaranteed provider, score, or compliance outcome.
How this page was produced
Who: The Defense Compliance Report Editorial Team.
How:We read the CMMC Program Rule (32 CFR Part 170) directly in the eCFR — the Scoring Methodology (170.24), POA&M limits (170.21), re-evaluation window (170.17), artifact retention (170.15–170.18), affirmation requirement (170.22), and Level 3 selections (Table 1 to 170.14(c)(4)). We cross-checked requirements and assessment methods against the DoD CMMC Level 2 Assessment Guide and NIST SP 800-171A, confirmed DFARS mechanics on Acquisition.gov, and verified free DoD training pages, the ISACA/CAICO transition, and FAR Case 2026-001.
Why:Contractors are repeatedly sold “annual CMMC training” without being shown which level applies, what each requirement actually demands, which requirements can’t be deferred, or what the resulting evidence must prove. We have no compensation relationship with any security awareness training vendor named here.
Last verified: . Phase 1 runs November 10, 2025 through November 9, 2026; Phase 2 implementation begins November 10, 2026.
- CMMC Scoring Methodology (5-point list, 1-point residual rule, final-evidence rule) (32 CFR 170.24)
- POA&M eligibility (88-point / 180-day conditions; six named exclusions) (32 CFR 170.21)
- Level 2 C3PAO re-evaluation window and hashing (32 CFR 170.17)
- Six-year artifact retention (32 CFR 170.15–170.18)
- Level mapping (32 CFR 170.14)
- Annual affirmation (32 CFR 170.22)
- Awareness and Training requirements and assessment methods (DoD CMMC Level 2 Assessment Guide; NIST SP 800-171A; NIST SP 800-171 Rev. 2 (§3.2))
- ISACA as CAICO (transition complete April 1, 2026) (ISACA)
- FAR Case 2026-001 (proposed; comments close July 23, 2026) (Federal Register)
- DoD Cyber Awareness Challenge (DS-IA106.06) (CDSE)
- CDSE Insider Threat Awareness (INT101.16) (CDSE)
More from The Defense Compliance Report
- CMMC Final Rule timeline and what changed in 2026
- CMMC Level 2 requirements — all 110 controls
- CMMC provider categories: who to hire first
- CMMC Readiness Checklist — all 14 control families
- CCP & CCA training paths (ISACA/CAICO guide)
- 32 CFR Part 170 CMMC Program Rule explainer
- CMMC Incident Response Plan: requirements + free template
- DFARS 252.204-7012 clause breakdown
- Methodology
- Editorial Standards
- Corrections Policy