The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Compliance

CMMC Security Awareness Training: Requirements, Frequency, and Evidence

By The Defense Compliance Report Editorial Team · Last verified:

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.

CMMC security awareness training is a Level 2 requirement— not a Level 1 one — and it’s really three separate security requirements hiding under one phrase: general risk-and-policy awareness (AT.L2-3.2.1), role-based training for people with assigned security duties (AT.L2-3.2.2), and insider-threat recognition and reporting (AT.L2-3.2.3). The controlling sources don’t name a specific frequency at Level 2 — your organization decides and documents that — and the minimum evidence isn’t just completion records.

Two of those three requirements are worth 5 points each, and neither can be carried on a Plan of Action and Milestones. In plain terms, you can’t defer them and clean them up later — if either is still NOT MET when your result is finalized, you don’t qualify for even a Conditional Level 2 status. The third requirement is worth 1 point and can be deferred, within limits.

Which CMMC path needs security awareness training — the quick version

Your CMMC pathSecurity awareness training answer
Level 1 (Self) — FCI onlyNo standalone Awareness and Training requirement
Level 2 (Self) — CUI, self-assessedAll three requirements apply (3.2.1, 3.2.2, 3.2.3)
Level 2 (C3PAO) — CUI, third-party assessedThe same three requirements; a C3PAO assesses and your evidence artifacts must be hashed
Level 3 (DIBCAC) — most sensitive CUIEverything at Level 2, plus two enhanced requirements from NIST SP 800-172

Your contract sets which row you’re in — specifically, the solicitation provision DFARS 252.204-7025, where the contracting officer inserts the required level and assessment type. Not a checklist, and not a self-diagnosis.

What we actually verified for this page. On , we read the CMMC Scoring Methodology (32 CFR 170.24) and confirmed AT.L2-3.2.1 and AT.L2-3.2.2 in the 5-point list and AT.L2-3.2.3 under the 1-point residual rule; the POA&M limits (32 CFR 170.21) and the 10-business-day re-evaluation window (170.17(c)(2)); the six-year retention rule; both Level 3 additions; all five DFARS clauses; the ISACA/CAICO transition; the DoD Cyber Awareness Challenge and CDSE records paths; and FAR Case 2026-001. Primary sources listed at the bottom.

Is this the “CMMC training” you’re actually looking for?

“CMMC training” means three different things, and mixing them up wastes money. This page covers the workforce security awareness training the organization must implement and prove for compliance. It does not cover professional credentials that practitioners and assessors earn, and it does not cover executive overviews.
What you’re afterWhere to go
Employee/workforce Awareness & Training requirementsStay on this page
CCP / CCA / CCI professional certificationCCP & CCA training paths guide (ISACA/CAICO)
Executive “what is CMMC” overviewCMMC Final Rule explainer
Looking for CCP or CCA training instead? Compare current professional training paths in our CCP & CCA guide, updated for ISACA’s CAICO role. As of April 1, 2026, ISACA now serves as the official CMMC Assessor and Instructor Certification Organization (CAICO) and manages that training, examination, and credentialing pipeline.

What does CMMC security awareness training actually require?

Answer: CMMC Level 2 contains three Awareness and Training requirements, drawn word-for-word from NIST SP 800-171 Revision 2. They overlap in practice but aren’t interchangeable, and a single general-awareness video, on its own, won’t demonstrate all three.

AT.L2-3.2.1 — Risk and policy awareness

Managers, system administrators, and system users are made aware of the security risks of their activities andof your organization’s applicable policies, standards, and procedures. Two of its four assessment objectives are specifically about your rules — not abstract threats — which is exactly what generic content tends to skip.

AT.L2-3.2.2 — Role-based training

Personnel are trained to carry out the information-security duties assigned to them. This is the requirement a company-wide phishing course is least equipped to satisfy, because it isn’t about everyone — it’s about the specific people with security responsibilities (admins, account approvers, incident responders) being trained on their actual duties, tools, and procedures.

AT.L2-3.2.3 — Insider-threat awareness

Training covers recognizing and reporting the potential indicators of an insider threat. People need to know the indicators and know your reporting channel. The DoD Level 2 Assessment Guide is explicit that this does not require a separate insider-threat course; it can be integrated into your standard awareness program.

The CMMC Awareness & Training Compliance Matrix

A DCR original research asset assembled from 32 CFR 170.24, 32 CFR 170.21, NIST SP 800-171 Rev. 2, NIST SP 800-171A, and the DoD CMMC Level 2 Assessment Guide.

RequirementWhat it requires (plain English)Point value if NOT METCan it stay on a POA&M?What an assessor may examine / interview / testHow it fails
AT.L2-3.2.1
Risk & policy awareness
Managers, admins, and users know the risks of their activities and your applicable policies, standards, and procedures5No. POA&Ms are limited to 1-point requirements (170.21)Examine: awareness policy, procedures, curriculum, role map, training records, SSP, refresher records. Interview: training owner, users, managers. Test: the training-management mechanismGeneric content that covers risks but not your specific policies; draft or unapproved policy as evidence
AT.L2-3.2.2
Role-based training
People with assigned security duties are trained to actually perform them5No. Same ruleExamine: role/duty documentation, role-based training records, SSP. Interview: training owner and assigned security-role personnel. Test: the training-management mechanismEveryone took the same course — no differentiated training for admins, approvers, or responders on their real tools
AT.L2-3.2.3
Insider-threat awareness
Training covers recognizing and reporting insider-threat indicators1Potentially — 1 point, not in the six named exclusions; requires score ≥88 and closure in 180 days (170.21)Examine: insider-threat awareness content, reporting procedure, records. Interview: training owner, managers, employees. Test: the insider-threat training mechanismExplaining insider threat in the abstract without naming your specific reporting channel
The number that should reorder your to-do list: The Awareness and Training family accounts for 11 points (5+5+1), and 10 of the 11 sit in requirements that cannot stay on a POA&M. Under 32 CFR 170.24(b)(1), evidence supporting a MET finding must be in finalform — drafts, working papers, and unapproved policies don’t count.
The right CMMC provider isn’t the same for every contractor. The category you need depends on your level, CUI scope, assessment type, IT environment, and timeline. Use Find My CMMC Path to map your situation to the right provider category. Do not submit CUI, drawings, or sensitive contract details.

Which CMMC level requires security awareness training?

Answer: Level 1 has no standalone Awareness and Training requirement. Level 2 has all three. Level 3 has all three plus two enhanced requirements from NIST SP 800-172. Your contract — through the DFARS provision in your solicitation — sets which level applies.
Your CMMC pathSecurity awareness training answerAssessed / entered where
Level 1 (Self)No standalone Awareness and Training control. Level 1 is the 15 basic safeguards at 48 CFR 52.204-21(b)(1)(i)–(xv) — none is a training requirement.Self-assessment result entered in SPRS
Level 2 (Self)All three requirements (AT.L2-3.2.1, 3.2.2, 3.2.3) apply; you assess yourselfSelf-assessment result entered in SPRS
Level 2 (C3PAO)The same three requirements; a Certified Third-Party Assessment Organization (C3PAO) performs the assessment and your evidence artifacts must be hashedC3PAO enters results in CMMC eMASS → transmitted to SPRS
Level 3 (DIBCAC)Everything at Level 2, plus AT.L3-3.2.1e and AT.L3-3.2.2eDIBCAC enters results in CMMC eMASS → transmitted to SPRS

The DFARS clauses that actually govern this

  • DFARS 252.204-7012 Requires safeguarding of covered defense information, implementation of NIST SP 800-171, 72-hour cyber-incident reporting, and subcontract flow-down.
  • DFARS 252.204-7019 An offeror subject to NIST SP 800-171 must have a current DoD Assessment score posted in SPRS before award.
  • DFARS 252.204-7020 Requires cooperation with Government Medium or High NIST SP 800-171 DoD Assessments and governs score posting.
  • DFARS 252.204-7021 The contract clause — requires the contractor to maintain the inserted CMMC Status, complete and maintain annual affirmations in SPRS, and flow the appropriate CMMC requirement to covered subcontracts.
  • DFARS 252.204-7025 The solicitation provision where the contracting officer inserts the required level and assessment type. Effective November 10, 2025.

7025 is a provision (it puts you on notice before award); 7021 is the clause (it carries the ongoing obligation).

The part vendor pages skip: can training requirements go on a POA&M?

Answer: No, for two of the three. AT.L2-3.2.1 and AT.L2-3.2.2 are 5-point requirements, and a Plan of Action and Milestones can only carry 1-point requirements. AT.L2-3.2.3 is worth 1 point and can be deferred, but only if your overall score already clears the bar. This is the most consequential fact about CMMC training, and it’s the one the course-sellers rarely surface.

Under 32 CFR 170.21(a)(2), you can only reach a Conditional Level 2 status if two things are true: your assessment score divided by 110 is at least 0.8 (a minimum of 88 points), and none of the requirements left on your POA&M is worth more than 1 point.

RequirementPoint value if NOT METStays on a POA&M?Can it be re-evaluated before the Findings Report?
AT.L2-3.2.15NoYes — see the 10-day window below (C3PAO path)
AT.L2-3.2.25NoYes — same window (C3PAO path)
AT.L2-3.2.31Potentially (score ≥88; closed in 180 days)Yes — same window (C3PAO path)

The 10-day re-evaluation window (C3PAO path only)

In a Level 2 C3PAO assessment, 32 CFR 170.17(c)(2) lets a NOT MET requirement be re-evaluated during the active assessment and for 10 business days afterward, if three conditions hold: additional evidence is available to show the requirement is MET, that evidence doesn’t reduce the effectiveness of another already-MET requirement, and the CMMC Assessment Findings Report hasn’t been delivered. A Level 2 self-assessment has no corresponding re-evaluation process.

The accurate takeaway: your risk-awareness and role-based training can’t remain NOT MET when the result is finalized. The 10-day window is for producing evidence that already exists — not for building a training program you never ran.

Free DoD resources can go further than most vendors admit

The DoD Cyber Awareness Challenge and CDSE’s free courses cover much of the general-awareness and insider-threat material, and the Assessment Guide lists posters, briefings, and advisories as legitimate awareness techniques. But free content can’t teach your company’s own policies (the back half of 3.2.1), train your specific security roles on your specific tools (3.2.2), or keep your records. Those are what an assessor scores.

→ Start self-serve: Work through the CMMC Readiness Checklist, mapped to all 14 control families, to see where else you stand before you spend a dollar. No CUI required.

How often is CMMC security awareness training required?

Answer: At CMMC Level 2, the organization determines and documents its own training frequency. The Level 2 Assessment Guide leaves content and frequency to the organization, based on its risks, roles, systems, and policies. “Annual” is a defensible baseline — not a Level 2 rule. The explicit “at least annually” language people quote actually belongs to Level 3.

NIST SP 800-171 Rev. 2’s discussion for the AT family leaves content and frequency to the organization, and the DoD Level 2 Assessment Guide echoes it. So if a vendor tells you Level 2 requiresannual training — or monthly — they’re importing a rule that isn’t there. You set the cadence, then you’re assessed against your own policy plus the objectives.

Program eventBinding Level 2 interval?DCR recommended baseline
New user or manager onboardingNo fixed interval statedTrain before they independently use the in-scope system
Periodic refresherRefresher contemplated; no interval setAt least annual, unless your risk assessment justifies otherwise — and document that reasoning
A person takes on a new security dutyRole-dependent, not a set intervalTrain before they independently perform the new duty
Material change to a system or toolNot an express intervalRetrain the affected roles when their procedure changes
Policy or reporting-route changeNot an express intervalUpdate and redistribute the affected content promptly
Significant cyber eventExplicit trigger at Level 3, not Level 2Consider targeted retraining if the event exposed a real gap

Right-hand column is DCR editorial guidance derived from the organization-defined cadence language — not extra controls.

Two things fuel the “annual” myth. First, the annual affirmation— the yearly attestation of continuing compliance an affirming official submits to SPRS under 32 CFR 170.22 — is real, but it’s an attestation, not a training schedule. Second, Level 3’s AT.L3-3.2.1e genuinely does say “upon initial hire, following a significant cyber event, and at least annually.” That’s a Level 3 obligation. Choosing annual Level 2 refreshers is smart; citing the Level 3 sentence as proof that Level 2 requires it is inaccurate.

Who has to take CMMC security awareness training?

Answer: The three requirements don’t name one identical audience. AT.L2-3.2.1 names managers, system administrators, and users. AT.L2-3.2.2 targets the specific people with assigned security duties. AT.L2-3.2.3’s objectives address managers and employees. Who needs what depends on system access and assigned responsibilities — not payroll classification, and not whether someone has a company email.

The Role-to-Training Matrix

DCR editorial framework, derived from the assessment objectives in the DoD CMMC Level 2 Assessment Guide and NIST SP 800-171A.

Role / personaWhich requirements reach themThe organization-specific piece to trainEvidence that helps
General in-scope system user3.2.1 awareness; 3.2.3 insider awarenessYour acceptable-use, incident-reporting, and CUI-handling rulesCompletion record + interview-ready understanding of your process
Manager3.2.1 and 3.2.3; 3.2.2 if assigned security dutiesPolicy enforcement, escalation, access-approval responsibilitiesManager curriculum, acknowledgment, interview notes
System / network administrator3.2.1 plus substantial 3.2.2Privileged access, configuration, logging, account management, incident steps — on your actual toolsRole description, tool-specific training, a demonstration
Help desk3.2.1; 3.2.2 if assigned identity/account/incident dutiesIdentity verification, password reset, escalation, suspicious-ticket handlingProcedure training, an observed workflow
Security / incident-response staff3.2.2 plus general and insider awarenessMonitoring, triage, reporting, containment, evidence handlingRole assignment, exercise or procedure evidence
Developer / integrator3.2.2 where duties affect in-scope systemsSecure configuration, change control, deployment procedureDuty mapping, project/tool-specific training
Human resources3.2.3; 3.2.2 where assigned relevant dutiesInsider-report intake, escalation, confidentialityDefined role and reporting-process training
Contracts / program staff3.2.1 and 3.2.2 where duties touch CUI or flow-downContract markings, authorized sharing, flow-down escalationRole curriculum, a scenario response
Shop-floor / CNC operatorDepends on system access, CUI handling, and rolePhysical CUI, shared terminals, removable media, the reporting routeShift-friendly delivery record + verbal/interview evidence
Temporary worker or contractorDepends on access and duties, not payroll labelThe same local rules and duties that apply to equivalent staffAccess-linked roster, acknowledgment, role training
Executive / owner3.2.1 and 3.2.3; 3.2.2 where assigned governance dutiesRisk acceptance, policy approval, affirmation supportApproved policy, interview readiness

The test for contractors and temps is about access, not HR status: Do they touch the in-scope system? Do they perform an assigned security task? Are they in your defined population? Answer those, document the answers, and you’ve closed a gap that catches otherwise-solid programs.

What counts as role-based training under AT.L2-3.2.2?

Answer: Role-based training teaches a specific person to perform the security duties actually assigned to them, using your systems, tools, policies, and procedures. A general awareness module doesn’t prove it, and neither does a professional certification on its own. This is a 5-point, non-deferrable requirement.

The sequence that works: define the duty before you pick the training. Build a short role inventory — role name, the person or group assigned, the specific security duty, the relevant system or process, the governing policy, the training needed, the refresher trigger, and who owns the evidence. Once duties are defined and assigned, “adequately trained to perform them” becomes something you can demonstrate.

The distinction the Assessment Guide draws: awareness directs attention and influences behavior; role-based training provides the knowledge and skills for a specific job. A firewall administrator needs training on privileged-account use, secure configuration, logging, and your incident-escalation steps. A help-desk tech needs your identity-verification and account-recovery procedure. A manager needs your access-approval and policy-enforcement process. None of that comes from a company-wide phishing video.

Do Security+, CISSP, or CCSP count?They can support the evidence — they demonstrate real general or technical knowledge. But a certification does not, by itself, prove the person was trained to carry out your assigned duty with yourtools and procedures. Treat credentials as supporting evidence, not a substitute for role-based training on your environment. An assessor testing this control may ask an administrator to explain or demonstrate a real assigned task — and “I have a Security+” is not the answer that satisfies the objective.

What evidence will a CMMC assessor examine, interview, and test?

Answer: CMMC assessors work from three methods — examine, interview, and test — defined in NIST SP 800-171A. They select the methods and objects needed to reach a sufficient conclusion; they’re not required to use all three for every requirement.

Examine

Documents and records

  • Approved (final, not draft) awareness policy
  • Implementation procedures
  • Curriculum and materials
  • Audience/role map
  • Training records
  • SSP references
  • Refresher and change records
  • Insider-threat reporting procedure

Evidence for a MET finding must be final (32 CFR 170.24(b)(1)).

Interview

Can your people explain it consistently?

  • Training program owner
  • Person responsible for role-based training
  • Security-role personnel
  • Ordinary users
  • Managers
  • Administrators

A completion certificate proves attendance; an interview tests whether the person knows your policy and reporting route.

Test

Does the mechanism work?

  • How a person maps to a role
  • How a changed duty triggers retraining
  • How overdue training is flagged
  • Assigned staffer walks the relevant procedure and reporting route

DCR recommendations; the official test objects focus on the mechanisms that manage training.

The retention rule that corrects a common mistake

Artifacts used as evidence for a CMMC assessment must be retained for six years from the CMMC Status Date— not three, as older guidance still says. We confirmed this across 32 CFR 170.15, 170.16, 170.17, and 170.18. For a Level 2 (C3PAO) certification assessment, the evidence artifacts must also be hashedwith a NIST-approved algorithm, and the list of artifact names, hash values, and the algorithm goes into CMMC eMASS. Don’t destroy at three years.

The fields that make training evidence assessment-ready: name, role, content title and version, delivery method, completion date, proof of completion, policy-acknowledgment date, and the next-refresher date. A roster with those columns gives you a useful, retrievable core of the “examine” evidence — though it won’t, on its own, prove your policies, assigned duties, curriculum, SSP treatment, or every objective.

Does the free DoD Cyber Awareness Challenge count for CMMC?

Answer: Partially — and only with a records process you build yourself. The DoD Cyber Awareness Challenge and CDSE’s free courses can contribute much of your general-awareness and insider-threat content, but they don’t teach your company’s policies, they don’t cover role-based training, and record retention depends on which system you use.

A key records nuance the blanket “CDSE keeps no records” claim gets wrong: CDSE’s Security Awareness Hub does notretain completion records — users must save or print the certificate — while courses completed through STEPP are recorded in the user’s transcript and remain retrievable.

Training source3.2.1
awareness
3.2.2
role-based
3.2.3
insider threat
Teaches your policies?Keeps your records?Typical cost
DoD Cyber Awareness Challenge (DS-IA106.06)May supportNoMay supportNoNo — user saves certificate$0
CDSE Insider Threat Awareness (INT101.16)LimitedNoMay supportNoHub: no · STEPP: yes (transcript)$0
CDSE Cybersecurity Awareness / general coursesMay supportNoLimitedNoDepends on Hub vs. STEPP$0
Commercial SAT platforms (e.g., KnowBe4, Proofpoint, SANS — illustrative)TypicallyPartial (role modules exist; duty assignment is still yours)Usually — confirm the moduleOnly if you upload custom contentYes — LMS exportsVaries by seat count, term, and modules
MSP/RPO-bundled trainingTypicallyTypicallyTypicallyYes, if builtYesBundled into managed-service fees
DIY internal programIf builtIf builtIf builtYesOnly if you build the disciplineLowest cash, highest time

Control-mapping columns are DCR’s editorial read of potential content support — not an official DoD CMMC equivalency determination. Verify any course against every applicable assessment objective.

Our editorial read: a small contractor can cover the contentof 3.2.1 and 3.2.3 at low or no cost with government courseware plus organization-specific material. But 3.2.2’s role-based training, your own policy content, your reporting process, and the records for all three are always organization-specific work no product fully absorbs. Buy a platform for what it genuinely does — delivery automation, phishing simulation, and clean records — not for a compliance result it can’t confer.

Do you need a “CMMC-approved” training vendor? Build vs. buy vs. managed

Answer: No. Nothing in the CMMC rule, the incorporated NIST standard, or the assessment guidance designates a required commercial course or a “CMMC-approved” workforce-training vendor. You can build, buy, or combine — you remain responsible for proving every applicable objective either way. An off-the-shelf course is not itself awarded a CMMC Status and can’t confer one on its buyer.

The quick routing map for the most common situations:

If your situation is…ConsiderThe gap to watch
Small team, low complexity, IT-literate ownerDIY with DoD/CDSE content + custom policy module + spreadsheet recordsRole-based training and evidence discipline for all three requirements
You have a commercial SAT platformKeep it; close the gaps it can't fillCustom policy content, role-based training for security staff, records for offline workers
No security lead; still buildingRPO or managed service with training includedConfirm they deliver all three requirements, not just a phishing platform
You already have an MSSPAsk if the MSSP delivers 3.2.2 training, not just detection3.2.2 often falls between IT services and compliance — confirm ownership
Heading into a C3PAO assessmentFull readiness review before training is the last thing you fixEvidence is hashed; confirm the C3PAO hasn't also been your readiness consultant
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Find My CMMC Path →Do not submit CUI, drawings, or sensitive contract details.

What changes for CMMC Level 3 security awareness training?

Answer: Level 3 keeps all three Level 2 training requirements and adds two enhanced ones from NIST SP 800-172: explicit hire/event/annual training focused on advanced threats (AT.L3-3.2.1e), and role-tailored practical exercises with feedback (AT.L3-3.2.2e). Level 3 is assessed by DIBCAC, and before it begins you must hold Final Level 2 (C3PAO) status for the systems in the proposed Level 3 scope.
ElementLevel 2 (AT.L2-3.2.1–3.2.3)Level 3 additions (AT.L3-3.2.1e / 3.2.2e)
CadenceOrganization-definedInitial hire, after a significant cyber event, and at least annually
Threat focusGeneral risks and policiesSocial engineering, advanced persistent threats, breaches, suspicious behavior
Practical exercisesNot requiredRequired, tailored by role (general, specialized, privileged), aligned to current threats
FeedbackNot requiredRequired — to participants and their supervisors
Content updatesAs the org determinesAt least annually or when the threat picture shifts
AssessorSelf or C3PAODIBCAC only
PrerequisiteFinal Level 2 (C3PAO) on an equal-or-subset scope

Source: Table 1 to 32 CFR 170.14(c)(4).

Do CMMC training requirements flow down to subcontractors?

Answer: Yes, in the sense that CMMC itself flows down. Under DFARS 252.204-7021, a prime must flow the appropriate CMMC requirement to a subcontract when the subcontractor will process, store, or transmit FCI or CUI — and the Awareness and Training requirements follow the level inserted for that subcontract.

The practical points: the flow-down level isn’t automatically the prime’s level — it tracks the FCI/CUI the sub will actually handle. And DoD has said it will not share a subcontractor’s CMMC information with the prime, so subs post their own results and affirmations in SPRS. If you’re a sub, your training obligations are set by the level in your subcontract — confirm it, don’t assume it.

Do CMMC training records get uploaded to SPRS?

Answer: No — your training certificates, rosters, policies, and course materials are not individually uploaded to SPRS. What goes to SPRS is the assessment outcome and your affirmation. Your detailed artifacts live elsewhere, and you keep them available for six years.

For Level 2 (Self), the organization enters the self-assessment result in SPRS. For Level 2 (C3PAO), the C3PAO enters assessment information — including the artifact names, hash values, and hashing algorithm — into the CMMC instantiation of eMASS, which transmits the applicable result to SPRS (32 CFR 170.17). In both cases, the contractor separately enters and maintains the annual affirmation in SPRS.

What does CMMC security awareness training cost?

Answer: Government courseware can take software cost to $0, but the total program cost is mostly labor — building organization-specific content, role-based training, delivery, and a records process.

Training is one of the least capital-intensive requirements in the 110 — the large-dollar CMMC decisions are usually elsewhere (cloud environment, monitoring and logging, encryption, enclave strategy). Spend on the organization-specific pieces that carry the non-deferrable weight, and keep the whole program in proportion to the other thirteen families.

The mistakes that create assessment risk

Answer: The costliest training mistakes aren’t missing videos — they’re broken links between the requirement, the right people, your actual procedures, and your evidence. A polished LMS report can’t rescue undefined security duties, a missing reporting channel, a draft policy, or an employee who can’t explain what they were supposedly taught.

Frequently asked questions

Is security awareness training required for CMMC Level 1?

No. There is no standalone Awareness and Training control at Level 1, which consists of the 15 basic safeguards at 48 CFR 52.204-21(b)(1)(i)–(xv). Training may still be prudent or required by another contract or policy, but it isn’t a Level 1 CMMC requirement.

Is annual training mandatory for CMMC Level 2?

No fixed annual interval appears in the Level 2 requirement. The organization determines content and frequency based on its risks, roles, systems, and policies. Annual refreshers are a defensible baseline, and the explicit “at least annually” language is a Level 3 requirement, not a Level 2 one.

Does the annual affirmation mean annual training is required?

No. The annual affirmation under 32 CFR 170.22 is a yearly attestation of continuing compliance by an affirming official. It does not create or redefine a training frequency.

Do all employees need the same CMMC training?

No. AT.L2-3.2.1 names managers, administrators, and users; AT.L2-3.2.2 targets people with assigned security duties; AT.L2-3.2.3’s objectives address managers and employees. Map training by access and duty, and document your population decision.

Do contractors and temporary workers need training?

It depends on system access and assigned duties, not employment classification. If they touch the in-scope system or perform a security task and fall in your defined population, they’re in scope.

Do CNC or shop-floor workers need training?

If they access in-scope systems, handle CUI, or fall within your insider-threat awareness population, yes. The delivery method can differ — instructor-led, shift-based, kiosk, or printed — as long as you can prove delivery and understanding.

Does Security+, CISSP, or CCSP satisfy AT.L2-3.2.2?

Not by itself. A certification can support the evidence but doesn’t prove the person was trained on your organization’s assigned duties, tools, and procedures. Treat credentials as supporting evidence only.

Are phishing simulations required?

No requirement in these three controls mandates simulations. They’re one recognized awareness technique and can produce useful effectiveness evidence, but they’re optional.

Does KnowBe4 or another platform make us CMMC compliant?

No product alone confers CMMC status. A platform can support delivery, tracking, and records; your policies, role-based training, and evidence remain your responsibility.

Is a separate insider-threat course required?

No. The DoD Level 2 Assessment Guide expressly allows insider-threat material to be integrated into your standard awareness program.

Can free government training satisfy CMMC?

It can contribute useful content, but it doesn’t automatically create your local policies, role mapping, delivery records, or reporting procedures — and how records are retained depends on whether you use CDSE’s Security Awareness Hub (no records kept) or STEPP (transcript retained). Free is a head start, not a complete program.

How long must CMMC training evidence be retained?

Artifacts used as assessment evidence must be retained for six years from the CMMC Status Date, per 32 CFR 170.15–170.18. For a Level 2 (C3PAO) assessment, those artifacts must also be hashed for integrity. Don’t destroy at three years.

Can training requirements go on a POA&M?

AT.L2-3.2.1 and AT.L2-3.2.2 cannot — they’re 5-point requirements, and POA&Ms are limited to 1-point items. AT.L2-3.2.3 is 1 point and may be deferred if your overall score is at least 88 and you close it within 180 days. In a C3PAO assessment, a NOT MET finding can also be re-evaluated during the assessment and for 10 business days after, if additional evidence exists and the Findings Report hasn’t been delivered (32 CFR 170.17(c)(2)).

Are the requirements different for Level 2 Self versus Level 2 C3PAO?

The three security requirements are identical. What differs is who assesses you, where results are recorded, and — for the C3PAO path — that your evidence artifacts must be hashed. A self-assessment has no C3PAO re-evaluation process.

Does CMMC use NIST SP 800-171 Rev. 3 for training?

No. CMMC Level 2 currently maps to Revision 2 under 32 CFR 170.14. DoD would need further rulemaking to move to Revision 3 — and the June 2026 FAR CUI proposal’s use of Rev. 3 does not change what CMMC requires today.

Is this the same as CMMC assessor or practitioner training?

No. Workforce security awareness training is a compliance control for your personnel. CCP and CCA are professional certifications; RP (Registered Practitioner) is a separate ecosystem designation. All are administered outside the Awareness and Training family — CCP/CCA/CCI now through ISACA as the CAICO.

A note on what’s coming: the FAR CUI rule

For DoD contractors, nothing binding has changed. There’s a government-wide CUI rule in rulemaking — the June 23, 2026 proposal is FAR Case 2026-001 (Federal Register document 2026-12559), part of the Revolutionary FAR Overhaul — but it’s proposed, not final, and its comment period closes July 23, 2026.

The June 2026 proposal is nonbinding and does not amend 32 CFR Part 170. It incorporates and revises material from the earlier January 15, 2025 proposal (FAR Case 2017-016), would move CUI requirements into a reorganized FAR Part 40 with new clauses, and — notably — its updated text removed the earlier proposal’s express training requirements. If finalized, it could create separate government-wide FAR CUI obligations, but it would not by itself replace the current CMMC Level 2 Awareness and Training requirements. We’ll update this section when the status changes.

Where this leaves you

Three requirements. Two of them can’t remain unmet when your result is finalized — and can’t be deferred on a POA&M. A frequency you set yourself at Level 2, records you keep for six years, and a free content path that gets you partway but never all the way. The gap between “we do training” and “we can prove all three requirements” is organization-specific work — and it’s rarely the only gap a contractor finds once they start looking.

Need help deciding what type of CMMC provider you need?

The CMMC Path Framework maps your required level, FCI or CUI handling, assessment type, IT environment, and contract timeline to a provider category— not a guaranteed provider, score, or compliance outcome.

Find My CMMC Path →

Do not submit CUI, drawings, contract documents, system diagrams, credentials, vulnerability details, or other sensitive information.

How this page was produced

Who: The Defense Compliance Report Editorial Team.

How:We read the CMMC Program Rule (32 CFR Part 170) directly in the eCFR — the Scoring Methodology (170.24), POA&M limits (170.21), re-evaluation window (170.17), artifact retention (170.15–170.18), affirmation requirement (170.22), and Level 3 selections (Table 1 to 170.14(c)(4)). We cross-checked requirements and assess­ment methods against the DoD CMMC Level 2 Assessment Guide and NIST SP 800-171A, confirmed DFARS mechanics on Acquisition.gov, and verified free DoD training pages, the ISACA/CAICO transition, and FAR Case 2026-001.

Why:Contractors are repeatedly sold “annual CMMC training” without being shown which level applies, what each requirement actually demands, which requirements can’t be deferred, or what the resulting evidence must prove. We have no compensation relationship with any security awareness training vendor named here.

Last verified: . Phase 1 runs November 10, 2025 through November 9, 2026; Phase 2 implementation begins November 10, 2026.

See also: Methodology · Editorial Standards · Corrections Policy.

Primary sources

This resource is educational and does not provide legal, contractual, assessment, or compliance advice. Confirm applicability and scope with a qualified CMMC Registered Practitioner (RP) or Registered Provider Organization (RPO), and consult qualified federal-contracts counsel for contract interpretation. The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance. Provider-matching may generate referral or lead-routing compensation, disclosed at the point of recommendation. Last verified: