NIST 800-171 • LEVEL 2 • AWARENESS AND TRAINING
3.2.1 — Literacy Training and Awareness
Provide security literacy training to system users:
- As part of initial training for new users and {{ insert: param, A.03.02.01.ODP.01 }} thereafter;
- When required by system changes or following {{ insert: param, A.03.02.01.ODP.02 }}; and
- On recognizing and reporting indicators of insider threat, social engineering, and social mining.
Update security literacy training content {{ insert: param, A.03.02.01.ODP.03 }} and following {{ insert: param, A.03.02.01.ODP.04 }}.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- security literacy training is provided to system users as part of initial training for new users.
- security literacy training is provided to system users {{ insert: param, A.03.02.01.ODP.01 }} after initial training.
- security literacy training is provided to system users when required by system changes or following {{ insert: param, A.03.02.01.ODP.02 }}.
- security literacy training is provided to system users on recognizing indicators of insider threat.
- security literacy training is provided to system users on reporting indicators of insider threat.
- security literacy training is provided to system users on recognizing indicators of social engineering.
- security literacy training is provided to system users on reporting indicators of social engineering.
- security literacy training is provided to system users on recognizing indicators of social mining.
- security literacy training is provided to system users on reporting indicators of social mining.
- security literacy training content is updated {{ insert: param, A.03.02.01.ODP.03 }}.
- security literacy training content is updated following {{ insert: param, A.03.02.01.ODP.04 }}.
Practitioner Notes
Every person who touches your systems needs basic security awareness training. This isn't optional or nice-to-have — it's a requirement. New hires get trained before they get access, and everyone refreshes annually at minimum.
Example 1: Subscribe to a security awareness training platform like KnowBe4 or Proofpoint Security Awareness. Set up an annual training campaign under KnowBe4 → Training → Create Campaign that includes modules on phishing, social engineering, insider threats, password hygiene, and CUI handling. Configure the platform to auto-enroll new users and send reminders until training is completed. Export completion reports for your compliance records.
Example 2: Supplement formal training with monthly phishing simulations. In KnowBe4, go to Phishing → Create Campaign and schedule simulated phishing emails. Users who click the link get an immediate training moment. Track click rates over time to measure improvement. Keep records of all simulations and results — assessors will ask for these.
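The two examples above end with the same evidence question: who has not completed training before receiving access, whose annual refresh is overdue, and whether phishing click rates are trending down. The following script is an added example, not part of the control text and not KnowBe4's or Proofpoint's export format; the CSV layouts, usernames and dates are constructed, and the assumption is that you map your platform's real export columns onto `username`, `access_granted`, `completed` and `clicked` before running it against real reports.

```python
"""Reconcile a user roster against awareness-training and phishing-simulation exports.

Added example for the 3.2.1 practitioner notes. The CSV layouts below are assumed,
not a vendor's real export schema; adapt the column names to your platform.
"""
import csv
import io
from datetime import date, timedelta

# Constructed roster: every account that currently has system access.
ROSTER_CSV = """username,access_granted
alice,2023-01-10
bob,2024-06-03
carol,2025-02-14
dave,2025-03-01
"""

# Constructed training export: one row per completed module.
TRAINING_CSV = """username,module,completed
alice,Security Awareness 2023,2023-01-05
alice,Security Awareness 2024,2024-01-08
bob,Security Awareness 2024,2024-06-05
carol,Security Awareness 2025,2025-02-12
"""

# Constructed phishing-simulation export: one row per recipient per campaign.
PHISHING_CSV = """campaign,username,clicked
2025-01,alice,yes
2025-01,bob,no
2025-01,carol,yes
2025-02,alice,no
2025-02,bob,no
2025-02,carol,yes
"""

REFRESH_PERIOD = timedelta(days=365)   # "annually at minimum" from the notes above
REPORT_DATE = date(2025, 4, 1)         # constructed assessment date for the sample data


def load_rows(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def completion_window(training_rows):
    """Map each user to (first, latest) completion date across all modules."""
    window = {}
    for row in training_rows:
        d = date.fromisoformat(row["completed"])
        first, latest = window.get(row["username"], (d, d))
        window[row["username"]] = (min(first, d), max(latest, d))
    return window


def training_findings(roster_rows, training_rows, today):
    """Return the three gaps an assessor will probe, each as a sorted list of users."""
    window = completion_window(training_rows)
    never, overdue, after_access = [], [], []
    for row in roster_rows:
        user = row["username"]
        granted = date.fromisoformat(row["access_granted"])
        if user not in window:
            never.append(user)            # has access, no training record at all
            continue
        first, latest = window[user]
        if today - latest > REFRESH_PERIOD:
            overdue.append(user)          # last completion older than the refresh period
        if first > granted:
            after_access.append(user)     # trained only after access was granted
    return {
        "never_trained": sorted(never),
        "refresh_overdue": sorted(overdue),
        "trained_after_access": sorted(after_access),
    }


def click_rates(phish_rows):
    """Click rate per simulation campaign, rounded, so the trend is visible over time."""
    sent, clicked = {}, {}
    for row in phish_rows:
        c = row["campaign"]
        sent[c] = sent.get(c, 0) + 1
        if row["clicked"].strip().lower() == "yes":
            clicked[c] = clicked.get(c, 0) + 1
    return {c: round(clicked.get(c, 0) / sent[c], 3) for c in sorted(sent)}


if __name__ == "__main__":
    findings = training_findings(load_rows(ROSTER_CSV), load_rows(TRAINING_CSV), REPORT_DATE)
    for label, users in findings.items():
        print(f"{label}: {', '.join(users) or 'none'}")
    for campaign, rate in click_rates(load_rows(PHISHING_CSV)).items():
        print(f"phishing {campaign}: {rate:.1%} clicked")
```

Run it on the embedded sample and it reports `dave` as never trained, `alice` as overdue for the annual refresh, and `bob` as having completed training two days after access was granted; the click rate falls from roughly 67% to 33% between the two constructed campaigns. Keep the script's output alongside the raw exports, since the exports are the evidence and the script only summarizes them.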