3.2.1 — Train Everyone
What It Says
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
What It Actually Means
Every person who touches CUI systems — from the CEO to the newest hire — must receive security awareness training. This isn’t optional and it isn’t one-size-fits-all.
What the assessor checks:
- Security risks are identified. You’ve documented the risks relevant to your CUI environment — phishing, social engineering, unauthorized disclosure, insider threats, physical security risks. These risks are covered in the training content.
- Policies and procedures are communicated. Training covers your specific policies — acceptable use, CUI handling, incident reporting, password requirements, remote work rules. Not generic security platitudes — your policies, for your environment.
- All personnel are trained. Managers, sysadmins, and general users. Everyone. New hires are trained before they get CUI access. Annual refresher for everyone. The training log shows names, dates, and topic completion status.
- Training is documented. The assessor doesn’t care which platform you use (KnowBe4, Proofpoint, internal LMS, even a tracked presentation). They care that you have records proving who was trained, when, and what the training covered.
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are security risks associated with CUI activities identified? | Documented risk topics covered in training content |
| 2 | Are applicable policies, standards, and procedures identified? | Training references your specific CUI handling, acceptable use, and incident reporting policies |
| 3 | Are all personnel made aware of the security risks? | Training completion records: every CUI user, name, date, course |
| 4 | Are all personnel made aware of applicable policies and procedures? | Training content demonstrably covers your policies — not just generic security |
What to Have Ready on Assessment Day
Documents they’ll review: Security awareness and training policy; training curriculum and materials; training completion records (names, dates, scores); system security plan; new hire onboarding training records; annual refresher records
People they’ll talk to: Personnel responsible for security awareness training; information security personnel; a sample of general users (to confirm they received training)
Live demos they’ll ask for: “Show me your training platform. Pull up completion records.” “Show me the training content — does it cover CUI handling?” “Show me a new hire’s training completion date vs. their CUI access date.”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “Show me your training completion records. Is everyone current?”
- “What topics does the training cover? Does it mention CUI specifically?”
- “When do new hires complete training relative to getting CUI access?”
- “How often do you refresh training? Show me the schedule.”
- “Does the training cover your organization’s specific policies, or is it generic?”
- “Can you show me completion for a specific employee I select?”
Where Companies Trip Up
No records. Training happened — an all-hands meeting covered security — but nobody kept attendance. The assessor needs names, dates, and topics. Use a platform that tracks completion automatically.
One-and-done. Training at onboarding but no annual refresher. Threats change, policies update, and people forget. Annual refresher minimum, with supplemental content (phishing simulations, security newsletters) throughout the year.
Generic content. Training covers “don’t click phishing links” but never mentions CUI, your specific policies, or your incident reporting process. The training must be relevant to your environment and reference your policies.
New hires trained late. Someone starts Monday, gets CUI access Monday, and completes training two weeks later. Training before access, not after.
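The four failure modes above all come down to relationships between records: a training row must exist for every CUI user, its date must precede the access grant, it must be younger than the refresher interval, and its content must cover your CUI policies. This added example (not from the page or any training platform) audits a constructed training log against constructed access-grant dates and reports exactly those gaps; the user names, course names, topic tags and dates are all made up for illustration.

```python
from datetime import date

# Constructed sample records (not from any real platform): (user, course, completion date, topics covered).
TRAINING_LOG = [
    ("alice", "Security Awareness 2024", date(2024, 1, 10), {"phishing", "cui-handling", "incident-reporting"}),
    ("bob",   "Security Awareness 2024", date(2024, 3, 20), {"phishing", "cui-handling", "incident-reporting"}),
    ("carol", "Security Awareness 2023", date(2023, 2, 1),  {"phishing", "cui-handling", "incident-reporting"}),
    ("dave",  "Generic Phishing 101",    date(2024, 4, 28), {"phishing"}),
]
# Date each user was first granted access to CUI systems (constructed).
CUI_ACCESS_GRANTED = {
    "alice": date(2024, 1, 15),  # trained before access, current: no finding
    "bob":   date(2024, 3, 4),   # trained 16 days after access: "new hires trained late"
    "carol": date(2023, 2, 15),  # last training over a year ago: "one-and-done"
    "dave":  date(2024, 5, 1),   # content never mentions CUI: "generic content"
    "erin":  date(2024, 6, 1),   # no row at all: "no records"
}
REQUIRED_TOPICS = {"cui-handling", "incident-reporting"}  # your policies, not just phishing
REFRESH_DAYS = 365  # annual refresher minimum

def audit(log, access, as_of):
    """Return {user: [finding, ...]} for every CUI user whose training evidence has a gap."""
    findings = {}
    for user, granted in access.items():
        rows = [r for r in log if r[0] == user]
        issues = []
        if not rows:
            issues.append("no training record")
        else:
            first = min(rows, key=lambda r: r[2])
            latest = max(rows, key=lambda r: r[2])
            if first[2] > granted:
                issues.append(f"first training {first[2]} is after CUI access {granted}")
            if (as_of - latest[2]).days > REFRESH_DAYS:
                issues.append(f"latest training {latest[2]} older than {REFRESH_DAYS} days")
            missing = REQUIRED_TOPICS - set().union(*(r[3] for r in rows))
            if missing:
                issues.append(f"content never covered: {sorted(missing)}")
        if issues:
            findings[user] = issues
    return findings

def run_audit(as_of_iso):
    """Audit the constructed records as of an ISO date, e.g. the assessment date."""
    return audit(TRAINING_LOG, CUI_ACCESS_GRANTED, date.fromisoformat(as_of_iso))

if __name__ == "__main__":
    for user, issues in run_audit("2024-07-01").items():
        print(f"{user}: " + "; ".join(issues))
```

Run it against an export from whatever platform you use and the empty-findings case is the evidence you hand the assessor for rows 3 and 4 of the Pass or Fail table.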
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.2.2 — Role-Specific Training | General awareness training here; role-specific training for admins and security staff there |
| 3.2.3 — Spot the Insider Threat | Insider threat awareness is a specific training topic |
| 3.6.1 — Have a Plan | Training should cover how to report incidents per your IR plan |
Implementation (coming soon)
Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.
CMMC Practice ID: AT.L2-3.2.1 | SPRS Weight: 5 points | POA&M Eligible: No