CMMC Deep Dive: Awareness and Training (AT)
A detailed guide to the Awareness and Training (AT) domain, focusing on building a security-conscious workforce.
Published: June 25th, 2024 | By: CMMC Dashboard Team | Last updated: August 7th, 2025
This article is part of our series on The 14 CMMC Domains.
The Awareness and Training (AT) domain recognizes that people are a critical component of any security program. This domain requires organizations to ensure that their workforce understands security risks and their responsibilities in protecting CUI.
Why It Matters
Technical controls can be bypassed by a single, well-crafted phishing email. A properly trained workforce acts as a "human firewall," capable of identifying and reporting threats, thereby significantly reducing the organization's risk profile.
Key Practices
- AT.L2-3.2.1: Ensure personnel are aware of security risks and applicable policies.
- AT.L2-3.2.2: Provide role-based training for specific security duties.
- AT.L2-3.2.3: Provide training on recognizing and reporting potential indicators of insider threats.
What Assessors Look For
- A documented security awareness and training policy.
- Training materials and content.
- Records of training completion for all personnel (including new hires and annual refreshers).
- Evidence of insider threat training.