AT.L2-3.2.1 · NIST SP 800-171 3.2.1

Role-based Risk Awareness

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

5 points if not met · Must be fully met, cannot POA&M · 4 assessment objectives

What an assessor scores, the objectives

AT.L2-3.2.1 is met only when every one of these 4 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. security risks associated with organizational activities involving CUI are identified
  • b. policies, standards, and procedures related to the security of the system are identified
  • c. managers, systems administrators, and users of the system are made aware of the security risks associated with their activities
  • d. managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AT.L2-3.2.1, an assessor uses these:

Examine

Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; system security plan; training records; other relevant documents or records

Interview

Personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel composing the general system user community; personnel with responsibilities for role-based awareness training

Test

Mechanisms managing security awareness training; mechanisms managing role-based security training

What it means, in context

Organizations determine the content and frequency of security awareness training and security awareness techniques based on the specific organizational requirements and the systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques include: formal training; offering supplies inscribed with security reminders; generating email advisories or notices from organizational officials; displaying logon screen messages; displaying security awareness posters; and conducting information security awareness events. NIST SP 800-50 provides guidance on security awareness and training programs.

Awareness training focuses user attention on security. Several techniques can be used, such as:

  • synchronous or asynchronous training;
  • simulations (e.g., simulated phishing emails);
  • security awareness campaigns (posters, reminders, group discussions); and
  • communicating regular email advisories and notices to employees.

Awareness training and role-based training are different. This requirement, AT.L2-3.2.1, covers awareness training, which provides general security training to influence user behavior. This training can apply broadly or be tailored to a specific role. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job and is covered by AT.L2-3.2.2.

Example

Your organization holds a DoD contract which requires the use of CUI. You want to provide information to employees so they can identify phishing emails. To do this, you prepare a presentation that highlights basic traits, including:

  • suspicious-looking email address or domain name;
  • a message that contains an attachment or URL; and
  • a message that is poorly written and often contains obvious misspelled words.

You encourage everyone to not click on attachments or links in a suspicious email [c]. You tell employees to forward such a message immediately to IT security [d]. You download free security awareness posters to hang in the office [c,d]. You send regular emails and tips to all employees to ensure your message is not forgotten over time [c,d].

Potential Assessment Considerations

  • Do all users, managers, and system administrators receive initial and refresher training commensurate with their roles and responsibilities [c,d]?
  • Do training materials identify the organization-defined security requirements that must be met by users while interacting with the system as described in written policies, standards, and procedures [d]?

What passing evidence looks like

The training content itself (slides, video link, or the vendor course name), a completion record per person with dates, and proof that managers and admins saw role-relevant risk content, not just the generic module.

Common ways contractors fail AT.L2-3.2.1

  • One generic phishing video for everyone misses the role-based half: the person who handles CUI shipping labels and the tenant admin face different risks, and the content must show it.
  • New hire timing counts. If someone started six months ago and first trained last week, expect the question.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AT.L2-3.2.1, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AT.L2-3.2.1 questions, answered

How many points is CMMC requirement AT.L2-3.2.1 worth?

AT.L2-3.2.1 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can AT.L2-3.2.1 be placed on a POA&M?

No. AT.L2-3.2.1 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AT.L2-3.2.1 belong to?

AT.L2-3.2.1 is in the Awareness & Training (AT) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.2.1