AT.L2-3.2.2 · NIST SP 800-171 3.2.2

Role-based Training

Ensure that personnel are trained to carry out their assigned information security -related duties and responsibilities.

5 points if not metMust be fully met, cannot POA&M3 assessment objectives

What an assessor scores, the objectives

AT.L2-3.2.2 is met only when every one of these 3 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a.information security-related duties, roles, and responsibilities are defined
  • b.information security-related duties, roles, and responsibilities are assigned to designated personnel
  • c.personnel are adequately trained to carry out their assigned information security- related duties, roles, and responsibilities

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AT.L2-3.2.2, an assessor uses these:

Examine

Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; system security plan; training records; other relevant documents or records

Interview

Personnel with responsibilities for role- based security training; personnel with assigned system security roles and responsibilities; personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel representing the general system user community

Test

Mechanisms managing role-based security training; mechanisms managing security awareness training

What it means, in context

Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the secu rity requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to sys tem-level software, security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technic al controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. NIST SP 800 -181 provides guidance on role -based information security training in the workplace. SP 800-161 provides guidance on supply chain risk management.

Training imparts skills and knowledge to enable staff to perform a specific job function. Training should be available to all employees for all organizational roles to accommodate role changes without being constrained by the training schedule. Awareness training and role-based training are different. Awareness training provides general security training to influence user behavior and is covered by AT.L2-3.2.1. This requirement, AT.L2-3.2.2, covers role-based training that focuses on the knowledge, skills, and abilities needed to complete a specific job. Role-based training may include awareness topics specific to individual roles such as ensuring systems administrators understand the risk associated with using an administrative account. Example Your company upgraded the firewall to a newer, more advanced system to protect the CUI it stores. You have been identified as an employee who needs training on the new device [a,b,c]. This will enable you to use the firewall effectively and efficiently. Your company considered training resources when it planned for the upgrade and ensured that training funds were available as part of the upgrade project [c]. Potential Assessment Considerations • Are the duties, roles , and responsibilities that impact, directly or indirectly, the information security of the company or its systems defined and documented [a]? • Do information security-related tasks have accountable owner s, and is a strictly limited group of individuals assigned to perform them [b]? • Are personnel who are assigned information security -related duties, roles , and responsibilities trained on those responsibilities, including the security requirements unique or inherent to their roles or responsibilities [c]?

What passing evidence looks like

A short duties matrix (role, security duties, training that covers those duties) and completion records proving each person was trained for their assigned security duties.

Common ways contractors fail AT.L2-3.2.2

  • !This one is about carrying OUT security duties, not general awareness. The admin needs admin training, the person who reviews logs needs log review training. Map duty to training explicitly.

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AT.L2-3.2.2, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AT.L2-3.2.2 questions, answered

How many points is CMMC requirement AT.L2-3.2.2 worth?+

AT.L2-3.2.2 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.

Can AT.L2-3.2.2 be placed on a POA&M?+

No. AT.L2-3.2.2 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.

What family does AT.L2-3.2.2 belong to?+

AT.L2-3.2.2 is in the Awareness & Training (AT) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.2.2