CMMC v2.0 - Awareness and Training

Controls mapping and traceability diagram. Created by Tara Lemieux and Michael Redman, Schellman Compliance.


1. AT.L2-3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

1.1. Determine if:

1.2. (a) security risks associated with organizational activities involving CUI are identified

1.3. (b) policies, standards, and procedures related to the security of the system are identified

1.4. (c) managers, systems administrators, and users of the system are made aware of the security risks associated with their activities

1.5. (d) managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system

2. AT.L2-3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

2.1. Determine if:

2.2. (a) information security-related duties, roles, and responsibilities are defined

2.3. (b) information security-related duties, roles, and responsibilities are assigned to designated personnel

2.4. (c) personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities

3. AT.L2-3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.

3.1. Determine if:

3.2. (a) potential indicators associated with insider threats are identified

3.3. (b) security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees