31 July 2024 • ISO 27001
Learn what the information security directive CMMC 2.0 states about security awareness training and how your organization can meet these requirements.
Is security awareness training required under CMMC 2.0?
Yes. Security awareness training is a mandatory requirement under CMMC 2.0 at both Level 1 and Level 2. Any organization handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must ensure that employees understand cybersecurity risks and follow the procedures necessary to protect sensitive information.
Without proper training in place, organizations cannot achieve CMMC certification — and without certification, they cannot bid on Department of Defense (DoD) contracts.
What is CMMC 2.0?
CMMC stands for Cybersecurity Maturity Model Certification. It is a framework developed by the U.S. Department of Defense to ensure that defense contractors adequately protect sensitive information.
CMMC 2.0 simplifies the original five-level model into three levels:
- Level 1 (Foundational): Basic cyber hygiene for organizations handling Federal Contract Information (FCI). Aligned with FAR 52.204-21.
- Level 2 (Advanced): Comprehensive security for organizations handling Controlled Unclassified Information (CUI). Aligned with all 110 controls in NIST SP 800-171.
- Level 3 (Expert): Enhanced security for the most sensitive programs. Aligned with a subset of NIST SP 800-172.
Most defense contractors will need to achieve Level 1 or Level 2 compliance. Both levels include specific requirements around security awareness training.
CMMC 2.0 security awareness training requirements by level
Level 1: Basic Cyber Hygiene
At Level 1, the focus is on basic practices for protecting FCI. Training requirements include:
- Phishing awareness: Employees must be able to recognize and report phishing attempts, including suspicious emails, links, and attachments.
- Password hygiene: Training on creating strong passwords and avoiding password reuse.
- Physical security: Awareness of how to handle physical access to systems and sensitive areas.
- Acceptable use: Understanding the rules for using organizational IT systems.
Level 1 compliance is based on self-assessment — no third-party audit is required.
Level 2: Advanced Security for CUI
Level 2 requirements are significantly more rigorous, aligned with all 110 controls in NIST SP 800-171. Training must cover:
- Regular threat updates: Ongoing training on current threats like phishing, ransomware, and social engineering.
- Role-specific training: Employees with CUI access need specialized training relevant to their responsibilities.
- Incident reporting: Clear procedures for reporting security incidents.
- Insider threat awareness: Recognizing signs of insider threats and knowing how to respond.
- Documentation: All training activities must be documented for audit purposes.
Level 2 compliance requires a third-party assessment by a certified C3PAO (CMMC Third-Party Assessment Organization).
How to implement CMMC-compliant security awareness training
Meeting CMMC training requirements does not have to be complicated. Here are the key steps to get your organization compliant:
1. Assess your current level
Determine whether your organization needs Level 1 or Level 2 compliance based on the type of information you handle (FCI vs. CUI) and the contracts you pursue.
2. Choose a training platform
Select a security awareness training platform that covers the topics required by CMMC, including phishing recognition, password management, incident reporting, and social engineering. Look for a solution that offers regular updates to keep pace with evolving threats.
3. Run phishing simulations
Phishing simulations are one of the most effective ways to test whether employees can apply what they have learned. Regular simulations help identify knowledge gaps and reinforce good security habits.
4. Document everything
CMMC auditors will ask for proof that training has been conducted. Make sure your platform provides reporting features that track completion rates, quiz scores, and participation over time.
5. Make training ongoing
A one-time training session is not enough. CMMC expects organizations to provide continuous security awareness training that keeps employees informed about the latest threats. A gamified approach can help keep employees engaged over time.
CMMC 2.0 compliance resources
For more detailed information about CMMC requirements and compliance:
- CMMC Official Website: The latest compliance guidance from the Department of Defense is available at CMMC Resources & Documentation and the CMMC 2.0 overview.
- NIST SP 800-171: The full security requirements for protecting CUI are available at the NIST website.
Meet Guardey
Guardey's gamified solution makes security awareness training fun, efficient, and measurable.