GRCWatch
Sign inStart free trial

CMMC AT.L2-3.2.1: Role-Based Risk Awareness

Role-based risk awareness is foundational to CMMC Level 2 compliance. This control requires your organization to ensure that managers, systems administrators, and all information system users understand the security risks tied to their roles and the policies governing system protection. Without documented awareness, you risk non-compliance and inadequate employee security practices.

What this means

AT.L2-3.2.1 mandates that your organization provide role-specific security risk training and communication to three key groups: (1) managers who oversee information systems and personnel, (2) systems administrators who configure and maintain systems, and (3) all end users who access organizational data. Each group must understand both the unique risks associated with their activities and the applicable security policies, standards, and procedures that govern system use. This goes beyond generic security awareness—it requires tailored, role-relevant messaging so that each employee knows what they're responsible for protecting and why.

How to comply

  1. 1.Identify and document all roles that interact with information systems (managers, administrators, developers, end users, contractors).
  2. 2.Assess security risks specific to each role's activities and access levels.
  3. 3.Develop role-based awareness training materials that explain applicable policies, standards, and procedures in role-relevant language.
  4. 4.Deliver initial and annual refresher training to all staff in their respective roles.
  5. 5.Document training completion with sign-off records showing date, content, and attendee role.
  6. 6.Establish a process to communicate policy updates and emerging security risks to affected roles throughout the year.
  7. 7.Measure awareness effectiveness through quizzes, assessments, or security incident metrics.

Evidence auditors look for

  • Role-based security awareness training curriculum tailored for managers, admins, and end users
  • Training attendance records with employee name, role, date completed, and trainer signature
  • Annual awareness training calendar and schedule by role
  • Security policy and procedures documentation specific to each role's responsibilities
  • Email communications or security alerts sent to administrators regarding system-level risks
  • Incident response acknowledgment forms signed by users confirming understanding of phishing and social engineering risks
  • Training assessment scores or quiz results demonstrating comprehension of role-specific security requirements
  • Documented communications about new threats, system changes, or policy updates sent to affected roles

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates role-based awareness training assignment and tracks completion by role across your organization, generating the signed attestation records required for AT.L2-3.2.1 audits.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AT.L2-3.1.1 — Security Awareness TrainingAT.L2-3.2.2 — Security Update and Vulnerability AwarenessAC.L2-3.1.1 — Authorized Access ControlSI.L2-3.14.1 — Information System Security Practices