CMMC AT.L2-3.2.3: Insider Threat Awareness Training Requirements
Insider threats pose one of the highest-risk vulnerabilities to defense contractors and SMBs handling sensitive data. CMMC Level 2 control AT.L2-3.2.3 requires organizations to provide security awareness training that equips employees to identify and report potential insider threat indicators before damage occurs. This control moves beyond generic security training to create a culture of vigilance across your organization.
What this means
This control mandates that your organization deliver targeted security awareness training focused specifically on insider threat recognition and reporting. Employees must understand what constitutes suspicious behavior—including unauthorized access attempts, data exfiltration, policy violations, and behavioral red flags—and know the correct escalation procedures. The training should emphasize that insider threats can originate from current employees, contractors, or third-party vendors with system access.
How to comply
- 1.Develop insider threat awareness curriculum covering threat indicators, behavioral red flags, and reporting procedures
- 2.Train all personnel with system access on recognizing suspicious activities (unauthorized access, data copying, policy violations)
- 3.Establish clear reporting channels and make employees comfortable reporting concerns without fear of retaliation
- 4.Document training completion and maintain attendance records for audits
- 5.Conduct annual refresher training and track awareness metrics over time
- 6.Create escalation procedures that route insider threat concerns to security leadership
Evidence auditors look for
- Training curriculum documents with insider threat-specific content modules
- Employee training completion records and sign-off sheets
- Attendance logs with dates and participant names
- Training acknowledgment forms confirming understanding of reporting procedures
- Internal communications promoting insider threat awareness
- Documented incident reports showing employees using training to identify threats
- Annual training schedule and refresher completion tracking
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks insider threat training completion across your entire organization, generates compliance evidence reports, and reminds you when refresher training is due—eliminating manual record-keeping and ensuring CMMC auditors always see current, documented awareness across your workforce.
See how GRCWatch handles this control automatically
Start free trial