
Checklist: 10 Actionable Steps to Make Staff Aware of Security Risks and Policies for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AT.L2-3.2.1

Practical 10-step checklist to ensure managers, admins, and users understand security risks and applicable policies to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 AT.L2-3.2.1 compliance.

April 16, 2026


This post provides a practical, 10-step checklist to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control AT.L2-3.2.1 — the requirement that managers, system administrators, and users are made aware of security risks associated with their activities and of the applicable policies, standards, and procedures for organizational systems — with actionable implementation tips, small-business examples, and compliance artifacts you can produce for an assessor.

What AT.L2-3.2.1 requires (quick summary)

AT.L2-3.2.1 mandates documented, repeatable activities that ensure the workforce knows the security risks tied to their roles and the policies and processes that govern acceptable behavior. For a NIST SP 800-171 / CMMC Level 2 implementation this means formalizing training, acknowledgements, role-based messaging, measurable evidence (logs and rosters), and periodic refreshes, all mapped into your SSP and POA&M.

Checklist: 10 Actionable Steps

Below are ten concrete actions you can implement right away. Each item includes practical how-to notes, who should own it, and the compliance artifact to collect.

  1. Create a role-based awareness matrix. Define roles (e.g., executives, managers, system admins, contractors, developers, remote workers) and list the specific risks and policies each role must know. Owner: Security Manager. Artifact: published matrix in your SSP or document repository (SharePoint/Confluence).
  2. Develop concise, role-specific training modules. Build 15–30 minute modules for common risks: phishing, credential handling, CUI handling, remote access, and privileged access hygiene. Use an LMS (e.g., Moodle, TalentLMS, or a hosted provider like KnowBe4). Owner: Training Lead. Artifact: LMS completion reports (CSV/PDF) showing user, module, completion date, score.
  3. Require signed policy acknowledgements during onboarding and annually. Present Acceptable Use, Data Handling, and Remote Access policies during onboarding and force an annual re-acknowledgement. Implement digital signature or checkbox with SSO tie-in (Azure AD/Okta). Artifact: signed acknowledgement logs, timestamped entries exported from your HR or IAM system.
  4. Run monthly phishing simulations and real-time reporting. Automate phishing tests targeted by role and measure click/report rates. Feed results into POA&M for users who repeatedly fail and escalate for retraining. Owner: IT Security. Artifact: phishing campaign reports, remediation assignments.
  5. Hold quarterly “risk brief” sessions for managers and admins. These 30–60 minute meetings review recent incidents, threat intelligence relevant to your sector, and policy updates. Make attendance mandatory for managers and system owners. Artifact: meeting minutes, attendance roster.
  6. Publish policies in a single, version-controlled repository. Use a centrally accessible location (SharePoint/Confluence/Git repo) with policy version history, last-reviewed dates, and an “effective date.” Link policy pages to role-specific sections in the awareness matrix. Artifact: policy repository screenshots and version history exports.
  7. Integrate technical enforcement where possible. Combine awareness with controls: require MFA for admin accounts, use conditional access to block non-compliant devices, restrict CUI storage to encrypted, access-controlled locations. Owner: IT Ops. Artifact: conditional access policy configs, MFA enforcement logs, encryption audit reports.
  8. Implement a documented incident reporting and escalation path. Teach users how to report suspicious emails/devices and what information to include. Route reports into a ticket system (Jira/ServiceNow) and track time-to-response. Artifact: ticket exports, SLA metrics, incident follow-up notes.
  9. Conduct role-specific hands-on exercises for admins. For system administrators, include tabletop exercises and simulated attacker scenarios (e.g., privileged credential compromise). Validate they can perform containment, account disablement, and forensic evidence preservation. Artifact: exercise plans, test results, and corrective actions.
  10. Measure and document KPIs; tie to continuous improvement. Track completion rates, phishing click-to-report ratios, time-to-acknowledgement, and repeat offenders. Use these metrics in monthly security reviews and update training/policies accordingly. Artifact: KPI dashboard exports and updated training plans.

Implementation details specific to NIST SP 800-171 / CMMC Level 2

For a NIST SP 800-171 / CMMC Level 2 implementation you need to map these activities into your SSP and reflect gaps in your POA&M. Each checklist item should have an owner and a measurable artifact that an assessor can review: LMS logs, signed ack records, policy version history, phishing campaign summaries, conditional access policy exports, and meeting minutes. Small businesses can centralize artifacts in a secured cloud folder and include a brief “audit guide” that points assessors to each artifact and its relevance to AT.L2-3.2.1.

Small-business scenario and real-world example

Example: A 30-person DoD subcontractor uses Azure AD + Okta SSO, SharePoint for policy, and KnowBe4 for training. They created a role-based matrix, implemented annual sign-off using Azure AD Conditional Access and Power Automate to log acknowledgements, ran quarterly phishing campaigns, and kept an SSP that references each artifact location. When preparing for assessment they exported LMS completion reports, conditional access screenshots, and the phishing campaign report into a single evidence zip with a README that maps files to AT.L2-3.2.1 — reducing assessor time and improving auditor confidence.

Risks of not implementing AT.L2-3.2.1

Failing to make staff aware of risks and policies increases the chance of successful phishing, credential compromise, mishandling of Controlled Unclassified Information (CUI), and improper privileged actions. For contractors this can lead to lost contracts, corrective action plans, negative findings from assessors, and actual operational incidents (data leakage, ransomware). From a technical view, untrained admins may inadvertently disable logging, over-provision access, or fail to rotate credentials — all of which materially increase organizational risk.

Compliance tips and best practices

Keep training short and frequent rather than long and infrequent; use microlearning and role-based drills. Automate evidence collection: integrate your LMS and IAM to export CSVs with user UPNs, training IDs, and timestamps so artifacts match identity records in your SSP. Keep an “evidence index” that maps document names to specific requirements; include screenshots of policy pages with browser timestamps to prove availability. Finally, document remediation steps in your POA&M for any deficiencies discovered during phishing or exercises.
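The KPI tracking in step 10 and the CSV-based evidence reconciliation suggested above can be scripted so the numbers in your monthly review come straight from the exports an assessor will see. The Python below is an added example, not code from the original post or from any LMS or IAM vendor: it joins constructed LMS completion, policy acknowledgement and phishing-campaign exports to an IAM user list on UPN, then computes completion rate against a role-based requirement matrix, days from hire to acknowledgement, acknowledgements older than the annual window, per-campaign click and report rates, and repeat clickers. Every column header, module id (SEC-101, SEC-201-PRIV), user and the 365-day window are assumptions; substitute your own export formats.

```python
"""Compute AT.L2-3.2.1 awareness KPIs from LMS, acknowledgement and phishing
exports joined to an IAM user list on UPN. All data here is constructed and
every column name, module id and threshold is an assumption."""
import csv
import io
import json
from datetime import datetime

# Constructed IAM export (e.g. from Azure AD/Okta); "upn" is the join key.
IAM_USERS_CSV = """upn,role,hire_date
alice@example.com,manager,2025-01-10
bob@example.com,sysadmin,2025-03-02
carol@example.com,user,2025-06-15
dave@example.com,user,2025-09-01
"""

# Constructed LMS completion export: one row per completed module.
LMS_COMPLETIONS_CSV = """upn,training_id,completed_on,score
alice@example.com,SEC-101,2025-02-01,92
bob@example.com,SEC-101,2025-03-20,88
bob@example.com,SEC-201-PRIV,2025-03-21,95
carol@example.com,SEC-101,2025-07-01,80
"""

# Constructed policy acknowledgement log (onboarding / annual sign-off).
ACK_LOG_CSV = """upn,policy,acknowledged_on
alice@example.com,AUP,2025-01-12
bob@example.com,AUP,2025-03-30
carol@example.com,AUP,2025-06-16
"""

# Constructed phishing simulation results: one row per user per campaign.
PHISHING_CSV = """campaign,upn,clicked,reported
2025-10,alice@example.com,0,1
2025-10,bob@example.com,1,0
2025-10,carol@example.com,0,0
2025-10,dave@example.com,1,0
2025-11,alice@example.com,0,1
2025-11,bob@example.com,1,0
2025-11,carol@example.com,0,1
2025-11,dave@example.com,0,0
"""

# Assumed role-based awareness matrix (step 1): modules each role must complete.
REQUIRED_MODULES = {
    "manager": {"SEC-101"},
    "sysadmin": {"SEC-101", "SEC-201-PRIV"},
    "user": {"SEC-101"},
}
ACK_MAX_AGE_DAYS = 365  # assumed annual re-acknowledgement window


def load_csv(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def training_gaps():
    """Map each IAM UPN to the required modules it has not completed."""
    done = {}
    for row in load_csv(LMS_COMPLETIONS_CSV):
        done.setdefault(row["upn"], set()).add(row["training_id"])
    return {u["upn"]: REQUIRED_MODULES[u["role"]] - done.get(u["upn"], set())
            for u in load_csv(IAM_USERS_CSV)}


def completion_rate():
    """Fraction of IAM users with no outstanding required modules."""
    gaps = training_gaps()
    return sum(1 for g in gaps.values() if not g) / len(gaps)


def acknowledgement_status(as_of):
    """Per UPN: days from hire to latest acknowledgement (None if never signed),
    plus whether the acknowledgement is missing or older than ACK_MAX_AGE_DAYS."""
    as_of = parse_date(as_of)
    latest = {}
    for row in load_csv(ACK_LOG_CSV):
        d = parse_date(row["acknowledged_on"])
        if row["upn"] not in latest or d > latest[row["upn"]]:
            latest[row["upn"]] = d
    status = {}
    for u in load_csv(IAM_USERS_CSV):
        ack = latest.get(u["upn"])
        if ack is None:
            status[u["upn"]] = {"days_to_ack": None, "missing": True, "stale": False}
        else:
            status[u["upn"]] = {"days_to_ack": (ack - parse_date(u["hire_date"])).days,
                                "missing": False,
                                "stale": (as_of - ack).days > ACK_MAX_AGE_DAYS}
    return status


def phishing_metrics(min_clicks_for_repeat=2):
    """Per-campaign click and report rates, plus users who clicked in
    min_clicks_for_repeat or more campaigns (the step 10 'repeat offenders')."""
    per_campaign, clicks_by_user = {}, {}
    for row in load_csv(PHISHING_CSV):
        c = per_campaign.setdefault(row["campaign"], {"targets": 0, "clicked": 0, "reported": 0})
        c["targets"] += 1
        c["clicked"] += int(row["clicked"])
        c["reported"] += int(row["reported"])
        if row["clicked"] == "1":
            clicks_by_user[row["upn"]] = clicks_by_user.get(row["upn"], 0) + 1
    rates = {name: {"click_rate": c["clicked"] / c["targets"],
                    "report_rate": c["reported"] / c["targets"]}
             for name, c in per_campaign.items()}
    repeat = sorted(u for u, n in clicks_by_user.items() if n >= min_clicks_for_repeat)
    return {"campaigns": rates, "repeat_offenders": repeat}


def kpi_report(as_of):
    """Assemble the figures a monthly security review (step 10) would look at."""
    acks = acknowledgement_status(as_of)
    return {"as_of": as_of,
            "training_completion_rate": completion_rate(),
            "users_with_training_gaps": {u: sorted(g) for u, g in training_gaps().items() if g},
            "acks_missing": sorted(u for u, s in acks.items() if s["missing"]),
            "acks_stale": sorted(u for u, s in acks.items() if s["stale"]),
            "phishing": phishing_metrics()}


if __name__ == "__main__":
    print(json.dumps(kpi_report("2026-01-15"), indent=2))
```

Because every metric is keyed on the same UPN that appears in the IAM export, a user who is missing from the LMS or acknowledgement log shows up as a gap rather than silently disappearing from the denominator, which is the discrepancy an assessor will look for first. Keeping the exported CSVs alongside the script output in your evidence folder lets the assessor reproduce the numbers themselves.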

In summary, AT.L2-3.2.1 is as much about documentation and measurability as it is about teaching. Implement the 10 steps above, attach clear artifacts, assign owners, and continuously measure outcomes—doing so will significantly reduce operational risk and make a CMMC/NIST assessment straightforward for a small business.
