Meeting AT.L2-3.2.2 under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 requires role-based cybersecurity exercises and simulations that prove personnel can fulfill their security responsibilities; this post lays out a practical, small-business–oriented approach to designing, running, measuring, and documenting those exercises to meet compliance and reduce real-world risk.
Context and Objectives
Requirement: role-based cybersecurity training and exercises (AT.L2-3.2.2) that demonstrate personnel competence in protecting Controlled Unclassified Information (CUI). Key objectives: define role-specific learning objectives, run realistic exercises aligned to those roles, capture evidence that the objectives were met, and integrate results into your System Security Plan (SSP) and Plan of Action and Milestones (POA&M). Implementation notes: exercises must be repeatable, documented, and mapped to the responsibilities stated in job descriptions and the SSP.
Design approach — map roles to risks and objectives
Start by inventorying roles that touch CUI or security controls: executives (policy/contract decisions), system owners, privileged administrators (Active Directory, cloud admins), developers, help desk, and general users. For each role define 2–4 measurable objectives (for example, "IT admin will follow the privileged access process to request and approve break-glass access within 15 minutes" or "Help desk will validate MFA reset requests using documented identity proofing steps"). Use a simple mapping spreadsheet with columns: Role, Responsibility, Exercise Type, Success Criteria, Evidence to Collect, Frequency. This map becomes the source of truth for exercise scope during audits.
Role-specific exercise templates and real-world examples
Design templates per role: executives need tabletop decision exercises about contract/incident notification and legal escalation; system owners run configuration review simulations (e.g., a misconfigured AWS S3 bucket containing CUI); admins require live-play technical exercises (privileged credential theft simulation, lateral movement containment); help desk needs identity-proofing and escalation drills; end users get targeted phishing simulations and data-handling scenarios. Example 1 (small defense subcontractor, 25 people): run a quarterly phishing campaign (GoPhish) for users, a semiannual privileged-admin live-play exercise in which an admin must detect and revoke a compromised admin account using EDR telemetry, and an annual executive tabletop to rehearse CUI breach notification to prime contractors. Example 2 (remote development shop): simulate a stolen laptop with cached CUI and test remote wipe, EDR detection, and recovery from backups in an isolated lab.
Technical setup and safe execution
Implement exercises in isolated environments to avoid collateral impact: use virtual lab VMs with snapshots, dedicated testing Azure or AWS accounts, or segmented VLANs. For phishing tests use GoPhish or a managed service and capture click rates, credential submissions, and follow-up behaviors (who reported vs. who clicked). For admin simulations, create test AD accounts in a "Lab" OU with realistic privileges, enable Windows Event Forwarding or Sysmon, and ingest logs into your SIEM (Elastic, Splunk, Microsoft Sentinel). Configure EDR (CrowdStrike, Microsoft Defender for Endpoint) to generate alerts on simulated TTPs (credential dumping, lateral movement) and measure time-to-detect (TTD) and time-to-contain (TTC). When simulating data exfiltration, use synthetic CUI files labeled clearly as test data to avoid legal issues. Capture forensic artifacts (timeline of events, pcap of simulated exfil, EDR logs) as evidence for assessors.
Running exercises and assessment criteria
Run exercises with an inject schedule and observers: prepare a script with injects, expected responses, and escalation triggers. Use an exercise control team (two people can suffice) to inject events, monitor telemetry, and score performance against success criteria. Success criteria should be objective—example: "Privileged account compromise detected by EDR within 30 minutes and account disabled within 60 minutes; containment steps documented and performed in order." Collect artifacts (timestamped alerts, screenshots of actions taken, ticket numbers, call logs) and a post-exercise After Action Report (AAR) that lists findings, root cause, remediation tasks, owners, and due dates. For tabletop exercises, capture decisions in meeting minutes and update policies/SSP to reflect any procedural changes.
Metrics, evidence handling, and documentation for compliance
Track both process and outcome metrics: exercise completion rate by role, mean time to detect (MTTD), mean time to respond/contain (MTTR), percentage of users reporting phishing, and number of corrective actions closed within target windows. Keep an evidence repository (encrypted, access-controlled) containing exercise plans, inject scripts, logs, AARs, attendance lists, and screenshots. Reference these artifacts in your SSP and link POA&M entries to corrective tasks discovered during exercises. During a CMMC assessment, provide the assessor the mapping spreadsheet showing which exercises map to AT.L2-3.2.2, plus supporting artifacts for the most recent exercise for each critical role.
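The scoring and metrics described in the two sections above (objective success criteria such as "detected within 30 minutes, disabled within 60 minutes", plus MTTD, MTTR and phishing report rate) can be computed directly from the timestamps the exercise control team records. The following is an added example, not code from the original post: it scores constructed results of three simulated privileged-account compromises against the post's example criteria, rolls them up into the outcome metrics, lists the findings as POA&M candidates, and computes click/submit/report rates from a constructed GoPhish-style outcome list. The exercise IDs, ticket numbers, user names and timestamps are all made up.

```python
"""Score role-based exercise results and compute AT.L2-3.2.2 metrics
(pass rate, MTTD, MTTR, phishing report rate).

Added example, not from the original post. All records below are
constructed sample data; the success criteria follow the post's example
(detect within 30 min, contain within 60 min, containment ticketed)."""
from datetime import datetime
from statistics import mean

# Constructed results of three simulated privileged-account compromises.
# 'detected' / 'contained' are None when that step never happened.
EXERCISE_EVENTS = [
    {"exercise": "ADM-Q1-01", "role": "Privileged admin", "ticket": "INC-1042",
     "inject": "2024-02-06T09:00:00", "detected": "2024-02-06T09:18:00",
     "contained": "2024-02-06T09:52:00"},
    {"exercise": "ADM-Q1-02", "role": "Privileged admin", "ticket": "INC-1043",
     "inject": "2024-02-06T13:00:00", "detected": "2024-02-06T13:41:00",
     "contained": "2024-02-06T14:10:00"},
    {"exercise": "ADM-Q1-03", "role": "Privileged admin", "ticket": None,
     "inject": "2024-02-07T10:00:00", "detected": None, "contained": None},
]

# Constructed per-user outcome of one phishing campaign (GoPhish-style).
PHISHING_RESULTS = [
    {"user": "a.lee", "clicked": False, "submitted": False, "reported": True},
    {"user": "b.ortiz", "clicked": True, "submitted": True, "reported": False},
    {"user": "c.nair", "clicked": True, "submitted": False, "reported": True},
    {"user": "d.kim", "clicked": False, "submitted": False, "reported": False},
]

# Success criteria from the exercise plan, in minutes from the inject.
CRITERIA = {"detect_min": 30, "contain_min": 60}


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps, or None if 'end' is missing."""
    if end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def score_event(ev, criteria=CRITERIA):
    """Compare one simulated compromise against the success criteria and
    return measured times plus findings for the After Action Report."""
    ttd = _minutes(ev["inject"], ev["detected"])
    ttc = _minutes(ev["inject"], ev["contained"])
    findings = []
    if ttd is None:
        findings.append("No alert raised: verify EDR/SIEM rule coverage for the simulated TTP")
    elif ttd > criteria["detect_min"]:
        findings.append(f"Detection took {ttd:.0f} min (target {criteria['detect_min']})")
    if ttc is None:
        findings.append("Account never disabled: rehearse the containment step in the admin playbook")
    elif ttc > criteria["contain_min"]:
        findings.append(f"Containment took {ttc:.0f} min (target {criteria['contain_min']})")
    if ev["ticket"] is None:
        findings.append("No incident ticket: evidence trail for containment is incomplete")
    return {"exercise": ev["exercise"], "role": ev["role"], "ttd_min": ttd,
            "ttc_min": ttc, "passed": not findings, "findings": findings}


def summarize(events=EXERCISE_EVENTS, criteria=CRITERIA):
    """Roll scored events up into the outcome metrics tracked in the SSP:
    pass rate, MTTD/MTTR over events where the step actually occurred,
    the count of undetected injects, and POA&M candidate items."""
    scored = [score_event(e, criteria) for e in events]
    detected = [s["ttd_min"] for s in scored if s["ttd_min"] is not None]
    contained = [s["ttc_min"] for s in scored if s["ttc_min"] is not None]
    return {
        "exercises": len(scored),
        "pass_rate": sum(s["passed"] for s in scored) / len(scored),
        "mttd_min": mean(detected) if detected else None,
        "mttr_min": mean(contained) if contained else None,
        "undetected": sum(1 for s in scored if s["ttd_min"] is None),
        "poam_items": [f"{s['exercise']}: {f}" for s in scored for f in s["findings"]],
    }


def phishing_metrics(results=PHISHING_RESULTS):
    """Click, credential-submission and report rates for one campaign.
    A user who clicked and then reported still counts as a reporter;
    the users needing follow-up are those who clicked and never reported."""
    n = len(results)
    return {
        "users": n,
        "click_rate": sum(r["clicked"] for r in results) / n,
        "submit_rate": sum(r["submitted"] for r in results) / n,
        "report_rate": sum(r["reported"] for r in results) / n,
        "clicked_not_reported": sorted(r["user"] for r in results
                                       if r["clicked"] and not r["reported"]),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
    print(phishing_metrics())
```

Note that MTTD and MTTR are averaged only over events where detection or containment actually happened; the undetected inject is reported separately as a count so that a missed detection lowers the pass rate instead of silently disappearing from the average.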
Compliance tips and best practices
Recommendations: (1) Start small—run tabletop exercises before live technical tests. (2) Schedule role-based exercises at a sensible cadence: quarterly for admins and incident responders, semiannual for help desk and engineers, annual for all staff. (3) Use realistic but safe test data (sandboxed synthetic CUI). (4) Automate evidence capture where possible—SIEM dashboards and incident tickets reduce post-exercise work. (5) Tie exercises to training by creating follow-up microlearning for gaps discovered (e.g., a 10-minute refresher on phishing reporting). (6) Ensure executive sponsorship and include legal/HR in tabletop planning to avoid policy conflicts. (7) Integrate results into the SSP and POA&M immediately—delays weaken your compliance posture.
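The mapping spreadsheet from the design section (columns Role, Responsibility, Exercise Type, Success Criteria, Evidence to Collect, Frequency) and the cadence in recommendation (2) can be checked mechanically against the evidence repository before an assessment, so that an overdue or unevidenced role becomes a POA&M item rather than an assessor finding. The following is an added example, not code from the original post: it validates a constructed copy of the mapping CSV, then compares each role's most recent exercise date (a constructed evidence index) against its cadence on a fixed reference date. The cadence windows in days are an assumption of this example.

```python
"""Check the role-to-exercise map against the evidence repository and
flag roles whose exercise is overdue for its cadence or has no evidence.

Added example, not from the original post. The CSV content and the
last-exercise dates are constructed; the cadence windows are assumed."""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed mapping spreadsheet using the post's column set.
MAPPING_CSV = """Role,Responsibility,Exercise Type,Success Criteria,Evidence to Collect,Frequency
Privileged admin,Detect and revoke compromised admin account,Live technical,Detected <=30 min; disabled <=60 min,EDR alerts;ticket;AAR,quarterly
Help desk,Validate MFA reset requests,Identity-proofing drill,Proofing steps followed per procedure,Call log;ticket,semiannual
Executive,CUI breach notification decisions,Tabletop,Notification decision made within exercise window,Minutes;AAR,annual
General user,Report suspected phishing,Phishing simulation,Report rate tracked; refresher assigned for gaps,GoPhish export,quarterly
"""

# Constructed evidence repository index: most recent completed exercise per role.
# "General user" deliberately has no entry to show the missing-evidence case.
LAST_EXERCISE = {
    "Privileged admin": date(2024, 2, 6),
    "Help desk": date(2023, 7, 12),
    "Executive": date(2023, 11, 20),
}

# Assumed cadence windows (days); tune to your own schedule.
CADENCE_DAYS = {"quarterly": 91, "semiannual": 182, "annual": 365}
REQUIRED_COLUMNS = ["Role", "Responsibility", "Exercise Type",
                    "Success Criteria", "Evidence to Collect", "Frequency"]


def load_mapping(text=MAPPING_CSV):
    """Parse the mapping CSV and reject it if columns are missing or a
    Frequency value is not one of the known cadences."""
    rows = list(csv.DictReader(StringIO(text)))
    if not rows:
        raise ValueError("mapping spreadsheet is empty")
    missing = [c for c in REQUIRED_COLUMNS if c not in rows[0]]
    if missing:
        raise ValueError(f"mapping is missing columns: {missing}")
    for r in rows:
        freq = r["Frequency"].strip().lower()
        if freq not in CADENCE_DAYS:
            raise ValueError(f"unknown Frequency {r['Frequency']!r} for role {r['Role']!r}")
        r["Frequency"] = freq
    return rows


def overdue_roles(rows, last=LAST_EXERCISE, today=date(2024, 3, 1)):
    """Return one finding per role whose last exercise is older than its
    cadence window ('overdue') or has no evidence on file ('no evidence').
    'today' is fixed so the result is reproducible; pass date.today() in use."""
    findings = []
    for r in rows:
        window = timedelta(days=CADENCE_DAYS[r["Frequency"]])
        done = last.get(r["Role"])
        if done is None:
            findings.append({"role": r["Role"], "status": "no evidence",
                             "exercise_type": r["Exercise Type"], "days_overdue": None})
        elif today - done > window:
            findings.append({"role": r["Role"], "status": "overdue",
                             "exercise_type": r["Exercise Type"],
                             "days_overdue": (today - done - window).days})
    return findings


if __name__ == "__main__":
    for f in overdue_roles(load_mapping()):
        print(f"{f['role']}: {f['status']} ({f['exercise_type']}), "
              f"days overdue: {f['days_overdue']}")
```

Each finding carries the exercise type so it can be pasted straight into a POA&M entry ("Help desk identity-proofing drill overdue by 51 days; owner, due date"). Validating the Frequency column up front matters because a typo such as "quaterly" would otherwise silently exempt a role from the check.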
The risk of not implementing AT.L2-3.2.2 is both operational and contractual: without role-specific exercises you increase the likelihood of missed detection, improper handling of CUI, escalated impact of breaches, and failure during CMMC assessments that can jeopardize DoD contracts. For a small business, one successful phishing or admin-credential compromise can lead to data exfiltration, reputational harm, lost contracts, and significant remediation cost—exercises materially reduce these risks by validating people and processes ahead of an incident.
Summary: Build a simple role-to-objective map, design safe, repeatable exercise templates (phishing, tabletop, admin technical playbooks), capture objective evidence (logs, AARs, metrics), and feed findings into your SSP and POA&M. For small businesses this approach is practical, affordable, and scales: start with quarterly phishing and an annual admin technical exercise, expand coverage based on risk, and document everything so you both improve security and demonstrate compliance with AT.L2-3.2.2.