Meeting AT.L2-3.2.1 under NIST SP 800-171 Rev. 2 and CMMC 2.0 Level 2 requires more than delivering training: you need measurable evidence that managers, system administrators and users understand the security risks of their activities and actually change behavior. This post gives you a practical KPI set, tests to run, and an improvement plan that a small business can implement to demonstrate compliance and reduce exposure of Controlled Unclassified Information (CUI).
Compliance Framework mapping and objectives
AT.L2-3.2.1 is the first practice in the Awareness and Training (AT) family. Its requirement is that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. In practice the program has to (1) deliver training to the right personnel, (2) validate understanding and behavioral change, and (3) retain documentation and evidence for assessors. For small businesses handling CUI, that means a lightweight but auditable program that ties observed behavior (phishing click rates, reporting behavior, remediation) to documented learning outcomes.
KPIs to measure awareness effectiveness
Choose KPIs that are objective, measurable, and tied to risk reduction. Recommended KPIs for AT.L2-3.2.1 include:
- Training completion rate — percent of in-scope personnel who completed the training required for their role within the reporting period (target ≥ 95%).
- Phishing simulation click rate — percent of recipients who clicked a simulated phishing link (target < 5% after remedial training). Track credential submission on the landing page separately; it is the higher-severity outcome and usually the one that turns into a real incident.
- Phishing report rate — percent of recipients who reported the simulated message via the report button or your security mailbox (goal: rising trend). Also track the report-to-click ratio, reports divided by clicks, with a target above 0.5; a ratio above 1.0 means more people reported than fell for the lure.
- Mean time to remediate risky behavior — average number of days between a failed simulation and completion of the assigned corrective training (target < 7 days). Report the number of remediation items still open at period end alongside the average, so a few forgotten cases cannot hide in it.
- MFA adoption rate — percent of privileged and user accounts protected by multi-factor authentication (target 100% for privileged accounts, ≥ 95% for all users). Strictly this is an identity-control outcome (IA family) rather than a training outcome, but it is a useful companion metric because awareness campaigns drive enrollment and reduce help-desk pushback.
- Knowledge retention score — average score on quarterly quizzes or post-module assessments (target ≥ 80%), measured before and after training so you can show the delta rather than a single number.
- Incident rate tied to user action — number of confirmed incidents per quarter whose root cause was a user action (phishing-driven compromise, credentials entered on a fake page, CUI sent to the wrong recipient); the trend should be downward. Normalize by headcount if the organization is growing.
Tests and measurement methods
Run both technical simulations and human-centered assessments to build an evidence trail. Practical tests include: scheduled and randomized phishing simulations (Attack simulation training in Microsoft Defender for Office 365 Plan 2, commercial platforms such as KnowBe4 or Cofense, or one-off tests using internal scripts), pre/post-training knowledge quizzes, tabletop exercises for managers, and monitoring of security telemetry for risky events. Instrumentation details: make sure your mail gateway and MTA logs retain message metadata (sending IP, SPF/DKIM/DMARC results, spam verdict, message ID) and feed them into a SIEM so you can correlate simulation results with actual mail flow and with user reports. Tag simulation messages with a distinctive header or sender domain so they can be separated from real phishing in that telemetry; otherwise your simulation clicks inflate the real incident count and vice versa.
Small-business implementation notes
For cost-conscious organizations: use Attack simulation training in Microsoft Defender for Office 365 Plan 2 (included in Microsoft 365 E5) if you are licensed for it, or an inexpensive third-party platform. Before large-scale simulations, publish SPF, DKIM and DMARC for your own domains and allow-list the simulation platform's sending infrastructure in your mail filter (Defender for Office 365 provides an advanced delivery policy for third-party phishing simulations), so that test messages are delivered consistently instead of being quarantined as false positives and your results are not skewed by filter behavior. Use your ticketing system (Jira, ServiceNow, Zendesk) to automatically open a remediation task when a user fails a simulation. Store training completion certificates and simulation reports in your compliance evidence repository (encrypted storage with access logging and restricted write access) to satisfy assessors.
Improvement plan (Plan → Do → Check → Act)
Design a cyclical improvement plan: Plan — identify target metrics and baseline via an initial campaign; Do — run awareness modules and simulate attacks; Check — analyze KPIs monthly, segment by role, location, and manager; Act — apply targeted remediation (role-based follow-up, one-on-one coaching for repeat offenders, technical controls like conditional access). Example: baseline phishing click rate is 18% across 40 employees. Plan a focused curriculum for high-risk groups, run bi-weekly targeted simulations for 60 days, and require individuals who fail twice to complete a 30-minute interactive module plus manager review.
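The KPI list above and the Check and Act steps of the cycle come down to the same arithmetic over two exports: the phishing platform's per-recipient results and the LMS completion list. The script below is an added example written for this post, not code from any vendor platform or from the original article: it assumes a simple per-recipient record layout (user, department, campaign, clicked, reported, send time, remediation time), which is an assumption and not a real export schema, and it runs on constructed sample rows. It computes click rate, report rate and report-to-click ratio overall and per department, mean time to remediate with the still-open items called out, repeat offenders (two or more failures, the escalation trigger used above), and the training completion rate, then checks the results against the targets stated on this page.

```python
"""KPI roll-up for AT.L2-3.2.1 evidence from phishing-simulation and LMS exports.

Added illustration for this post. The SimEvent layout is an assumed schema,
not any vendor's export format, and every row below is constructed sample data.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class SimEvent:
    """One recipient's outcome in one simulated phishing campaign (assumed schema)."""
    user: str
    dept: str
    campaign: str
    clicked: bool
    reported: bool
    sent_at: datetime
    remediated_at: datetime | None = None  # corrective training completed, if clicked


def _d(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: two campaigns, six users, one repeat clicker (dave) with
# an open remediation item, and one user (frank) who clicked but also reported.
EVENTS = [
    SimEvent("alice", "Engineering", "2024-Q1-A", False, True,  _d("2024-01-10T09:00")),
    SimEvent("bob",   "Engineering", "2024-Q1-A", True,  False, _d("2024-01-10T09:00"), _d("2024-01-14T16:00")),
    SimEvent("carol", "Finance",     "2024-Q1-A", False, False, _d("2024-01-10T09:00")),
    SimEvent("dave",  "Finance",     "2024-Q1-A", True,  False, _d("2024-01-10T09:00"), _d("2024-01-22T10:00")),
    SimEvent("erin",  "Contracts",   "2024-Q1-A", False, True,  _d("2024-01-10T09:00")),
    SimEvent("frank", "Contracts",   "2024-Q1-A", False, False, _d("2024-01-10T09:00")),
    SimEvent("alice", "Engineering", "2024-Q1-B", False, True,  _d("2024-02-07T13:00")),
    SimEvent("bob",   "Engineering", "2024-Q1-B", False, True,  _d("2024-02-07T13:00")),
    SimEvent("carol", "Finance",     "2024-Q1-B", False, False, _d("2024-02-07T13:00")),
    SimEvent("dave",  "Finance",     "2024-Q1-B", True,  False, _d("2024-02-07T13:00")),  # still open
    SimEvent("erin",  "Contracts",   "2024-Q1-B", False, True,  _d("2024-02-07T13:00")),
    SimEvent("frank", "Contracts",   "2024-Q1-B", True,  True,  _d("2024-02-07T13:00"), _d("2024-02-09T09:00")),
]

# Constructed LMS export: user -> required role-based module completed this period?
LMS = {"alice": True, "bob": True, "carol": True, "dave": False, "erin": True, "frank": True}


def phishing_kpis(events: list[SimEvent]) -> dict[str, float]:
    """Click rate, report rate (percent of recipients) and report-to-click ratio."""
    sent = len(events)
    clicks = sum(e.clicked for e in events)
    reports = sum(e.reported for e in events)
    return {
        "sent": sent,
        "click_rate": round(100 * clicks / sent, 1) if sent else 0.0,
        "report_rate": round(100 * reports / sent, 1) if sent else 0.0,
        # Ratio is undefined with zero clicks; report inf so a perfect period still renders.
        "report_to_click": round(reports / clicks, 2) if clicks else float("inf"),
    }


def kpis_by_segment(events: list[SimEvent], key=lambda e: e.dept) -> dict[str, dict[str, float]]:
    """Same KPIs per segment (department by default; pass a key for role, site or manager)."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    return {name: phishing_kpis(evs) for name, evs in sorted(groups.items())}


def repeat_offenders(events: list[SimEvent], min_fails: int = 2) -> dict[str, int]:
    """Users who clicked in at least min_fails campaigns: the escalation trigger."""
    fails = Counter(e.user for e in events if e.clicked)
    return {u: n for u, n in fails.items() if n >= min_fails}


def mean_time_to_remediate(events: list[SimEvent]) -> tuple[float | None, list[str]]:
    """Mean days from a failed simulation to corrective-training completion, plus
    the users whose remediation is still open (so they are not hidden by the mean)."""
    closed_days, still_open = [], set()
    for e in events:
        if not e.clicked:
            continue
        if e.remediated_at is None:
            still_open.add(e.user)
        else:
            closed_days.append((e.remediated_at - e.sent_at).total_seconds() / 86400)
    return (round(mean(closed_days), 1) if closed_days else None), sorted(still_open)


def training_completion_rate(lms: dict[str, bool]) -> float:
    """Percent of in-scope users whose required module is complete."""
    return round(100 * sum(lms.values()) / len(lms), 1) if lms else 0.0


def kpi_report(events: list[SimEvent], lms: dict[str, bool]) -> dict:
    """One period's evidence package, with the page's thresholds checked inline."""
    overall = phishing_kpis(events)
    mttr, still_open = mean_time_to_remediate(events)
    completion = training_completion_rate(lms)
    return {
        "overall": overall,
        "by_dept": kpis_by_segment(events),
        "repeat_offenders": repeat_offenders(events),
        "mttr_days": mttr,
        "remediation_open": still_open,
        "training_completion_pct": completion,
        "meets_click_target": overall["click_rate"] < 5.0,       # page target: < 5%
        "meets_completion_target": completion >= 95.0,           # page target: >= 95%
        "meets_mttr_target": mttr is not None and mttr < 7.0,    # page target: < 7 days
    }


if __name__ == "__main__":
    import json
    print(json.dumps(kpi_report(EVENTS, LMS), indent=2, default=str))
```

On the constructed data the Finance segment shows a 50% click rate and a zero report rate while the other two departments sit at 25% clicks and 75% reports, which is exactly the kind of split the Check step is meant to surface: the Act step then targets Finance (and dave, the one repeat offender with an open remediation item) rather than sending another all-hands module. Exporting the returned dictionary each month gives you the time-stamped KPI record the evidence repository needs.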
Real-world example and scenario for a small business
Scenario: a 45-employee defense contractor handling CUI. Baseline: training completion 70%, phishing click rate 22%, reporting rate 2%. Action steps: enable MFA for all employees, run monthly phishing simulations, require completion of a 20-minute CUI-handling module with a post-test, and configure the SIEM to flag credential-theft indicators (sign-ins from unfamiliar locations or impossible-travel patterns, MFA prompts the user did not initiate, password resets shortly after a simulation). After three months: training completion 98%, phishing click rate 6% (repeat offenders down to 3 users), reporting rate 18%, and a documented drop in credential-related helpdesk tickets. The click rate is still above the 5% target, so the next cycle focuses on the three repeat offenders rather than on another all-hands module. Evidence collected: LMS completion exports, phishing platform reports, SIEM alerts and remediation tickets, and meeting notes showing management review, all packaged for assessors against AT.L2-3.2.1.
Risks of not implementing measurable awareness
Without a measurable awareness program you face increased risk of credential theft, phishing-driven breaches, and mishandling of CUI, all of which can lead to contract loss, financial penalties, reputational harm, and mandatory cyber incident reporting to DoD under DFARS 252.204-7012 (within 72 hours of discovery). From a compliance angle, lack of evidence (no KPIs, no simulation logs, incomplete training records) means an assessor cannot verify the practice and will score it NOT MET during a CMMC assessment or find a gap in an NIST SP 800-171A-based assessment, potentially jeopardizing DoD contracts.
Compliance tips and best practices
Document role-based training requirements in policy, schedule recurring measurement activities, and maintain a single compliance evidence repository whose exports cannot be silently altered (write-once storage, or a SHA-256 hash of each time-stamped CSV or signed PDF recorded in the review minutes). Align KPIs to risk and make thresholds realistic. Automate where possible: integrate the phishing platform with your LMS and ticketing system so remediation is tracked end to end. Engage leadership with an executive dashboard showing trends and risk posture; surface repeat offenders to their managers to drive accountability, but keep the executive view aggregated by team rather than by name. Finally, prepare a succinct audit package: policy, training matrix, KPI reports, simulation outputs, remediation tickets, and meeting minutes that demonstrate continuous improvement.
Summary: AT.L2-3.2.1 is satisfied when awareness is demonstrably reducing risk — not merely when courses are assigned. Use a focused KPI set (completion, click/report rates, remediation time, retention), run technical and human tests, and implement a PDCA improvement plan. For small businesses, leverage built-in or low-cost tools, automate evidence collection, and keep remediation tight and documented so you both improve security posture and clearly demonstrate compliance during assessments.