Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AT.L2-3.2.1: Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Understanding the Requirement
This control (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires an organization to identify risks tied to handling controlled unclassified information (CUI), document the relevant policies, standards, and procedures, and then ensure managers, system administrators, and everyday users know both the risks and the rules. The emphasis is on reducing human-error-driven incidents through practical security awareness training, clear documentation, and role-appropriate messaging so staff understand what behavior is required and why; examples include avoiding opening malicious attachments, protecting credentials, and following incident reporting procedures.
Technical Implementation
- Create an awareness policy and role assignments. Draft a short security awareness policy that states training frequency (on hire and annually), responsibilities (who delivers, who enforces), and acceptable behavior expectations. Assign a named owner, typically the security officer or HR partner, so there is a single point of accountability for awareness activities.
- Catalog applicable policies, standards, and procedures in a central repository. Maintain a simple, version-controlled index (shared drive or intranet page) listing the security policy, acceptable use, incident response, access control, and data handling procedures for CUI. Include a one-page "what this means for you" summary for managers, admins, and end users to reduce complexity.
- Deploy structured, role-based training and track completion. Require basic security awareness for all employees and role-specific modules for managers and system/network administrators (e.g., privileged access hygiene, change control, and logging expectations). Use an online course or an instructor session, collect completion certificates, and log each completion in a simple training tracker (spreadsheet or small LMS). Make completion a condition of access to CUI systems.
- Use reminders and short micro-training to reinforce behavior. Send quarterly one-page reminders or short 5-10 minute micro-modules that focus on high-risk behaviors: phishing recognition, secure file sharing, password managers, and reporting suspicious activity. Pair these with occasional simulated phishing campaigns to measure awareness and target re-training to individuals who click.
- Provide escalation and manager-focused guidance. Teach managers how to spot risky team behaviors, how to approve or restrict system privileges, and how to handle reported incidents. Give system administrators a clear checklist for secure configuration, change approval, and how to document deviations; this supports both security and the evidence needed for assessments.
- Measure, remediate, and maintain evidence. Track completion rates, phishing test results, and incident-reporting metrics. Require remediation training for repeat offenders and keep training certificates and the training log as audit evidence. Tie recurring non-compliance to HR actions so the policy has teeth.
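The training tracker, the "completion as a condition of access" rule, and the measurement step above can be automated with a short script. The following is an added example, not code from the page or any vendor product; the staff names, roles, modules, completion dates and phishing-click dates are constructed sample data, and the 12-month validity and two-click remediation threshold are assumptions taken from the guidance above.

```python
"""Training-tracker checks for AT.L2-3.2.1 evidence (added example, not from the page).
Reports who should not have CUI access (missing or expired role-required modules), the
overall completion rate, and who needs remediation training (repeat phishing clickers)."""
from collections import Counter
from datetime import date

TRAINING_VALIDITY_DAYS = 365      # policy: training on hire and every 12 months
REMEDIATION_CLICK_THRESHOLD = 2   # repeat offenders receive targeted re-training
AS_OF = date(2025, 1, 31)         # constructed "today" for the checks below

REQUIRED_MODULES = {  # role-based modules: admins also need the privileged-access module
    "user": {"awareness"}, "manager": {"awareness"}, "admin": {"awareness", "privileged-access"},
}

# Constructed sample data (hypothetical names, dates and modules).
STAFF = {"alice": "admin", "bob": "user", "carol": "manager", "dave": "user"}
COMPLETIONS = [  # (user, module, completion date) as recorded in the training log
    ("alice", "awareness", date(2024, 2, 10)),
    ("alice", "privileged-access", date(2024, 2, 12)),
    ("bob", "awareness", date(2024, 1, 20)),
    ("carol", "awareness", date(2024, 9, 3)),
]
PHISH_CLICKS = [  # (user, date) from simulated phishing campaigns
    ("bob", date(2024, 4, 1)), ("bob", date(2024, 10, 1)), ("carol", date(2024, 10, 1)),
]

def access_gaps(staff, completions, as_of):
    """Map each non-compliant user to the reasons CUI system access should be withheld."""
    gaps = {}
    for user, role in staff.items():
        reasons = []
        for module in sorted(REQUIRED_MODULES[role]):
            done = [d for u, m, d in completions if u == user and m == module]
            if not done:
                reasons.append(f"{module}: never completed")
            elif (as_of - max(done)).days > TRAINING_VALIDITY_DAYS:
                reasons.append(f"{module}: expired, last completed {max(done)}")
        if reasons:
            gaps[user] = reasons
    return gaps

def completion_rate(staff, completions, as_of):
    """Share of staff whose role-required training is current (an audit metric)."""
    return 1 - len(access_gaps(staff, completions, as_of)) / len(staff)

def remediation_list(clicks, as_of, window_days=TRAINING_VALIDITY_DAYS):
    """Users who clicked simulated phish at least the threshold number of times in the window."""
    counts = Counter(u for u, d in clicks if 0 <= (as_of - d).days <= window_days)
    return {u: n for u, n in counts.items() if n >= REMEDIATION_CLICK_THRESHOLD}
```

Running `access_gaps(STAFF, COMPLETIONS, AS_OF)` with the sample data flags bob (training older than 12 months) and dave (never trained), while alice's admin modules are still current.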
Example in a Small or Medium Business
A 60-person engineering subcontractor handling CUI assigns the IT manager as security officer and publishes a short awareness policy that mandates training on hire and every 12 months. New hires complete an online annual security awareness module and submit their certificate to HR; the security officer records each certificate in a training log spreadsheet. System administrators complete an additional privileged-access training module that covers secure configuration, password vault use, and emergency access procedures. Managers receive a one-page guide that explains how to approve access requests and how to escalate suspected incidents. The company runs a quarterly micro-training email and conducts simulated phishing twice a year; employees who fall for phishing receive targeted follow-up training. All training completion records and phishing metrics are kept for compliance review and are reviewed during management meetings to improve messaging and reduce repeat mistakes.
Summary
Combining a clear awareness policy, a central repository of concise procedures, role-based training, and measurable reinforcement closes the gap between documented security expectations and everyday behavior. For SMBs, practical technical measures (tracked training, phishing simulations, manager guidance, and documented evidence) reduce human-error risk, ensure managers and admins understand their responsibilities, and provide the records needed for audits or assessments demonstrating compliance with AT.L2-3.2.1.