Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AT.L2-3.2.2 – Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Understanding the Requirement
This control (NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires that an organization defines which information-security duties exist, assigns those duties to named personnel, and ensures those personnel receive the training they need to perform them. Practically, that means documenting roles and responsibilities, creating role-based training paths, and verifying completion and competency so staff can reliably carry out tasks such as system administration, incident handling, or secure configuration management.
Technical Implementation
- Map roles and responsibilities. Create a short, maintained roster (job-title + duties) that identifies information-security responsibilities for each role (e.g., SIEM admin, network admin, backup operator). Keep this roster in a central location (HR or IT folder) and review it at hiring, role change, and annually.
- Establish role-based training plans. For each security role, list the required training and certifications. For system and security administrators, require completion of the DoD "Privileged User Cybersecurity Responsibilities" course (or equivalent), and add vendor-specific training where relevant (e.g., Splunk admin course, Security+ for general security duties).
- Use a simple training tracking system. Implement a training log (spreadsheet or lightweight LMS) to record course names, dates, certificates, and expiration/refresh dates. Collect certificate files or screenshots as evidence and store them with the personnel record.
- Integrate training into onboarding and change management. Add required security training to new-hire checklists and to any role-change workflow. Prevent assignment of sensitive privileges until the required training is complete and documented.
- Validate competency, not just completion. Require a short practical check after training—examples include configuration walkthroughs, simulated incident response drills, or review of recent changes. Keep records of these competency checks alongside course completions.
- Schedule refreshers and audits. Set automatic reminders for annual refresh training and audit the training log quarterly to ensure compliance. Tie training compliance to access reviews so privileges can be revoked if training lapses.
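The tracking, gating and audit steps above can be automated against even a spreadsheet-style log. The following Python script is an added example, not part of the original page or any product it mentions: it reads a constructed role roster and a constructed training log (both embedded as CSV text), keeps only the most recent documented completion per person and course, classifies each person as compliant, expiring, expired or missing (a completion with no evidence file counts as undocumented), and lists whose privileges an access review should suspend. The CSV column names, the 30-day warning window and the fixed audit date AS_OF are assumptions chosen for the example.

```python
"""Training-log compliance check (added example; roster, log and dates are constructed)."""
import csv
import io
from datetime import date, timedelta

# Constructed roster: each security role and the courses it requires (';'-separated).
ROSTER_CSV = """\
person,role,required_courses
alice,SIEM administrator,DoD Privileged User;Splunk Admin
bob,network admin,DoD Privileged User
carol,backup operator,DoD Privileged User
dave,backup operator,DoD Privileged User
"""

# Constructed training log: one row per completion; evidence is the stored certificate file.
TRAINING_LOG_CSV = """\
person,course,completed,refresh_due,evidence
alice,DoD Privileged User,2024-02-10,2025-02-10,alice_dod_2024.pdf
alice,DoD Privileged User,2023-02-10,2024-02-10,alice_dod_2023.pdf
alice,Splunk Admin,2024-03-01,2026-03-01,alice_splunk.pdf
bob,DoD Privileged User,2023-01-15,2024-01-15,bob_dod_2023.pdf
carol,DoD Privileged User,2024-04-01,2025-04-01,
dave,DoD Privileged User,2023-06-20,2024-06-20,dave_dod_2023.pdf
"""

# Constructed audit date so the example is deterministic (assumption, not from the page).
AS_OF = date(2024, 6, 1)

# Ranking used to roll per-course findings up to a single status per person.
SEVERITY = {"compliant": 0, "expiring": 1, "expired": 2, "missing": 3}


def parse_roster(text):
    """Map person -> {role, required course set}."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        courses = {c.strip() for c in row["required_courses"].split(";") if c.strip()}
        roster[row["person"]] = {"role": row["role"], "courses": courses}
    return roster


def parse_log(text):
    """Keep only the most recent completion per (person, course); older rows are ignored."""
    latest = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["completed"] = date.fromisoformat(row["completed"])
        row["refresh_due"] = date.fromisoformat(row["refresh_due"])
        key = (row["person"], row["course"])
        if key not in latest or row["completed"] > latest[key]["completed"]:
            latest[key] = row
    return latest


def check_compliance(roster, log, today=None, warn_days=30):
    """Classify every rostered person; findings explain each non-compliant course."""
    today = today or date.today()
    report = {}
    for person, info in roster.items():
        status, findings = "compliant", []
        for course in sorted(info["courses"]):
            rec = log.get((person, course))
            if rec is None:
                course_status = "missing"
                findings.append(f"{course}: no completion recorded")
            elif not rec["evidence"].strip():
                # A completion without stored evidence is not auditable, so treat it as missing.
                course_status = "missing"
                findings.append(f"{course}: completion has no evidence file")
            elif rec["refresh_due"] < today:
                course_status = "expired"
                findings.append(f"{course}: refresh overdue since {rec['refresh_due']}")
            elif rec["refresh_due"] <= today + timedelta(days=warn_days):
                course_status = "expiring"
                findings.append(f"{course}: refresh due {rec['refresh_due']}")
            else:
                course_status = "compliant"
            if SEVERITY[course_status] > SEVERITY[status]:
                status = course_status
        report[person] = {"role": info["role"], "status": status, "findings": findings}
    return report


def privileges_to_suspend(report):
    """People whose training has lapsed or was never documented: input for the access review."""
    return sorted(p for p, r in report.items() if r["status"] in ("expired", "missing"))


if __name__ == "__main__":
    result = check_compliance(parse_roster(ROSTER_CSV), parse_log(TRAINING_LOG_CSV), today=AS_OF)
    for person, entry in result.items():
        print(f"{person:6} {entry['role']:18} {entry['status']:9} {'; '.join(entry['findings'])}")
    print("suspend privileges for:", privileges_to_suspend(result))
```

Run quarterly, the output is the audit record the control asks for: the per-person findings go into the training log, and the suspend list feeds the access review so privileges are not left in place after training lapses. Point ROSTER_CSV and TRAINING_LOG_CSV at real exported files to use it against an actual log.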
Example in a Small or Medium Business
When Acme Tech (a 75-person managed services SMB) started formalizing security duties, leadership created a one-page roster that listed each security-related role and assigned a named person. Alice was designated as the SIEM administrator and required to complete the DoD privileged user course plus the Splunk admin certification. HR added those training items to Alice’s onboarding checklist and the IT manager blocked elevated SIEM privileges until Alice uploaded her completion certificates to the company training log. The company used a simple Excel template to track course name, completion date, certificate file, and next refresh due date. After completing courses, Alice performed a supervised configuration review to demonstrate competency; the reviewer signed off in the log. The IT manager set quarterly reminders to audit the log and the CEO tied timely completion of required security training into annual performance conversations. Within six months the company had documented evidence for all assigned security roles and a repeatable process for new hires and role changes.
Summary
Meeting AT.L2-3.2.2 is a mix of policy and practical steps: define and assign security duties, require role-based training (including privileged-user coursework for administrators), document completion and competency, and keep an auditable training log with refresh rules. For SMBs this can be accomplished without heavy tools—use clear role documentation, a simple tracking spreadsheet or lightweight LMS, enforce training before granting privileges, and perform periodic audits to ensure personnel remain capable of carrying out their assigned information security responsibilities.