AT.L2-3.2.1 (requirement 3.2.1 of NIST SP 800-171 Rev. 2, assessed at CMMC 2.0 Level 2) requires that managers, system administrators, and users of organizational systems be made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. The companion requirement AT.L2-3.2.2 adds that personnel be trained to carry out their assigned information security-related duties, and in practice a single role-based training program produces the evidence for both. Preparing for an audit of this control means having documented policy, role-based training content, verifiable evidence of completion, and a repeatable tracking process that a small organization can operate without a full security operations group.
What auditors look for (practical checklist)
Auditors expect a clear policy that defines training objectives and roles, a training matrix mapping required courses to roles, artifacts proving delivery (LMS logs, meeting minutes, slide decks), completion evidence (certificates, signed attestations, test scores), and evidence of ongoing maintenance (refresher schedules, metrics, corrective actions). For AT.L2-3.2.1, emphasize CUI handling, privileged account use, incident reporting, and user responsibilities. Make these elements visible, indexed, and auditable.
Step-by-step implementation for a small business
Start by drafting a short Training Policy (policy filename example: training_policy_v1.0.pdf) that states scope (all staff and contractors handling Federal Contract Information / CUI), minimum training requirements, frequency (onboarding, role changes, annual refresher), responsibilities (HR, IT, managers), and record retention (e.g., 3 years or per contract requirement). Keep the policy concise—1–2 pages is acceptable for small shops—but include an exhibit or appendix that maps policy statements to AT.L2-3.2.1.
Build a training matrix and curriculum
Create a role-based training matrix (training_matrix.csv or training_matrix.xlsx) that lists roles (employee, contractor, system admin, manager), required modules (e.g., CUI basics, acceptable use, privileged access, incident response), minimum pass scores, and frequency. For small teams, use low-cost solutions such as Google Workspace Forms + Sheets, Microsoft 365 Learning Pathways, Moodle, or a lightweight LMS that exports completion reports. Map each module to specific control language from NIST SP 800-171 so an auditor can see exactly how each training topic satisfies AT.L2-3.2.1.
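As a worked example of the tracking process (added here; this is not code from the page's author or from any of the tools named above), the following Python script joins a training matrix, an HR roster and an LMS completion export and reports every unmet requirement per person. The column names, the three sample files and the review date are constructed assumptions; a real LMS export will need its columns mapped onto these.

```python
"""Training-compliance gap report (added example; not code from the page's author).

Joins a role-based training matrix, an HR roster and an LMS completion export
to list who is overdue, never trained, or below the minimum pass score.
All column names and records below are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for training_matrix.csv, an HR roster and an LMS export.
# For real files, replace io.StringIO(text) with open(path, newline="").
TRAINING_MATRIX = """role,course_id,module,min_score,frequency_days
employee,CUI-101,CUI basics,80,365
employee,AUP-100,Acceptable use,80,365
sysadmin,CUI-101,CUI basics,80,365
sysadmin,PRIV-200,Privileged access,85,365
manager,CUI-101,CUI basics,80,365
manager,IR-150,Incident reporting,80,365
"""
ROSTER = """email,role,start_date
alice@example.com,sysadmin,2023-06-01
bob@example.com,employee,2025-01-15
carol@example.com,manager,2024-09-10
dave@example.com,employee,2026-02-20
"""
LMS_EXPORT = """email,course_id,completed_at,score
alice@example.com,CUI-101,2025-11-02T14:03:00Z,92
alice@example.com,PRIV-200,2024-12-01T09:30:00Z,90
bob@example.com,CUI-101,2025-02-01T10:00:00Z,70
bob@example.com,AUP-100,2025-02-01T10:30:00Z,88
carol@example.com,CUI-101,2025-10-12T16:45:00Z,95
"""
AS_OF = datetime(2026, 3, 1, tzinfo=timezone.utc)  # assumed readiness-review date


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def _utc(value):
    """Parse an ISO-8601 date or timestamp into an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def gap_report(matrix_rows, roster_rows, lms_rows, as_of, onboarding_grace_days=30):
    """Return sorted (email, course_id, status) tuples for every unmet requirement.

    status: never_completed  - no attempt on record for a required course
            below_min_score  - attempts exist, none meets the role's minimum score
            expired          - newest passing attempt is older than frequency_days
            onboarding_grace - new hire still inside the onboarding window
    """
    required = {}
    for row in matrix_rows:
        required.setdefault(row["role"], []).append(row)

    attempts = {}  # (email, course_id) -> [(completed_at, score), ...]
    for row in lms_rows:
        key = (row["email"], row["course_id"])
        attempts.setdefault(key, []).append((_utc(row["completed_at"]), int(row["score"])))

    findings = []
    for person in roster_rows:
        email = person["email"]
        in_grace = as_of - _utc(person["start_date"]) <= timedelta(days=onboarding_grace_days)
        for req in required.get(person["role"], []):
            history = attempts.get((email, req["course_id"]), [])
            passing = [ts for ts, score in history if score >= int(req["min_score"])]
            if not history:
                status = "onboarding_grace" if in_grace else "never_completed"
            elif not passing:
                status = "below_min_score"
            elif as_of - max(passing) > timedelta(days=int(req["frequency_days"])):
                status = "expired"
            else:
                continue  # current: nothing to report
            findings.append((email, req["course_id"], status))
    return sorted(findings)


def identities_to_flag(findings):
    """Emails to hand to the HR/IAM follow-up workflow (grace-period hires excluded)."""
    return sorted({email for email, _, status in findings if status != "onboarding_grace"})


def run_sample():
    return gap_report(load_csv(TRAINING_MATRIX), load_csv(ROSTER), load_csv(LMS_EXPORT), AS_OF)


if __name__ == "__main__":
    report = run_sample()
    for email, course, status in report:
        print(f"{email:20} {course:9} {status}")
    print("follow up via HR/IAM:", ", ".join(identities_to_flag(report)))
```

The grace-period status keeps new hires out of the follow-up list until the onboarding window closes; every other row is a finding an assessor would also reach from the same exports, so run the report before each readiness review and file its output alongside the LMS export it was generated from.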
Collecting and protecting evidence
Acceptable evidence includes: LMS export (names, email, completion timestamp, course ID), signed training attestations (PDFs or DocuSign records), quiz/test results, meeting attendance logs with signer names, slide decks with version history, and phishing simulation reports for awareness. Store artifacts in a secure repository (SharePoint with versioning and audit logs, an encrypted S3 bucket with access logging, or a GRC tool). Protect integrity as well as confidentiality: record a SHA-256 hash of each artifact in an index kept separately from the artifacts (or sign the index or the PDFs themselves), and enable immutable retention or WORM storage where the platform supports it, so that accidental or malicious modification is detectable rather than silent.
Real-world small business scenarios
Scenario A: A 25-person engineering shop wins a DoD subcontract and must demonstrate CMMC 2.0 Level 2 readiness. They create a single training policy, use Microsoft Forms to assign modules, and export completion CSVs stored in a SharePoint folder with restricted access. Managers confirm completion via a monthly attestation email saved as evidence. Scenario B: A 10-person managed services company uses open-source Moodle installed on a hardened VM; they map Moodle course IDs to the training matrix and produce reports during readiness reviews. Both approaches are low-cost and create clear evidence paths.
Compliance tips and best practices
Use a naming convention and evidence index to simplify audits: e.g., evidence/AT_L2-3.2.1/training_matrix_2026-03-01.csv, evidence/AT_L2-3.2.1/lms_export_2026-02-28.csv, evidence/AT_L2-3.2.1/attestations_Q1_2026.pdf. Require manager attestations for staff who cannot complete online training due to operational constraints—attestation forms should state the reason and remediation plan. Automate reminders (calendar invites, email sequences) and configure SSO so that course completions are tied to corporate identities rather than generic accounts.
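The hash-based integrity check described under "Collecting and protecting evidence" and the naming convention and evidence index above can be produced by one small script. The Python below is an added example, not code from the page's author: it indexes an evidence folder laid out as evidence/AT_L2-3.2.1/<artifact>_<YYYY-MM-DD or Qn_YYYY>.<ext>, flags files that break that naming pattern, writes a SHA-256 manifest, and later verifies the folder against it. The folder layout and the regular expression are assumptions drawn from the example file names above, and every file it writes is a constructed placeholder.

```python
"""Evidence index with integrity verification (added example; not the page author's code).

Assumed layout: evidence/AT_L2-3.2.1/<artifact>_<YYYY-MM-DD or Qn_YYYY>.<ext>.
Files written by demo() are constructed placeholders, not real evidence.
"""
import csv
import hashlib
import os
import re
import tempfile

CONTROL_DIR = "evidence/AT_L2-3.2.1"
MANIFEST_NAME = "MANIFEST.csv"
# Assumed convention: lowercase artifact name, then a date or quarter, then an extension.
NAME_RE = re.compile(r"^[a-z0-9_]+_(\d{4}-\d{2}-\d{2}|Q[1-4]_\d{4})\.[a-z0-9]+$")

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_index(root):
    """Return {relative_path: (sha256, size)} for every artifact under root, sorted by path."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = (sha256_file(full), os.path.getsize(full))
    return dict(sorted(entries.items()))

def naming_violations(entries):
    """Artifacts whose file name does not follow the assumed convention."""
    return sorted(rel for rel in entries if not NAME_RE.match(os.path.basename(rel)))

def write_manifest(root, entries):
    path = os.path.join(root, MANIFEST_NAME)
    with open(path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "sha256", "size"])
        for rel, (digest, size) in entries.items():
            writer.writerow([rel, digest, size])
    return path

def read_manifest(path):
    with open(path, newline="") as fh:
        return {row["path"]: (row["sha256"], int(row["size"])) for row in csv.DictReader(fh)}

def verify(root, manifest):
    """Compare the folder with the manifest: ok / modified / missing / unlisted per file."""
    current = build_index(root)
    status = {}
    for rel, (digest, _) in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        else:
            status[rel] = "ok" if current[rel][0] == digest else "modified"
    for rel in current:
        if rel not in manifest:
            status[rel] = "unlisted"
    return status

def demo():
    """Index a constructed evidence folder, tamper with it, then verify. Returns (violations, status)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, CONTROL_DIR)
        os.makedirs(root)
        samples = {  # constructed placeholder artifacts
            "training_matrix_2026-03-01.csv": "role,course_id,min_score\nsysadmin,PRIV-200,85\n",
            "lms_export_2026-02-28.csv": "email,course_id,completed_at,score\n",
            "attestations_Q1_2026.pdf": "%PDF-1.4 constructed placeholder\n",
            "notes.txt": "ad hoc notes that break the naming convention\n",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        entries = build_index(root)
        violations = naming_violations(entries)
        manifest_path = write_manifest(root, entries)

        # Simulate what the manifest must catch: an edited export, a lost file, an unindexed addition.
        with open(os.path.join(root, "lms_export_2026-02-28.csv"), "a") as fh:
            fh.write("mallory@example.com,PRIV-200,2026-02-27T09:00:00Z,100\n")
        os.remove(os.path.join(root, "notes.txt"))
        with open(os.path.join(root, "late_addition_2026-03-02.csv"), "w") as fh:
            fh.write("not in the index\n")
        return violations, verify(root, read_manifest(manifest_path))

if __name__ == "__main__":
    violations, status = demo()
    print("naming violations:", violations)
    for rel, state in sorted(status.items()):
        print(f"{state:9} {rel}")
```

The demo writes the manifest into the evidence folder only for convenience; anyone who can edit the artifacts there can also regenerate the manifest, so keep a copy of it out of band (or sign it) and apply the immutable-retention or WORM setting to the folder that holds both. A "modified" or "missing" result on a file that was already presented to an assessor is itself an incident to document, not something to quietly re-index.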
Technical considerations and integrations
Integrate training tracking with HR and IAM systems so onboarding/offboarding triggers training assignments and revokes access for those who do not complete required courses. Exportable audit logs are critical: enable and retain LMS logs, SharePoint access logs, and identity provider (IdP) logs for user activity. For privileged roles, keep separate higher-assurance artifacts (signed policy acknowledgment for admins, evidence of specialized admin training and lab/exam results). If using phishing simulations, retain raw click and remediation statistics as evidence of program effectiveness.
Risks of not implementing AT.L2-3.2.1
Failing to implement role-based training and retain evidence risks failed audits, loss of contract eligibility, and increased likelihood of human-caused incidents such as CUI exposure or misconfigured privileged accounts. From a practical standpoint, an organization without training records cannot prove that users understood incident reporting, which can exacerbate breaches and lead to regulatory fines, remediation costs, and reputational damage—risks small businesses can ill afford.
In summary, meeting AT.L2-3.2.1 is as much about process and evidence as it is about content: draft a concise policy, build a role-based training matrix, choose tooling that can produce verifiable exports, protect and index artifacts, and tie training into HR/IAM workflows. For small businesses, low-cost LMS options, manager attestations, and disciplined naming/retention practices will create a defensible audit posture while keeping overhead manageable.