
How to Track, Measure, and Produce Evidence of Training Compliance for NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, Control AT.L2-3.2.2

Practical step-by-step guidance for tracking, measuring, and producing auditable evidence of personnel training to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control AT.L2-3.2.2.

April 04, 2026

AT.L2-3.2.2 requires organizations to ensure personnel are trained to carry out their assigned information security duties and that training completion is demonstrable with reliable evidence — in short, it’s not enough to deliver training; you must track, measure, and produce auditable proof that the right people completed the right training at the required intervals. This post gives Compliance Framework–specific, practical steps and technical details you can implement today to meet the control, including examples tailored for small businesses, measurable KPIs, and defensible evidence artifacts assessors will accept.

Understanding the control and its objectives

At a practice level within the Compliance Framework, AT.L2-3.2.2 targets role-based training for personnel handling Controlled Unclassified Information (CUI) and other sensitive assets. Key objectives are: (1) define which roles require which courses, (2) ensure training is completed on hire and periodically thereafter, (3) maintain accurate records of who completed what and when, and (4) make records tamper-resistant and retrievable for assessments or audits. Implementing this control tightly links to your System Security Plan (SSP), training policy, and Plan of Action & Milestones (POA&M) for any gaps.

Step-by-step implementation for Compliance Framework alignment

Start by building a Training Matrix that maps roles to required training artifacts (e.g., CUI handling, phishing, secure coding). For each entry include frequency (on hire, annual, refresh after incident), minimum passing score, and remediation steps for failures. Implement an LMS (Learning Management System) or lightweight alternatives (SCORM/xAPI-compatible modules, Google Forms with SSO, or Microsoft 365 training pathways) and enable Single Sign-On (SAML/OIDC) so completion records tie unambiguously to an identity. Link training requirements in your SSP and reference the Training Matrix in your policy so assessors can trace requirements to evidence.

Technical implementation details

Choose an LMS or combination of systems that produce cryptographically verifiable or at least immutable logs. Practical stack options: a cloud LMS that supports SCORM/xAPI + an LRS (Learning Record Store) for statement storage; SSO via Azure AD or Okta to guarantee unique user IDs; and automated exports to CSV/JSON for archival. Configure the LMS to record: userID, courseID, moduleID, start/end timestamps, duration, score, IP address, and certificate ID. Store exports and certificates in a WORM-capable storage (e.g., AWS S3 with Object Lock for retention) and keep a hash (SHA-256) of each certificate/report in a small internal ledger or SIEM so you can show immutability and chain-of-custody during audit.

Small business, real-world scenario

Example: Acme Engineering is a 25-person subcontractor that handles limited CUI. They implemented TalentLMS (cloud), integrated with Okta for SSO, and created three role profiles: Admin (CUI custodians), Developer, and General Staff. Onboarding triggers an API call from HRIS to TalentLMS to auto-enroll new hires. Completion certificates are auto-generated and saved to a dedicated Google Drive folder with folder-level access controls; the same certificates are exported daily to an S3 bucket with Object Lock and a daily SHA-256 digest is stored in the company’s MS Teams channel (pinned). For low-budget shops, a similar flow can be accomplished with MoodleCloud + SAML + scheduled CSV exports saved to an encrypted USB and backed up to cloud storage with a retention policy.

Measuring compliance: metrics and reports that matter

Define and publish KPIs such as: percent of required personnel trained within 30 days of hire (target >= 95%), annual retraining completion rate, average quiz score per role (target >= 80%), and phishing click rate (trend downwards). Build automated dashboards (Power BI, Grafana, or LMS native reporting) that show real-time compliance and exceptions. For evidence production, prepare package templates containing: the Training Matrix, policy excerpt, SSP reference, per-user completion exports (signed and timestamped), a summary KPI dashboard PDF, and chain-of-custody notes. These artifacts map directly to Compliance Framework expectations and speed up assessments.

Risk of non-compliance and POA&M handling

Failing to implement AT.L2-3.2.2 exposes the organization to higher insider risk, mishandling of CUI, and an increased probability of successful social engineering. From a contracting perspective, inadequate evidence can result in failed CMMC assessments, lost contracts, or remediation requirements in a POA&M. When gaps are identified, record them in the POA&M with specific remediation tasks (e.g., “Deploy LMS, configure SSO, enroll 100 staff”), owners, and realistic milestones — and include compensating controls such as supervised access until training is complete.

Practical compliance tips and best practices

Tips: (1) Automate enrollment from HR so training is not dependent on managers remembering to invite new hires; (2) Use role-based tags in your IAM directory so training assignments can be generated from group membership; (3) Keep retention policy and export scripts simple and documented — assessors want repeatable procedures; (4) Use immutable storage (WORM/Object Lock) for final evidence sets; (5) Keep a human-readable index (an evidence manifest) that maps exported filenames to users and training IDs; and (6) test your evidence package by doing a mock assessment in which a colleague requests your training artifacts and times how long it takes you to produce them.
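The evidence manifest, the SHA-256 ledger digest from the technical implementation section, and the 30-day onboarding KPI from the metrics section, as an added Python example (not the post's own code and not any LMS vendor's API; the export rows, the `certificate` bytes and the `hire_date` field pulled from HRIS are constructed for illustration):

```python
import hashlib
import json
from datetime import date

# Constructed sample LMS export (not real data); fields follow what the post says
# the LMS should record, plus hire_date from HRIS for the 30-day KPI.
RECORDS = [
    {"userID": "u1001", "courseID": "CUI-101", "hire_date": "2026-01-05",
     "completed": "2026-01-20", "score": 92, "certificate": b"cert:u1001:CUI-101"},
    {"userID": "u1002", "courseID": "CUI-101", "hire_date": "2026-01-12",
     "completed": "2026-03-01", "score": 88, "certificate": b"cert:u1002:CUI-101"},
    {"userID": "u1003", "courseID": "CUI-101", "hire_date": "2026-02-02",
     "completed": "2026-02-10", "score": 65, "certificate": b"cert:u1003:CUI-101"},
]
REQUIRED_USERS = ["u1001", "u1002", "u1003", "u1004"]  # u1004 has no completion

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(records):
    """Evidence manifest: one row per completion with the SHA-256 of the
    certificate bytes, so the archived file can be re-verified at assessment."""
    return [{"userID": r["userID"], "courseID": r["courseID"], "completed": r["completed"],
             "score": r["score"], "sha256": sha256_hex(r["certificate"])} for r in records]

def daily_digest(manifest) -> str:
    """One SHA-256 over the canonical manifest JSON; this is the value to pin in
    the ledger, SIEM or Teams channel so the whole day's export checks at once."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)

def verify_certificates(manifest, certificates):
    """Return (userID, courseID) pairs whose archived bytes no longer match."""
    return [(m["userID"], m["courseID"]) for m in manifest
            if sha256_hex(certificates.get((m["userID"], m["courseID"]), b"")) != m["sha256"]]

def pct_trained_within(records, required_users, days=30, passing=80):
    """KPI: percent of required personnel with a passing completion within
    `days` of hire (the post's target is >= 95%)."""
    ok = set()
    for r in records:
        delta = (date.fromisoformat(r["completed"]) - date.fromisoformat(r["hire_date"])).days
        if r["score"] >= passing and 0 <= delta <= days:
            ok.add(r["userID"])
    return round(100 * len(ok & set(required_users)) / len(required_users), 1)

if __name__ == "__main__":
    print(daily_digest(build_manifest(RECORDS)), pct_trained_within(RECORDS, REQUIRED_USERS))
```

On the constructed rows only one of four required users passes within 30 days, so the KPI reports 25.0%, the kind of exception a dashboard should surface before an assessor does.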

In summary, meeting AT.L2-3.2.2 under the Compliance Framework is a combination of policy, automation, and defensible evidence storage: build a role-to-training matrix, automate enrollment and identity binding via SSO, use LMS features (SCORM/xAPI/LRS) to capture detailed logs, archive signed exports to tamper-resistant storage, and present a concise evidence package tied to your SSP and KPIs. For small businesses this can be achieved affordably by selecting cloud LMS options or open-source tools and focusing on clear processes and immutable evidence rather than expensive enterprise suites — the goal is demonstrable, auditable training compliance that an assessor can reproduce and a contracting officer can trust.
