Awareness & Training

Awareness & Training is the people layer. Technical controls fail when people don’t know the policies, don’t recognize threats, or don’t understand their responsibilities.

The Big Picture

The assessor will check training records for every person with CUI access. No records = no evidence of training = finding. They may also ask a random employee about CUI handling to see if the training stuck.

The Three Levels

Everyone (3.2.1) — All staff get security awareness training covering CUI risks and your specific policies. Documented, tracked, annual refresher.

Security Roles (3.2.2) — Admins, security staff, and incident responders get additional training specific to their duties. A sysadmin who hardens servers needs different training than the receptionist.

Insider Threat (3.2.3) — All staff are trained to recognize insider threat indicators and have a confidential reporting path.

---

All 3 Requirements

Ref	Short Name	What It Covers
3.2.1	Train Everyone	Security awareness for all CUI users
3.2.2	Role-Specific Training	Training matched to security responsibilities
3.2.3	Spot the Insider Threat	Recognize and report insider threat indicators