Family 3.2 (3 requirements)
Training & Awareness.
People know the rules. And they get tested.
The big picture
Annual training is the floor — assessors look for evidence that everyone took it and that role-specific training reaches the people who handle CUI.
Theme 1
All practices.
3.2.1 — 3.2.3: General security awareness, role-specific training, and insider-threat awareness.
- 3.2.1 Train Everyone. All staff receive security awareness training covering CUI risks, policies, and responsibilities. Documented and tracked.
- 3.2.2 Role-Specific Training. Security staff and admins get training specific to their security role — not just general awareness.
- 3.2.3 Spot the Insider Threat. Train staff to recognize insider threat indicators and provide a clear, confidential reporting path.