Home / Guides / Security Awareness Training

Security Awareness Training for CMMC: The AT Control Family

Focus: cmmc security awareness training Veteran-run · practitioner guide Updated Jul 2026 ~8 min read
The short answer

CMMC's Awareness & Training (AT) family requires that everyone who touches your systems gets security awareness training, that people with security duties get role-specific training, and that the training covers the threats you actually face — which means phishing and social engineering. It's not a suggestion and it's not a one-time video. You need a program that runs on a defined schedule and leaves records, because the AT family is graded on evidence that training happened and keeps happening.

Your people are the control that fails first. You can buy the best firewall on the market and encrypt every byte of CUI, and none of it matters when someone on the team clicks a link in a fake invoice and hands over their password. The government knows this, which is why security awareness training isn't an optional nicety in CMMC — it's a required control family, and one an assessor can check with uncomfortable precision.

The good news: the AT family is one of the most achievable parts of a CMMC build for a small shop. You don't need a training department. You need a program, a schedule, and records. Let me walk through what the controls actually require, what a small contractor genuinely needs, and how to run the whole thing without it eating your week.

Why training is a required control

Every serious breach report lands in the same place: the human was the way in. Phishing, pretext phone calls, a malicious attachment dressed up as a purchase order — the attacker doesn't pick the lock, they knock and get let in. For a small defense contractor, one clicked link can mean compromised credentials, and compromised credentials near CUI is the exact outcome CMMC is built to prevent.

CMMC Level 2 rests on the 110 controls in NIST SP 800-171, grouped into 14 control families. Awareness & Training is one of them, and it exists because technical controls alone can't stop a person from being tricked. Training is how you turn your workforce from your weakest control into a working one. It also supports Incident Response, because a trained employee who recognizes and reports a phishing attempt is often the earliest warning you'll ever get.

The mindset shift Treat training as a control you operate, not a compliance chore you survive once a year. A program that runs continuously — awareness plus regular phishing tests — is both better security and stronger evidence than a single annual slideshow everyone clicks through on autopilot.

What the AT family actually asks for

Cut through the reference language and the Awareness & Training requirements come down to three plain jobs.

Two things drive assessors here. First, coverage: did every person actually get trained, with a record to prove it? A single untrained user is a gap. Second, frequency: is this ongoing on a schedule you defined, or a thing you did once in 2024 and forgot? The controls let you set the cadence, but they expect you to set one, document it, and hold to it.

The trap "We told everyone to be careful" is not a training program. A verbal reminder leaves no record, covers no defined curriculum, and proves nothing to an assessor. The AT family is evidence-driven — if you can't produce completion records, a policy, and a schedule, the control isn't met no matter how security-conscious your team feels.

What a small shop actually needs

A small contractor doesn't need an enterprise learning-management system or a compliance officer. What you need is a platform that does the heavy lifting — delivery, reminders, phishing simulations, and record-keeping — so one person can run a real program in a few hours a month. The features that actually matter:

The training platform I recommend

For a small contractor who has to satisfy the AT family and produce clean evidence without a training department, the platform I point people to is KnowBe4. It's the most widely used security awareness platform for a reason — it pairs a deep content library with the phishing simulation engine that turns training from a checkbox into something measurable.

KnowBe4

Awareness training · phishing sim

KnowBe4 gives you a large library of ready-to-assign awareness modules plus a phishing simulation platform that lets you send safe fake-phishing campaigns, measure who clicks, and automatically enroll those users in follow-up training. The platform tracks completion, runs the reminders, and produces the reports on its own — which means the AT (Awareness & Training) evidence an assessor wants gets generated as you go instead of assembled in a panic later. It scales down cleanly to a small shop, covers both the general awareness everyone needs and role-based tracks for your security folks, and the simulation results give you a genuine measure of whether the training is working. For a small DoD contractor, that combination is the fastest path to an AT program that's real, ongoing, and documented — while feeding your IR (Incident Response) program with people who actually report the attempts they spot.

Awareness libraryPhishing simulationAuto reportingAT.L2IR.L2
See KnowBe4 →

Why this one? Because the AT family is won on two things — did everyone get trained, and can you prove it — and KnowBe4 is built around exactly those two jobs. The content covers the coverage requirement; the simulations and reporting cover the evidence requirement and, better, actually measure whether behavior changed. Use it to deliver and document the training, then reflect the program in your SSP so the assessor can see the control is real and operating.

Keep your SSP honest A training platform helps you satisfy and document the AT family. It does not, by itself, make you "CMMC compliant," and no honest vendor will say it does. You still need a written training policy that defines who gets trained on what and how often, records proving the program runs on that schedule, and the other 100-plus controls across the remaining families. Map the tool to the control it genuinely supports and your SSP tells the truth — which is what gets graded.

How to run the program

An AT program stays simple if you set it up as a system that runs on its own. Four moves.

  1. Write the training policy first.Before you assign a single module, document who gets trained, on what, and how often — annual baseline awareness for everyone, role-based training for security duties, and a phishing simulation cadence. This policy is what the assessor reads against your records. Set your frequency here and justify it.
  2. Roll out baseline awareness to everyone.Enroll every user — owner included — in the general awareness track. Cover phishing, social engineering, handling CUI, and how to report something suspicious. Get 100 percent completion; one untrained person is a gap on the coverage requirement.
  3. Run phishing simulations on a schedule.Send safe simulated phishing campaigns monthly or quarterly, track the click rate, and auto-assign remedial training to anyone who bites. Watching that click rate fall over time is both real security improvement and the single best evidence your program works.
  4. Add role-based training for security duties.Anyone who administers systems, manages accounts, or runs security tools gets deeper, duty-specific training on top of the baseline. Keep those completion records separate so the role-based requirement is easy to demonstrate.
The deadline that makes this urgent November 10, 2026 begins Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. Self-assessment and affirmation language is already in contracts now. A training program's strength is its history — completion records and falling phishing click-rates accumulated over months. You can't manufacture that the week before an assessment, so start the program early and let the evidence build.

The evidence an assessor wants

The AT family lives and dies on records. When the assessor asks about training, here's what should be sitting ready in a folder:

The whole reason to use a platform like the one above is that it produces most of this automatically. You run the program; the evidence generates itself. That's the difference between an AT control you can demonstrate in five minutes and one you spend a stressful week trying to reconstruct.

Want to see where training sits against the other 109 controls before you commit? Run the free SPRS score estimator for a baseline in a couple of minutes. And if the overall cost of getting compliant is what's on your mind, read CMMC Compliance Cost for Small Business for the honest breakdown.

Skip the guesswork

The platform delivers training. This documents the whole program.

A tool running your training is one control family handled. The rest of the assessment is the paperwork that ties it together: a training policy, a System Security Plan that describes your AT program, the 20 required policies, and an SPRS scorer that shows where every control stands. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself.

$2,995
one-time · lifetime updates · a fraction of a consultant's retainer
Audit-ready preparation for a fraction of consultant fees — not a substitute for your C3PAO assessment. Not legal advice.

Frequently asked questions

Does CMMC require security awareness training?

Yes. The Awareness & Training (AT) family requires that everyone who touches your systems gets security awareness training, that people with security-relevant roles get training specific to those duties, and that the training addresses the current threats your organization faces — which in practice means phishing and social engineering. It's one of the 14 control families in NIST SP 800-171, and skipping it isn't an option if you want to pass a Level 2 assessment.

How often do employees need security training for CMMC?

The controls require training on a defined frequency and when roles or systems change, but they let you set the interval in policy. The practical standard most small contractors adopt is annual baseline awareness for everyone, refreshed when someone's role changes, plus ongoing phishing simulations run monthly or quarterly. You define the cadence, document it, and then prove you actually held to it.

Do phishing simulations count toward CMMC training?

They're one of the strongest ways to satisfy the awareness requirement, because they measure whether training changed behavior instead of just proving people watched a video. Running simulated phishing campaigns, tracking who clicks, and assigning follow-up training gives an assessor concrete evidence that your awareness program is real and operating — exactly what the AT family checks for. Simulations supplement formal training rather than replacing it.

What evidence does an assessor want for the AT controls?

Records that the training happened and that it's ongoing: completion logs by person and date, the content or curriculum you used, your written training policy defining who gets trained on what and how often, phishing simulation results over time, and role-based training records for anyone with security duties. The AT family is heavily evidence-driven, so a platform that generates completion reports and campaign results automatically saves enormous time at assessment.

Can a small contractor run security training without a training department?

Yes. Modern security awareness platforms are built for exactly this — you assign a training track, the platform delivers it, runs the phishing simulations, and produces the completion and results reports on its own. A one- or two-person shop can stand up a compliant program in an afternoon and maintain it with a few hours a month, because the platform automates the delivery, reminders, and record-keeping that used to require staff.

Does buying a training platform make me CMMC compliant?

No single tool makes you compliant. A training platform helps you satisfy the Awareness & Training family and produce its evidence, but you still need a written training policy, records that prove the program runs on your defined schedule, and the rest of the 110 controls across the other 13 families. Use the platform to deliver and document the training, then reflect it in your SSP so the assessor can see the control is real and operating.