CMMC's Awareness & Training (AT) family requires that everyone who touches your systems gets security awareness training, that people with security duties get role-specific training, and that the training covers the threats you actually face — which means phishing and social engineering. It's not a suggestion and it's not a one-time video. You need a program that runs on a defined schedule and leaves records, because the AT family is graded on evidence that training happened and keeps happening.
Your people are the control that fails first. You can buy the best firewall on the market and encrypt every byte of CUI, and none of it matters when someone on the team clicks a link in a fake invoice and hands over their password. The government knows this, which is why security awareness training isn't an optional nicety in CMMC — it's a required control family, and one an assessor can check with uncomfortable precision.
The good news: the AT family is one of the most achievable parts of a CMMC build for a small shop. You don't need a training department. You need a program, a schedule, and records. Let me walk through what the controls actually require, what a small contractor genuinely needs, and how to run the whole thing without it eating your week.
Every serious breach report lands in the same place: the human was the way in. Phishing, pretext phone calls, a malicious attachment dressed up as a purchase order — the attacker doesn't pick the lock, they knock and get let in. For a small defense contractor, one clicked link can mean compromised credentials, and compromised credentials near CUI is the exact outcome CMMC is built to prevent.
CMMC Level 2 rests on the 110 controls in NIST SP 800-171, grouped into 14 control families. Awareness & Training is one of them, and it exists because technical controls alone can't stop a person from being tricked. Training is how you turn your workforce from your weakest control into a working one. It also supports Incident Response, because a trained employee who recognizes and reports a phishing attempt is often the earliest warning you'll ever get.
Cut through the reference language and the Awareness & Training requirements come down to three plain jobs.
Two things drive assessors here. First, coverage: did every person actually get trained, with a record to prove it? A single untrained user is a gap. Second, frequency: is this ongoing on a schedule you defined, or a thing you did once in 2024 and forgot? The controls let you set the cadence, but they expect you to set one, document it, and hold to it.
A small contractor doesn't need an enterprise learning-management system or a compliance officer. What you need is a platform that does the heavy lifting — delivery, reminders, phishing simulations, and record-keeping — so one person can run a real program in a few hours a month. The features that actually matter:
For a small contractor who has to satisfy the AT family and produce clean evidence without a training department, the platform I point people to is KnowBe4. It's the most widely used security awareness platform for a reason — it pairs a deep content library with the phishing simulation engine that turns training from a checkbox into something measurable.
KnowBe4 gives you a large library of ready-to-assign awareness modules plus a phishing simulation platform that lets you send safe fake-phishing campaigns, measure who clicks, and automatically enroll those users in follow-up training. The platform tracks completion, runs the reminders, and produces the reports on its own — which means the AT (Awareness & Training) evidence an assessor wants gets generated as you go instead of assembled in a panic later. It scales down cleanly to a small shop, covers both the general awareness everyone needs and role-based tracks for your security folks, and the simulation results give you a genuine measure of whether the training is working. For a small DoD contractor, that combination is the fastest path to an AT program that's real, ongoing, and documented — while feeding your IR (Incident Response) program with people who actually report the attempts they spot.
Why this one? Because the AT family is won on two things — did everyone get trained, and can you prove it — and KnowBe4 is built around exactly those two jobs. The content covers the coverage requirement; the simulations and reporting cover the evidence requirement and, better, actually measure whether behavior changed. Use it to deliver and document the training, then reflect the program in your SSP so the assessor can see the control is real and operating.
An AT program stays simple if you set it up as a system that runs on its own. Four moves.
The AT family lives and dies on records. When the assessor asks about training, here's what should be sitting ready in a folder:
The whole reason to use a platform like the one above is that it produces most of this automatically. You run the program; the evidence generates itself. That's the difference between an AT control you can demonstrate in five minutes and one you spend a stressful week trying to reconstruct.
Want to see where training sits against the other 109 controls before you commit? Run the free SPRS score estimator for a baseline in a couple of minutes. And if the overall cost of getting compliant is what's on your mind, read CMMC Compliance Cost for Small Business for the honest breakdown.
A tool running your training is one control family handled. The rest of the assessment is the paperwork that ties it together: a training policy, a System Security Plan that describes your AT program, the 20 required policies, and an SPRS scorer that shows where every control stands. The CMMC Level 2 DIY Compliance Kit is all of it, editable, built for a small shop doing this itself.
Yes. The Awareness & Training (AT) family requires that everyone who touches your systems gets security awareness training, that people with security-relevant roles get training specific to those duties, and that the training addresses the current threats your organization faces — which in practice means phishing and social engineering. It's one of the 14 control families in NIST SP 800-171, and skipping it isn't an option if you want to pass a Level 2 assessment.
The controls require training on a defined frequency and when roles or systems change, but they let you set the interval in policy. The practical standard most small contractors adopt is annual baseline awareness for everyone, refreshed when someone's role changes, plus ongoing phishing simulations run monthly or quarterly. You define the cadence, document it, and then prove you actually held to it.
They're one of the strongest ways to satisfy the awareness requirement, because they measure whether training changed behavior instead of just proving people watched a video. Running simulated phishing campaigns, tracking who clicks, and assigning follow-up training gives an assessor concrete evidence that your awareness program is real and operating — exactly what the AT family checks for. Simulations supplement formal training rather than replacing it.
Records that the training happened and that it's ongoing: completion logs by person and date, the content or curriculum you used, your written training policy defining who gets trained on what and how often, phishing simulation results over time, and role-based training records for anyone with security duties. The AT family is heavily evidence-driven, so a platform that generates completion reports and campaign results automatically saves enormous time at assessment.
Yes. Modern security awareness platforms are built for exactly this — you assign a training track, the platform delivers it, runs the phishing simulations, and produces the completion and results reports on its own. A one- or two-person shop can stand up a compliant program in an afternoon and maintain it with a few hours a month, because the platform automates the delivery, reminders, and record-keeping that used to require staff.
No single tool makes you compliant. A training platform helps you satisfy the Awareness & Training family and produce its evidence, but you still need a written training policy, records that prove the program runs on your defined schedule, and the rest of the 110 controls across the other 13 families. Use the platform to deliver and document the training, then reflect it in your SSP so the assessor can see the control is real and operating.