AT.L2-3.2.1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

What this control requires

Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

Source: CMMC L2 v2.13 AT.L2-3.2.1 / NIST SP 800-171 R2 3.2.1 (official control text).

Why this matters

This control ensures personnel understand that their daily actions—clicking links, choosing passwords, handling CUI, granting access—directly affect the organization's security posture. Uninformed users are the weakest link in any defense: they fall for phishing, misconfigure systems, or accidentally expose sensitive data. By making security risks, policies, and procedures explicit and memorable, the organization transforms employees from liabilities into active defenders who recognize threats, follow protocols, and report incidents promptly.

What evidence assessors expect

Assessors typically look for: PDF, CSV export, training certificate, screenshot, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
