AT.L2-3.2.2 — Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
What this control requires
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Source: CMMC L2 v2.13 AT.L2-3.2.2 / NIST SP 800-171 R2 3.2.2 (official control text).
Why this matters
Organizations face security breaches when employees do not understand how to execute their specific cybersecurity responsibilities—whether configuring firewalls, reviewing access logs, or responding to phishing attempts. Generic awareness training is insufficient. This control requires role-specific instruction that equips each person with the tactical knowledge needed for their actual duties. A system administrator needs hardening procedures; a procurement officer needs supply chain risk assessment skills; a developer needs secure coding practices. Without targeted training, even well-intentioned staff inadvertently create vulnerabilities through misconfiguration, improper handling of CUI, or failure to follow incident response protocols.
What evidence assessors expect
Assessors typically look for: training certificate, CSV export, PDF, screenshot.