03.02.01 — (a) Provide security literacy training to system users: (b) Update security literacy training content {{ insert: param, A.03.02.01.ODP.03 }} and following {{ insert: param, A.03.02.01.ODP.04 }}.

What this control requires

(a) Provide security literacy training to system users: (b) Update security literacy training content {{ insert: param, A.03.02.01.ODP.03 }} and following {{ insert: param, A.03.02.01.ODP.04 }}.

Source: NIST SP 800-171 R3 §03.02.01 (official control text).

Why this matters

Security literacy training transforms employees from potential vulnerabilities into active defenders. Most breaches originate from human error—clicking phishing links, mishandling Controlled Unclassified Information (CUI), or falling for social engineering tactics. This control ensures every system user understands their security responsibilities, recognizes threats like phishing and insider threat indicators, and knows how to report suspicious activity. Without consistent training, organizations face preventable data breaches, regulatory penalties, and loss of government contracting eligibility. Training also covers operations security and proper CUI handling, ensuring personnel protect sensitive information in all work environments including telework scenarios.

What evidence assessors expect

Assessors typically look for: PDF, CSV export, training certificate, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls