03.02.03 —
What this control requires
Source: NIST SP 800-171 R3 §03.02.03 (official control text).
Why this matters
This control requires organizations to provide security awareness training to all personnel, ensuring everyone understands their role in protecting Controlled Unclassified Information (CUI). Human error remains the leading cause of security incidents—phishing, social engineering, and accidental data exposure all exploit untrained users. By educating employees on recognizing threats, following security policies, and reporting suspicious activity, organizations create a human firewall that complements technical controls. This training protects not only the organization's systems but also the sensitive government information entrusted to them, reducing the risk of breaches that could compromise national security or business operations.
What evidence assessors expect
Assessors typically look for: training certificate, CSV export, PDF, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.