


Control Acronym



Awareness And Training

CMMC Level


800-171 Control #


CMMC Description

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

CMMC Clarification

Training imparts skills and knowledge. It enables staff to perform a specific resilience function. Training programs identify cybersecurity skill gaps within your organization. Then, the programs train users on their specific cybersecurity roles and responsibilities. There is an important distinction between awareness training and role-based training. Awareness training provides general security training to influence user behavior. Role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job.

Example

Your company upgraded the firewall to a newer, more advanced system. Your company identified you as an employee who needs training on the device. This will enable you to use it effectively. Your company considered this when it planned for the upgrade. It made training funds available as part of the upgrade project.

800-171 Description

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

800-171 Discussion

Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. [SP 800-181] provides guidance on role-based information security training in the workplace. [SP 800-161] provides guidance on supply chain risk management.

Other Source Discussion


CIS Control References

CIS Controls v7.1 17.5, 17.6, 17.7, 17.8, 17.9

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AT-2, AT-3

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.2.2

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

AT.2.057.[a] information security-related duties, roles, and responsibilities are defined;

Assessment Sub-Criteria 2

AT.2.057.[b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and

Assessment Sub-Criteria 3

AT.2.057.[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
