
NIST 800-171 Awareness & Training Controls in GCC High: Configuration Guide
Emily Bonnie
Senior Content Marketing Manager
Anna Fitzgerald
Senior Content Marketing Manager
The Awareness and Training family is one of the smallest families in NIST 800-171. It contains only three controls. Because of that, it is also one of the most underestimated.
Many contractors treat this family as a checkbox. They run a generic cybersecurity awareness course once a year, export a completion report from a training platform, and assume the requirement is covered. That approach often holds up until an assessor starts asking deeper questions. What training specifically addresses CUI handling? What training do administrators receive that normal users do not? How do employees recognize insider threat indicators, and where are they instructed to report them?
Those questions are where many otherwise mature programs begin to show gaps.
Unlike many technical control families in NIST 800-171, the Awareness and Training controls cannot be satisfied through configuration in Microsoft 365 GCC High. There is no tenant setting that proves compliance. Assessors evaluate policies, training content, completion records, and whether the training program reflects the organization’s real operating environment.
Microsoft 365 can still support the program. Defender for Office 365 includes Attack Simulation Training for phishing simulations. SharePoint is commonly used to host training materials and maintain completion records. Compliance Manager can help track control implementation progress. These tools support a training program, but they do not replace the organizational responsibility to design and maintain one.
This article is Part 2 of the NIST 800-171 GCC High Configuration Guide. It assumes you already have a functioning Microsoft GCC High tenant, understand the shared responsibility model, and are implementing against NIST SP 800-171 Rev. 2.
Recommended reading
NIST 800-171 GCC High Configuration Guide
Awareness and Training Family overview
Awareness and Training controls focus on the human side of security. While many other NIST 800-171 families rely on technical configuration inside Microsoft 365, this family is implemented primarily through policies, training programs, and organizational procedures.
In a GCC High environment, Microsoft provides tools that can support a training program, such as phishing simulation capabilities and compliance tracking features. However, the responsibility for designing, delivering, and documenting security training remains entirely with the organization.
Because of this, assessors typically evaluate the quality and coverage of the training program rather than tenant configuration. They want to see evidence that personnel understand security risks, that administrators receive training appropriate to their responsibilities, and that employees know how to recognize and report insider threats.
| Control | Evidence examples | What the assessor verifies |
|---|---|---|
| 3.2.1 Security Awareness | Training policy, curriculum, completion reports | All system users receive awareness training |
| 3.2.2 Role-Based Training | Role-training matrix, role-specific completion records | Personnel with security duties receive appropriate training |
| 3.2.3 Insider Threat Awareness | Training module, reporting procedures | Personnel understand how to recognize and report insider threats |
AT controls and CMMC Scope
Awareness and Training controls apply to everyone who interacts with systems inside the CMMC assessment boundary. Unlike technical controls, there is no infrastructure subset that can be scoped down. If a user has access to systems that store or process Controlled Unclassified Information, that user must receive awareness training.
In enclave architectures this is where organizations sometimes stumble. Training programs may cover employees who actively handle CUI documents but overlook administrators, help desk staff, or developers who maintain the enclave environment. Assessors generally expect the training program to cover all users with access to the enclave, not only those who directly process CUI.
Role-based training requirements are narrower but still important. Anyone responsible for administering security controls or maintaining GCC High infrastructure should receive training specific to those responsibilities.
| In-scope group | Training expectation | Typical gap |
|---|---|---|
| All system users | Annual security awareness training covering cybersecurity basics and CUI handling procedures. | Contractors or temporary staff excluded from the training program. |
| Administrators | Additional training on identity management, endpoint security, and monitoring tools. | Admins receive the same training as standard users. |
| Security and compliance staff | Training related to incident response, logging, and risk management processes. | Training delivered informally with no completion records. |
| All personnel | Training on recognizing and reporting insider threats. | Insider threat awareness covered only briefly or not documented. |
AT controls and GCC High implementation
The Awareness and Training family focuses on three things: baseline security awareness, role-specific training, and insider threat awareness.
3.2.1 Security Awareness
CMMC Practice: AT.L2-3.2.1
This control establishes baseline security awareness for everyone who interacts with organizational systems. Users, managers, and administrators all need to understand the risks associated with their activities and the policies that govern secure system use.
Organizations typically implement this control through an annual security awareness program. The program should explain phishing and social engineering threats, password security practices, incident reporting procedures, and how Controlled Unclassified Information must be handled.
Training platforms such as KnowBe4, Proofpoint, or similar services are commonly used because they simplify reporting and tracking. Some organizations deliver training internally using recorded presentations or instructor-led sessions. Both approaches are acceptable as long as completion records and training content exist.
Microsoft Defender for Office 365 can support this control through Attack Simulation Training. Phishing simulations allow organizations to measure how effectively users recognize suspicious messages. Results from these exercises often reveal gaps in awareness and can guide future training.
Assessors reviewing this control typically request the organization’s training policy, the curriculum used, and completion records demonstrating that all personnel with access to CUI completed the training.
3.2.2 Role-Based Security Training
CMMC Practice: AT.L2-3.2.2
The second control recognizes that some roles carry greater security responsibility than others. Administrators managing identity systems, endpoint security platforms, or monitoring infrastructure require deeper training than general users.
Organizations usually address this requirement by defining role-based training expectations. A common approach is a role-training matrix that maps each security-related role to the training required for that role.
| Role | Typical training | Frequency |
|---|---|---|
| General user | Security awareness training and phishing simulations. | Annually. |
| System administrator | Identity security, endpoint management, logging and monitoring practices. | Annually or when systems change. |
| Security operations staff | Incident response procedures, log analysis, threat detection tools. | Annually. |
Assessors typically look for evidence that administrators received training relevant to the systems they manage. Programs often struggle here when organizations assume experienced administrators do not require documented training.
3.2.3 Insider Threat Awareness
CMMC Practice: AT.L2-3.2.3
The final Awareness and Training control focuses on recognizing and reporting insider threats.
A strong training module explains that insider threats are not always malicious. Some incidents involve intentional wrongdoing such as a disgruntled employee attempting to exfiltrate data. Others occur unintentionally when employees mishandle sensitive information, fall victim to phishing, or transfer data to unauthorized locations.
Training programs should therefore cover both malicious and unintentional insider threat scenarios.
Examples often include unusual access patterns, large data transfers outside normal responsibilities, attempts to bypass security controls, or requests for access beyond job requirements. In defense contractor environments it is useful to include examples that reflect real operational situations rather than generic corporate examples.
Personnel must also understand how to report suspicious activity. Organizations typically designate a reporting channel such as a security team contact, insider threat program official, or anonymous reporting form.
Microsoft 365 can support insider threat monitoring through tools such as Purview Insider Risk Management and Entra ID Identity Protection. These capabilities complement awareness training but do not replace the requirement for personnel education.
AT PowerShell commands
Awareness and Training controls are documentation-driven, so PowerShell is not used to configure them directly. Instead, commands are often used to validate the user population that must complete training.
Export active users (supports 3.2.1)
```powershell
Connect-MgGraph -Environment USGov -Scopes "User.Read.All"
Get-MgUser -All -Filter "accountEnabled eq true" |
    Select-Object DisplayName, UserPrincipalName, Department |
    Export-Csv AT_AllUsers.csv -NoTypeInformation
```
This list is often compared against training completion records to confirm all users were included.
Export privileged roles (supports 3.2.2)
```powershell
Connect-MgGraph -Environment USGov -Scopes "RoleManagement.Read.Directory"
Get-MgDirectoryRole | ForEach-Object {
    $role = $_   # keep the role in scope; members come back as generic directory objects
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        Select-Object @{n='Role';e={$role.DisplayName}}, @{n='UserPrincipalName';e={$_.AdditionalProperties.userPrincipalName}}
} | Export-Csv AT_PrivilegedUsers.csv -NoTypeInformation
```
This identifies administrators who should receive role-specific training. Get-MgDirectoryRole returns only roles that have been activated in the tenant, and role members can include groups and service principals as well as user accounts, so filter the export to users before comparing it with training records.
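The two exports above are only useful once they are reconciled against what the training platform reports. The following script is an added example, not code from the original article or from Secureframe: it takes the user population (3.2.1) and the privileged-role population (3.2.2), compares each against a completion export, and writes the gaps to CSV as evidence that the reconciliation was performed. The file names, column headers (UserPrincipalName, Course, CompletedOn), course titles and the sample rows are constructed assumptions; substitute Import-Csv on the real exports and adjust the column names to whatever your training platform produces.

```powershell
# Added example (not from the original article). Reconciles the user population
# exported for 3.2.1 / 3.2.2 against a training-platform completion export.
# All file names, column headers, course titles and rows below are constructed.

# Stand-ins for AT_AllUsers.csv and AT_PrivilegedUsers.csv; use Import-Csv in practice.
$allUsers = @'
DisplayName,UserPrincipalName,Department
Alice Example,alice@contoso.us,Engineering
Bob Example,bob@contoso.us,Help Desk
Carol Contractor,carol.ext@contoso.us,Contractors
'@ | ConvertFrom-Csv

$privilegedUsers = @'
Role,UserPrincipalName
Global Administrator,alice@contoso.us
Helpdesk Administrator,bob@contoso.us
'@ | ConvertFrom-Csv

# Constructed completion export: one row per user per course, as most platforms emit.
# Dates are relative to today so the one-year currency check behaves the same whenever it runs.
$recent = (Get-Date).AddDays(-30).ToString('yyyy-MM-dd')
$stale  = (Get-Date).AddDays(-400).ToString('yyyy-MM-dd')
$completions = @"
UserPrincipalName,Course,CompletedOn
alice@contoso.us,Security Awareness,$recent
alice@contoso.us,Admin Security,$recent
bob@contoso.us,Security Awareness,$recent
carol.ext@contoso.us,Security Awareness,$stale
"@ | ConvertFrom-Csv

# Completions older than a year do not count toward the annual requirement.
$cutoff = (Get-Date).AddDays(-365)

function Get-Completed($course) {
    $completions |
        Where-Object { $_.Course -eq $course -and [datetime]$_.CompletedOn -ge $cutoff } |
        Select-Object -ExpandProperty UserPrincipalName -Unique
}

# 3.2.1: every enabled user must hold a current awareness completion.
$missingAwareness = $allUsers |
    Where-Object { $_.UserPrincipalName -notin (Get-Completed 'Security Awareness') }

# 3.2.2: every privileged account must also hold a current role-based completion.
$missingRoleTraining = $privilegedUsers |
    Where-Object { $_.UserPrincipalName -notin (Get-Completed 'Admin Security') }

"Users with no current awareness training:"
$missingAwareness | Format-Table DisplayName, UserPrincipalName, Department
"Privileged users with no current role-based training:"
$missingRoleTraining | Format-Table Role, UserPrincipalName

# Keep the gap lists; an empty file is itself evidence that coverage was checked.
$missingAwareness    | Export-Csv AT_Gap_Awareness.csv -NoTypeInformation
$missingRoleTraining | Export-Csv AT_Gap_RoleBased.csv -NoTypeInformation
```

With the constructed data, the script reports Carol (awareness completion older than a year) under 3.2.1 and Bob (no role-based course) under 3.2.2, which are exactly the two gaps the assessment findings section describes: stale or missing coverage for contractors, and administrators who only received the general-user course.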
Evidence your C3PAO will likely want to see
For the Awareness and Training family, assessors focus primarily on documentation and training records. They usually begin by reviewing the organization’s awareness training policy and training curriculum. From there they verify that completion records cover all users who have access to systems within the assessment boundary.
Assessors also evaluate role-based training documentation to confirm administrators receive instruction relevant to their responsibilities. Insider threat awareness content and reporting procedures are typically reviewed as part of this process.
| Control | Evidence examples | What the assessor verifies |
|---|---|---|
| 3.2.1 Security Awareness | Training policy, curriculum, completion reports. | All system users receive awareness training. |
| 3.2.2 Role-Based Training | Role-training matrix, role-specific completion records. | Personnel with security duties receive appropriate training. |
| 3.2.3 Insider Threat Awareness | Training module, reporting procedures. | Personnel understand how to recognize and report insider threats. |
Common AT family assessment findings
One of the most common issues is incomplete training coverage. Organizations frequently provide records for employees but overlook contractors or temporary personnel who still have system access. Anyone with access to in-scope systems should be included.
Another common finding appears when training programs rely entirely on generic cybersecurity awareness content. If training never addresses Controlled Unclassified Information, assessors may question whether employees understand the risks associated with handling defense-related data.
Role-based training gaps also appear frequently. Administrators responsible for managing security infrastructure sometimes receive the same training as general users even though their responsibilities require deeper knowledge of the systems they manage.
Insider threat awareness is another area where programs often fall short. Some organizations include only a brief mention of insider threats within broader training. Assessors generally expect a more detailed explanation of insider threat indicators and how employees should report suspicious activity.
How the Awareness & Training Family supports other control families
Awareness and Training controls strengthen nearly every other control family in NIST 800-171 because they address the human side of security.
Access Control and Identification and Authentication controls depend on users understanding how to protect credentials and recognize suspicious login activity. Without that awareness, even well-configured authentication systems can be undermined by phishing or social engineering.
Incident Response programs also rely on trained personnel. Employees are often the first to notice unusual system behavior, phishing attempts, or possible insider threat indicators. Training helps them recognize these situations and report them quickly.
The Insider Threat Awareness control in particular reinforces Personnel Security and Incident Response practices by ensuring employees understand both malicious and unintentional insider risks.
In practice, organizations that treat training as a compliance checkbox often struggle across multiple control families because users do not understand how their daily actions affect security.
Get started
The Awareness and Training family focuses on the human side of security. Even well-configured GCC High environments depend on users who understand how to recognize threats, protect sensitive information, and follow security procedures.
During a CMMC assessment, these controls are validated through documentation and completion records. Assessors will review evidence supporting 3.2.1 Security Awareness, 3.2.2 Role-Based Training, and 3.2.3 Insider Threat Awareness.
Secureframe Defense helps organizations maintain the evidence required for these controls by tracking training completion alongside technical compliance data. When an assessor requests proof that personnel completed awareness training or role-specific instruction, those records are already mapped to the corresponding NIST 800-171 requirements.
See how Secureframe automates evidence collection for the AT family by scheduling a demo with a product expert.
Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Anna Fitzgerald
Senior Content Marketing Manager
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.