CUI Training: What Your People Actually Need to Know
Essential insights on controlled unclassified information (CUI) training for compliance success.
---
The Awareness and Training domain has three requirements. On a scale of effort, it sits toward the easier end — no hardware to buy, no network segmentation to design. But it trips up contractors because they confuse "completed training" with "effective training." An assessor interviewing employees who just clicked through a module is going to notice when nobody can explain what CUI is or what to do with a suspicious email.
Here's what the requirements actually demand and how to build a training program that satisfies them.
The Three Requirements
AT.L2-3.2.1 — Security awareness training for all users. Everyone who uses your information systems must receive security awareness training. Not just people who handle CUI directly — anyone whose account can touch the systems that process, store, or transmit CUI. The training must cover:
- Organizational security policies and expected behaviors
- Recognized threats and vulnerabilities, including social engineering and phishing
- How to recognize and report security incidents
- CUI handling procedures specific to your organization
"All users" means all users. It includes executives who have system access, operations staff who occasionally log into project management systems, remote workers, temporary employees, and contractors with system accounts. The definition is anyone with authorized access to your covered information systems.
AT.L2-3.2.2 — Role-based training for users with security responsibilities. Certain roles carry additional security responsibilities and need training beyond the general awareness curriculum:
- System administrators who configure and manage CUI systems
- Security personnel (ISSO, IT security lead)
- Users with privileged access (local admins, domain admins, backup operators)
- Anyone who makes security-relevant decisions (approving access requests, reviewing audit logs)
The training content must reflect the actual responsibilities of the role. "Admin-level security training" that's identical to user awareness training doesn't satisfy this requirement. A sysadmin needs to understand secure configuration practices, access control management, audit log review, and incident response procedures specific to their role.
AT.L2-3.2.3 — Insider threat awareness. Your personnel must be trained to recognize potential insider threat indicators and know how to report concerns. Insider threat isn't just disgruntled employees — it includes:
- Unintentional data disclosure (the employee who emails CUI to a personal account "for convenience")
- Credential compromise (an insider threat can mean an adversary using a legitimate user's account)
- Deliberate exfiltration
- Organizational policy violations that create risk even without malicious intent
The training should tell employees specifically what behavioral indicators to watch for and exactly how to report concerns (to a manager, an ISSO, an anonymous hotline, or whatever your organization uses).
What the Training Must Cover
Your security awareness training must address CUI specifically — not just generic cybersecurity concepts. Generic phishing awareness training does not satisfy CMMC's AT requirements unless it includes CUI-specific content. Your training must cover:
What CUI is and what it looks like. Show examples of documents that contain CUI. Show the banner marking format. Make it visual and concrete. If your employees see "CUI" at the top of a document and don't recognize it, you have a training gap.
CUI handling procedures. What your employees are allowed and not allowed to do with CUI:
- Only access CUI on authorized systems (not personal devices, not personal cloud accounts)
- Only transmit CUI through authorized channels (your encrypted email system, your approved file sharing platform)
- Never send CUI to personal email addresses — including their own
- Store CUI only in approved locations
- Mark all CUI they create with the correct banner and designation indicator
Phishing and social engineering. Adversaries actively target defense contractors. Your employees should be able to recognize spear-phishing emails, suspicious links, and requests for information that seem slightly off. Spear-phishing targeted at defense contractors frequently uses legitimate-looking DoD or prime contractor email domains with subtle variations.
Incident reporting. Every employee must know the specific steps for reporting a security incident. Not "tell your manager" — the actual procedure: who to call, what information to provide, and the context of the 72-hour DFARS reporting requirement (so employees understand why speed matters).
Insider threat recognition. What behavioral indicators look like. How to report without assuming guilt. That anonymous reporting options exist.
Password and authentication hygiene. Never share credentials. Use MFA on everything that supports it. Report suspicious login notifications immediately.
Who to Train and When
All users at hire: Security awareness training within 90 days of being granted system access. Many organizations require it before system access is granted — a reasonable approach that also reduces risk.
All users annually: Refresh training at least once per year. The threat landscape changes. Your CUI handling procedures may change. Annual training keeps knowledge current and keeps your documentation in good standing.
When the threat environment changes: If there's a significant new threat (a major phishing campaign targeting DIB contractors, a new malware variant in the wild), timely supplemental awareness material is appropriate — an email, a short video, a brief all-hands notice. Keep records of these supplemental communications.
When roles change: If an employee moves from a non-privileged role to a system administrator role, they need role-based training before or promptly after the role change.
Off-the-Shelf vs. Custom Content
Most small and mid-size defense contractors use commercial security awareness training platforms. These work well if you choose them carefully and supplement with CUI-specific content.
Commercial platforms:
- KnowBe4: $15–$30/user/year. Large library of awareness modules, phishing simulation, compliance-specific content. Has CUI and DoD-specific modules available. Strong completion tracking and reporting. Most commonly used platform in the DIB.
- Proofpoint Security Awareness: Similar pricing, strong phishing simulation and user-level risk scoring. Integrates well with email security.
- SANS Security Awareness: $20–$35/user/year. Higher-quality content, particularly for technical role-based training. Better for organizations that want depth over breadth.
- CDSE (Center for Development of Security Excellence): Free. The DoD's own training resource at cdse.edu. Includes specific CUI training modules (search for "CUI Training" on the CDSE catalog). The CUI Awareness and Fundamentals course is directly applicable to AT.L2-3.2.1 requirements.
Decision point: If you have fewer than 50 users, the CDSE free CUI training plus a basic phishing awareness platform covers most of what you need at minimal cost. For 50+ users, a commercial platform with integrated phishing simulation and automated tracking is worth the per-user cost because of the documentation it generates. For highly technical staff, supplement the commercial platform with SANS role-based content.
What you cannot rely on exclusively: Generic compliance training that includes "check a box to acknowledge you read the policy." Policy acknowledgments are not training. They don't satisfy AT.L2-3.2.1 unless accompanied by actual content delivery and comprehension evidence.
Documentation: What You Need to Show the Assessor
This is where many contractors get caught. They did the training — but they can't prove it. Your training documentation must include:
- Training content or curriculum: What was covered. Module titles, a course outline, or the full content — enough for the assessor to confirm it addresses required topics.
- Completion records: Who completed training, what training, and when. This means individual records, not just "all employees were trained." Name, date, training title.
- Acknowledgment signatures: Evidence that employees acknowledged the content — a digital sign-off in your training platform or a paper signature log.
- Role-based training records: Separate documentation showing which employees hold security-relevant roles and completed role-appropriate training.
- Training schedule: Evidence of annual cadence — not just one training event from 18 months ago.
Training platforms like KnowBe4 and Proofpoint generate these reports automatically. Pull and archive them quarterly. For CDSE training, have employees download their certificates of completion and submit them to a central location.
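The timing rules in "Who to Train and When" and the completion records described above lend themselves to an automated gap check before an assessment. The script below is an added example, not from the article or any vendor platform; the users, roles and completion records are constructed sample data, and the column layout is an assumption about what your LMS export would contain.

```python
from datetime import date, timedelta

# Deadlines as the article states them: awareness training within 90 days of
# system access, refreshed at least annually; privileged roles also need
# role-based training (AT.L2-3.2.2).
NEW_HIRE_DEADLINE = timedelta(days=90)
REFRESH_INTERVAL = timedelta(days=365)
PRIVILEGED_ROLES = {"sysadmin", "isso", "domain_admin", "backup_operator"}

# Constructed sample data (hypothetical users; not from the article).
# users: name -> (date system access was granted, role)
USERS = {
    "alice": (date(2023, 1, 10), "engineer"),
    "bob":   (date(2024, 2, 1),  "sysadmin"),
    "carol": (date(2024, 5, 20), "engineer"),
    "dave":  (date(2023, 3, 5),  "temp_contractor"),  # temps count as users too
}
# completions: (name, training title, completed on, cui_specific, role_based)
COMPLETIONS = [
    ("alice", "CUI Awareness and Fundamentals", date(2023, 2, 1), True, False),
    ("alice", "CUI Awareness and Fundamentals", date(2024, 3, 1), True, False),
    ("bob",   "Generic Phishing Awareness",     date(2024, 2, 15), False, False),
    ("carol", "CUI Awareness and Fundamentals", date(2024, 6, 1), True, False),
]

def training_gaps(users, completions, as_of):
    """Return {name: [findings]} for every user who fails a requirement as of a date."""
    gaps = {}
    for name, (granted, role) in users.items():
        findings = []
        mine = [c for c in completions if c[0] == name and c[2] <= as_of]
        # Generic modules do not count: AT.L2-3.2.1 needs CUI-specific content.
        cui = [c for c in mine if c[3]]
        if not cui:
            if as_of - granted > NEW_HIRE_DEADLINE:
                findings.append("no CUI-specific awareness training; 90-day deadline passed")
            else:
                findings.append("no CUI-specific awareness training yet (within 90-day window)")
        else:
            last = max(c[2] for c in cui)
            if as_of - last > REFRESH_INTERVAL:
                findings.append(f"annual refresh overdue (last completed {last})")
        if role in PRIVILEGED_ROLES and not any(c[4] for c in mine):
            findings.append("privileged role without role-based training")
        if findings:
            gaps[name] = findings
    return gaps

if __name__ == "__main__":
    for user, findings in training_gaps(USERS, COMPLETIONS, date(2024, 9, 1)).items():
        print(user, "->", "; ".join(findings))
```

Run it against a real LMS export on the same cadence you archive the platform reports, and keep the output alongside them as evidence that the gaps were reviewed.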
Common Mistakes
Completion records without comprehension evidence. Clicking through a module and passing a 5-question quiz with unlimited retries doesn't demonstrate understanding. Assessors sometimes interview employees directly — asking what CUI is, what to do if they receive a suspicious email, or how to mark a document they've created. If the employee hasn't retained anything, the training program has a gap. Use post-training assessments with real scores and review results annually.
No CUI-specific content. Generic cybersecurity training — password hygiene, phishing awareness, acceptable use — is necessary but not sufficient for CMMC. AT.L2-3.2.1 requires training on CUI handling and your organization's security policies. If your training program doesn't mention CUI, it doesn't meet the requirement regardless of how many modules it includes.
Treating contractors and temps differently. Temporary staff and contractors with system accounts have the same training requirement as full-time employees. If they have access to CUI systems, they need the training and the documentation.
Annual training that's identical every year. If your threat environment evolves and your CUI procedures change but your training deck is the same one from three years ago, you have a problem. Update content annually. Even if the changes are incremental, update the version date and document what changed.
What Your Assessor Expects
For the AT domain, the assessor will:
- Examine: Training content (to verify it covers required topics), completion records (to verify all users are trained), and role-based training documentation
- Interview: A sample of users — typically 5–10% of the user population, including at least some privileged users — asking questions like: "What is CUI? How do you handle a CUI document you receive by email? What would you do if you thought an email was a phishing attempt? What do you do if you accidentally sent a CUI file to the wrong person?"
- Examine: Evidence that training occurred within the required timeframes (annually, within 90 days of hire)
The interview is the honest test. An assessor who talks to five employees and discovers none of them can define CUI, identify a CUI banner, or describe the incident reporting procedure will have serious concerns about the entire training program — regardless of what the completion records say.
Prepare your people. The week before your assessment, brief everyone on key concepts. It's not gaming the system — it's exactly what continuous awareness training is supposed to achieve.
---
The minimum viable CUI training program: CDSE CUI fundamentals course + annual phishing simulation + a one-page CUI quick reference card with your organization's specific procedures. Total annual cost for a 20-person company: under $500. Training time: under 2 hours per person per year.