This post shows a practical, step-by-step approach to building an audit-ready training program that satisfies Compliance Framework requirements for AT.L2-3.2.2 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2), including concrete tech details, small-business examples, evidence collection, and risk mitigation advice.
What AT.L2-3.2.2 requires (plain language)
AT.L2-3.2.2 requires organizations to ensure managers and system users are aware of the security risks tied to their activities and the applicable policies, standards, and procedures — meaning you must have documented, role-based training; proof of delivery and completion; and a repeatable process for updating, tracking, and retaining evidence for audits. Within the Compliance Framework context this becomes a measurable program: defined learning objectives, assignment rules per role, automated tracking, and artifacts that match control language during assessment.
Step-by-step implementation (practical)
Step 1 — Scope and mapping: Start by creating a training matrix that maps job roles to specific control statements in NIST 3.2.x and CMMC Level 2. For example, label "CUI handlers" (engineers, program managers) vs "Privileged users" (admins, DevOps) vs "All users." For each role list the topics required (CUI handling, data labeling, remote access rules, incident reporting, privileged account procedures) and the success criteria (quiz score, signed attestation).
Step 2 — Build content and sequence: Use short, role-based modules with clear objectives: new hire baseline (30–60 minutes), annual refresh (30 minutes), privileged-user deep-dive (90 minutes), and role-specific hands-on (phishing simulations, secure file transfer). Use SCORM- or xAPI-compliant content so your LMS can provide time-stamped completion records and exportable score reports for auditors. Include a manager briefing module that focuses on oversight responsibilities and how to verify team compliance.
Step 3 — Deploy tooling and integrations: For a small business, an affordable LMS (Moodle, TalentLMS, Litmos) integrated with Azure AD or Okta for SSO provides reliable identity linkage. Configure SAML or OIDC so completion records include the unique user ID (UPN) and timestamps. If you use Microsoft 365, consider Microsoft Purview or Intune to correlate device compliance with training status; use API calls (Microsoft Graph or the LMS REST API) to pull CSV/JSON exports into your GRC or evidence repository. Store the exports in immutable storage, or at minimum record a SHA-256 hash of each export at generation time so later tampering is detectable, and keep them for the retention period your contract defines (commonly 3–5 years).
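To show how Steps 1 to 3 fit together once the exports are flowing, here is an added Python example (not code from the original post or from any LMS or identity product it names) that evaluates a role-based training matrix against an LMS completion export and produces the non-completer report managers would receive. The roles, module IDs, users, pass mark and export rows are constructed placeholders.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed training matrix (Step 1): role -> required modules; "all" applies to every user.
TRAINING_MATRIX = {
    "all": ["CUI-AWARE"],
    "cui_handler": ["CUI-HANDLING", "INCIDENT-REPORTING"],
    "privileged": ["PRIV-ACCOUNTS", "REMOTE-ACCESS"],
}
REFRESH_DAYS = 365  # annual refresh window
PASS_SCORE = 80     # knowledge-check pass mark
# Constructed directory data (in practice, role attributes pulled from Azure AD or Okta via SSO).
USERS = {"jdoe@example.com": ["cui_handler"], "asmith@example.com": ["privileged"], "pwong@example.com": []}
COMPLETIONS_CSV = """upn,module_id,completed_at,score
jdoe@example.com,CUI-AWARE,2026-03-02T10:00:00Z,95
jdoe@example.com,CUI-HANDLING,2026-03-02T11:00:00Z,90
jdoe@example.com,INCIDENT-REPORTING,2026-03-02T12:00:00Z,72
asmith@example.com,CUI-AWARE,2025-01-15T09:00:00Z,88
asmith@example.com,PRIV-ACCOUNTS,2026-03-11T09:00:00Z,93
pwong@example.com,CUI-AWARE,2026-03-20T09:00:00Z,84
"""

def required_modules(roles):
    # Modules everyone needs, followed by the modules for each of the user's roles.
    return TRAINING_MATRIX["all"] + [m for r in roles for m in TRAINING_MATRIX[r]]

def latest_passing(rows):
    best = {}
    for row in rows:
        if int(row["score"]) >= PASS_SCORE:  # a failed quiz does not count as a completion
            ts = datetime.fromisoformat(row["completed_at"].replace("Z", "+00:00"))
            key = (row["upn"], row["module_id"])
            best[key] = max(best.get(key, ts), ts)  # keep the most recent passing completion
    return best

def non_completers(csv_text, users, as_of_iso):
    """Return {upn: [gap, ...]} for users missing, failing or overdue on a required module."""
    passing = latest_passing(csv.DictReader(io.StringIO(csv_text)))
    cutoff = datetime.fromisoformat(as_of_iso.replace("Z", "+00:00")) - timedelta(days=REFRESH_DAYS)
    report = {}
    for upn, roles in users.items():
        gaps = []
        for mod in required_modules(roles):
            ts = passing.get((upn, mod))
            if ts is None:
                gaps.append(f"{mod}: no passing completion")
            elif ts < cutoff:
                gaps.append(f"{mod}: annual refresh overdue (last passed {ts.date()})")
        if gaps:
            report[upn] = gaps
    return report
```

Feed the report into the weekly manager email or the HR escalation described later in the post; the same function, run against the archived export, reproduces the state an auditor is asking about.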
Technical evidence and attestations
Design evidence packages that auditors expect: training matrix PDF with versioning, exported LMS completion reports (user ID, module ID, timestamp, score), signed attestation forms (digital signature or checked acceptance in LMS), update/change log for content versions, and manager attestations (periodic emails or LMS-based certs). For stronger audit chains, store exports in a write-once location (e.g., Azure Blob with immutable retention or an S3 bucket with Object Lock) and retain API call logs showing when records were generated.
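The hashing step above, as an added Python example that is not part of the original post: it builds a SHA-256 manifest for an evidence bundle at export time and re-verifies the bundle later, so a modified, missing or unlisted artifact is detected. The artifact contents, file names and the generating account are constructed placeholders.

```python
import hashlib
import json

# Constructed stand-ins for a quarterly evidence bundle (real ones come from the LMS or Graph exports).
SAMPLE_BUNDLE = {
    "completions.csv": (
        b"upn,module_id,completed_at,score\n"
        b"jdoe@example.com,CUI-101,2026-03-31T14:02:11Z,92\n"
        b"asmith@example.com,PRIV-201,2026-03-30T09:15:40Z,88\n"
    ),
    "quiz_results.json": b'[{"upn": "jdoe@example.com", "module_id": "CUI-101", "score": 92}]',
    "training_matrix.pdf": b"%PDF-1.4 constructed placeholder bytes for the matrix document",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def canonical_json(obj):
    # Stable serialization so the manifest hash is reproducible across runs and tools.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(bundle, generated_by, generated_at):
    """List each artifact's SHA-256 and size, plus who generated the bundle and when."""
    artifacts = {name: {"sha256": sha256_hex(data), "bytes": len(data)}
                 for name, data in sorted(bundle.items())}
    manifest = {"generated_at": generated_at, "generated_by": generated_by, "artifacts": artifacts}
    # Self-hash of the manifest body. Record this one value out of band (ticket, signed email),
    # because a rewritten manifest could otherwise be rehashed to match altered artifacts.
    manifest["manifest_sha256"] = sha256_hex(canonical_json(manifest))
    return manifest

def verify_bundle(bundle, manifest):
    """Return a list of findings; an empty list means the bundle matches its manifest."""
    findings = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(canonical_json(body)) != manifest.get("manifest_sha256"):
        findings.append("manifest hash mismatch")
    for name, entry in manifest["artifacts"].items():
        if name not in bundle:
            findings.append(f"missing artifact: {name}")
        elif sha256_hex(bundle[name]) != entry["sha256"]:
            findings.append(f"hash mismatch: {name}")
    for name in bundle:
        if name not in manifest["artifacts"]:
            findings.append(f"unlisted artifact: {name}")
    return findings
```

Write the manifest into the same write-once location as the bundle; the out-of-band copy of manifest_sha256 is what lets you prove to an assessor that neither the artifacts nor the manifest changed after generation.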
Small-business scenarios and real-world examples
Example A — 25-person defense subcontractor: They used a hosted LMS (TalentLMS) + Azure AD SSO. New hires complete the "CUI Awareness" module on day 1; managers receive an automated weekly report highlighting non-completers. Phishing simulations run quarterly; failures trigger a 15-minute remedial module. Artifacts: weekly CSV exports stored in SharePoint with versioned filenames (training_matrix_v1.0.xlsx, completions_2026-03-31.csv), and manager emails saved as PDF attestations. This setup provided sufficient proof for a DFARS compliance review.
Example B — Small manufacturer using Microsoft stack: They created short videos hosted in SharePoint, embedded quizzes via Microsoft Forms, and used Power Automate to write completion entries into an Azure SQL evidence table. A Graph API script generates a quarterly evidence bundle (training_matrix.pdf, completions.csv, quiz_results.json) and copies it to an immutable blob for auditors. Privileged access is gated: admins must have a "training_complete" attribute in Azure AD before Conditional Access grants access to admin consoles.
Compliance tips, best practices, and risks of non-compliance
Best practices: map each training artifact to the specific control language in your policies; version content and keep a changelog; require manager sign-off for role assignments; combine knowledge checks with attestation; schedule automated reminders and escalation to HR for persistent non-compliance; run tabletop exercises annually. Technical tips: use SCORM/xAPI for granular event data, secure evidence in immutable storage, and log API calls with requestor identity. The risk of not implementing AT.L2-3.2.2 is concrete: mishandled CUI, failed audits or lost contracts, remedial corrective action plans (CAPs), and reputational damage. For small businesses, those outcomes can mean lost revenue or contract termination.
Summary: Build the program by mapping roles to control statements, creating concise role-based training, deploying an LMS with identity integration, collecting immutable, time-stamped evidence, and operationalizing manager attestations and remediation. With a documented training matrix, automated evidence exports, and a defined retention policy, a small business can demonstrate compliance with AT.L2-3.2.2 during an assessment while reducing real-world security risk.