
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AT.L2-3.2.3

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AT.L2-3.2.3

January 06, 2026
3 min read


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AT.L2-3.2.3 – Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Understanding the Requirement

This control (from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires organizations to ensure personnel — including managers and employees — can recognize indicators of insider threat and know how to report them. The intent is twofold: identify the common signs of negligent or malicious insider behavior, and establish an awareness program so staff can promptly and correctly report suspicious activity to the appropriate people. Training must be recurring and targeted so staff and supervisors understand indicators and escalation paths.

Technical Implementation

  • Adopt a baseline training course and schedule: Require all employees to complete a standardized “Insider Threat Awareness” course during onboarding and annually thereafter. Use an LMS to assign the course, record completion, and automatically re-enroll staff each year. For small teams, a tracked spreadsheet combined with certificates of completion is acceptable if a digital LMS is not available.

  • Differentiate training by role: Provide a manager-specific module covering how to receive reports, preserve evidence, and trigger investigations. Front-line staff get practical recognition indicators (unusual access patterns, hoarding documents, unexplained wealth, after-hours access) and clear reporting steps.

  • Define and publicize reporting channels: Establish multiple reporting methods (e.g., direct manager, security officer, anonymous hotline/email) and publish them in orientation materials, on the intranet, and on visible posters. Ensure each channel has a documented owner and an SLA for acknowledgment and initial triage.

  • Integrate technical controls that complement awareness: Pair training with DLP policies, least-privilege access, logging of file transfers and removable media usage, and alerts for anomalous behavior (bulk downloads, after-hours access). Configure automated alerts to feed security staff when indicators appear so human reports and monitoring reinforce each other.

  • Practice and validate through exercises: Run tabletop exercises and simulated scenarios annually to test whether employees recognize indicators and managers follow the reporting and escalation procedure. Use lessons learned to update training content, contact lists, and investigation playbooks.

  • Document policy and retention: Maintain a simple insider-threat policy that describes indicators, reporting steps, protections for reporters, and disciplinary processes. Keep training records, investigation notes, and corrective actions for the retention period required by your contracts or governance needs.
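The monitoring side of the "integrate technical controls" bullet, as an added example that is not part of the original article: a small detector that turns the indicators named above (after-hours CUI access, bulk downloads, removable-media writes) into alerts that security staff can triage alongside human reports. The log format, the thresholds, and every user name and path are constructed for illustration.

```python
# Added example (not from the original page): flag insider-threat indicators
# in file-access logs. Log format, thresholds, users and paths are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "timestamp user action path bytes"
SAMPLE_LOG = """\
2025-03-10T09:12:00 alice read /cui/contracts/a1.pdf 120000
2025-03-10T23:41:00 bob read /cui/contracts/b7.pdf 80000
2025-03-10T23:42:00 bob copy_to_removable /cui/contracts/b7.pdf 80000
2025-03-11T10:05:00 carol read /cui/designs/d1.dwg 5000000
2025-03-11T10:06:00 carol read /cui/designs/d2.dwg 5000000
2025-03-11T10:07:00 carol read /cui/designs/d3.dwg 5000000
2025-03-11T10:08:00 carol read /cui/designs/d4.dwg 5000000
2025-03-11T14:00:00 alice read /cui/contracts/a2.pdf 90000
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 counts as normal hours (assumption)
BULK_FILES = 3                  # more than this many CUI reads in one window...
BULK_WINDOW_MIN = 10            # ...within this many minutes is a bulk download

def parse_line(line):
    ts, user, action, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": int(size)}

def detect_indicators(log_text):
    """Return sorted (user, indicator, detail) alerts found in the log text."""
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    alerts = set()                      # set: one alert per distinct finding
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
        if e["ts"].hour not in BUSINESS_HOURS and e["path"].startswith("/cui/"):
            alerts.add((e["user"], "after_hours_cui_access", e["path"]))
        if e["action"] == "copy_to_removable":
            alerts.add((e["user"], "removable_media_write", e["path"]))
    # Sliding window over each user's CUI reads to catch bulk downloads.
    for user, evs in per_user.items():
        reads = sorted(e["ts"] for e in evs
                       if e["action"] == "read" and e["path"].startswith("/cui/"))
        start = 0
        for end in range(len(reads)):
            while (reads[end] - reads[start]).total_seconds() > BULK_WINDOW_MIN * 60:
                start += 1
            if end - start + 1 > BULK_FILES:
                alerts.add((user, "bulk_cui_download",
                            f"{end - start + 1} files in {BULK_WINDOW_MIN} min"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, indicator, detail in detect_indicators(SAMPLE_LOG):
        print(f"{user:6} {indicator:24} {detail}")
```

Against the sample log this raises nothing for alice, two alerts for bob (after-hours CUI access and a removable-media write) and one bulk-download alert for carol; in practice the alert feed would go to the same security staff who own the reporting channels.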

Example in a Small or Medium Business

Acme Tech Solutions, a 60-person contractor that handles Controlled Unclassified Information (CUI), implements AT.L2-3.2.3 by requiring all staff to complete the free "Insider Threat Awareness" course during onboarding and annually thereafter. The IT team tracks completions in the company LMS and emails noncompliant staff reminders. Managers receive an additional 30-minute session on how to accept reports, preserve evidence, and engage HR and the security lead. Acme posts a clear reporting banner on its intranet and offers an anonymous reporting mailbox monitored daily by the security officer. One night an employee notices a coworker repeatedly staying late and copying printed CUI into a personal bag; the employee uses the anonymous mailbox to report the observation. The security officer initiates an investigation, correlates access logs showing unusual file transfers, interviews the involved parties, and confirms unauthorized copying to a removable drive. The company follows its incident playbook: the individual is suspended pending HR action, the removable media policy is reinforced, DLP rules are tightened, and the entire staff completes a targeted refresher on indicators and reporting. Acme documents the incident, updates training examples to reflect the scenario, and demonstrates to its contracting officers that the insider threat control is active and effective.

Summary

Meeting AT.L2-3.2.3 requires a combination of policy, recurring role-based training, clear reporting channels, and supporting technical controls. For SMBs this means adopting and tracking an annual insider-threat awareness course, equipping managers to handle reports, pairing awareness with monitoring (DLP, logs, access controls), and exercising the process through tabletop drills. Together these measures ensure that employees can recognize indicators and feel comfortable reporting them, and that the organization can respond promptly to limit damage and meet its compliance obligations.
