AT.L2-3.2.2 under NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 requires that managers, system administrators, and users are made aware of the security risks associated with their activities. This post provides a practical, small-business-focused blueprint for designing, implementing, and evidencing a training program for remote and hybrid workforces that meets that control.
What AT.L2-3.2.2 expects (Key objectives)
The core objectives are to ensure personnel understand: (1) what Controlled Unclassified Information (CUI) looks like in their daily work, (2) how their remote/hybrid environment changes risk (home Wi‑Fi, personal devices, public networks), and (3) what specific behaviors and technical controls are required to protect that information. For a compliance framework implementation this means documented role-based training, tracked completion, and demonstrable reinforcement (phishing tests, policy acknowledgements, tabletop exercises).
Designing a role-based training program (Implementation notes)
Start by mapping roles (executive, program manager, developer, system administrator, HR, finance, facilities) to the specific CUI handling tasks they perform. Create modular training: a 30–45 minute core module covering threat landscape, secure remote access (VPN, MFA), device hygiene (OS patches, disk encryption such as BitLocker or FileVault), and data handling rules; then add targeted modules for developers (secure coding, repository hygiene), system admins (privilege management, logging, patching cadence), and managers (incident reporting, access approval workflows).
Practical implementation steps
Use an LMS that supports SCORM or xAPI (Moodle, TalentLMS, Docebo) so you can track per-user completion and export evidence. Integrate automated phishing simulation and metrics (KnowBe4, Cofense) to create behavioral KPIs: completion rate ≥95% within 30 days of hire, quarterly refresher completion, phishing click-through rate target <5% after remediation. Require signed policy acknowledgment (acceptable use, remote work security) via DocuSign or an LMS attestation to provide traceable evidence for audits.
Technical controls to teach and demonstrate
Training must be paired with enforceable technical controls so behaviors can be tested and monitored. For small businesses this commonly includes: MDM enrollment (Microsoft Intune or Jamf) with enforced device compliance, full-disk encryption (BitLocker/FileVault) enforced by policy, MFA for all cloud services (Azure AD Conditional Access with device compliance rules), endpoint protection (EDR like Microsoft Defender for Business), and corporate VPN or Zero Trust access (ZTNA) for CUI systems. Include in training the simple, exact steps employees must follow to enroll devices, check encryption status, and report lost/stolen devices.
Real-world small-business scenarios
Example 1: A 25-person defense subcontractor requires program managers to access CUI via a cloud-hosted contract portal. Training includes a step-by-step demo: enroll in Intune, install company certificate, connect to ZTNA portal, use SSO + FIDO2 security key for high-risk accounts. Evidence: screenshots from MDM console showing device compliance plus signed attestation for each program manager.
Example 2: A hybrid engineering team uses personal laptops occasionally. The policy prohibits local storage of CUI—training shows how to use OneDrive for Business with conditional access, configure device-specific rules, and use the enterprise data loss prevention (DLP) policy to block downloads. Practical exercises: have engineers complete a simulated file transfer that triggers DLP and then walk through remediation steps.
Measurement, reinforcement, and audit evidence
Keep a compliance folder with: training course outlines, LMS completion exports (CSV with timestamps), signed policy acknowledgements, phishing simulation reports, MDM device compliance reports, and incident logging for any security event tied to human behavior. Schedule quarterly role-based refreshers and an annual full program review. During internal audits, present KPIs (training completion rate, phishing click-through trend, time-to-remediate incidents) to show continuous improvement.
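As an added example (not code from the original post or from any LMS or phishing vendor), the following Python script turns the two raw artifacts named above, an LMS completion export and a phishing simulation report, into the audit KPIs the post defines: core-module completion within 30 days of hire against the 95% target, per-role module gaps to chase, and the phishing click-through trend against the 5% target with repeat clickers listed for remedial training. The CSV column names, the role-to-course map, the sample users and all dates are constructed assumptions, not a real vendor export format.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample LMS completion export (CSV with timestamps); not real data.
# An empty completed_at means the module has been assigned but not finished.
LMS_EXPORT = """user,role,hire_date,course,completed_at
alice@example.com,program_manager,2024-01-08,core_security_awareness,2024-01-20T10:15:00
alice@example.com,program_manager,2024-01-08,manager_incident_reporting,2024-02-01T09:00:00
bob@example.com,developer,2024-02-01,core_security_awareness,2024-03-15T14:30:00
bob@example.com,developer,2024-02-01,secure_coding,
carol@example.com,sysadmin,2023-11-15,core_security_awareness,2023-11-20T08:45:00
carol@example.com,sysadmin,2023-11-15,privilege_management,2023-12-01T11:00:00
dave@example.com,finance,2024-03-10,core_security_awareness,
"""

# Constructed phishing simulation report, one row per simulated email sent.
PHISHING_EXPORT = """user,campaign,sent_at,clicked,reported
alice@example.com,2024-Q1,2024-02-14T09:00:00,no,yes
bob@example.com,2024-Q1,2024-02-14T09:00:00,yes,no
carol@example.com,2024-Q1,2024-02-14T09:00:00,no,yes
dave@example.com,2024-Q1,2024-02-14T09:00:00,yes,no
alice@example.com,2024-Q2,2024-05-14T09:00:00,no,yes
bob@example.com,2024-Q2,2024-05-14T09:00:00,no,yes
carol@example.com,2024-Q2,2024-05-14T09:00:00,no,no
dave@example.com,2024-Q2,2024-05-14T09:00:00,yes,no
"""

# Hypothetical role-to-required-module map mirroring the role-based design above.
REQUIRED_COURSES = {
    "program_manager": {"core_security_awareness", "manager_incident_reporting"},
    "developer": {"core_security_awareness", "secure_coding"},
    "sysadmin": {"core_security_awareness", "privilege_management"},
    "finance": {"core_security_awareness"},
}
CORE_COURSE = "core_security_awareness"
ONBOARDING_WINDOW = timedelta(days=30)   # KPI: core module done within 30 days of hire
CORE_TARGET = 0.95                       # KPI: >= 95% on-time completion
CLICK_TARGET = 0.05                      # KPI: < 5% click-through after remediation


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def core_completion_kpi(lms_rows, as_of):
    """On-time core-module completion rate. Staff whose 30-day window has not
    yet closed on `as_of` are excluded so they do not distort the rate."""
    by_user = {}
    for r in lms_rows:
        info = by_user.setdefault(r["user"], {"hire": date.fromisoformat(r["hire_date"]), "courses": {}})
        info["courses"][r["course"]] = r["completed_at"] or None
    eligible = on_time = 0
    late = []
    for user, info in by_user.items():
        deadline = info["hire"] + ONBOARDING_WINDOW
        if deadline > as_of:
            continue
        eligible += 1
        done = info["courses"].get(CORE_COURSE)
        if done and datetime.fromisoformat(done).date() <= deadline:
            on_time += 1
        else:
            late.append(user)
    return {"eligible": eligible, "on_time": on_time,
            "rate": on_time / eligible if eligible else 0.0, "late": sorted(late)}


def role_training_gaps(lms_rows):
    """Required role modules not yet completed, per user (the list managers chase)."""
    roles, completed = {}, {}
    for r in lms_rows:
        roles[r["user"]] = r["role"]
        if r["completed_at"]:
            completed.setdefault(r["user"], set()).add(r["course"])
    gaps = {}
    for user, role in roles.items():
        missing = REQUIRED_COURSES.get(role, set()) - completed.get(user, set())
        if missing:
            gaps[user] = sorted(missing)
    return gaps


def phishing_trend(phish_rows):
    """Per-campaign click and report rates (chronological), plus users who
    clicked in more than one campaign and need targeted remediation."""
    per, clicks = {}, {}
    for r in phish_rows:
        c = per.setdefault(r["campaign"], {"sent": 0, "clicked": 0, "reported": 0})
        c["sent"] += 1
        if r["clicked"] == "yes":
            c["clicked"] += 1
            clicks[r["user"]] = clicks.get(r["user"], 0) + 1
        if r["reported"] == "yes":
            c["reported"] += 1
    trend = [{"campaign": n, "click_rate": per[n]["clicked"] / per[n]["sent"],
              "report_rate": per[n]["reported"] / per[n]["sent"]} for n in sorted(per)]
    return trend, sorted(u for u, n in clicks.items() if n > 1)


def audit_summary(as_of=date(2024, 6, 30)):
    """Everything an internal auditor asks for, in one structure."""
    lms, phish = parse_csv(LMS_EXPORT), parse_csv(PHISHING_EXPORT)
    core = core_completion_kpi(lms, as_of)
    trend, repeat = phishing_trend(phish)
    return {"core_completion_rate": core["rate"], "core_target_met": core["rate"] >= CORE_TARGET,
            "overdue_core": core["late"], "role_gaps": role_training_gaps(lms),
            "phishing_trend": trend, "latest_click_rate_target_met": trend[-1]["click_rate"] < CLICK_TARGET,
            "repeat_clickers": repeat}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_summary(), indent=2))
```

With the constructed data the script reports a 50% on-time core completion rate (target missed), two users with open role-module gaps, click-through falling from 50% to 25% across the two campaigns (still above the 5% target), and one repeat clicker; in practice you would point `LMS_EXPORT` and `PHISHING_EXPORT` at the real export files and run it as part of the quarterly evidence collection.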
Risks of non‑implementation and remediation tips
Failing to adequately train remote/hybrid staff increases the risk of CUI exposure through credential theft, misconfiguration, insecure personal devices, or improper file sharing—consequences include contract termination, loss of DoD business, regulatory penalties, and reputational harm. If gaps are found, prioritize: 1) immediate mandatory remedial training for affected roles, 2) enforce technical controls (block access for non-compliant devices via Conditional Access), and 3) conduct an incident-focused tabletop to update procedures and communications protocols.
In summary, meeting AT.L2-3.2.2 for a remote or hybrid workforce requires a repeatable, role-based training program tightly integrated with technical controls and measurable outcomes: use an LMS for evidence, enforce MDM and MFA, run phishing simulations, and maintain organized artifacts for audits—small businesses can implement this at reasonable cost by prioritizing high-risk roles and automating evidence collection through cloud management tools.