You've successfully subscribed to INFIMA Security
Great! Next, complete checkout for full access to INFIMA Security
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

CMMC Certification and Security Awareness Training

The regulations call out Security Awareness Training, so how do you stay compliant?

Everyone in the government space is talking about it. So, what is it?

CMMC - “Cybersecurity Maturity Model Certification”

It wouldn’t be government without the acronyms, so buckle up....

It’s a framework designed for the protection of the US Defense Industrial Base (DIB). Specifically, the focus is on securing Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This essentially refers to any form of sensitive unclassified data that a contractor (or sub-contractor) creates or possesses for or on behalf of the government.

Ultimately, this became critical for organizations seeking DoD (Department of Defense) contracts after the Interim Rule became effective on November 30, 2020.

CMMC certification requires an assessment from a C3PAO (Certified Third Party Organization).

How does CMMC relate to NIST?

From a quick pass, you’ll see that CMMC includes a lot of requirements out of NIST SP 800-171. This not all, though. CMMC also incorporates controls from NIST 800-53, AIA’s NAS 9933 and CERT’s Resilience Management Model.

Ok, one last (and critical) point on this relationship: CMMC includes five levels of maturity. These levels build on one another, meaning the requirements of each higher level include those of the levels below. So you can move step-wise from 1 to 2 to 3… you get it.


  • Level 1: Safeguard Federal Contract Information (FCI)
  • Level 2: Serve as transition step in cybersecurity progression to protect CUI
  • Level 3: Protect Controlled Unclassified Information (CUI)
  • Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

Ok, I think we’re done with all the acronyms. Now let’s dig into the Security Awareness Training requirements at each level! These will be all the requirements that start with those labeled Awareness and Training, or “AT.”

CMMC Level 1: Safeguard Federal Contract Information (FCI)

Explicit Security Awareness Training requirements start at Level 2.

This means Level 1 doesn't include any explicit AT requirements for Security Awareness Training, so let's keep moving.

CMMC Level 2: Serve as transition step in cybersecurity progression to protect CUI

AT.2.056: All Users Must Receive Cybersecurity Awareness Training

“Ensure that all Managers, system administrators, and users or organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.”

AT.2.057: Training must include security-related duties

“Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.”

Your INFIMA Security Awareness Training covers these topics!

CMMC Level 3: Protect Controlled Unclassified Information (CUI)

AT.3.058: Train on Insider Threats

“Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

Your INFIMA Security Awareness Training covers these topics too!

CMMC Levels 4-5: Protect CUI and reduce risk of Advanced Persistent Threats (APTs)

AT.4.059: Train on current cyber threats and update training at least annually

“Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.”

AT.4.060: Practical user testing and feedback

“Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.”

And yes, your INFIMA Security Awareness Training covers this too!

As you move toward higher levels of CMMC Certification, you'll want to ensure your Training program stays right there with you.

Are you ready to take action?
We make it easy to keep your Training current. Find out how to protect your team with INFIMA's Automated Security Awareness platform.

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.