CMMC Practice Requirement:

Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

CMMC Requirement Explanation:

The vast majority of cyber attacks are caused by human error. Security awareness training helps reduce the chance of cyber attacks resulting from human error. An example of a human error is when a user downloads an attachment from a malicious email.

Example CMMC Implementation:

Provide security awareness training to your employees and persons using your systems. Security awareness training can be given via instructor or online training. Security awareness training should cover important security policies and common cyber threats. Occasionally send security awareness/tip emails to employees.


- Scenario 1:


Your company requires all its employees and system users to complete annual security awareness training. It accomplishes this by having personnel take the online DoD "Annual Security Awareness" refresher. Personnel who complete the training receive a certificate of completion. Every employee is responsible for providing their certificate to your security officer.
The DoD Annual Security Awareness Refresher
The DoD Annual Security Awareness Refresher

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance