AT.L2-3.2.2: Role-Based Training

Personnel with security duties receive training specific to their assigned information security responsibilities

Role-based training means people with security-related job duties get additional training on top of what everyone else takes. Everyone gets the general awareness track (AT.L2-3.2.1). Then your IT administrator gets additional modules on privileged account management, patch workflows, and incident response procedures. Finance and HR staff get additional training on social engineering targeting and sensitive records handling. The assessor will ask what your IT staff receives that’s different from what everyone else gets. If your answer is “they all take the same awareness module,” that’s a finding. Every client I’ve worked with does this. It’s standard practice, not optional.

What the assessor is actually evaluating

The assessor will look for:

  • A documented list of job roles that have security responsibilities
  • Training content tied to each role (with evidence: course descriptions, training materials, or LMS configurations)
  • Records showing completion of role-appropriate training, not just general awareness
  • Evidence that training covers the specific duties in that person’s job (not just “here’s the policy”)
  • At least annual refresher training for each role
  • How you assign training based on actual security responsibilities, not just seniority or department

The assessor will ask questions like: “What training does your network admin receive?” “What about your database admin?” “Your receptionist?” If the answers are all the same, you’re missing the point of 3.2.2.

How this differs from AT.L2-3.2.1

AT.L2-3.2.1 is mandatory awareness training for everyone in the organization. It covers the basics: the security policy, how to report issues, password rules, why CUI matters. AT.L2-3.2.2 assumes people have completed 3.2.1, then adds job-specific training for people whose work directly touches security controls.

Think of it this way: 3.2.1 gets everyone on the same page. 3.2.2 teaches each person how to do their actual security job correctly.

Start by identifying job titles or functions with hands-on security duties:

  • System administrators and network administrators
  • Application developers (if you have them)
  • Security personnel (if you have them)
  • Incident response team members
  • System owners or information system security officers (ISSOs)
  • Anyone managing access controls or authentication systems
  • Finance and HR staff handling sensitive records

If someone makes decisions about who gets access, how systems are configured, how incidents are handled, or how data is protected, they need role-based training.

Training content expectations

Your role-based training should address the specific duties in the security plan. Examples:

  • IT staff: privilege management procedures, change control processes, patch deployment workflows, incident response escalation, system backup and recovery, security event monitoring
  • Finance/HR: recognizing phishing and social engineering, proper handling of sensitive personnel files, reporting suspicious activity, clean desk practices
  • Executives: their role in incident response decisions, approval authorities for security exceptions, business email compromise awareness
  • Developers: secure coding practices, code review procedures, vulnerability handling, secure dependency management

The training doesn’t have to be lengthy. A one-hour workshop on privilege management tailored to your environment is more valuable than a generic three-hour course. Your LMS configuration screen counts as documentation if it shows role-based course assignment.

SSP language that works

Example SSP Language: AT.L2-3.2.2

[Organization Name] maintains a matrix of job roles with security-related responsibilities. Each role has assigned training covering the specific procedures and practices for that position. Training is assigned based on actual security duties.

IT Administrators complete training on at least an annual basis covering: privileged account management, incident detection and reporting procedures, and system configuration standards. Network administrators complete additional training on network segmentation and monitoring procedures.

System owners and technical team leads receive training on their responsibilities for categorizing systems, documenting security controls, and ensuring compliance with the information security program.

All personnel handling CUI complete training on CUI handling requirements specific to their role. Finance and HR staff receive training on social engineering targeting their department and secure handling of sensitive records.

Training completion is tracked in [LMS name] and records are retained for at least three years. Role-based training is refreshed at least annually, or more frequently if significant changes occur to security policies or procedures.

How to present your evidence

During the assessment, have ready:

  • A list or spreadsheet showing each role with security duties and the person or people in that role
  • Course names or training materials and how they map to each role
  • Screenshots from your LMS showing role-based course assignments
  • Training completion records for the past 12 months, grouped by role
  • At least one example of role-specific training content (the actual course, a description, an agenda, a video link)
  • Your training plan for the coming year

The assessor needs to see that training is intentional and tied to job duties, not random or generic.

Common failures

What gets flagged

Everyone takes the same general awareness training and calls it done. The DoD CDSE CUI module is a baseline for everyone. It doesn't replace role-based training. An IT admin still needs training on how to execute your change management procedures and what to do when a system alert fires.

Training is assigned by job title, not by actual security role. If you have two system administrators and only one gets advanced training on incident response because of tenure or location, you're not assigning based on role. Actual security duties should drive assignment.

What makes assessors move on satisfied

You have documented security roles, each with assigned training content, and completion tracking over the past year. Your LMS shows different courses assigned to your IT team, your developers, your finance staff. You can pull reports showing 100% completion with documented reasons for any gaps (new hire starting next week, person on extended leave returning in two weeks).

Q&A: What the assessor asks and what good answers sound like

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: "Walk me through your role-based training. What does your IT administrator learn that's specific to their job?"

"Our IT admins get the general awareness track like everyone else, plus additional modules on privilege management, incident response escalation, and our change management procedures. [Pull up the LMS] Here's the IT admin campaign. You can see the modules assigned and completion dates."

Assessor: "How do you assign training? Do you use your job classifications?"

"We have a security role matrix that lists all positions with hands-on security duties. [Pull up the matrix] Each role has assigned training in our LMS. When someone gets hired into that role, the training is assigned automatically. We review the matrix at least every six months."

Assessor: "What if someone is new? How long before they complete their role-based training?"

"Within their first 30 days, before they're granted production access. [Pull up onboarding checklist] We track it here. If someone is delayed, that's a documented exception until the training is done."

If you use an MSP/MSSP

If an MSSP handles most of your security operations, your own staff (the contractor's personnel) still need role-based training appropriate to their actual duties: general awareness, insider threat awareness, CUI handling, and then role-specific training for whatever security responsibilities they carry. If they don’t have an IT role, they don’t get IT admin training. But they do get training on who to call, how to report, and how to handle CUI in their workflows.

Here’s the part that catches people: your MSP/MSSP staff must also complete the training and be able to show it. If your MSSP manages your firewall and runs incident response, the assessor may ask what training those MSSP personnel have received. The MSSP should be able to produce their own training records for the staff working on your account. Make sure your MSP agreement covers this.

Note: This practice assumes personnel have already completed general awareness training (AT.L2-3.2.1). Role-based training builds on that foundation with job-specific content and procedures.