AT.L2-3.2.3

AT.L2-3.2.3: Insider Threat Awareness

Provide security awareness training that addresses insider threats, including how to recognize and report suspicious behavior.

Insider threat awareness sits in the middle of your security awareness program. You’re not looking for advanced threat intelligence here. You’re looking at basic recognition: what does suspicious behavior look like, and when and where should people report it. This complements AT.L2-3.2.1 (general awareness) and IR.L2-3.6.1 (incident response).

Family: Awareness and Training
Practice: AT.L2-3.2.3
Difficulty: Easy
Key evidence: Training records, attendance, course content

What the assessor is actually evaluating

The assessor wants to know two things: (1) Did you teach people what insider threats look like? (2) Do they know how to report it? You don’t need a full threat model. You need basic awareness that gets people to recognize patterns like unusual data access, after-hours activity, or someone asking questions about systems outside their job.

The key phrase in AT.L2-3.2.3 is “recognize insider threats.” Your training needs to build that recognition muscle. This could be part of your general security awareness program, or it could be a standalone module. Length doesn’t matter. Content matters.

What a realistic SSP definition looks like

AT.L2-3.2.3 Insider Threat Awareness

All personnel complete insider threat awareness training during onboarding and annually thereafter. Training covers:

  • Indicators of suspicious behavior (unusual access patterns, data hoarding, policy violations)
  • What qualifies as potential insider threat activity in [Company] context
  • Reporting procedures and escalation paths
  • Protection of reporters from retaliation

Training is delivered via [method: video, instructor-led, etc.]. Attendance is tracked in [system]. Content is reviewed annually and updated based on threat environment changes.

How to present your evidence

Gather these items:
  • Training materials or course outline (show what you teach about insider threats)
  • Attendance or completion records for all personnel (dated)
  • Training schedule or calendar showing regular delivery
  • Any sign-off sheets or acknowledgments
  • If using an off-the-shelf platform, show the course enrollment list

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "Where do employees report if they see suspicious activity?" A: "They go to [manager/HR/security contact]. We train them on this annually." [Pull up training materials showing the reporting section]

Q: "Can you walk me through your most recent training?" A: "[Brief overview of content covered]. Here's the attendance record showing when and who completed it."

Q: "How often do you do this training?" A: "During onboarding and annually for all staff. Here's our schedule."

Common failures

Too generic. You have a general "security awareness" training slide that mentions threats generically. Assessors see this all the time. Insider threat needs its own focus. Separate it out or dedicate clear sections to insider threat indicators.

No attendance proof. You have a training presentation but no way to show who took it or when. Track completion dates. A spreadsheet works.

You're good here. You have an annual training calendar, training materials that specifically address insider threats (unusual access, policy violations, reporting), and attendance records showing all staff completed it in the past 12 months. Assessors move on quickly from this one.
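The "no attendance proof" failure above and the "all staff completed it in the past 12 months" check come down to the same reconciliation: every person on the current roster must have a completion of the insider threat module dated within the window. The script below is an added example, not from this guide or any training platform; it assumes completion records exported as CSV (user, course, completion date), an assumed course identifier "insider-threat-awareness", a 365-day window standing in for "annually", and constructed roster and record data. It returns, per person, whether they are current, overdue, or missing entirely, which is exactly the list you want cleared before the assessment.

```python
import csv
from dataclasses import dataclass
from datetime import date, timedelta
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the guide): the current personnel roster.
ROSTER = ["a.lee", "b.ortiz", "c.nakamura", "d.patel", "e.ross"]

# Constructed completion export in the shape a spreadsheet or training
# platform would produce. The course name is an assumed identifier.
COMPLETIONS_CSV = """user,course,completed
a.lee,insider-threat-awareness,2025-04-10
a.lee,insider-threat-awareness,2026-02-03
b.ortiz,insider-threat-awareness,2025-01-15
c.nakamura,phishing-basics,2026-01-20
d.patel,insider-threat-awareness,2026-03-01
f.zhang,insider-threat-awareness,2026-02-20
"""

COURSE = "insider-threat-awareness"   # assumed module identifier
WINDOW = timedelta(days=365)          # "annually" taken as 365 days
AS_OF = date(2026, 3, 15)             # constructed assessment date

Record = Tuple[str, str, date]


def load_completions(text: str) -> List[Record]:
    """Parse the CSV export; rows with unparseable dates are skipped rather than
    silently counted as completions."""
    out: List[Record] = []
    for row in csv.DictReader(StringIO(text)):
        try:
            completed = date.fromisoformat(row["completed"].strip())
        except ValueError:
            continue
        out.append((row["user"].strip(), row["course"].strip(), completed))
    return out


def latest_completions(records: List[Record], course: str) -> Dict[str, date]:
    """Keep only the most recent completion of the target course per user."""
    latest: Dict[str, date] = {}
    for user, rec_course, completed in records:
        if rec_course != course:
            continue
        if user not in latest or completed > latest[user]:
            latest[user] = completed
    return latest


@dataclass
class Finding:
    user: str
    status: str                  # "current", "overdue" or "missing"
    last_completed: Optional[date]


def training_status(roster: List[str], records: List[Record], course: str,
                    as_of: date, window: timedelta = WINDOW) -> List[Finding]:
    """One finding per roster member. A user with no record of the target
    course at all is 'missing'; a record older than the window is 'overdue'."""
    latest = latest_completions(records, course)
    findings = []
    for user in roster:
        last = latest.get(user)
        if last is None:
            status = "missing"
        elif as_of - last > window:
            status = "overdue"
        else:
            status = "current"
        findings.append(Finding(user, status, last))
    return findings


def gaps(findings: List[Finding]) -> List[Finding]:
    """Everyone who would fail the 'all staff in the past 12 months' check."""
    return [f for f in findings if f.status != "current"]


def orphan_records(roster: List[str], records: List[Record]) -> List[str]:
    """Users with completions but not on the roster (departed staff or typos):
    evidence you should be able to explain if the assessor spots it."""
    on_roster = set(roster)
    return sorted({u for u, _, _ in records if u not in on_roster})


if __name__ == "__main__":
    records = load_completions(COMPLETIONS_CSV)
    for f in training_status(ROSTER, records, COURSE, AS_OF):
        print(f"{f.user:12} {f.status:8} {f.last_completed}")
    print("orphan records:", orphan_records(ROSTER, records))
```

Run it against your real export with the roster pulled from HR, not from the training platform: the platform only knows about people who were enrolled, so it cannot tell you who was never enrolled at all, which is the "missing" case an assessor is most likely to find.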

If you use an off-the-shelf training platform

Many companies use platforms like KnowBe4, Proofpoint, or Cisco Security Awareness. If your platform includes an "insider threat" or "suspicious behavior" module, that works. Show the enrollment list and completion records. Your SSP can reference the platform by name.

If you use an MSP/MSSP

Insider threat awareness training is almost always your responsibility, not your MSP’s. Your MSP might manage the training platform or delivery mechanism, but the content decisions and compliance decisions stay with you. You decide what gets taught about insider threats in your organization. You’re accountable for proving that your personnel received the training.

An MSP might provide a recommended training curriculum or manage enrollment in a third-party platform. If they do, verify that the content covers insider threat recognition and reporting specific to your environment. Sign off on the material before it’s delivered. Document that you reviewed and approved it.

Verify training content

If your MSP manages training delivery or platform, request a walkthrough of the insider threat module. Confirm it covers suspicious behavior indicators, reporting procedures, and retaliation protection. You need to be able to explain the training content to the assessor, even if your MSP manages enrollment.


This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.