AT.L2-3.2.3: Insider Threat Awareness

Provide security awareness training that addresses insider threats, including how to recognize and report suspicious behavior.

Insider threat awareness is one component of your security awareness program, not a separate discipline. You're not being asked for threat intelligence or a detection program here. You're being asked for basic recognition: what suspicious behavior looks like, and when and how people report it. This complements AT.L2-3.2.1 (general awareness) and IR.L2-3.6.1 (incident response).

Family: Awareness and Training
Practice: AT.L2-3.2.3
Difficulty: Easy
Key evidence: Training records, attendance, course content

What the assessor is actually evaluating

The assessor wants to know two things: (1) Did you teach people what insider threats look like? (2) Do they know how to report it? You don't need a full threat model. You need basic awareness that gets people to recognize patterns like unusual data access, after-hours activity, or someone asking questions about systems outside their job. The training should also make clear that these are indicators to report, not conclusions: employees raise the concern through the reporting channel rather than confronting or investigating a coworker themselves.

The key phrase in the underlying NIST SP 800-171 requirement is "recognizing and reporting potential indicators of insider threat." Your training needs to build both halves: recognition and reporting. This could be part of your general security awareness program, or it could be a standalone module. Length doesn't matter. Content matters.

What a realistic SSP definition looks like

Example SSP Language: AT.L2-3.2.3

All personnel complete insider threat awareness training during onboarding and annually thereafter. Training covers indicators of suspicious behavior (unusual access patterns, data hoarding, policy violations), what qualifies as potential insider threat activity in [Company] context, reporting procedures and escalation paths, and protection of reporters from retaliation.

Training is delivered via [method: video, instructor-led, etc.]. Attendance is tracked in [system]. Content is reviewed annually and updated based on threat environment changes.

How to present your evidence

Evidence checklist
  • Training materials or course outline covering insider threat indicators
  • Attendance or completion records for all personnel (dated)
  • Training schedule or calendar showing regular delivery
  • Sign-off sheets or acknowledgments
  • Course enrollment list (if using an off-the-shelf platform)

Common failures

What gets flagged

Too generic. You have a general "security awareness" training slide that mentions threats generically. Assessors see this all the time. Insider threat needs its own focus. Separate it out or dedicate clear sections to insider threat indicators.

No attendance proof. You have a training presentation but no way to show who took it or when. Track completion dates. A spreadsheet works.

What makes assessors move on satisfied

An annual training calendar, training materials that specifically address insider threats (unusual access, policy violations, reporting), and attendance records showing all current staff completed it in the past 12 months, plus onboarding records for anyone hired since the last annual cycle. Assessors move on quickly from this one.
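The check an assessor will effectively perform is a reconciliation: every active person on the HR roster should have a completion record for the insider threat course dated within the last 12 months, and new hires without a record should still be inside their onboarding window. The script below is an added example, not part of the original page or any training platform's export format. It uses constructed sample data; the course name, the 365-day refresher window, and the 30-day onboarding grace period are assumptions you would replace with your own policy values.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical). In practice, export the roster from HR
# and the completions from your training platform or tracking spreadsheet.
ROSTER = [
    {"id": "e001", "name": "A. Alvarez", "start": date(2021, 3, 1),   "active": True},
    {"id": "e002", "name": "B. Brown",   "start": date(2023, 9, 12),  "active": True},
    {"id": "e003", "name": "C. Chen",    "start": date(2026, 2, 15),  "active": True},   # just hired
    {"id": "e004", "name": "D. Diaz",    "start": date(2022, 6, 20),  "active": False},  # departed
    {"id": "e005", "name": "E. Evans",   "start": date(2020, 1, 15),  "active": True},
    {"id": "e006", "name": "F. Fox",     "start": date(2025, 11, 3),  "active": True},   # past grace
]

COMPLETIONS = [
    {"id": "e001", "course": "Insider Threat Awareness", "completed": date(2025, 6, 10)},
    {"id": "e002", "course": "Insider Threat Awareness", "completed": date(2024, 2, 1)},   # stale
    {"id": "e002", "course": "Phishing Basics",          "completed": date(2025, 9, 1)},   # wrong course
    {"id": "e005", "course": "Insider Threat Awareness", "completed": date(2025, 1, 30)},
    {"id": "e005", "course": "Insider Threat Awareness", "completed": date(2026, 1, 20)},
]

# Assumed policy values; adjust to your SSP.
COURSE = "Insider Threat Awareness"
MAX_AGE = timedelta(days=365)           # annual refresher window
ONBOARDING_GRACE = timedelta(days=30)   # new hires must complete within 30 days of start
AS_OF = date(2026, 3, 1)                # reference date for the check


def latest_completion(records, emp_id, course):
    """Most recent completion of `course` for one employee, or None."""
    dates = [r["completed"] for r in records if r["id"] == emp_id and r["course"] == course]
    return max(dates) if dates else None


def training_status(roster, records, as_of, course=COURSE):
    """Reconcile active roster against completion records.

    Buckets each active employee as current, overdue (last completion older
    than MAX_AGE), onboarding_pending (no record but still within the grace
    period), or never_trained (no record and grace period has elapsed).
    Departed staff are skipped; only the matching course counts.
    """
    report = {"current": [], "overdue": [], "onboarding_pending": [], "never_trained": []}
    for person in roster:
        if not person["active"]:
            continue
        last = latest_completion(records, person["id"], course)
        if last is None:
            bucket = "onboarding_pending" if as_of - person["start"] <= ONBOARDING_GRACE else "never_trained"
        elif as_of - last > MAX_AGE:
            bucket = "overdue"
        else:
            bucket = "current"
        report[bucket].append(person["id"])
    return report


def fully_current(report):
    """True only if nobody is overdue or missing outside their onboarding window."""
    return not report["overdue"] and not report["never_trained"]


if __name__ == "__main__":
    status = training_status(ROSTER, COMPLETIONS, AS_OF)
    for bucket, ids in status.items():
        print(f"{bucket:>19}: {', '.join(ids) or '-'}")
    print("evidence complete:", fully_current(status))
```

Run this before the assessment, not during it. Anyone in `overdue` or `never_trained` is a finding waiting to happen; the `onboarding_pending` list is what you show alongside the onboarding schedule to explain why a recent hire has no completion yet. Note that a completion for a different course (e002's phishing module) does not count, which is exactly the "too generic" failure above.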

If you use an off-the-shelf training platform

Many companies use platforms like KnowBe4, Proofpoint, or Cisco Security Awareness. If your platform includes an "insider threat" or "suspicious behavior" module, that works, provided the module actually covers indicators and your reporting path rather than mentioning insider threats in passing. Show the enrollment list and completion records. Your SSP can reference the platform by name.

If you use an MSP/MSSP

Insider threat awareness training is almost always your responsibility, not your MSP’s. Your MSP might manage the training platform or delivery mechanism, but the content decisions and compliance decisions stay with you. You decide what gets taught about insider threats in your organization. You’re accountable for proving that your personnel received the training.

An MSP might provide a recommended training curriculum or manage enrollment in a third-party platform. If they do, verify that the content covers insider threat recognition and reporting specific to your environment. Sign off on the material before it’s delivered. Document that you reviewed and approved it.

Verify training content

If your MSP manages training delivery or the platform, request a walkthrough of the insider threat module. Confirm it covers suspicious behavior indicators, your organization's reporting procedures, and protection from retaliation. You need to be able to explain the training content to the assessor yourself, even if your MSP manages enrollment.

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q&A: What the assessor asks

Assessor: "Where do employees report if they see suspicious activity?"
You: "They report to their manager or our security contact. We train everyone on the reporting process annually. [Pull up training materials showing reporting section]"

Assessor: "Can you walk me through your most recent training?"
You: "We covered insider threat indicators, unusual access patterns, and reporting procedures. [Pull up attendance record] Here's who completed it and when."

Assessor: "How often do you do this training?"
You: "During onboarding and annually for all staff. [Pull up training schedule] Here's our schedule showing the last two cycles."

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.