
CMMC Compliance Training: What DoD Contractors Need to Know


CMMC compliance training is the annual cybersecurity awareness instruction every defense contractor employee must complete to meet the Awareness and Training domain of the Cybersecurity Maturity Model Certification. Under CMMC 2.0 Level 2, all users, managers, and system administrators who touch Controlled Unclassified Information must be trained on the specific threats to their roles and the policies that protect CUI — and that training must be documented well enough to survive a third-party audit.

If your company has a DoD contract or subcontract on the books past November 10, 2026, this is no longer an optional line item.

What Is CMMC and Why Does Training Sit at the Center of It?

The Cybersecurity Maturity Model Certification, or CMMC, is the Department of Defense’s framework for verifying that contractors actually protect the sensitive information they handle — not just that they claim to. CMMC 2.0 has three levels. Level 1 covers Federal Contract Information and maps to 17 basic safeguards. Level 2 covers Controlled Unclassified Information and maps to all 110 controls in NIST SP 800-171. Level 3 adds 24 enhanced controls from NIST SP 800-172 for contractors working on programs the DoD considers high-risk targets.

The training requirement shows up across all three levels, but it bites hardest at Level 2. Practice AT.L2-3.2.1 (historically labeled AT.2.056) requires that managers, system administrators, and end users be made aware of the security risks tied to their activities and the policies, standards, and procedures that govern those activities. Practice AT.L2-3.2.2 adds role-based training — meaning your IT admins need different training than your shipping clerks. A good starting point for any workforce is a general password security and cybersecurity fundamentals course, which covers the authentication hygiene auditors will ask about first.

Here is what tends to surprise contractors on their first assessment: the training control is not scored on whether employees finished the course. It’s scored on whether you can hand a C3PAO assessor a dated, named, role-tagged record showing each person completed training tied to documented policies. If the records are a mess, the control fails — even if every employee actually watched the videos.

Who Has to Be Trained, and How Often?

Everyone with access to your information systems needs baseline security awareness training. That includes full-time employees, part-time staff, contractors, interns, and — this trips people up — anyone with a login to a network that processes CUI. If your accounting department can reach a shared drive that has a single CUI file on it, accounting is in scope.

The training cadence is annual at minimum. NIST SP 800-171 Rev. 2 calls for “periodic” training, and the DoD’s interpretation in CMMC Level 2 assessments has consistently landed on once per year, plus additional training when a user’s role changes or when a significant threat emerges (say, a ransomware wave targeting your sector). Some contractors run a short monthly refresher on top of the annual course to keep phishing recognition sharp. That’s not a requirement — it’s a reasonable hedge.

Role-based training is where most contractors underinvest. A help desk technician with privileged credentials needs training specific to privileged access, secure configuration, and incident handling. A finance manager needs training on social engineering and wire fraud. Generic “cybersecurity awareness” content covers the floor, but it doesn’t satisfy AT.L2-3.2.2 on its own. For staff in trusted positions with access to sensitive data or systems, an insider threat awareness course is the kind of targeted content assessors expect to see tied to specific job roles.

What Does CMMC 2.0 Level 2 Actually Require for Training Content?

Every compliant training program hits four things. First, the material has to cover the specific security risks associated with your employees’ actual work — not a generic deck that could apply to any industry. Second, it has to tie directly to your written policies. If your Acceptable Use Policy forbids personal USB drives, your training has to teach employees what your Acceptable Use Policy says. Third, it has to include the procedures for recognizing and reporting indicators of insider threat. Fourth, it has to be updated annually to reflect new threats.

The DoD doesn’t prescribe a specific course or vendor. A self-built deck delivered over Zoom can meet the requirement — technically acceptable — but it’s brittle under audit because completion tracking is manual and policy updates fall behind. That’s why most contractors use a learning management system. The LMS handles enrollment, completion tracking, quiz scoring, and auto-assignment by role, and it produces the signed completion records assessors want to see.

One overlooked piece: ethics and conduct training. CUI mishandling is frequently not a technical failure but a behavioral one — an employee emails a CUI attachment to a personal Gmail to work over the weekend. A workplace ethical decision-making course helps frame the “why” behind the policy, which tends to move compliance from grudging to genuine. Assessors don’t require it by name, but it shores up the culture piece that AT.L2-3.2.1 gestures toward.

What Does the Training Record Look Like During an Assessment?

A Certified Third-Party Assessment Organization (C3PAO) will ask for three artifacts when they evaluate your training controls. The first is the training content itself — they want to see the slide deck, the course outline, or the LMS module. The second is evidence of delivery — attendance logs, LMS completion reports, or signed acknowledgment forms. The third is the policy that governs all of it — a written security awareness and training policy that says who gets trained, on what, how often, and how you handle non-completers.

Small contractors often stumble on artifact three. They run the training, they track completions, but they never formalize the policy. That gap alone can fail AT.L2-3.2.1 — not because the training didn’t happen, but because there’s no documented requirement saying it had to. Spend a day writing a two-page policy. The return on that day is enormous.

Record retention matters too. The DoD’s CUI rules require records to be kept for the duration of the contract plus at least three years, and assessors will ask to see prior-year records to confirm the annual cadence. If your LMS purges old completions after 12 months, you have a compliance problem you don’t know about yet.
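The three artifacts above, the 12-month cadence and the retention window all reduce to checks you can run against an LMS completion export before the assessor does. The script below is an added example written for this article, not code from Coggno or from any LMS; the export rows, the in-scope user list, the course names and the role-to-course mapping are all constructed for illustration. It flags records that are not dated, named, role-tagged and policy-tied, users with no baseline or role-based completion inside the last 365 days, and an LMS purge window shorter than contract end plus three years.

```python
from datetime import date, timedelta

# Constructed sample LMS export (not real data): one row per completion.
# A defensible record is dated, named, role-tagged and tied to a policy.
SAMPLE_RECORDS = [
    {"user": "a.rivera", "role": "admin", "course": "baseline-awareness",
     "completed": "2025-03-02", "policy": "SAT-POL v2"},
    {"user": "a.rivera", "role": "admin", "course": "privileged-user",
     "completed": "2025-03-05", "policy": "SAT-POL v2"},
    {"user": "b.chen", "role": "finance", "course": "baseline-awareness",
     "completed": "2024-01-15", "policy": "SAT-POL v1"},   # older than a year
    {"user": "c.okafor", "role": "admin", "course": "baseline-awareness",
     "completed": "2025-06-20", "policy": ""},              # not tied to a policy
    # d.patel (engineer) has no completion record at all
]

# Everyone with a login on the CUI network is in scope (constructed list).
IN_SCOPE_USERS = {"a.rivera": "admin", "b.chen": "finance",
                  "c.okafor": "admin", "d.patel": "engineer"}

# Hypothetical role-based courses required on top of baseline (AT.L2-3.2.2).
ROLE_COURSES = {"admin": "privileged-user", "finance": "wire-fraud-social-eng"}

BASELINE = "baseline-awareness"
ANNUAL = timedelta(days=365)
RETENTION_AFTER_CONTRACT = timedelta(days=3 * 365)
REQUIRED_FIELDS = ("user", "role", "course", "completed", "policy")


def audit_training(records, in_scope, as_of, contract_end, lms_retention_days):
    """Return a sorted list of finding strings; an empty list means clean."""
    findings = []
    latest = {}  # (user, course) -> most recent completion date

    for r in records:
        # Record-quality check: every field an assessor will look for is present.
        missing = [k for k in REQUIRED_FIELDS if not r.get(k)]
        if missing:
            findings.append(f"{r.get('user', '?')}/{r.get('course', '?')}: "
                            f"record missing {','.join(missing)}")
        try:
            done = date.fromisoformat(r["completed"])
        except (KeyError, ValueError):
            continue  # undated rows were already reported above
        key = (r["user"], r["course"])
        if key not in latest or done > latest[key]:
            latest[key] = done

    # Cadence check: baseline for everyone, plus the role-based course where one applies.
    for user, role in in_scope.items():
        required = [BASELINE]
        if role in ROLE_COURSES:
            required.append(ROLE_COURSES[role])
        for course in required:
            done = latest.get((user, course))
            if done is None:
                findings.append(f"{user}: no completion record for {course}")
            elif as_of - done > ANNUAL:
                findings.append(f"{user}: {course} completed {done.isoformat()}, "
                                f"older than 12 months")

    # Retention check: the LMS must keep records until contract end + 3 years.
    required_days = (contract_end + RETENTION_AFTER_CONTRACT - as_of).days
    if lms_retention_days < required_days:
        findings.append(f"LMS purges after {lms_retention_days} days; "
                        f"need at least {required_days}")
    return sorted(findings)


def run_sample():
    """Audit the constructed export as of a fixed date with a 12-month purge window."""
    return audit_training(SAMPLE_RECORDS, IN_SCOPE_USERS,
                          as_of=date(2025, 9, 1),
                          contract_end=date(2026, 9, 30),
                          lms_retention_days=365)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it against a real export by replacing the constructed rows with your LMS CSV and the in-scope dictionary with your identity provider's user list; the point is that every finding it prints is one the assessor would otherwise find for you.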

How Long Does It Take to Stand Up a Compliant Training Program?

Most DoD contractors need 30 to 90 days to go from “we have nothing” to “we have a defensible training program,” assuming you’re using an off-the-shelf LMS and licensed content. The timeline breaks down roughly like this: one week to draft and approve the security awareness policy, two to four weeks to select and roll out an LMS, two to four weeks to assign and complete the baseline courses across the workforce, and another two weeks to build out role-specific assignments for privileged users, developers, and finance.

The six-to-twelve-month timeline you see quoted in CMMC prep articles refers to the entire Level 2 control set — the 110 NIST 800-171 controls, not just training. Training is one of the faster domains to close, which is why most consultants suggest starting there. It builds early wins and gives your workforce the context they need for the harder technical controls coming next.

For contractors handling hazardous materials in addition to CUI — think defense logistics and supply — the security awareness training requirements stack. Workers shipping DoD goods also need 49 CFR hazardous materials security awareness training, which has its own three-year refresh cadence under DOT rules. Keeping both programs on the same LMS simplifies the audit trail for both assessors.

What Are the Penalties for Falling Short?

CMMC doesn’t impose direct fines the way OSHA does. The consequences are contractual and commercial. After November 10, 2026, contracting officers will require Level 2 certification by default for any solicitation that involves CUI. A contractor without a valid certificate isn’t penalized — they’re simply ineligible to bid. For primes losing the ability to compete on DoD work, that’s effectively the harshest fine possible.

There’s a second exposure lane: the False Claims Act. Since the DOJ’s Civil Cyber-Fraud Initiative launched in late 2021, contractors who’ve attested to meeting DFARS 252.204-7012 cybersecurity requirements (which overlap heavily with CMMC Level 2) and then failed to actually meet them have faced FCA settlements ranging from several hundred thousand to tens of millions of dollars. A missing or sloppy training program is exactly the kind of gap that becomes evidence of a material misrepresentation in an FCA case.

Get Your Team Trained — Without the Paperwork Headache

Building a CMMC-aligned training program doesn’t require custom content or a six-figure budget. Coggno’s marketplace has the role-based cybersecurity, insider threat, and ethics courses DoD contractors use to meet AT.L2-3.2.1 and AT.L2-3.2.2, with automatic completion tracking and audit-ready records.

Start with Cybersecurity and Password Security as your baseline awareness course for all employees. Add Minimizing Insider Threats for staff with privileged access or CUI responsibilities. Round out the behavioral side with Ethical Decision Making in the Workplace so the “why” lands alongside the “what.”

Frequently Asked Questions About CMMC Compliance Training

Is CMMC training required for all DoD contractors?

Yes, for any contractor whose contract flows down DFARS 252.204-7021 (the CMMC clause). Level 1 contractors handling only Federal Contract Information need basic awareness training. Level 2 contractors handling Controlled Unclassified Information need role-based training plus documented policies and records. Level 3 contractors add enhanced training tied to APT defense.

How often does CMMC awareness training need to be completed?

At least annually. The DoD’s interpretation of “periodic” training under NIST SP 800-171 has consistently landed on 12-month refresh cycles, and C3PAO assessors will ask for records showing each employee completed training within the past year. Additional training is required when an employee’s role changes or when a new significant threat emerges.

Does CMMC require a specific training provider?

No. The DoD does not endorse or require a specific vendor. You can build content internally, use open-source materials, or license courses from a training marketplace. What matters is that the content is tied to your documented policies, covers the specific risks of your employees’ roles, and produces auditable completion records.

What happens if an employee refuses to complete CMMC training?

You need a written policy covering non-completion — typically loss of network access until training is finished. Assessors will ask how you handle non-completers, and “we just keep reminding them” is not an acceptable answer. Most contractors tie training completion to continued access privileges and make that link explicit in the security awareness policy.

Do contractors at CMMC Level 1 need formal training records?

Level 1 is a self-assessment rather than a third-party audit, but the training control (3.2.1) still applies. You need records sufficient to demonstrate annual training happened if DoD ever audits your self-attestation, and False Claims Act exposure applies even at Level 1. Treat the records the same as you would for Level 2.

How much does a CMMC training program typically cost?

For a contractor with 25 to 200 employees, off-the-shelf courseware runs roughly $5 to $25 per seat per year for baseline awareness content, plus $50 to $200 per seat for role-based privileged user training. LMS fees add another $3 to $12 per user per month at small-business scale. Custom-built content costs more upfront but is usually not worth it until you’re over 500 seats.

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.