NIST SP 800-171 Rev 2 practice 3.2.1 requires organizations to ensure that all personnel who access systems containing CUI — including managers, system administrators, and general users — are made aware of the security risks associated with their specific activities. This includes identifying the applicable policies, standards, and procedures governing system security and ensuring those are communicated to relevant personnel. Awareness is distinct from formal training: it is the continuous process of keeping personnel informed about threats, vulnerabilities, and behavioral expectations as they relate to CUI handling. The practice demands that risk identification be tied to organizational roles and system functions, not delivered as generic content. Compliance requires documented evidence that awareness activities occurred and that the content addressed both risk and policy dimensions.
Where it stops · what it isn't
- Does not require role-based security training with measurable competency outcomes — that is covered by AT-L2-3.2.2
- Does not address insider threat awareness specifically — that is covered by AT-L2-3.2.3
- Does not govern personnel screening or vetting prior to system access — that falls under PS-L2-3.9.1
- Does not require awareness of physical security controls unless those controls directly relate to CUI system access
- Does not mandate specific delivery formats such as computer-based training, in-person sessions, or video — format is left to organizational discretion
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: domain/awareness-and-training