CMMC Level 2 practice AT.L2-3.2.3, rooted in NIST SP 800-171 Rev 2 requirement 3.2.3, mandates that organizations identify potential indicators associated with insider threats and provide security awareness training to both managers and employees on recognizing and reporting those indicators. Insider threats include current or former employees, contractors, or business partners who misuse authorized access to harm the organization's systems, data, or mission — whether through intentional espionage, sabotage, theft of CUI, or unintentional negligence. The training must address behavioral indicators such as unusual access patterns, expressed grievances, financial stress signals, or attempts to bypass security controls, as well as technical indicators like unauthorized data exfiltration or off-hours system access. Organizations must ensure this training reaches the entire user population — not just IT staff — because any authorized user can become an insider threat vector. This practice complements personnel security screening (NIST SP 800-171 §3.9) by keeping the workforce vigilant throughout the employment lifecycle, not just at onboarding.
Where it stops · what it isn't
- Does not require organizations to implement a full Insider Threat Program (ITP) with dedicated monitoring tools or a formal insider threat working group, which is a higher-maturity expectation beyond Level 2
- Does not cover technical controls for detecting insider threats such as User and Entity Behavior Analytics (UEBA), data loss prevention (DLP) systems, or privileged access monitoring — those fall under audit (AU) and access control (AC) domains
- Does not address pre-employment background investigation or personnel screening processes, which are covered under Personnel Security (PS) practices 3.9.1 and 3.9.2
- Does not mandate specific reporting structures such as a hotline or anonymous tip system, though those are recommended enabling conditions
- Does not replace or substitute for general security awareness training required under AT.L2-3.2.1; insider threat awareness is an additive, specialized component