How to document security awareness training for your CMMC audit

CMMC requires documented security awareness training. Here's what auditors look for — and what most SAT platforms don't give you by default.

The calendar alert triggers. Your defense industrial base client is 60 days out from a Level 2 CMMC assessment. The Certified Third-Party Assessor Organization (C3PAO) has sent the initial documentation request list. Right there in the Awareness and Training (AT) domain: prove your security awareness training meets the mandate.

You know the client's staff completed the modules. Finding the evidence is the problem. Building the required reports means pulling raw CSVs, cross-referencing HR rosters, and mapping individual courses to specific Department of Defense controls. The stakes are real. Missing documentation can lead to a failed certification, which may result in lost DoD contracts and strained supply chain relationships.

This post covers what CMMC requires for security awareness training documentation, what auditors look for when they ask for it, and what most SAT platforms don't give you by default.

What CMMC Requires for Security Awareness Training

The Cybersecurity Maturity Model Certification (CMMC) dictates strict parameters for awareness and training. The framework defines exact controls, scopes, and enforcement mechanisms.

Citations: Derived from NIST SP 800-171 §3.2. Level 2 practices are AT.L2-3.2.1 (security awareness), AT.L2-3.2.2 (role-based training), AT.L2-3.2.3 (insider threat awareness).

Scope: All personnel handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). Role-based training (3.2.2) applies specifically to personnel with significant security responsibilities.

Frequency: Annual refresher at minimum; ongoing reinforcement expected.

Content requirements: General awareness (3.2.1), role-based security training for those with significant security roles (3.2.2), and insider threat awareness (3.2.3). Role-based training is the most common failure point in CMMC assessments.

Retention: Align to DoD record retention requirements in your specific contract; consult your contracting officer or C3PAO.

Assessor: C3PAO (Certified Third-Party Assessor Organization). Phase 1 enforcement began late 2025.

What Auditors Actually Look For

When a C3PAO assessor evaluates a training program, they test operational reality. They follow a strict assessment guide. They do not accept verbal confirmation. They want evidence.

First, they look for program evidence. This means reviewing your written policy and curriculum to ensure it maps exactly to the AT.L2 practices. If your curriculum covers generic phishing but ignores insider threat awareness, you fail AT.L2-3.2.3.

Next, they demand per-person records. Assessors pull the Active Directory roster of every user who interacts with CUI or FCI. They sample that list. They demand training logs for those exact names. They check scope coverage. If a user has elevated system privileges, the assessor looks specifically for AT.L2-3.2.2 role-based training records. General awareness is not enough for admins.

They look for cadence evidence. Annual training is the floor. Assessors expect ongoing reinforcement throughout the year. They want a timeline of continuous engagement, proving the workforce receives regular updates on current threats.

Finally, they look at the response to identified issues. If a user repeatedly fails a simulated phishing test, the system must show a response. Recording the click is not enough. The documentation must show the subsequent remedial training. The assessor wants proof that human risk triggers an operational correction.

What Most SAT Platforms Give You by Default

The security awareness training category produces data. It rarely produces evidence. Most SAT platforms function as campaign distribution tools.

They output raw completion reports. They show per-campaign phishing results, isolating exactly who failed a test on a given day. They build dashboards with aggregate percentages. For an MSP operator preparing for a C3PAO review, this is raw material. It requires manual labor to become evidence.

What these platforms typically do not produce in an audit-ready format are framework-mapped reports specific to CMMC. They lack evidence bundles that combine initial training, ongoing phishing performance, and policy acknowledgements into a single user timeline. They do not generate date-range-scoped exports that cleanly match the specific assessment window.

Instead, the MSP does the reconciliation by hand. You export the directory roster. You export the training logs. You match the workforce against completions to prove no CUI handler was missed. You have become the reconciliation engine. The platform logs the activity, but you carry the burden of proving compliance.

The output is a standard spreadsheet. It lacks the integrity-hashed PDF artifacts assessors prefer to verify the data hasn't been modified post-export.

Your CMMC Training Documentation Checklist

To survive a C3PAO assessment without losing days to manual data formatting, your evidence must be precise. Build your documentation bundle using this scannable checklist.

Per-person records:

  • Full legal name and employee ID

  • Organizational role or title

  • Date of CUI/FCI access authorization

  • Training completions with exact dates and timestamps

  • Content mapping (explicitly tying modules to general awareness, role-based training, and insider threats)

  • Information security policy acknowledgements with signature dates

  • Refresher evidence (timestamps for ongoing continuous reinforcement)

  • Response to identified needs (remedial training dates triggered by simulation failures)

Program-level artifacts:

  • Written security awareness and training policy

  • Scope statement defining the personnel handling CUI/FCI

  • Complete curriculum overview mapping back to NIST SP 800-171 §3.2

  • Evidence of continuous delivery (campaign and refresher dates across the assessment window)

Retention:

  • Retain all records according to the DoD requirements specified in your contract.
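An added illustration of the roster-to-completion reconciliation the checklist calls for (example code written for this post, not Kinds' product or any SAT platform's export format). The CSV rows and the module-to-practice mapping are constructed; it scopes completions to the assessment window, requires AT.L2-3.2.2 only for privileged users, and appends a SHA-256 to the report so the export can be verified later.

```python
import csv, hashlib, io

# Constructed sample data (no real tenant): an HR/AD roster and the SAT platform's raw completion export.
ROSTER_CSV = """employee_id,name,role,handles_cui,privileged
1001,A. Rivera,Engineer,yes,no
1002,B. Chen,SysAdmin,yes,yes
1003,C. Okafor,Sales,no,no
1004,D. Patel,Engineer,yes,no
"""
COMPLETIONS_CSV = """employee_id,module,completed
1001,General Awareness,2025-03-02
1001,Insider Threat,2025-03-02
1002,General Awareness,2025-02-11
1002,Insider Threat,2025-02-11
1004,General Awareness,2024-01-15
"""
# Hypothetical module names mapped to the AT.L2 practices the assessor checks.
MODULE_TO_PRACTICE = {
    "General Awareness": "AT.L2-3.2.1",
    "Privileged User Training": "AT.L2-3.2.2",
    "Insider Threat": "AT.L2-3.2.3",
}

def evidence_gaps(roster_csv, completions_csv, window_start, window_end):
    """Return {employee_id: [missing practice ids]} for in-scope (CUI-handling) personnel."""
    completed = {}
    for row in csv.DictReader(io.StringIO(completions_csv)):
        # ISO-8601 dates compare correctly as strings; only completions inside the window count.
        if window_start <= row["completed"] <= window_end:
            completed.setdefault(row["employee_id"], set()).add(MODULE_TO_PRACTICE[row["module"]])
    gaps = {}
    for person in csv.DictReader(io.StringIO(roster_csv)):
        if person["handles_cui"] != "yes":
            continue  # out of scope for the AT domain
        required = {"AT.L2-3.2.1", "AT.L2-3.2.3"}
        if person["privileged"] == "yes":
            required.add("AT.L2-3.2.2")  # role-based training for admins
        missing = sorted(required - completed.get(person["employee_id"], set()))
        if missing:
            gaps[person["employee_id"]] = missing
    return gaps

def report_with_hash(gaps):
    # Render the gap list and append a SHA-256 of the body as the integrity footer.
    body = "\n".join(f"{eid}: missing {', '.join(m)}" for eid, m in sorted(gaps.items())) + "\n"
    return body + "sha256: " + hashlib.sha256(body.encode()).hexdigest()

def verify_report(report):
    body, _, digest = report.rpartition("sha256: ")
    return hashlib.sha256(body.encode()).hexdigest() == digest
```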

Modern managed SAT platforms can generate this documentation automatically. Kinds, for example, produces CMMC-mapped PDF reports scoped by date range and workforce selection, with SHA-256 integrity hashes embedded in the footer so auditors can verify the report hasn't been modified. But whatever platform you use, the checklist above is what your documentation should include. If your current platform can't produce this without manual reconciliation, you have a documentation problem, not a training problem.

Related Frameworks

Organizations subject to CMMC often also deal with NIST 800-53 and ISO 27001. For related guidance, see the posts on those frameworks.

This post describes general patterns in CMMC training documentation. It is not legal or compliance advice. Confirm specific obligations with your compliance advisor, assessor, or relevant contracting officer.

Always automated.
Nothing to manage.

Leave Training & Simulated Phishing to us.


© 2026 Kinds Security Inc. All rights reserved.
