Skip to content

CMMC Training Requirements

 

Learn about training requirements under CMMC, frequency of training, senior official affirmation requirements, the False Claims Act and CMMC compliance attestations, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What security awareness and training requirements must employees meet under CMMC Level 2? 

 

Summary: CMMC Level 2 requires all personnel with access to organizational information systems and CUI to receive security awareness training addressing security risks, applicable organizational policies and procedures, and specific threats including social engineering and phishing, under Awareness and Training (AT) domain requirements 3.2.1, 3.2.2, and 3.2.3 of NIST SP 800-171 Rev 2. 

Training must be role-specific: system administrators and security personnel have different training requirements from general staff with standard user access. At minimum, all personnel must be trained on how to identify, handle, mark, and protect CUI; how to recognize and report phishing, social engineering, and suspicious activity; the organization’s acceptable use, incident response, and access control policies; and the consequences of non-compliance. 

Training records, including dates, content, and personnel who completed training, must be maintained as evidence for CMMC assessment. New employees must complete training before being granted access to in-scope systems. Training must be updated when policies change or new threats emerge. 

 

How often must security awareness training be conducted under CMMC Level 2? 

 

NIST SP 800-171 Rev 2 requires security awareness training when personnel are first assigned to a role involving access to organizational information systems, and when assigned to a new role, with the organization defining a recurring frequency in its training policy, the DoD’s published Organization-Defined Parameters for NIST SP 800-171 Rev 2 establish annual training as the expected cadence. 

Annual training means at minimum once every 12 months per employee, with documentation of completion. Organizations should also provide ad-hoc training following significant changes to policies, when new threats emerge, or following a security incident. Training completion records, including employee name, training content, date, and completion confirmation, must be retained and available as evidence during C3PAO assessments. 

A training program with no documented completion records fails this domain regardless of how thorough the content is. Organizations should maintain a formal training calendar and automate completion tracking where possible to ensure consistent annual compliance.

 

Who inside the organization is responsible for owning CMMC compliance? 

 

Summary: CMMC compliance requires a designated internal owner, typically a senior IT or security professional such as a CISO, IT Director, or designated CMMC Compliance Lead,  who has the organizational authority, budget access, and cross-functional relationships needed to implement, coordinate, and maintain all 110 NIST SP 800-171 Rev 2 controls across the entire assessment scope. 

Distributing CMMC responsibility across multiple departments without a single accountable owner is one of the most common organizational gaps that derails compliance programs. The compliance owner must have direct access to the executive team and the ability to escalate security issues and resource needs. Their responsibilities include: overseeing development and maintenance of the SSP; coordinating across IT, legal, HR, operations, and procurement; managing the gap analysis and remediation process; engaging and managing the RPO or C3PAO relationship; ensuring annual affirmations are filed accurately in SPRS; and maintaining an audit-ready evidence posture between assessment cycles. 

In organizations too small to employ a dedicated security professional, this function is often outsourced to a CMMC Registered Practitioner (RP) through a Registered Practitioner Organization (RPO) under a formal engagement agreement.

 

What is the senior official affirmation requirement under CMMC and what personal legal liability does it create? 

 

Summary: The CMMC program requires a senior company official, defined under 32 CFR Part 170 as an Affirming Official (AO) who is a senior executive of the Organization Seeking Certification, to personally affirm annually that the organization’s CMMC self-assessment or certification results in SPRS are accurate and that the organization is maintaining compliance at the required level. 

This affirmation is not an administrative checkbox, it creates direct personal legal liability under the False Claims Act (31 U.S.C. §§ 3729–3733). When a senior official affirms compliance in SPRS, they are making a certification to the U.S. government that is subject to civil and criminal penalties if knowingly false. 

The Department of Justice has used the False Claims Act to pursue cybersecurity misrepresentation cases against defense contractors, with settlements reaching millions of dollars. The individual executive who signed the affirmation can face personal civil liability in addition to corporate liability. Senior executives, CFOs, COOs, CEOs, who are asked to affirm CMMC compliance must ensure they have a clear understanding of the organization’s actual security posture before signing. Signing an affirmation based solely on an IT team’s assurances without independent review represents significant personal legal risk.

 

How does the False Claims Act (FCA) apply to CMMC compliance attestations? 

 

Summary: The False Claims Act (31 U.S.C. §§ 3729–3733) applies to CMMC compliance attestations because any knowing misrepresentation of cybersecurity compliance status in SPRS, including inflated self-assessment scores, affirmed compliance that does not reflect actual security posture, or false statements about CMMC status, constitutes a false claim against the federal government subject to civil and criminal penalties. 

The FCA allows the federal government and private whistleblowers (qui tam relators) to bring civil fraud claims against contractors who knowingly submit false claims or statements to obtain government payment or contract awards. Under CMMC, each contract award or renewal for which CMMC compliance is a condition represents a potentially actionable false claim if the contractor’s attested compliance status is materially inaccurate. 

Civil penalties under the FCA currently range from approximately $13,900 to $27,900 per false claim, plus treble damages. Criminal penalties for willful violations can include up to 10 years imprisonment per count. The Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, specifically targets cybersecurity compliance misrepresentation in federal contracting. The $9 million settlement against Aerojet Rocketdyne in 2023 for cybersecurity misrepresentation signals that DoJ actively enforces these obligations.

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties