3.2 — Awareness & Training

Awareness & Training (AT) Policy

Ensures all OCSI personnel are aware of cybersecurity risks and trained in their responsibilities for protecting CUI — covering 3 controls per NIST SP 800-171 Rev 2.

Family: 3.2 — Awareness & Training
Controls: 3
Owner: Sandra O. Floyd
Last Review: April 3, 2026

SELF-ASSESSMENT

Control statuses below reflect an internal self-assessment prepared with AI assistance. Statuses marked "Implemented" may be organizational claims without verifiable evidence. See POA&M for known gaps.

Policy Statement

OCSI shall ensure that all personnel are aware of cybersecurity risks associated with their activities and that they are adequately trained to carry out their assigned information security-related duties and responsibilities.

Control Implementation

| Control | Requirement | Implementation | Status |
|---|---|---|---|
| 3.2.1 | Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems | NOT IMPLEMENTED. No formal security awareness training program exists. No training platform, no completion tracking, no CUI handling orientation. This is an organizational requirement that must be established. | Not Implemented |
| 3.2.2 | Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities | NOT IMPLEMENTED. No role-specific security training program. No documented training materials for Command Center administrators or CUI data handlers. | Not Implemented |
| 3.2.3 | Provide security awareness training on recognizing and reporting potential indicators of insider threat | NOT IMPLEMENTED. No insider threat awareness program. No training materials or assessment mechanism. | Not Implemented |

Training Schedule (Planned — Not Yet Initiated)

Action Required: None of the training activities below have been initiated. A training program must be established before CMMC assessment.

  • New Hire: CUI handling orientation within first week of employment — not yet created
  • Quarterly: Security briefing with external MSSP — MSSP not yet engaged
  • Annual: Full cybersecurity awareness training with assessment — not yet created
  • Annual: Insider threat awareness training — not yet created
  • As Needed: Role-specific training upon system or policy changes

Evidence Gap: No training completion records exist. No briefing attendance logs. This entire control family requires implementation from scratch.