Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

How to Create a CMMC Training Program

Building a CMMC-compliant training program does not require a massive budget or dedicated training staff. Small defense contractors can create effective programs using available resources and a systematic approach. This guide walks you through creating a training program that satisfies CMMC requirements and actually improves your security.

CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s mandatory cybersecurity program for defense contractors.

The key is starting with clear objectives, developing relevant content, and maintaining documentation that proves your program works.

Step 1: Define Your Training Requirements

Before creating content, understand what your program must accomplish:

Identify Your Audience

List everyone who needs training:

  • Employees with CUI system access
  • Contractors and temporary workers
  • IT and system administrators
  • Managers and supervisors
  • Remote workers

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection.

Map Roles to Training Needs

Different roles need different training:

RoleTraining Focus
All usersGeneral awareness, phishing, CUI handling
IT staffSecure configuration, access management, and incident response
ManagersPolicy enforcement, security oversight, and reporting
CUI handlersMarking, storage, transmission, destruction
Remote workersHome office security, VPN usage, travel security

Document Requirements

Create a training policy that specifies:

  • Who must complete training
  • What topics must be covered
  • When training must occur (initial, annual, triggered)
  • How completion is tracked
  • Consequences for non-completion

Step 2: Develop or Acquire Training Content

You have several options for training content:

Option 1: Commercial Training Platforms

Third-party platforms offer ready-made content:

Pros:

  • Professional, engaging content
  • Regularly updated for new threats
  • Built-in tracking and reporting
  • Phishing simulation included

Cons:

  • Monthly or annual subscription costs
  • May need customization for CUI-specific topics
  • Generic content not tailored to your environment

Popular platforms:

  • KnowBe4
  • Proofpoint Security Awareness
  • SANS Security Awareness
  • Infosec IQ
  • Ninjio

Cost: Typically $15-50 per user per year

Option 2: In-House Development

Create your own training materials:

Pros:

  • Customized to your specific environment
  • No ongoing subscription costs
  • Can address your exact policies and procedures
  • Employees see real examples from your organization

Cons:

  • Time investment to create content
  • Requires updating when threats evolve
  • May lack professional production quality
  • No built-in phishing simulation

Resources for in-house development:

  • CISA cybersecurity awareness resources (free)
  • NIST cybersecurity awareness materials
  • DoD Cyber Awareness Challenge (free for contractors)
  • Industry-specific templates

Option 3: Hybrid Approach

Many organizations combine approaches:

  • Commercial platform for general awareness and phishing simulation
  • Custom modules for CUI handling and organization-specific policies
  • In-person sessions for role-based training

This balances professional content with necessary customization.

Step 3: Structure Your Training Program

Organize training into logical components:

Initial Training (New Hire)

Delivered before granting CUI system access:

  • General security awareness (60-90 minutes)
  • Organization security policies (30 minutes)
  • CUI handling procedures (30 minutes)
  • Role-specific training (varies by role)
  • Acknowledgment of responsibilities

Annual Refresher Training

Reinforces key concepts and covers new threats:

  • Updated awareness content (30-60 minutes)
  • New threat briefing
  • Policy changes review
  • Knowledge assessment

Specialized Training

Additional training for specific roles or situations:

  • IT administrator security training
  • Incident response team training
  • Manager of security oversight training
  • Travel security briefing

Continuous Awareness

Ongoing reinforcement between formal training:

  • Monthly security tips via email
  • Quarterly phishing simulations
  • Posters and visual reminders
  • Security topics in team meetings

Step 4: Deliver Training Effectively

How you deliver training affects its impact:

Online Training

Self-paced modules completed individually:

  • Flexible scheduling for employees
  • Consistent content delivery
  • Automatic tracking and reporting
  • Works well for distributed workforces

Best practices:

  • Keep modules under 15-20 minutes
  • Include interactive elements
  • Require passing quiz scores
  • Set completion deadlines

In-Person Training

Live sessions with the instructor:

  • Allows questions and discussion
  • Better for complex or sensitive topics
  • Builds security culture through interaction
  • Effective for role-based training

Best practices:

  • Keep sessions under 60 minutes
  • Use real examples and scenarios
  • Include hands-on exercises
  • Document attendance

Lunch and Learn Sessions

Informal sessions during lunch breaks:

  • Less formal than required training
  • Good for emerging threats and timely topics
  • Builds security culture
  • Supplements formal program

Step 5: Test Knowledge and Behavior

Verify training effectiveness through assessment:

Knowledge Quizzes

Test comprehension after training:

  • Include questions on key topics
  • Require minimum passing score (typically 80%)
  • Provide immediate feedback
  • Require remediation for failures

Phishing Simulations

Test real-world application:

  • Send realistic simulated phishing emails
  • Vary difficulty and techniques
  • Track click rates and report rates
  • Provide immediate coaching for those who fail
  • Run monthly or quarterly

Practical Exercises

Test hands-on skills:

  • CUI handling scenarios
  • Incident reporting practice
  • Physical security checks

Metrics to Track

MetricTarget
Training completion rate100%
Average quiz score>85%
Phishing click rate<5%
Phishing report rate>70%
Time to complete trainingWithin deadline

Step 6: Maintain Documentation

CMMC assessors need evidence that your program operates:

Training Policy

Document that specifies:

  • Training requirements by role
  • Frequency requirements
  • Content requirements
  • Tracking and enforcement procedures

Training Materials

Retain copies of:

  • Presentation slides
  • Training videos or modules
  • Handouts and reference materials
  • Quiz questions and answers

Completion Records

For each training event, document:

  • Employee name
  • Training completed
  • Date completed
  • Score (if assessed)
  • Acknowledgment signature

Program Records

Maintain records of:

  • Training schedule
  • Phishing simulation results
  • Program improvements made
  • Annual program review

Step 7: Continuously Improve

Review and enhance your program regularly:

Annual Program Review

Each year, evaluate:

  • Training completion rates
  • Assessment scores and trends
  • Phishing simulation results
  • Security incident patterns
  • Employee feedback
  • New threats requiring coverage

Update Content

Refresh training when:

  • New threats emerge
  • Policies change
  • Technology changes
  • Assessment reveals gaps
  • Regulations update

Benchmark Performance

Compare your metrics to industry standards:

  • Average phishing click rates
  • Training completion benchmarks
  • Incident rates per employee

Sample Training Calendar

A practical training schedule for small organizations:

MonthActivity
JanuaryAnnual awareness training begins
FebruaryPhishing simulation #1
MarchIT staff role-based training
AprilSecurity newsletter
MayPhishing simulation #2
JuneManager of security training
JulyMid-year awareness refresher
AugustPhishing simulation #3
SeptemberInsider threat training
OctoberCybersecurity Awareness Month activities
NovemberPhishing simulation #4
DecemberAnnual program review

Key Takeaways

Creating a CMMC training program requires defining your requirements, developing or acquiring appropriate content, delivering training effectively, and documenting everything. You do not need expensive solutions—many effective programs combine commercial platforms with custom content.

Test knowledge through quizzes and phishing simulations. Track metrics to demonstrate program effectiveness. Review and improve annually based on results and emerging threats.

Start simple and build over time. A basic program that operates consistently beats an elaborate program that never launches.

Related Articles:

Official Sources: This article is based on NIST SP 800-171 Revision 2, NIST SP 800-50, and industry best practices for security awareness training programs.

Need help building your CMMC training program? Contact Greypike for expert guidance on Level 1 and Level 2 certification, or get started with Obolix to streamline your compliance journey.

Tags:
Table of Contents