CMMC training is critical for healthcare organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) as part of Department of Defense (DoD) contracts. With enforcement beginning in November 2026, compliance is mandatory. Here's what you need to know:

  • CMMC Overview: A DoD framework ensuring contractors protect sensitive information, based on NIST standards.
  • Healthcare Relevance: Applies to hospitals, TRICARE administrators, medical device manufacturers, and any other organization that handles FCI or CUI under a DoD contract. Automated vendor-risk tooling can help manage the supply chain side of these requirements.
  • Training Focus: Role-specific training, insider threat awareness, and documented evidence of compliance.
  • CMMC Levels:
    • Level 1: Basic security hygiene for FCI.
    • Level 2: Formalized training aligned with NIST SP 800-171 for CUI.
    • Level 3: Enhanced training based on NIST SP 800-172, covering advanced persistent threats, social engineering, and practical exercises.

To comply, organizations must implement tailored training programs for roles like clinicians, IT staff, and researchers while maintaining detailed, auditable records. Regular updates and ongoing enterprise risk assessments ensure readiness for audits. Compliance not only protects sensitive data but also secures eligibility for future DoD contracts.

Key CMMC Training and Awareness Requirements

CMMC Training Levels for Healthcare: Requirements at a Glance

What the CMMC AT Domain Covers

The Awareness and Training (AT) domain is all about ensuring that employees grasp cybersecurity risks and that specialized staff receive training tailored to their roles [4][5]. As GRC Academy explains:

"Awareness training provides general security training to influence user behavior... role-based training focuses on the knowledge, skills, and abilities needed to complete a specific job." [5]

These training requirements differ depending on the CMMC maturity level, which we’ll break down below.

Training Expectations by CMMC Level

At Level 1, which covers the basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information (FCI), there is no practice from the AT domain. Awareness training is still good practice at this level, but what an assessor checks is evidence of the Level 1 practices themselves, such as access control and physical protection.

Level 2 introduces a more formalized structure, aligning with NIST SP 800-171. At this stage, the three AT-domain practices must be implemented:

| CMMC Practice | Training Type | Who It Applies To | Core Topics |
|---|---|---|---|
| AT.L2-3.2.1 | General Awareness | All users, including clinicians and managers | Phishing, malware, passwords, incident reporting [4][3] |
| AT.L2-3.2.2 | Role-Based Training | IT staff, sysadmins, developers, and anyone with an assigned security duty | Security tools, system configuration, auditing [5] |
| AT.L2-3.2.3 | Insider Threat Awareness | All users, including managers and system administrators | Behavioral indicators, reporting procedures [4][3] |

At this level, training must be documented and tailored for all personnel who work with Controlled Unclassified Information (CUI).

Level 3 builds on Level 2 with two enhanced practices drawn from NIST SP 800-172. AT.L3-3.2.1e requires awareness training focused on recognizing and responding to social engineering, advanced persistent threat (APT) actors, breaches, and suspicious behavior, updated at an organization-defined frequency or whenever the threat changes significantly. AT.L3-3.2.2e requires practical exercises for defined roles, aligned with current threat scenarios, with feedback to the people trained and their supervisors. In practice, organizations schedule this training at hire, after major cybersecurity incidents, and at least annually [1].

Which Healthcare Roles Need CMMC Training

CMMC training isn’t one-size-fits-all. It must be customized to address the specific duties of each role, particularly in healthcare settings where federal data is involved. Here’s how training should align with common healthcare roles:

  • Clinicians and general medical staff: Need basic awareness training to spot phishing attempts, handle data safely, and identify CUI in clinical workflows [2][3].
  • IT and security teams: Require technical training on tasks like managing firewalls, securing system configurations, reviewing logs, and applying patches [5].
  • Procurement and supply chain officials: Must understand the risks tied to third-party access and the security requirements for acquisitions [5].
  • Researchers and lab staff: Need specialized training on how to handle CUI according to the protocols of their specific environment [2].
  • Privileged users (e.g., system administrators): Should receive advanced training on risks related to administrative accounts, as well as the importance of session logging [5][2].

To enhance security, consider setting up a CUI enclave and focusing specialized training efforts on personnel who interact with federal data [2].

Core Training Topics for Healthcare Staff

Cybersecurity Basics Every Staff Member Should Know

If you’re working in healthcare and use a computer, mobile device, or access patient records, there are a few cybersecurity basics you need to know. These include spotting phishing attempts, maintaining strong password practices, enabling multi-factor authentication (MFA), and reporting anything suspicious immediately [10].

Phishing attacks are no longer limited to emails - they now target individuals through SMS, phone calls, and even QR codes. Training should address these evolving tactics [10]. On top of that, Level 2 training introduces how to properly identify, label, and store Controlled Unclassified Information (CUI) [2].

With the average cost of a healthcare data breach reported at $7.42 million in 2025 and human error a factor in 88% of incidents, the urgency of effective training is undeniable [10]. Short, focused modules, ideally under 10 minutes, work best for busy clinical staff who operate in high-pressure settings [10].

These foundational skills pave the way for more specialized, role-specific training, which is outlined in the next section.

Role-Based Training for High-Risk Functions

General awareness training is a good start, but some roles come with higher risks and demand tailored, task-specific instruction. As one guidance document puts it:

"3.2.2 means: if someone's role includes a security duty, they need training for that duty." - Daydream [7]

Here’s how role-specific training can be applied to key functions within healthcare:

| Healthcare Role | Training Focus |
|---|---|
| IT/Security Teams | Vulnerability management, encryption, network segmentation, and log reviews [2][7] |
| Biomedical Engineers | Securing networked medical devices (e.g., infusion pumps), IoT/OT risks, and network segregation [1][11] |
| Help Desk/Support Staff | Identity verification for password resets, remote support restrictions, and phishing incident reporting [7] |
| Vendor Managers | Managing supply chain risks, verifying subcontractor compliance, and controlling third-party access [5][11] |
| Finance and Billing Teams | Detecting wire transfer fraud, payroll scams, and Business Email Compromise (BEC) [10] |

The key is to align each role with its specific security responsibilities and create training modules that reflect real-world workflows. Assessors generally prefer customized training that matches operational practices over generic, one-size-fits-all courses [7].

Training Topics by CMMC Level

Beyond general and role-specific training, the Cybersecurity Maturity Model Certification (CMMC) levels introduce progressively advanced requirements. Level 1 contains no practice from the AT domain, so training is not formally assessed there; the focus remains on foundational practices like phishing awareness, as outlined in the cybersecurity basics above, as good practice for anyone handling Federal Contract Information (FCI) [2].

Level 2 expands to include all 110 requirements of NIST SP 800-171 across its 14 families (domains, in CMMC terms). For example, insider threat indicators and awareness (AT.L2-3.2.3) become a key focus, something not typically required under frameworks like HIPAA or SOC 2 [3]. A useful resource here is the Department of Defense's free Insider Threat Awareness Course, which can be used to satisfy this Level 2 requirement [4].

At Level 3, the training gets even more advanced. Teams must understand how to recognize and counter Advanced Persistent Threats (APTs) and social engineering, and AT.L3-3.2.2e requires practical exercises aligned with current threat scenarios, such as unannounced phishing simulations, with feedback to the participants and their supervisors [8][9].

"A well-trained and security-aware workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy." - GRC Academy [8]

How to Build a CMMC-Compliant Training Program

Assessing Training Needs and Setting Objectives

Before diving into training development, start by identifying everyone who interacts with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This includes IT staff, managers, and remote workers. To streamline the process, consider defining a CUI enclave. This approach narrows the training focus to relevant personnel, helping to reduce both the program's complexity and its cost [2].

Once you've identified these roles, map out their specific training needs. For instance, IT administrators should focus on skills like secure configuration and access management, while personnel handling CUI must understand proper marking, storage, and disposal practices [12][13].

Next, set clear and measurable goals for your program. For example, aim for 100% training completion within the first 30 days of employment, a passing quiz score of at least 85%, a simulated phishing click rate of less than 5%, and a phishing report rate exceeding 70% [12]. These benchmarks not only track progress but also demonstrate compliance effectively.

Aligning CMMC Training with Healthcare Operations

Rather than reinventing the wheel, you can build on your existing HIPAA training modules to meet CMMC requirements.

"CMMC complements - not replaces - HIPAA." - Kevin Henry, Cybersecurity, AccountableHQ [2]

HIPAA is centered on protecting electronic protected health information (ePHI), while CMMC focuses on safeguarding FCI and CUI tied to federal contracts. Despite their differences, the two frameworks share common ground in areas like malware protection, access control, and incident response. By identifying these overlaps, you can consolidate training topics and minimize redundancy for your staff [2][3].

To make the training relevant to healthcare workflows, adopt a layered approach. Start with a commercial security awareness platform for general cybersecurity topics, and then add custom modules tailored to your organization's needs. These could include procedures for handling CUI, electronic health record (EHR) workflows, or clinical scenarios like ransomware attacks on EHR systems or anomalies in networked medical devices [2][12]. Not only is this approach practical, but it’s also cost-efficient, with commercial platforms typically costing between $15 and $50 per user per year [12].

Keeping Training Current Over Time

A training program isn't a one-and-done effort; it needs to evolve to keep up with new threats and requirements. Note that AT.4.059 is an identifier from the retired CMMC 1.0 model (a Level 4 practice). Its requirement survives in CMMC 2.0 Level 3 as AT.L3-3.2.1e, which calls for updating awareness training at an organization-defined frequency or when there are significant changes to the threat. At Level 2, AT.L2-3.2.1 leaves the frequency to the organization, and an annual refresh, plus an update whenever a significant new threat emerges, is the usual baseline [6][8].

"A consistently executed program is more effective than an elaborate one that isn't implemented." - Greypike's CMMC Knowledge Base [12]

To maintain effectiveness, plan for regular updates and training cycles. This could include annual refreshers, quarterly phishing simulations, monthly bite-sized learning sessions, and immediate retraining triggered by incidents [12][14]. For example, if an employee fails a phishing test or violates a policy, remedial training should be completed within 14 days [13].

Feedback from staff and data from incidents can also guide improvements. If phishing click rates remain high or quiz scores hover near the passing mark, it’s a clear signal to revisit and refine the training materials rather than waiting for the next scheduled review.

Documenting and Proving CMMC Training Compliance

Once you've established a structured training program, the next step is to document and demonstrate compliance with CMMC training requirements effectively.

Tracking Training Participation and Completion

For a training program to hold up under scrutiny, it must be backed by detailed, auditable records. These records should include key details such as the employee's ID and role, the training module name and version, the UTC completion date, assessment scores, and a link to the certificate or training recording. Retain these records for at least three years, unless your specific DoD contract specifies otherwise. Aim for 100% completion of role-based training within 30 days of hire and ensure an average assessment score of at least 80% [13].

To simplify tracking, integrate your HR system with your training platform. This integration ensures new hires or employees with changing roles are automatically assigned the right training. It also creates a seamless, auditable trail that shows when and how each individual was enrolled in the program [7].

What Assessors Expect to See

CMMC assessors take a thorough approach when evaluating training compliance. They’ll review your policies and records, interview staff to gauge their understanding, and test the systems you use to manage training [8]. Simply having documentation isn’t enough - your team must clearly articulate what they’ve learned. Assessors look for a traceable connection between assigned duties, the corresponding training content, evidence of completion, and ongoing refreshers [7]. A missing or unclear link in this chain will likely result in a finding.

Here’s a breakdown of the documentation categories, the key artifacts needed, and what they demonstrate to assessors:

| Documentation Category | Key Artifacts | What It Proves to an Assessor |
|---|---|---|
| Governance | Security Training Policy, SOPs | The program is formally defined and managed |
| Role Definition | Role-to-Responsibility Map, Job Descriptions | Security duties are assigned to specific individuals |
| Content | Training Slides, Course Outlines, Runbooks | Training aligns with assigned responsibilities |
| Execution | LMS Exports, Signed Attestations, Certificates | Training has been completed as required |
| Competency | Quiz Results, Tabletop Attendance Logs | Personnel have demonstrated necessary skills |
| Maintenance | Change Management Logs, Updated Materials | Training evolves with new threats or technologies |

This framework not only supports the design of your training program but also strengthens your organization’s preparedness for audits.

For CMMC Level 3, the bar is set even higher. You’ll need to show that training includes practical, role-specific exercises and that content is updated following major cyber events [1][8].

Using Technology to Manage Training Records

Manually managing training records can be prone to errors and inefficiencies. A centralized platform can streamline the process, especially when integrated with your HR system. This is particularly helpful for healthcare organizations juggling both HIPAA and CMMC requirements. Tools like Censinet RiskOps can centralize training documentation by linking records directly to SOPs and specific CMMC practices (e.g., AT.L2-3.2.2). This ensures audit-ready evidence collection, which is especially critical for healthcare delivery organizations handling training records for third parties, such as MSPs, consultants, and contractors operating within the CUI boundary [7].

Before an audit, conduct an internal review by randomly sampling employee training records. Check for assignment details, content versions, completion dates, and scores. If you can’t retrieve this information quickly and accurately, it’s a sign of a gap that needs to be addressed well ahead of the assessment [7].
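The record fields listed under Tracking Training Participation and the spot check described above can be scripted. The following Python is an added example, not code from the article or from any vendor named in it: it joins a constructed HR roster and a constructed LMS export against a role-to-training matrix (the module IDs, version strings, roster and export are all hypothetical) and reports the gaps an assessor would notice, using the article's 30-day onboarding window, annual refresh, and 80% pass mark. It also returns the two benchmark numbers the article asks for: completion rate over required role/module pairs and the mean score of each person's latest passing attempt.

```python
"""Training-evidence gap check (added example; not code from the article).
Joins a constructed HR roster and LMS export against a role-based training matrix and
reports the gaps an assessor would flag. Module IDs, versions and sample data are hypothetical."""
from collections import defaultdict, namedtuple
from datetime import date, timedelta

ONBOARD_DAYS = 30   # role-based training due within 30 days of hire
REFRESH_DAYS = 365  # annual refresher
PASS_SCORE = 80     # lowest assessment score that counts as a completion

# Role-to-training matrix (hypothetical module IDs, each tied to the practice it evidences).
TRAINING_MATRIX = {
    "clinician":      ["AWARE-101", "INSIDER-201"],                       # AT.L2-3.2.1, AT.L2-3.2.3
    "sysadmin":       ["AWARE-101", "INSIDER-201", "ROLE-SYSADMIN-301"],  # plus AT.L2-3.2.2
    "vendor_manager": ["AWARE-101", "INSIDER-201", "ROLE-VENDOR-302"],    # plus AT.L2-3.2.2
}
# Module version an assessor expects to see on a current completion.
CURRENT_VERSIONS = {"AWARE-101": "2026.1", "INSIDER-201": "2025.2",
                    "ROLE-SYSADMIN-301": "2026.1", "ROLE-VENDOR-302": "2025.1"}

Employee = namedtuple("Employee", "emp_id role hire_date")
# One LMS row: completed is the UTC completion date, score the assessment result.
Completion = namedtuple("Completion", "emp_id module version completed score")


def check_training(employees, completions, today):
    """Return findings as (emp_id, module, kind, detail) tuples, one per gap."""
    by_key = defaultdict(list)
    for c in completions:
        by_key[(c.emp_id, c.module)].append(c)
    findings = []
    for e in employees:
        required = TRAINING_MATRIX.get(e.role)
        if required is None:  # a role nobody mapped is itself a finding
            findings.append((e.emp_id, "*", "UNMAPPED_ROLE", f"role {e.role!r} not in training matrix"))
            continue
        deadline = e.hire_date + timedelta(days=ONBOARD_DAYS)
        for module in required:
            # Only attempts at or above the pass mark count; failed attempts stay in the export but are ignored.
            passing = sorted((c for c in by_key[(e.emp_id, module)] if c.score >= PASS_SCORE),
                             key=lambda c: c.completed)
            if not passing:
                findings.append((e.emp_id, module, "MISSING", "no completion at or above passing score"))
                continue
            first, latest = passing[0], passing[-1]
            if first.completed > deadline:
                late = (first.completed - deadline).days
                findings.append((e.emp_id, module, "LATE_ONBOARDING", f"{late} days past the {ONBOARD_DAYS}-day window"))
            age = (today - latest.completed).days
            if age > REFRESH_DAYS:
                findings.append((e.emp_id, module, "REFRESHER_OVERDUE", f"last passed {age} days ago"))
            if latest.version != CURRENT_VERSIONS[module]:
                findings.append((e.emp_id, module, "STALE_VERSION",
                                 f"completed {latest.version}, current is {CURRENT_VERSIONS[module]}"))
    return findings


def summarize(employees, completions, today):
    """Completion rate over required role/module pairs and mean score of the latest passing attempts."""
    pairs = [(e.emp_id, m) for e in employees for m in TRAINING_MATRIX.get(e.role, [])]
    latest_scores = []
    for emp_id, module in pairs:
        passing = [c for c in completions if (c.emp_id, c.module) == (emp_id, module) and c.score >= PASS_SCORE]
        if passing:
            latest_scores.append(max(passing, key=lambda c: c.completed).score)
    return {"required": len(pairs), "completed": len(latest_scores),
            "completion_rate": len(latest_scores) / len(pairs) if pairs else 0.0,
            "mean_score": sum(latest_scores) / len(latest_scores) if latest_scores else 0.0,
            "findings": len(check_training(employees, completions, today))}


# Constructed sample data: HR roster and LMS export as of 1 March 2026.
TODAY = date(2026, 3, 1)
ROSTER = [Employee("E001", "clinician", date(2025, 1, 15)),
          Employee("E002", "sysadmin", date(2026, 1, 20)),
          Employee("E003", "vendor_manager", date(2024, 6, 1))]
LMS_EXPORT = [
    Completion("E001", "AWARE-101", "2025.1", date(2025, 2, 1), 88),
    Completion("E001", "AWARE-101", "2026.1", date(2026, 2, 10), 92),
    Completion("E001", "INSIDER-201", "2025.2", date(2025, 2, 1), 70),       # failed attempt
    Completion("E001", "INSIDER-201", "2025.2", date(2025, 2, 5), 85),       # no refresher since
    Completion("E002", "AWARE-101", "2026.1", date(2026, 1, 25), 95),
    Completion("E002", "INSIDER-201", "2025.2", date(2026, 2, 25), 90),      # 6 days past the window
    Completion("E003", "AWARE-101", "2024.1", date(2024, 6, 10), 84),
    Completion("E003", "AWARE-101", "2025.1", date(2025, 6, 15), 90),        # superseded version
    Completion("E003", "INSIDER-201", "2024.2", date(2024, 6, 10), 90),
    Completion("E003", "INSIDER-201", "2025.2", date(2025, 6, 15), 91),
    Completion("E003", "ROLE-VENDOR-302", "2024.1", date(2024, 6, 20), 82),  # overdue and stale
]

if __name__ == "__main__":
    for f in check_training(ROSTER, LMS_EXPORT, TODAY):
        print("%-5s %-18s %-18s %s" % f)
    print(summarize(ROSTER, LMS_EXPORT, TODAY))
```

Run as a script, the sample data produces six findings: an overdue insider-threat refresher, an onboarding completion six days late, a missing sysadmin role module, and completions of superseded module versions. A failed attempt stays in the export as evidence but does not count as a completion, and an employee whose role is missing from the matrix is reported rather than silently skipped, since an unmapped role is exactly the broken link between duties and training that assessors look for.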

Conclusion: Meeting CMMC Training Requirements in Healthcare

CMMC training compliance in healthcare isn’t just a box to check - it’s an ongoing effort that evolves with the organization. Successful programs are dynamic: they’re tailored to specific roles, regularly updated, and backed by solid documentation. As Kevin Henry, Cybersecurity Expert at Accountable HQ, explains:

"CMMC for healthcare gives you a structured, evidence-driven path to protect federal information without losing sight of clinical realities." [2]

General security awareness training alone won’t cut it. Staff members with security-related responsibilities need training that directly aligns with their roles in the Controlled Unclassified Information (CUI) environment. Assessors look for measurable benchmarks - both in terms of training completion and demonstrated competency [13].

Technology plays a key role in meeting these tailored requirements. Platforms like Censinet RiskOps™ enable healthcare organizations to centralize training documentation, directly tie records to CMMC practices, and manage third-party vendor risk to maintain audit-ready evidence. These tools also streamline processes by automating the connection between HR onboarding and training assignments, reducing the risk of manual errors [13].

Assessors require detailed, audit-ready records that include UTC timestamps, version tracking for training modules, and proof of completion. Organizations must hold onto these records for at least three years and ensure training content is updated promptly when significant threats or operational changes arise [13][8].

FAQs

How do we know if we handle FCI or CUI?

Federal Contract Information (FCI) is information provided by or generated for the government under a contract that is not intended for public release. Most government contractors handle FCI in some capacity. Controlled Unclassified Information (CUI), on the other hand, is information that a law, regulation, or government-wide policy requires to be protected, and it is marked as CUI by the government or, where the contract requires it, by the contractor that creates it. If you have not received documents marked as CUI or been instructed to mark information as CUI, it is unlikely you are working with it. The clearest signal is the contract itself: the presence of DFARS 252.204-7012 (Safeguarding Covered Defense Information) usually means CUI is in scope.

What CMMC training do different healthcare roles need?

The Cybersecurity Maturity Model Certification (CMMC) emphasizes the importance of role-based training for healthcare organizations. This means tailoring training programs to match the specific security responsibilities of each role. Here's how it breaks down:

  • System administrators: Learn about secure configurations, patch management, and reviewing system logs.
  • CUI handlers: Focus on marking, storing, and transmitting Controlled Unclassified Information (CUI) securely.
  • Managers: Understand how to enforce policies and handle incident escalation effectively.

To stay compliant, it's essential to maintain a training matrix that outlines who needs what type of training. Additionally, keep detailed records of training completions for audit purposes.

What training records will CMMC assessors ask for?

CMMC assessors need clear proof that employees have been trained for their specific security roles. This means keeping detailed records that include:

  • Employee's name and role
  • Training date and duration
  • Curriculum or module version completed

Additionally, you’ll need to show evidence that employees understood the training. This can be done through quiz scores or signed acknowledgments confirming their comprehension.

To stay prepared for audits, maintain a role-based training matrix and a security awareness policy. These tools help demonstrate that your organization is consistently meeting training requirements.
