CMMC Phishing Simulation & Awareness Training Requirements (2026)

CMMC 2.0 enforcement is the most consequential compliance shift the DoD supply chain has seen in a generation. The headline is third-party assessment: where NIST 800-171 has lived as self-attestation in SPRS for years, CMMC introduces accredited C3PAO assessors who actually verify evidence. The awareness-training (AT) family of controls is one of the areas where well-intentioned programs frequently fail assessment - not because the policy is missing, but because the operational evidence is thin or assembled too late.

This post translates the CMMC AT-family requirements into a working phishing simulation and awareness training program: which controls they map to, what evidence assessors actually want, where DoD suppliers commonly fall short and how phishing simulation specifically satisfies and produces evidence for the controls.

What CMMC actually requires for awareness training

CMMC Level 2 maps to the 110 NIST 800-171 controls. The AT family is small but consequential:

  • AT.L2-3.2.1 - Provide basic security awareness training to information system users. Annual minimum; written policy specifying scope and content.
  • AT.L2-3.2.2 - Ensure personnel are trained to carry out their assigned information security-related duties. Role-based training for privileged users, system administrators and security staff.
  • AT.L2-3.2.3 - Provide insider threat awareness training. Recognition of insider threat indicators, reporting channels, non-retaliation framing.
  • AT.L2-3.2.5 - Provide updated insider threat training annually (where applicable based on Level scope).

None of these explicitly say "run phishing simulations." But the assessor evaluating AT.L2-3.2.1 wants evidence that the training program actually trained people against the attack vector behind 90%+ of breaches in DoD-supplier-relevant attack data. A training program that meets the letter of AT.L2-3.2.1 with a 30-minute annual video produces weaker evidence than one that pairs the annual training with continuous phishing simulation showing measurable click-rate improvement over the assessment window.

What evidence a C3PAO assessor wants

Three classes of evidence, and assessors look at all three:

  1. Documented program. Written policy specifying cadence, scope, role-based content, threshold-exceedance response and remediation requirements. Without the policy, no other evidence is evaluated - the policy is the artifact AT.L2-3.2.1 specifically demands.
  2. Records of training delivery. Per-user completion records with timestamps and content topics. Assessors sample the records and may interview employees to verify training was actually received.
  3. Records of effectiveness measurement. Phishing simulation results over time - click rates, completion rates, trend analysis. A documented response when click rates exceeded organizational thresholds (the threshold itself should be in the policy). Most importantly, evidence that the program has been operating continuously, not assembled in the four weeks before the assessment.

The "we just bought it last month" problem

The single most common AT-family finding is operational immaturity - a program that exists on paper but lacks the longitudinal evidence to demonstrate it has actually been running. This is particularly common when DoD suppliers realize CMMC enforcement is imminent and rush to procure a phishing simulation platform 90 days before the assessment.

The fix is predictable: start now, even if the assessment is 12+ months out. A 12-month evidence window with quarterly trend reports and a half-dozen documented threshold-exceedance responses is qualitatively different evidence from a 90-day window with one campaign. C3PAOs are trained to recognize the pattern.

Phishing simulation as the evidence engine

A continuous phishing simulation program - monthly campaigns, multi-channel coverage, auto-assigned remediation training, longitudinal reporting - produces exactly the evidence the AT family demands without requiring separate effort. The byproduct of running the program properly is the assessment evidence package.

Specific recommendations for CMMC-aligned programs:

  • Monthly simulation cadence across the assessment scope. Annual is the floor; monthly is the operational standard.
  • Multi-channel coverage - email + SMS + voice. CMMC Level 3 specifically calls out advanced threats including voice social engineering.
  • Role-based difficulty - finance, HR, IT admins and executives get harder lures. AT.L2-3.2.2 specifically calls for role-based content.
  • Auto-assigned remediation - when a user clicks, the appropriate training module fires immediately. Behavior-triggered learning is what produces measurable click-rate decline over the assessment window.
  • Quarterly trend report - click rate, training completion, time-to-remediation. Document threshold exceedances and the program response.
  • Insider threat content in the annual training module - AT.L2-3.2.3 explicitly requires insider threat awareness, including recognition cues and reporting channels.
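The effectiveness-measurement evidence described above (monthly click rates, policy-threshold exceedances, the quarterly trend report, the length of the continuous evidence window, and completion records tied to a user and a topic) can be derived mechanically from campaign records. The following is an added example, not code from the original post or from any vendor platform; the campaign figures, the 10% click-rate threshold and the 12-month minimum window are constructed assumptions standing in for values a real policy would set.

```python
from collections import defaultdict

# Constructed sample data: one row per monthly simulation campaign,
# as (campaign month, users targeted, users who clicked, users who reported).
CAMPAIGNS = [
    ("2025-01", 200, 38, 12), ("2025-02", 200, 31, 20), ("2025-03", 200, 22, 41),
    ("2025-04", 200, 19, 55), ("2025-05", 200, 27, 60), ("2025-06", 200, 14, 71),
    ("2025-07", 200, 11, 80), ("2025-08", 200, 9, 88),  ("2025-09", 200, 10, 90),
    ("2025-10", 200, 8, 95),  ("2025-11", 200, 7, 101), ("2025-12", 200, 6, 104),
]
CLICK_THRESHOLD = 0.10   # hypothetical policy threshold: 10% click rate
MIN_WINDOW_MONTHS = 12   # hypothetical minimum continuous evidence window

def click_rates(campaigns):
    """Map campaign month -> click rate (clicked / targeted)."""
    return {m: clicked / targeted for m, targeted, clicked, _ in campaigns}

def threshold_exceedances(campaigns, threshold=CLICK_THRESHOLD):
    """Months whose click rate exceeded the policy threshold; each needs a documented response."""
    return [m for m, r in click_rates(campaigns).items() if r > threshold]

def evidence_window_months(campaigns):
    """Span in months from the first to the last campaign, inclusive."""
    months = sorted(int(m[:4]) * 12 + int(m[5:]) for m, *_ in campaigns)
    return months[-1] - months[0] + 1

def quarterly_trend(campaigns):
    """Mean click rate per quarter (keys like '2025-Q1') for the trend report."""
    buckets = defaultdict(list)
    for m, r in click_rates(campaigns).items():
        buckets[f"{m[:4]}-Q{(int(m[5:]) - 1) // 3 + 1}"].append(r)
    return {q: round(sum(v) / len(v), 3) for q, v in sorted(buckets.items())}

def readiness_findings(campaigns, documented_responses, min_window=MIN_WINDOW_MONTHS):
    """Pre-assessment self-check mirroring the common AT-family findings."""
    findings = []
    if evidence_window_months(campaigns) < min_window:
        findings.append(f"operational immaturity: fewer than {min_window} months of evidence")
    for m in threshold_exceedances(campaigns):
        if m not in documented_responses:
            findings.append(f"no documented response to exceedance in {m}")
    return findings

def invalid_completion_records(records):
    """Completion records lacking a user, a topic or a timestamp are rejected as insufficient."""
    required = ("user", "topic", "completed_at")
    return [r for r in records if not all(r.get(k) for k in required)]
```

Running `readiness_findings` over only the last three campaigns reproduces the "90 days before assessment" finding, while the full year with responses recorded for every exceedance returns no findings.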

How CMMC differs from neighboring frameworks

For organizations already running other compliance programs, CMMC's specific demands relative to neighbors:

  • vs. NIST CSF - CSF is voluntary and outcome-oriented; CMMC is contractually required and control-specific. NIST 800-171 controls (which CMMC inherits) are more prescriptive than CSF's outcome categories.
  • vs. SOC 2 - SOC 2's CC1.4 covers awareness; the evidence pattern (policy + completion records + effectiveness measurement) is similar. CMMC adds the C3PAO third-party-assessor layer that SOC 2 already has via the auditor.
  • vs. ISO 27001 - ISO Annex A.7.2.2 covers awareness; the controls are slightly less prescriptive than CMMC AT but the evidence pattern overlaps substantially. Organizations with strong ISO 27001 awareness evidence are typically well-positioned for CMMC.
  • vs. FedRAMP / federal civilian - FedRAMP also incorporates NIST 800-53 AT controls; the evidence is reusable across CMMC and FedRAMP if both frameworks are in scope.

Common assessor findings

The AT-family findings that come up most often in real C3PAO assessment reports:

  • Policy exists but does not specify cadence or threshold-exceedance response - fails AT.L2-3.2.1 even with completion records.
  • Annual training delivered but no role-based content for privileged users - AT.L2-3.2.2 finding.
  • Phishing simulation records exist but only cover the 90 days before assessment - operational maturity finding; assessor escalates.
  • Training completion records are not tied to specific users or specific training topics - evidence rejected as insufficient.
  • No documented response to historical click-rate spikes - assessor questions whether the program is actually monitored.

Each of these is a procedural failure, not a tooling failure. The platform produces the records; the program design and policy specify what to do with them.

For DoD primes vs. subs

Prime contractors typically face Level 2 or Level 3 assessments depending on the data classification (FCI for Level 1; CUI for Level 2; CUI plus enhanced threats for Level 3). Subs frequently face flow-down requirements where the prime contractor's contract obligations propagate to the sub via the DFARS 252.204-7021 clause. The practical effect: subs that handle CUI need to plan for Level 2 assessment regardless of their direct DoD contract status.

Smaller DoD suppliers - especially those entering the supply chain for the first time - frequently underestimate the awareness-training control demands. A $500K DoD subcontract is the same evidence bar as a $50M prime contract for Level 2 awareness controls. Plan accordingly.

Where Bait & Phish fits

Bait & Phish is built for the operational profile CMMC assessors look for: continuous monthly phishing simulation across email, SMS and voice; auto-assigned remediation training when users click; quarterly trend reports exportable to PDF for the evidence package; per-user completion records with timestamps. The 15+ years of operating history matters here - DoD suppliers under assessment value vendors with track-record evidence over newer entrants. Start a 25-user free trial to validate the platform fits your CMMC program design, or talk to us about an evidence-package walkthrough mapped to AT control numbers.

This post is informational and does not constitute compliance, legal or assessment advice. Specific CMMC assessment readiness, DFARS clause interpretation and C3PAO selection are organization-specific - consult your compliance counsel, your prime contractor (if a sub) or an accredited C3PAO for tailored guidance.

See also: Compliance Phishing Requirements Comparison for cross-framework evidence overlap, and Government Phishing Training Requirements for the broader federal context.
