Not ready for a Complete Pen Test? How about finding out your Cyber Score in 2 mins? Click here for your Cyber Score
Facebook Youtube Linkedin Whatsapp
Capital Cyber Logo
CMMC Training Requirements: What Machine Shop Teams Must Know

CMMC Training Requirements: What Machine Shop Teams Must Know

Published by Capital Cyber | Leesburg, VA | (571) 410 3066

Most CNC shops and precision manufacturers think CMMC compliance is an IT problem. They budget for firewalls, endpoint security, and access controls — and then forget one of the requirements that assessors flag most often: training.

CMMC training requirements are not optional. They are not a checkbox buried in a policy document. They are live assessment criteria that a C3PAO auditor will test when your certification is on the line.

This guide explains exactly what CMMC training requirements apply to machine shop teams, who needs to complete them, what the training must cover, and how to document it correctly before your assessment.

Table of Contents

  1. Why Training Matters for CMMC
  2. Which CMMC Controls Cover Training
  3. Who at a Machine Shop Must Complete Training
  4. What CMMC Training Must Cover
  5. How Often Does Training Need to Happen
  6. How to Document Training for Your Assessment
  7. Common Training Mistakes Machine Shops Make
  8. How to Build a Simple CMMC Training Program

1. Why Training Matters for CMMC

CMMC Level 2 is built on the 110 security controls in NIST SP 800-171. Two of those controls fall under the Awareness and Training (AT) control family — and they directly govern how your team is trained on cybersecurity and CUI handling.

For machine shops, this matters more than most people expect. Your floor workers, quality team, estimators, and office staff all interact with systems, files, and data that may touch CUI. If one person mishandles a technical drawing, clicks a phishing email, or shares a file to a personal account, that can trigger a compliance failure — or worse, a real breach.

Training is not just a CMMC formality. It is one of the most practical defenses a shop of 15, 50, or 200 people has against the threats that actually cause contract loss.

2. Which CMMC Controls Cover Training

Under CMMC Level 2, two controls in the AT family govern training requirements:

Column 1Column 2

AT.L2-3.2.1 — Role-Based Security Awareness

Ensure that personnel are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational systems.  In plain language: everyone who touches your systems or CUI must understand what the risks are and what your policies say.

AT.L2-3.2.2 — Role-Based Training

Ensure that personnel are trained to carry out their assigned information security responsibilities.  In plain language: people with specific security duties — IT administrators, compliance leads, anyone who manages access or handles CUI workflows — must receive training specific to those roles.

Both controls require documented evidence. A C3PAO assessor will ask to see it.

3. Who at a Machine Shop Must Complete Training

This is where many shops get it wrong. They train the IT person and the owner and assume that covers it. It does not.

Under AT.L2-3.2.1, all personnel who access organizational systems or handle CUI must complete security awareness training. For a typical CNC or precision machine shop, that includes:

  • CNC operators and programmers accessing job files or CAM software on networked machines
  • Quality control technicians accessing inspection software or drawing repositories
  • Engineers and estimators working with customer-provided technical data
  • Office staff with access to email, shared drives, or ERP systems
  • Shop managers and supervisors with system access
  • Remote workers or hybrid employees accessing shop systems from outside the facility
  • Any subcontractor or temp worker with credentials to your network or systems

Under AT.L2-3.2.2, role-specific training applies to anyone with security-related responsibilities:

  • IT administrators and managed service provider staff
  • The person managing your System Security Plan (SSP)
  • Anyone responsible for access control or account provisioning
  • Your designated CMMC compliance lead or point of contact

If someone has an account on your network or touches a file that contains CUI, they are in scope for training.

4. What CMMC Training Must Cover

Your training program must address the actual risks your team faces — not just generic cybersecurity awareness. For machine shops handling defense contracts, that means covering:

Core Awareness Topics (All Personnel)

  • What CUI is and why it requires protection
  • How to identify CUI in your shop (technical drawings, specifications, contract data, inspection reports)
  • Acceptable use of company systems, email, and devices
  • Password security and multi-factor authentication
  • Phishing and social engineering — how to recognize and report suspicious messages
  • Physical security — clean desk, visitor access, locking workstations
  • Incident reporting — what to do when something goes wrong and who to contact
  • Removable media restrictions — USB drives, personal devices, external storage
  • Cloud storage rules — no personal Dropbox, Google Drive, or iCloud for CUI

Role-Specific Topics (Security Personnel and Compliance Leads)

  • Access control administration and account lifecycle management
  • Audit log review and monitoring responsibilities
  • Incident response procedures
  • Configuration management basics
  • System Security Plan awareness and their role within it
  • POA&M tracking and remediation responsibilities

Your training content should reference your actual policies. Assessors look for alignment between what your SSP says and what your training covers. Generic off-the-shelf content alone will not pass if it does not connect to your specific environment and procedures.

5. How Often Does Training Need to Happen

CMMC does not specify an exact training frequency in calendar days, but the expectation based on NIST 800-171 guidance and C3PAO assessment practice is:

  • Initial training at the time of hire or before granting system access
  • Annual refresher training at a minimum for all personnel
  • Event-driven training when there is a significant change — a new policy, a security incident, a new system, or a new CUI handling procedure
  • Role-specific training when someone’s security responsibilities change

For machine shops with high employee turnover — which is common on the production floor — the initial training requirement is critical. If a new hire accesses your ERP or shop management system on day one without completing training, that is a gap a C3PAO will find.

Build training into your onboarding checklist and do not grant system access until training is confirmed and documented.

6. How to Document Training for Your Assessment

Documentation is where machine shops most often fall short. Verbal training does not count. A lunch-and-learn with no record does not count. An email blast that says “read this policy” does not count.

Your C3PAO assessor will look for:

Training Records That Show:

  • Name of the individual who completed training
  • Date training was completed
  • Title or description of the training content
  • Method of delivery (in-person, online module, video, etc.)
  • Acknowledgment or sign-off by the employee

How to Maintain Records:

  • A training log in your HR system or a simple spreadsheet is acceptable
  • Learning management systems (LMS) like KnowBe4, Proofpoint Security Awareness, or similar platforms auto-generate completion certificates
  • Signed acknowledgment forms stored in an employee file work for smaller shops
  • Training completion should be tied to your onboarding workflow so new hires cannot slip through

What to Include in Your SSP:

Your System Security Plan must describe your training program — who is trained, on what topics, how often, and how records are maintained. If your SSP says training occurs annually but your records only show training from three years ago, that is a finding.

Keep records for at least three years to cover the CMMC triennial assessment cycle.

7. Common Training Mistakes Machine Shops Make

Mistake 1: Only training the IT person.

Every employee with system access is in scope. One trained administrator does not satisfy AT.L2-3.2.1 for the rest of the shop.

Mistake 2: Using generic off-the-shelf content with no customization.

Generic cybersecurity training is a starting point, not a complete solution. Your training must reference your specific policies, your CUI environment, and your reporting procedures. Assessors ask employees questions — and generic answers signal generic training.

Mistake 3: No records.

“We trained everyone at our all-hands meeting last spring” is not evidence. You need names, dates, and signatures.

Mistake 4: Training once and never again.

Annual refreshers and event-driven training are both required. A one-time training event from two years ago will not hold up.

Mistake 5: Not training new hires before granting access.

High turnover shops are particularly vulnerable here. Build training into your access provisioning workflow — no credentials until training is complete and documented.

Mistake 6: Forgetting subcontractors and temps.

If a temp worker or contract employee has credentials to your systems, they are in scope. Either include them in your training program or restrict their access to systems that do not touch CUI.

8. How to Build a Simple CMMC Training Program

You do not need a large budget or a dedicated training team. Here is a practical approach for machine shops of any size:

Step 1: Define Your In-Scope Personnel

List everyone with system access or CUI contact. This becomes your training roster.

Step 2: Choose a Delivery Method

  • Small shops (under 25 employees): in-person training with a signed acknowledgment form works well
  • Mid-size shops (25 to 100 employees): an online platform like KnowBe4 or Proofpoint automates delivery and tracking
  • Larger shops: an LMS integrated with your HR system is the most scalable option

Step 3: Build or Source Your Content

Start with a platform that provides NIST 800-171 or CMMC-aligned content modules, then customize the introductory and CUI-handling sections to reference your shop’s specific policies and procedures.

Step 4: Create a Training Acknowledgment

Every employee should sign or digitally confirm that they completed training and understand the content. One page is enough. Keep it on file.

Step 5: Build Training Into Onboarding

Add “complete CMMC security awareness training” as a required step before system access is granted to any new hire or contractor.

Step 6: Schedule Annual Refreshers

Set a recurring annual training cycle. Tie it to something easy to remember — your fiscal year start, your contract renewal month, or a fixed calendar date.

Step 7: Document Everything in Your SSP

Your System Security Plan should describe the training program in plain language. Assessors will cross-reference your SSP description against your training records.

The Bottom Line

CMMC training requirements are not complicated — but they are non-negotiable. For machine shops handling defense contracts, a weak training program is one of the fastest ways to generate findings during a C3PAO assessment.

The good news: this is one of the most fixable gaps in any shop’s CMMC readiness. A well-documented, role-appropriate training program built into your onboarding process satisfies both AT controls, demonstrates a real security culture to your assessor, and protects your shop from the human-error incidents that cause most real-world breaches.

Not sure where your training program stands?

Capital Cyber works with CNC shops, precision manufacturers, and defense subcontractors to build CMMC training programs that hold up under assessment. We review what you have, identify the gaps, and help you build documentation that satisfies your C3PAO.  Book a free CMMC Readiness Call: capital-cyber.com/contact

Capital Cyber | 1019B Edwards Ferry Rd. #1183, Leesburg, VA 20176

Security Obsessed. Service Driven.