Phishing Simulation for Government Contractors: CMMC 2.0 Requirements

Compliance · PhishIQ Team · March 22, 2026 · 7 min read

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is now a contractual requirement for defense contractors handling Controlled Unclassified Information (CUI). CMMC Level 2, which aligns with the 110 security requirements in NIST SP 800-171, includes explicit requirements for security awareness training that directly impact how defense contractors should structure their phishing simulation programs. With CMMC assessments now being conducted by authorized C3PAOs (CMMC Third Party Assessment Organizations), contractors need to ensure their security awareness programs meet the specific evidence requirements that assessors expect to see.

Which CMMC 2.0 Controls Require Phishing Simulation?

Several NIST 800-171 controls mapped to CMMC Level 2 directly relate to security awareness and phishing simulation. AT.2.056 requires organizations to ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. AT.2.057 requires that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. AT.3.058 requires role-based security training that accounts for the different threat profiles faced by different roles within the organization. While none of these controls explicitly mandate phishing simulation, CMMC assessors interpret them in the context of the current threat landscape, and a security awareness program that does not include behavioral testing through simulation is unlikely to satisfy assessors.

What Do CMMC Assessors Expect to See?

C3PAO assessors evaluate security awareness programs using a combination of documentation review, interviews, and evidence examination. They expect to see a formal security awareness training policy that defines the scope, frequency, and methods of training, including phishing simulation. They review evidence that all personnel with CUI access completed initial and annual refresher training. They look for phishing simulation campaign records showing regular testing throughout the assessment period, ideally monthly. They examine remedial training records showing that employees who failed simulations received follow-up training. They also interview employees and managers to verify that the documented program is actually being executed and that personnel can articulate basic security awareness concepts including phishing identification and reporting.

How Should Defense Contractors Structure Their Programs?

Structure your program to directly address CMMC assessment requirements. Implement a minimum of monthly phishing simulations for all personnel with CUI access. Design simulation scenarios that reflect threats specific to the defense industrial base: foreign intelligence service impersonation, defense procurement fraud, export control violation pretexts, and classified information social engineering. Provide role-based simulations that test personnel against threats relevant to their specific access and responsibilities. Track completion rates for the assessment-scope population with a target of 100 percent, and close gaps immediately when personnel miss required training or simulation campaigns. Maintain chain-of-custody documentation for all evidence, ensuring that records are timestamped, tamper-resistant, and available for assessor review.

How Do You Prepare for a CMMC Assessment?

Begin CMMC assessment preparation at least 12 months in advance to build a sufficient evidence trail. Conduct a gap assessment of your current security awareness program against CMMC Level 2 requirements and document all remediation actions. Run a minimum of 12 monthly simulation campaigns before the assessment window opens so you can present a full year of trend data. Prepare a compliance mapping document that explicitly connects each phishing simulation activity to the specific NIST 800-171 controls it satisfies. Conduct mock interviews with employees to ensure they can articulate security awareness concepts when assessors ask questions. Have your evidence package reviewed by a CMMC Registered Practitioner (RP) before the formal assessment to identify and address any gaps. For related compliance frameworks, see our guides on NIST CSF 2.0 mapping and SOC 2 requirements.
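The two preceding sections describe the evidence an assessor will ask for: timestamped, tamper-resistant campaign and remediation records, a campaign every month of the assessment window, 100 percent coverage of the in-scope population, and proof that every failed simulation was followed by remedial training. The following Python script is an added example, not PhishIQ's code or any CMMC-mandated format; it shows one way to keep that evidence in a hash-chained ledger so that any edit or deletion is detectable, and to run the same three coverage checks an assessor would run. All user ids, campaign ids and dates are constructed sample data.

```python
"""Tamper-evident evidence ledger and coverage checks for phishing simulation
campaigns. Added example with constructed data; not an official CMMC artifact."""
import copy
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical in-scope population: user ids with CUI access (constructed).
CUI_SCOPE = {"u001", "u002", "u003", "u004"}
GENESIS = "0" * 64


def canonical(obj):
    """Deterministic JSON so the hash does not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


class EvidenceLedger:
    """Append-only log where each entry commits to the previous entry's hash.
    Altering or deleting any earlier record invalidates every hash after it."""

    def __init__(self):
        self.entries = []

    def append(self, record, recorded_at=None):
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        stamp = recorded_at or datetime.now(timezone.utc)
        entry = {"seq": len(self.entries), "recorded_at": stamp.isoformat(),
                 "record": record, "prev_hash": prev_hash}
        entry["hash"] = hashlib.sha256(canonical(entry).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute every hash and link; return (ok, first_bad_seq)."""
        prev_hash = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev_hash"] != prev_hash:
                return False, entry["seq"]
            if hashlib.sha256(canonical(body).encode()).hexdigest() != entry["hash"]:
                return False, entry["seq"]
            prev_hash = entry["hash"]
        return True, None


def campaign_record(campaign_id, sent_on, scenario, targeted, clicked, reported):
    """One simulation campaign; sets are sorted into lists for stable hashing."""
    return {"type": "campaign", "campaign_id": campaign_id, "sent_on": sent_on,
            "scenario": scenario, "targeted": sorted(targeted),
            "clicked": sorted(clicked), "reported": sorted(reported)}


def remediation_record(campaign_id, user, completed_on):
    """Follow-up training completed by a user who clicked in a campaign."""
    return {"type": "remediation", "campaign_id": campaign_id,
            "user": user, "completed_on": completed_on}


def monthly_coverage(ledger, months):
    """YYYY-MM periods in `months` that have no campaign record (assessor check 1)."""
    covered = {e["record"]["sent_on"][:7] for e in ledger.entries
               if e["record"]["type"] == "campaign"}
    return [m for m in months if m not in covered]


def scope_gaps(ledger, scope):
    """In-scope users never targeted by any campaign (assessor check 2)."""
    targeted = set()
    for e in ledger.entries:
        if e["record"]["type"] == "campaign":
            targeted.update(e["record"]["targeted"])
    return sorted(scope - targeted)


def unremediated(ledger):
    """(campaign_id, user) clicks with no matching remediation (assessor check 3)."""
    clicks, done = set(), set()
    for e in ledger.entries:
        r = e["record"]
        if r["type"] == "campaign":
            clicks.update((r["campaign_id"], u) for u in r["clicked"])
        else:
            done.add((r["campaign_id"], r["user"]))
    return sorted(clicks - done)


def build_sample_ledger():
    """Constructed sample: one user never targeted, one month skipped, one click unremediated."""
    led = EvidenceLedger()
    at = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
    led.append(campaign_record("C-2025-01", "2025-01-14", "procurement-invoice",
                               {"u001", "u002", "u003"}, {"u002"}, {"u001"}), at(2025, 1, 14))
    led.append(remediation_record("C-2025-01", "u002", "2025-01-20"), at(2025, 1, 20))
    led.append(campaign_record("C-2025-03", "2025-03-11", "export-control-pretext",
                               {"u001", "u002", "u003"}, {"u003"}, {"u001", "u002"}), at(2025, 3, 11))
    return led


def tamper_demo():
    """Silently 'fix' a click result in a copy of the ledger; verification must flag it."""
    led = copy.deepcopy(build_sample_ledger())
    led.entries[0]["record"]["clicked"] = []
    return led.verify()


if __name__ == "__main__":
    led = build_sample_ledger()
    print("chain intact:", led.verify())
    print("months without a campaign:", monthly_coverage(led, ["2025-01", "2025-02", "2025-03"]))
    print("in-scope users never tested:", scope_gaps(led, CUI_SCOPE))
    print("clicks without remediation:", unremediated(led))
    print("after tampering:", tamper_demo())
```

The ledger is only tamper-evident, not tamper-proof: whoever holds the file can rewrite the whole chain. In practice the latest hash would be exported periodically to a system outside the evidence owner's control (a ticket, a signed email to the RP, a write-once bucket), which is what turns this into chain-of-custody evidence an assessor can check.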
