Annual Security Awareness Training

We frequently receive questions about whether annual security awareness training is truly required under CMMC, especially given the model’s use of terms like “ongoing awareness.” While CMMC does allow flexibility in how awareness activities are delivered, from an assessment perspective, annual training is typically the lowest-risk and most defensible approach.

CMMC uses the term “periodically” when describing security awareness requirements, which is generally interpreted as an organization-defined interval not to exceed one year. In practice, annual training aligns cleanly with assessor expectations by providing clear, consistent, and verifiable evidence that all users received required training within a defined timeframe. This approach significantly reduces subjectivity, minimizes evidence burden, and avoids the assessment friction that can arise when trying to prove informal or ad-hoc awareness activities spread throughout the year.

From an operational standpoint, annual training also fits real-world constraints. It allows organizations to plan, document, and execute training in a structured way without relying on fragmented records, scattered communications, or assumptions about user exposure to security messaging. For most organizations, especially small and mid-sized manufacturers, this results in a clearer compliance posture and a smoother assessment experience.

If you have questions or would like to discuss how this applies to your specific environment or training program, we’re happy to walk through it with you.