Today we're releasing something we've been building alongside the teams who need it most: full CMMC, ITAR, and FedRAMP workforce training on the InspireCyber Platform – a course line written for the defense industrial base, an evidence engine mapped to the NIST SP 800-171 Awareness & Training family, and a monthly rhythm that keeps both current as the rules move.
If your contracts reference NIST SP 800-171, if a prime's flow-down language just landed on your desk, or if your engineers touch ITAR technical data between coffee and stand-up, this release is for you.
The clock that made this urgentLink to this section
The deadline isn't abstract anymore. On November 10, 2026, Phase 2 of the CMMC rule brings third-party certification into new DoD contracts. The DoD estimates roughly 80,000 organizations will need Level 2 certification – served by fewer than a hundred authorized C3PAOs, whose calendars are already filling. Assessments are projected to run $75k and up, and every evidence gap means re-work at that rate.
Most of that 80,000 has never been assessed before. The ones who walk in prepared will be the ones who treated evidence as something you produce continuously – not something you assemble in a panicked quarter.
The exposure nobody's acceptable-use policy coversLink to this section
Here's the uncomfortable part. Your people are already pasting into AI tools. The question is what.
In a regulated environment, a prompt is an outbound data transfer. CUI pasted into a commercial chatbot is an uncontrolled disclosure. ITAR technical data in the same chat box can be an unauthorized export. And the consumer AI tools your staff reach for sit outside any FedRAMP authorization boundary – no contract, no audit trail, no data-handling commitments, regardless of how good the model is.
Blanket bans don't hold; they just push usage into the shadows. Sanctioned paths now exist – government-cleared AI offerings inside FedRAMP-authorized environments – and the list changes quarterly. Training is what holds. Your machinists, engineers, and program staff need to know what may leave the boundary, which endpoints are off-limits, which cleared alternatives exist, and what to do in the first hour after a spillage.
The course line: AI in the Regulated WorkplaceLink to this section
Not generic security awareness with the logo swapped. Four courses, built for people who work under these rules, taught through interactive scenarios:
RW-101 – AI in CUI environments. The flagship. What CUI and FCI are, why commercial AI endpoints are off-limits, which cleared alternatives exist, prompt hygiene, and first-hour spillage response.
RW-201 – ITAR awareness for the workforce. ITAR for everyone who isn't the export-compliance officer: what technical data is, U.S.-persons rules, deemed exports in everyday tools, and the AI-prompt-as-export framing.
RW-301 – CUI handling & insider threat. DIB-specific security awareness and insider-threat recognition – the AT.L2-3.2.1 and 3.2.3 content, taught through scenarios instead of slideware.
RW-401 – FedRAMP literacy. What an authorization boundary actually is, what "FedRAMP-authorized" does and doesn't cover, and how to evaluate tools – from practitioners who have carried a product through authorization.
The content is live, not laminated: redaction labs on realistic documents, "may I paste this?" drills, and branching spillage scenarios that make the right reflex automatic.
Walk in with the AT family closedLink to this section
Assessors ask a precise question: who was trained, on what content, on which version, when – and can you prove it? That record is what the platform produces, continuously.
- AT.L2-3.2.1 – Security awareness training. Every user completes DIB-specific awareness content – CUI handling, AI data spillage, phishing – with per-user completion records.
- AT.L2-3.2.2 – Role-based security training. Training paths assigned by group and role, so admins, engineers, and program staff each carry the training their duties require.
- AT.L2-3.2.3 – Insider threat awareness. Recognition and reporting of insider-threat indicators, woven into scenarios and tracked to completion for every seat.
- Content versioning. Completions are recorded against the content version. When the rules change and content updates, stale seats are flagged for retraining – provably.
When you need it, you export the training-evidence pack mapped to the AT family – per user, per course, per content version – and hand it to your C3PAO. No screenshots, no spreadsheet archaeology.
A standing capability, not an annual eventLink to this section
Compliance training that happens once a year decays long before the re-assessment does. The platform runs a simple operating rhythm:
- Enroll the workforce. Provision the org, import your people, and assign role-based paths by group – engineers, program staff, admins.
- Train on live content. Interactive, DIB-specific courses built around the documents and decisions your teams actually face.
- Reinforce monthly. A short scenario keeps readiness current: new cleared-AI authorizations, fresh incident patterns, rule changes as they land.
- Prove it on demand. The evidence pack is always one export away.
Per-seat pricing covers the whole workforce – chemists, technicians, CNC operators, and program admins alike – without per-course nickel-and-diming.
Built for every corner of the DIBLink to this section
The scenarios speak your floor's language, whether that's precision manufacturing (G-code and inspection photos are CUI too), aerospace and defense programs, industrial equipment, engineering services, laser technologies, chemical and materials labs, electronics and semiconductors, or defense communications teams operating inside strict ATO boundaries.
And for our Australian readers: with the AUKUS licence-free environment now live, Australian and UK defence suppliers are stepping inside the ITAR perimeter for the first time – with the same training obligations and almost no local supply. We built for both sides of that bridge, including AUKUS authorized users and DISP members.
Written by people who live under these rulesLink to this section
This isn't compliance content written from a checklist. Our practitioners have carried a product through FedRAMP Moderate authorization and work daily in ITAR- and CMMC-regulated file sharing – the same boundary your people operate inside. When RW-401 explains what an authorization boundary covers, it's from the team that drew one.
See it before your assessor doesLink to this section
The CMMC training line is available on the platform today. Start at our Government & Defense Compliance Training page, or skip straight to a 30-minute briefing – not a sales demo. Bring your assessment timeline; we'll walk your team structure, map the training obligation, and show you the exact evidence pack your assessor would receive.
Request a briefing – November 10, 2026 is closer than it looks.