Free Download

SECURITY AWARENESS RESOURCE PACK

Four ready-to-deploy templates every business needs. Incident Report, MFA Enrollment Checklist, Vendor Risk Questionnaire, and Quick Reference Card. Mapped to GLBA, HIPAA, CMMC, PCI, NYDFS, and SOC 2. Free for any organization to use.

CMMC Registered Practitioner Org | Raleigh, NC | 23+ Years | BBB A+
Version: 2026.05 | Updated: 2026-05-08 | Files: 4 templates
Why This Pack Matters

Every Regulator Now Names Security Awareness Training

Six federal and state frameworks now require documented annual security awareness training. Not optional. Not "best practice." Named control objectives with assessment evidence requirements.

The landscape changed quietly over the last 36 months. The FTC Safeguards Rule (16 CFR Part 314), finalized in late 2021 and amended in late 2023, requires every "financial institution" — and that definition now sweeps in tax preparers, mortgage brokers, motor vehicle dealers, finders, and check cashers — to "provide your personnel with security awareness training" under 16 CFR 314.4(e). Failure to maintain documented training is one of the most common findings in FTC enforcement actions, and the median civil penalty in published 2024 and 2025 settlements ran in the high six figures before remediation costs.

The Department of Defense CMMC 2.0 Level 2 framework, now mandatory for every contractor and subcontractor in the Defense Industrial Base handling Controlled Unclassified Information, names two specific awareness controls: AT.L2-3.2.1 (security awareness training) and AT.L2-3.2.2 (insider threat awareness). Without documented annual training, no Joint Surveillance Voluntary Assessment will issue a passing score. Without a passing score, no DoD contract.

And the same is true for HIPAA covered entities and business associates under 45 CFR 164.308(a)(5), PCI-DSS v4.0 Requirement 12.6 for any merchant that touches a card number, NYDFS 23 NYCRR 500.14(a)(3) for any covered financial entity in New York, and SOC 2 Common Criteria CC1.4 / CC2.2 for any service organization undergoing a Type 2 audit.

This Resource Pack does not replace the training itself. It gives you the documentation chassis — the forms, checklists, and reference materials your employees and your auditor expect — so the training that does happen produces the evidence that satisfies the rule.

What's Inside

Four Templates, One ZIP Download

Editable HTML files. Open in any browser, paste into Word or Google Docs, brand with your logo, deploy.

01. Incident Report Template

One-page form for any employee to report a suspected phishing email, lost device, suspicious vendor message, social engineering attempt, malware sighting, or unauthorized access. Sections capture detection time, reporter and detector, affected systems and data, immediate actions taken, and disposition (closed, escalated to IT, escalated to legal, escalated to law enforcement, breach-notification triggered). Used as the front-end intake for your incident response runbook and as primary evidence for HIPAA 164.308(a)(6), CMMC IR.L2-3.6.1, NIST 800-171 03.06.01, and SOC 2 CC7.3.

incident-report-template.html — 7 KB

02. MFA Enrollment Checklist

Step-by-step walkthrough for enabling multi-factor authentication on the six accounts that matter most: Microsoft 365 with Authenticator app or hardware key, Google Workspace, Apple ID for any device touching work data, the company password manager (1Password, Bitwarden, Keeper, Dashlane), business banking, and personal social accounts most often used as a foothold. Includes the order of operations, what to do if enrollment fails, and the recovery path if a device is lost. Phishing-resistant MFA options (FIDO2 / passkey) are flagged separately because that is the bar CMMC and NYDFS now expect.

mfa-enrollment-checklist.html — 10 KB

03. Vendor Risk Questionnaire

Twenty-five questions in five sections: company and contact information, security and compliance posture (SOC 2, ISO 27001, HIPAA BAA, PCI attestation), data handling (storage location, encryption at rest, encryption in transit, retention, deletion), incident history (24-month breach disclosure, breach-notification practice, cyber insurance carrier and limits), and contractual security terms (audit rights, subprocessor disclosure, data residency). Calibrated for SMB-to-mid-market onboarding any new SaaS provider — short enough that vendors will actually fill it in, deep enough to surface real risk before signature.

vendor-risk-questionnaire.html — 9 KB

04. Quick Reference Card

Single-page tri-fold designed to live on every employee's desk and ship in every new-hire welcome packet. Front: how to spot a phishing email in under five seconds — sender domain, urgency cues, mismatched links, requests for credentials, requests for gift cards or wires. Inside: company password rules, MFA reminders, AI-deepfake voice and video warning signs, and the single rule for reporting any suspicious message. Back: IT helpdesk number, security incident reporting channel, after-hours escalation path. Print on cardstock, laminate, distribute. Recall data: a printed reference is recalled at roughly 4x the rate of an emailed PDF.

quick-reference-card.html — 8 KB

When to Use It

Five High-Leverage Use Cases

New-Hire Onboarding

Drop the four templates into the day-one packet. The Quick Reference Card sets baseline expectations on day one; MFA enrollment is completed in week one; the Incident Report form lives in the wiki; the Vendor Risk Questionnaire flags any tools the new hire wants to bring with them.

Annual SAT Refresh

Re-issue the templates at the start of every fiscal year alongside the actual training course. Auditors and underwriters look for evidence of an annual touchpoint; this pack supplies the documentation proof that the touchpoint happened.

SOC 2 / HIPAA / CMMC Evidence Binder

Save completed Incident Reports, MFA enrollment confirmations, and Vendor Questionnaires into your evidence repository (SharePoint, Drive, ComplianceArmor, etc.). When the assessor walks the floor, you point at the binder.

Vendor Onboarding Gate

Make the Vendor Risk Questionnaire a required step before any new SaaS subscription is signed. Procurement teams that adopt this pattern catch about 1 in 5 prospective vendors with a meaningful security gap, before contract.

Post-Incident Lessons-Learned

After any reported event, walk the affected team through the Quick Reference Card and the MFA Checklist. Behavioral change post-incident is the single largest lift in awareness program effectiveness.

How To Deploy

Five Steps from Download to Documentation

Download and unzip

Enter your work email below. We send the ZIP within 60 seconds. Unzip locally; the four HTML files open in any browser for preview.

Brand and edit

Open each template in Word, Google Docs, or your CMS. Replace the placeholder logo and contact details with your own. The HTML uses inline styles so paste-into-anything works without extra CSS.

Distribute to staff

Email the Quick Reference Card and MFA Enrollment Checklist to all employees. Print the Quick Reference Card on cardstock; pin it next to every monitor.

Wire into operations

Add the Incident Report URL to your IT helpdesk page and the new-hire wiki. Make the Vendor Risk Questionnaire a required gate in your procurement workflow.

File for the auditor

Save completed instances (incident reports, vendor reviews, MFA confirmations) into a versioned evidence folder. When the SOC 2, HIPAA, or CMMC assessor arrives, you point to that folder. Done.

Get The Pack

Free Download — Email Below

Enter your work email. We send the ZIP within 60 seconds and add you to our monthly cybersecurity newsletter (one-click unsubscribe). No credit card. No upsell ambush.


By submitting, you agree to receive the resource pack and our monthly newsletter. We never sell your email. Unsubscribe in one click.

FAQ

Frequently Asked Questions

Twelve questions we hear most often about the SAT Resource Pack, the templates, the licensing, and how the pack fits into a complete program.

What is in the free Security Awareness Training Resource Pack?
Four ready-to-deploy templates: an Incident Report Template for capturing the who / what / when / how of every reported event, an MFA Enrollment Checklist that walks every employee through enabling multi-factor authentication on Microsoft 365, Google Workspace, Apple ID, the company password manager, banking, and social platforms, a 25-question Vendor Risk Questionnaire to send any new SaaS provider before they touch your data, and a single-page, laminate-friendly tri-fold Quick Reference Card. All templates are editable HTML, brand-able, and updated as the threat landscape evolves.

Is the resource pack really free?
Yes. The pack is free for any organization to download and use internally. There is no per-seat fee, no time-limited trial, and no obligation to purchase the paid 2026 Security Awareness Training course. We ship the pack as part of our public commitment to raise the security baseline for North Carolina businesses, regulated industries, and DoD supply-chain firms. The only thing we ask in return is your work email so we can email the download link and add you to our monthly cybersecurity newsletter — unsubscribe is one click.

Which compliance frameworks does this pack support?
The four templates collectively support documentation evidence required by 16 CFR Part 314.4 (GLBA Safeguards Rule), 45 CFR 164.308(a)(5) (HIPAA Security Rule administrative safeguards), CMMC 2.0 Level 2 AT.L2-3.2.1 and AT.L2-3.2.2, NIST SP 800-171 Rev 3 controls 03.02.01 / 03.02.02, PCI-DSS v4.0 Requirements 6.4 and 12.6, 23 NYCRR 500.14 (NYDFS Part 500), and SOC 2 Common Criteria CC1.4 / CC2.2 / CC7.3. Auditors and assessors will accept the templates as starting evidence; you will need to fill them in with your actual incident records, MFA enrollment logs, vendor reviews, and so on.

Do I need to be a Petronella client to use the pack?
No. The pack is freely usable by any organization, anywhere. Our paid 2026 Security Awareness Training course at $99 per seat per year layers on the actual employee training, the 90-minute audio-narrated curriculum, the certificate of completion, and the documentation that satisfies the annual training mandate. The pack is a great starter; the course closes the loop.

How does the Incident Report Template work?
It is structured as a one-page form with sections for date and time of detection, who detected and who reported, the nature of the event (phishing, suspected malware, lost device, unauthorized access, suspicious vendor email, social engineering attempt), the systems and data potentially affected, the immediate actions taken, the disposition (closed, escalated to IT, escalated to legal, escalated to law enforcement, breach-notification triggered), and a free-text narrative. Front-line staff can complete it in under three minutes, and IT or security leadership can triage from the form alone.

What does the MFA Enrollment Checklist cover?
Six high-leverage authentication targets for every employee: Microsoft 365 with the Authenticator app or hardware key, Google Workspace, Apple ID for any device that touches work data, the company password manager (1Password, Bitwarden, Keeper, etc.), business banking, and the personal social platforms most commonly used to gain a foothold. The checklist explains the order of operations, what to do if a step fails, and how to recover account access if a device is lost — the most common reason employees disable MFA after enrollment.

How is the Vendor Risk Questionnaire structured?
Twenty-five questions in five sections: company and contact information, security and compliance posture (SOC 2, ISO 27001, HIPAA BAA, PCI attestation), data handling (where data is stored, encryption at rest and in transit, retention, deletion), incident history (any breach in the last 24 months, breach-notification practice, cyber insurance), and contractual security terms (audit rights, subprocessor disclosure, data residency). The questionnaire is calibrated for a small or mid-sized business onboarding any new SaaS vendor — short enough that vendors will actually fill it in, deep enough to surface genuine risk.

What is the Quick Reference Card for?
A single-page tri-fold meant to live on every employee's desk or in the welcome packet for new hires. Front: how to spot a phishing email in five seconds. Inside: the company's password rules, MFA reminders, and the rule for reporting any suspicious message. Back: the IT helpdesk number, the security incident reporting channel, and the after-hours escalation path. Print it on cardstock and laminate it. Real-world data shows a printed reference is recalled at roughly four times the rate of an emailed PDF.

Can I rebrand the templates with our company name and logo?
Yes. The HTML files are editable in any text editor, Microsoft Word, Google Docs (paste-as-HTML), or your CMS. We grant a single-organization license for internal use, including on intranets, in onboarding materials, and as part of compliance binders. Reselling the templates as your own deliverable to clients is not permitted — talk to us about the white-label vCISO bundle if that is the use case.

How often is the pack updated?
At minimum twice a year (spring and fall) and within 30 days of any material change in the named regulatory frameworks (GLBA, HIPAA, CMMC, PCI, NYDFS, SOC 2). Subscribers to the download list automatically receive the new ZIP and a short changelog email. The current version is 2026.05, last updated 2026-05-08.

How does this pair with the paid 2026 Security Awareness Training course?
The pack gives you templates; the course gives every employee the briefing that makes them want to use the templates. The 2026 SAT course is six modules and twelve lessons, ninety minutes of audio-narrated content, ending with a 20-question final exam and a printable certificate of completion. It is mapped to the same six frameworks as the pack, satisfies the named annual training requirement, and currently runs $99 per seat per year with volume discounts at five seats.

What other free resource packs do you offer?
We currently publish three: this Security Awareness Training pack for every employee, the CPA Firm Cybersecurity Resource Pack for accounting and tax practices subject to IRS Publication 4557 and the FTC Safeguards Rule, and the FTC Compliance Resource Pack for any business operating under FTC jurisdiction. Each is themed around the regulatory environment of the audience. A fourth pack covering CMMC 2.0 Level 2 documentation is planned for Q3 2026.
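The five phishing cues the Quick Reference Card puts on its front panel (sender domain, urgency cues, mismatched links, requests for credentials, requests for gift cards or wires), described under "What's Inside" and again in the FAQ, are the same checks a mail gateway or a help-desk triage script can apply mechanically. The script below is an added example written for this page; it is not part of the Resource Pack and not Petronella's code. The company domain (example.com), the phrase lists, and the two sample messages are constructed assumptions; real deployments would tune the lists and feed parsed messages from the mail system.

```python
"""Heuristic phishing-cue scorer for the five Quick Reference Card cues.

Added example, not part of the Resource Pack. COMPANY_DOMAIN, COMPANY_NAME,
the phrase lists and the sample messages are constructed assumptions.
"""
import re
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"   # assumption: the organization's own mail domain
COMPANY_NAME = "example"         # assumption: the name staff expect in a display name

# Constructed phrase lists; a real filter would maintain these centrally.
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent",
                   "will be suspended", "final notice")
CREDENTIAL_PHRASES = ("verify your password", "confirm your password",
                      "enter your password", "re-enter your credentials")
PAYMENT_PHRASES = ("gift card", "wire transfer", "wire the funds")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def sender_domain(from_header):
    """Domain of the address in a From: header ('Name <user@host>' or bare)."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.strip().rsplit("@", 1)[-1].lower()


def display_name(from_header):
    """Display-name part of a From: header, lower-cased ('' if absent)."""
    return from_header.split("<", 1)[0].strip().strip('"').lower()


def is_our_domain(domain):
    """True for the company domain itself or any subdomain of it."""
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def host_of(text):
    """Hostname named by link text if it looks like a URL or domain, else ''."""
    text = text.strip()
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def score_email(from_header, subject, html_body):
    """Return the list of card cues that fire for one message, in card order."""
    cues = []
    dom = sender_domain(from_header)
    name = display_name(from_header)
    # 1. Sender domain: the name or a lookalike domain claims to be us, but the
    #    address is not actually on our domain.
    if not is_our_domain(dom) and (COMPANY_NAME in name or COMPANY_NAME in dom):
        cues.append("sender_domain")
    text = (subject + " " + TAG_RE.sub(" ", html_body)).lower()
    # 2. Urgency cues in subject or body.
    if any(p in text for p in URGENCY_PHRASES):
        cues.append("urgency")
    # 3. Mismatched links: visible text names one host, href goes elsewhere.
    for href, anchor in ANCHOR_RE.findall(html_body):
        shown = host_of(TAG_RE.sub("", anchor))
        real = (urlparse(href).hostname or "").lower()
        if shown and real and shown != real:
            cues.append("mismatched_link")
            break
    # 4. Requests for credentials.
    if any(p in text for p in CREDENTIAL_PHRASES):
        cues.append("credential_request")
    # 5. Requests for gift cards or wires.
    if any(p in text for p in PAYMENT_PHRASES):
        cues.append("payment_request")
    return cues


# Constructed sample messages (From header, Subject, HTML body).
SAMPLE_PHISH = (
    "Example IT Support <helpdesk@example-com-support.net>",
    "URGENT: your mailbox will be suspended",
    '<p>Your account will be suspended within 24 hours. Go to '
    '<a href="http://203.0.113.7/login">https://mail.example.com/reset</a> '
    'to verify your password.</p>',
)
SAMPLE_LEGIT = (
    "Example HR <hr@example.com>",
    "Open enrollment reminder",
    '<p>Open enrollment closes next month. Details are on the '
    '<a href="https://intranet.example.com/benefits">intranet.example.com/benefits</a> '
    'page.</p>',
)


def demo():
    """Score both constructed samples; returns {label: cues}."""
    return {"phish": score_email(*SAMPLE_PHISH), "legit": score_email(*SAMPLE_LEGIT)}


if __name__ == "__main__":
    for label, cues in demo().items():
        print(f"{label}: {len(cues)} cue(s) fired {cues}")
```

The scorer is deliberately a triage aid rather than a verdict: a message with no cues can still be malicious, and the card's single reporting rule (report anything suspicious) still applies. The mismatched-link check is the one users most often miss by eye, which is why the code compares the hostname in the visible anchor text against the hostname in the actual href rather than just looking for "odd" URLs.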
About The Author

Built by Practitioners, Not Curriculum Writers

Craig Petronella, CMMC-RP

Founder & CEO, Petronella Technology Group

Craig is a CMMC Registered Practitioner, an Amazon best-selling author of 12 cybersecurity books, host of the Cybersecurity and Compliance with Craig Petronella podcast, and a 23-year veteran of incident response, forensic investigation, and compliance program delivery. Blake Rea, Justin Summers, and Jonathan Wood of the PTG team are also CMMC Registered Practitioners. Petronella Technology Group is a North Carolina-based MSSP serving GLBA, HIPAA, CMMC, PCI, and NYDFS-regulated clients across the United States.

Get the Pack. Train the Team. Pass the Audit.

Free SAT Resource Pack now. Optional paid course when you are ready to layer on the actual annual training.

Petronella Technology Group, Inc. — 7000 Six Forks Road, Raleigh, NC 27615 — 919-348-4912 — support@petronellatech.com. The free Security Awareness Training Resource Pack is provided "as-is" for single-organization internal use. Templates are not legal advice. Consult counsel for jurisdiction-specific compliance interpretations. The 2026 Security Awareness Training course is sold separately at $99 per seat per year.