Control ID Title / Statement Priority Baseline Impact
AT-1
Security Awareness and Training Policy and Procedures
The organization: a. Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}: 1. A security awareness and training policy that addresses purpose, scope, roles, responsibiliti...
Param ID Label Constraint / Choices
at-1_prm_1 organization-defined personnel or roles Organization-defined
at-1_prm_2 organization-defined frequency Organization-defined
at-1_prm_3 organization-defined frequency Organization-defined
AT-2
Security Awareness Training
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors): a. As part of initial training for new users; b...
Param ID Label Constraint / Choices
at-2_prm_1 organization-defined frequency Organization-defined
AT-2(1)
Practical Exercises
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
AT-2(2)
Insider Threat
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
AT-3
Role-based Security Training
The organization provides role-based security training to personnel with assigned security roles and responsibilities: a. Before authorizing access to the information system or performing assigne...
Param ID Label Constraint / Choices
at-3_prm_1 organization-defined frequency Organization-defined
AT-3(1)
Environmental Controls
The organization provides {{ insert: param, at-3.1_prm_1 }} with initial and {{ insert: param, at-3.1_prm_2 }} training in the employment and operation of environmental controls.
Param ID Label Constraint / Choices
at-3.1_prm_1 organization-defined personnel or roles Organization-defined
at-3.1_prm_2 organization-defined frequency Organization-defined
AT-3(2)
Physical Security Controls
The organization provides {{ insert: param, at-3.2_prm_1 }} with initial and {{ insert: param, at-3.2_prm_2 }} training in the employment and operation of physical security controls.
Param ID Label Constraint / Choices
at-3.2_prm_1 organization-defined personnel or roles Organization-defined
at-3.2_prm_2 organization-defined frequency Organization-defined
AT-3(3)
Practical Exercises
The organization includes practical exercises in security training that reinforce training objectives.
AT-3(4)
Suspicious Communications and Anomalous System Behavior
The organization provides training to its personnel on {{ insert: param, at-3.4_prm_1 }} to recognize suspicious communications and anomalous behavior in organizational information systems.
Param ID Label Constraint / Choices
at-3.4_prm_1 organization-defined indicators of malicious code Organization-defined
AT-4
Security Training Records
The organization: a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security trainin...
Param ID Label Constraint / Choices
at-4_prm_1 organization-defined time period Organization-defined
AT-5
Contacts with Security Groups and Associations
at-1a Develops, documents, and disseminates to {{ insert: param, at-1_prm_1 }}:
at-1a.1 A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organiza...
at-1a.2 Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
at-1b Reviews and updates the current:
at-1b.1 Security awareness and training policy {{ insert: param, at-1_prm_2 }}; and
at-1b.2 Security awareness and training procedures {{ insert: param, at-1_prm_3 }}.
at-2a As part of initial training for new users;
at-2b When required by information system changes; and
at-2c {{ insert: param, at-2_prm_1 }} thereafter.
at-3a Before authorizing access to the information system or performing assigned duties;
at-3b When required by information system changes; and
at-3c {{ insert: param, at-3_prm_1 }} thereafter.
at-4a Documents and monitors individual information system security training activities including basic security awareness training and specific informat...
at-4b Retains individual training records for {{ insert: param, at-4_prm_1 }}.