Control ID Title / Statement Priority Baseline Impact
AT-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}: 1. {{ insert: param, at-01_odp.03 }} awareness and training policy that: (a) Addresses purpose, scope, roles, r...
Param ID Label Constraint / Choices
at-1_prm_1 organization-defined personnel or roles Organization-defined
at-01_odp.01 personnel or roles personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;
at-01_odp.02 personnel or roles personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;
at-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
at-01_odp.04 official an official to manage the awareness and training policy and procedures is defined;
at-01_odp.05 frequency the frequency at which the current awareness and training policy is reviewed and updated is defined;
at-01_odp.06 events events that would require the current awareness and training policy to be reviewed and updated are defined;
at-01_odp.07 frequency the frequency at which the current awareness and training procedures are reviewed and updated is defined;
at-01_odp.08 events events that would require procedures to be reviewed and updated are defined;
AT-02
Literacy Training and Awareness 9 params
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): 1. As part of initial training for new users and {{ insert: param, ...
Param ID Label Constraint / Choices
at-2_prm_1 organization-defined frequency Organization-defined
at-2_prm_2 organization-defined events Organization-defined
at-02_odp.01 frequency the frequency at which to provide security literacy training to system users (including managers, senior executives, ...
at-02_odp.02 frequency the frequency at which to provide privacy literacy training to system users (including managers, senior executives, a...
at-02_odp.03 events events that require security literacy training for system users are defined;
at-02_odp.04 events events that require privacy literacy training for system users are defined;
at-02_odp.05 awareness techniques techniques to be employed to increase the security and privacy awareness of system users are defined;
at-02_odp.06 frequency the frequency at which to update literacy training and awareness content is defined;
at-02_odp.07 events events that would require literacy training and awareness content to be updated are defined;
AT-02(01)
Practical Exercises
Provide practical exercises in literacy training that simulate events and incidents.
AT-02(02)
Insider Threat
Provide literacy training on recognizing and reporting potential indicators of insider threat.
AT-02(03)
Social Engineering and Mining
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
AT-02(04)
Suspicious Communications and Anomalous System Behavior 1 param
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using {{ insert: param, at-02.04_odp }}.
Param ID Label Constraint / Choices
at-02.04_odp indicators of malicious code indicators of malicious code are defined;
AT-02(05)
Advanced Persistent Threat
Provide literacy training on the advanced persistent threat.
AT-02(06)
Cyber Threat Environment
(a) Provide literacy training on the cyber threat environment; and (b) Reflect current cyber threat information in system operations.
AT-03
Role-based Training 6 params
a. Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}: 1. Before authorizing access to the system, in...
Param ID Label Constraint / Choices
at-3_prm_1 organization-defined roles and responsibilities Organization-defined
at-03_odp.01 roles and responsibilities roles and responsibilities for role-based security training are defined;
at-03_odp.02 roles and responsibilities roles and responsibilities for role-based privacy training are defined;
at-03_odp.03 frequency the frequency at which to provide role-based security and privacy training to assigned personnel after initial traini...
at-03_odp.04 frequency the frequency at which to update role-based training content is defined;
at-03_odp.05 events events that require role-based training content to be updated are defined;
AT-03(01)
Environmental Controls 2 params
Provide {{ insert: param, at-03.01_odp.01 }} with initial and {{ insert: param, at-03.01_odp.02 }} training in the employment and operation of environmental controls.
Param ID Label Constraint / Choices
at-03.01_odp.01 personnel or roles personnel or roles to be provided with initial and refresher training in the employment and operation of environmenta...
at-03.01_odp.02 frequency the frequency at which to provide refresher training in the employment and operation of environmental controls is def...
AT-03(02)
Physical Security Controls 2 params
Provide {{ insert: param, at-03.02_odp.01 }} with initial and {{ insert: param, at-03.02_odp.02 }} training in the employment and operation of physical security controls.
Param ID Label Constraint / Choices
at-03.02_odp.01 personnel or roles personnel or roles to be provided with initial and refresher training in the employment and operation of physical sec...
at-03.02_odp.02 frequency the frequency at which to provide refresher training in the employment and operation of physical security controls is...
AT-03(03)
Practical Exercises
Provide practical exercises in security and privacy training that reinforce training objectives.
AT-03(04)
Suspicious Communications and Anomalous System Behavior
AT-03(05)
Processing Personally Identifiable Information 2 params
Provide {{ insert: param, at-03.05_odp.01 }} with initial and {{ insert: param, at-03.05_odp.02 }} training in the employment and operation of personally identifiable information processing and tra...
Param ID Label Constraint / Choices
at-03.05_odp.01 personnel or roles personnel or roles to be provided with initial and refresher training in the employment and operation of personally i...
at-03.05_odp.02 frequency the frequency at which to provide refresher training in the employment and operation of personally identifiable infor...
AT-04
Training Records 1 param
a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and b. Ret...
Param ID Label Constraint / Choices
at-04_odp time period time period for retaining individual training records is defined;
AT-05
Contacts with Security Groups and Associations
AT-06
Training Feedback 2 params
Provide feedback on organizational training results to the following personnel {{ insert: param, at-06_odp.01 }}: {{ insert: param, at-06_odp.02 }}.
Param ID Label Constraint / Choices
at-06_odp.01 frequency frequency at which to provide feedback on organizational training results is defined;
at-06_odp.02 personnel personnel to whom feedback on organizational training results will be provided is/are assigned;
at-1a Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:
at-1a.1 {{ insert: param, at-01_odp.03 }} awareness and training policy that:
at-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
at-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
at-1a.2 Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
at-1b Designate an {{ insert: param, at-01_odp.04 }} to manage the development, documentation, and dissemination of the awareness and training policy and...
at-1c Review and update the current awareness and training:
at-1c.1 Policy {{ insert: param, at-01_odp.05 }} and following {{ insert: param, at-01_odp.06 }}; and
at-1c.2 Procedures {{ insert: param, at-01_odp.07 }} and following {{ insert: param, at-01_odp.08 }}.
at-2.6.(a) Provide literacy training on the cyber threat environment; and
at-2.6.(b) Reflect current cyber threat information in system operations.
at-2a Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
at-2a.1 As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and
at-2a.2 When required by system changes or following {{ insert: param, at-2_prm_2 }};
at-2b Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};
at-2c Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }}; and
at-2d Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
at-3a Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:
at-3a.1 Before authorizing access to the system, information, or performing assigned duties, and {{ insert: param, at-03_odp.03 }} thereafter; and
at-3a.2 When required by system changes;
at-3b Update role-based training content {{ insert: param, at-03_odp.04 }} and following {{ insert: param, at-03_odp.05 }}; and
at-3c Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
at-4a Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-base...
at-4b Retain individual training records for {{ insert: param, at-04_odp }}.