Template:Cybersecurity/Awareness and training

AT-1 Security awareness and training policy and procedures

This control recommends the organization develop, document, disseminate, review, and update security training policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of security training but also to address how it will be implemented, reviewed, and updated.

Additional resources:

NIST Special Publications 800-12, Rev. 1, pages 59–60
NIST Special Publications 800-50
NIST Special Publications 800-100, pages 26–34
LIMSpec 7.1, 7.2

AT-2 Security awareness training

This control recommends the organization provide the necessary basic security awareness training as part of initial training, as well as follow-up training, when the system changes, or at a specific mandated frequency. This broadly applies to all information system users and includes the use of training material, informational posters, security reminders and notices, system messages, and awareness events towards meeting the requirements of this control.

Additional resources:

AT-3 Role-based security training

This control recommends the organization provide the necessary role-specific security training to personnel with specific assigned security roles and responsibilities. The training should occur before authorization to access the system is provided, as well as when the system changes or at a specific mandated frequency. This includes the use of training material, policy and procedure documents, role-based security tools, manuals, and other materials towards meeting the requirements of this control.

Additional resources:

AT-4 Security training records

This control recommends the organization document and monitor basic and role-specific security training activities and retain that information for a designated period of time. Note that record retention requirements may vary based on regulations and standards that affect the organization and its operations.

Additional resources: