Awareness and training

AT-1 Security Awareness And Training Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
  2. Reviews and updates the current:
    1. Security awareness and training policy [Assignment: organization-defined frequency]; and
    2. Security awareness and training procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

AT-2 Security Awareness Training

Description

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

  1. As part of initial training for new users;
  2. When required by information system changes; and
  3. [Assignment: organization-defined frequency] thereafter.

Control Information

Responsible role(s) - Organization

AT-2 (1) Practical Exercises

Description

The organization includes practical exercises in security awareness training that simulate actual cyber attacks.

Control Information

Responsible role(s) - Organization

AT-2 (2) Insider Threat

Description

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

Control Information

Responsible role(s) - Organization

AT-3 Role-Based Security Training

Description

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

  1. Before authorizing access to the information system or performing assigned duties;
  2. When required by information system changes; and
  3. [Assignment: organization-defined frequency] thereafter.

Control Information

Responsible role(s) - Organization

AT-3 (1) Environmental Controls

Description

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.

Control Information

Responsible role(s) - Organization

AT-3 (2) Physical Security Controls

Description

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

Control Information

Responsible role(s) - Organization

AT-3 (3) Practical Exercises

Description

The organization includes practical exercises in security training that reinforce training objectives.

Control Information

Responsible role(s) - Organization

AT-3 (4) Suspicious Communications And Anomalous System Behavior

Description

The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.

Control Information

Responsible role(s) - Organization

AT-4 Security Training Records

Description

The organization:

  1. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
  2. Retains individual training records for [Assignment: organization-defined time period].

Control Information

Responsible role(s) - Organization