AT - Awareness and Training
- Controls Count: 5
- Controls IDs: AT-1, AT-2, AT-2 (2), AT-3, AT-4
Controls
AT-1: Policy and Procedures
a. Develop, document, and disseminate to organization-defined personnel or roles:
   1. Organization-level, mission/business process-level, and/or system-level awareness and training policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
b. Designate an organization-defined official to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
c. Review and update the current awareness and training:
   1. Policy at an organization-defined frequency and following organization-defined events; and
   2. Procedures at an organization-defined frequency and following organization-defined events.
Awareness and training policy and procedures address the controls in the AT family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of awareness and training policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to awareness and training policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
Determine if:
- an awareness and training policy is developed and documented;
- the awareness and training policy is disseminated to organization-defined personnel or roles;
- awareness and training procedures to facilitate the implementation of the awareness and training policy and associated access controls are developed and documented;
- the awareness and training procedures are disseminated to organization-defined personnel or roles;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy addresses purpose;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy addresses scope;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy addresses roles;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy addresses responsibilities;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy addresses management commitment;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy addresses coordination among organizational entities;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy addresses compliance;
- the organization-level, mission/business process-level, and/or system-level awareness and training policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;
- an organization-defined official is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;
- the current awareness and training policy is reviewed and updated at an organization-defined frequency;
- the current awareness and training policy is reviewed and updated following organization-defined events;
- the current awareness and training procedures are reviewed and updated at an organization-defined frequency;
- the current awareness and training procedures are reviewed and updated following organization-defined events.
Examine:
- System security plan
- Privacy plan
- Awareness and training policy and procedures
- Other relevant documents or records
Interview:
- Organizational personnel with awareness and training responsibilities
- Organizational personnel with information security and privacy responsibilities
AT-2: Literacy Training and Awareness
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
   1. As part of initial training for new users and at an organization-defined frequency thereafter; and
   2. When required by system changes or following organization-defined events;
b. Employ organization-defined techniques to increase the security and privacy awareness of system users;
c. Update literacy training and awareness content at an organization-defined frequency and following organization-defined events; and
d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.
Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Determine if:
- security literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
- privacy literacy training is provided to system users (including managers, senior executives, and contractors) as part of initial training for new users;
- security literacy training is provided to system users (including managers, senior executives, and contractors) at an organization-defined frequency after initial training;
- privacy literacy training is provided to system users (including managers, senior executives, and contractors) at an organization-defined frequency after initial training;
- security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following organization-defined events;
- privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following organization-defined events;
- organization-defined techniques are employed to increase the security and privacy awareness of system users;
- literacy training and awareness content is updated at an organization-defined frequency;
- literacy training and awareness content is updated following organization-defined events;
- lessons learned from internal or external security incidents or breaches are incorporated into literacy training and awareness techniques.
Examine:
- System security plan
- Privacy plan
- Literacy training and awareness policy
- Procedures addressing literacy training and awareness implementation
- Appropriate codes of federal regulations
- Security and privacy literacy training curriculum
- Security and privacy literacy training materials
- Training records
- Other relevant documents or records
Interview:
- Organizational personnel with responsibilities for literacy training and awareness
- Organizational personnel with information security and privacy responsibilities
- Organizational personnel comprising the general system user community
Test:
- Mechanisms managing information security and privacy literacy training
AT-2 (2): Insider Threat
Provide literacy training on recognizing and reporting potential indicators of insider threat.
Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or harassment of fellow employees; workplace violence; and other serious violations of policies, procedures, directives, regulations, rules, or practices. Literacy training includes how to communicate the concerns of employees and management regarding potential indicators of insider threat through channels established by the organization and in accordance with established policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role. For example, training for managers may be focused on changes in the behavior of team members, while training for employees may be focused on more general observations.
Determine if:
- literacy training on recognizing potential indicators of insider threat is provided;
- literacy training on reporting potential indicators of insider threat is provided.
Examine:
- System security plan
- Privacy plan
- Literacy training and awareness policy
- Procedures addressing literacy training and awareness implementation
- Literacy training and awareness curriculum
- Literacy training and awareness materials
- Other relevant documents or records
Interview:
- Organizational personnel who receive literacy training and awareness
- Organizational personnel with responsibilities for literacy training and awareness
- Organizational personnel with information security and privacy responsibilities
AT-3: Role-based Training
a. Provide role-based security and privacy training to personnel with organization-defined roles and responsibilities:
   1. Before authorizing access to the system, information, or performing assigned duties, and at an organization-defined frequency thereafter; and
   2. When required by system changes;
b. Update role-based training content at an organization-defined frequency and following organization-defined events; and
c. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy); system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information.
Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide services to federal agencies. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
Determine if:
- role-based security training is provided to organization-defined roles and responsibilities before authorizing access to the system, information, or performing assigned duties;
- role-based privacy training is provided to organization-defined roles and responsibilities before authorizing access to the system, information, or performing assigned duties;
- role-based security training is provided to organization-defined roles and responsibilities at an organization-defined frequency after initial training;
- role-based privacy training is provided to organization-defined roles and responsibilities at an organization-defined frequency after initial training;
- role-based security training is provided to personnel with assigned security roles and responsibilities when required by system changes;
- role-based privacy training is provided to personnel with assigned security roles and responsibilities when required by system changes;
- role-based training content is updated at an organization-defined frequency;
- role-based training content is updated following organization-defined events;
- lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
Examine:
- System security plan
- Privacy plan
- Security and privacy awareness and training policy
- Procedures addressing security and privacy training implementation
- Codes of federal regulations
- Security and privacy training curriculum
- Security and privacy training materials
- Training records
- Other relevant documents or records
Interview:
- Organizational personnel with responsibilities for role-based security and privacy training
- Organizational personnel with assigned system security and privacy roles and responsibilities
Test:
- Mechanisms managing role-based security and privacy training
AT-4: Training Records
a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
b. Retain individual training records for an organization-defined time period.
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.
Determine if:
- information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are documented;
- information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training, are monitored;
- individual training records are retained for an organization-defined time period.
Examine:
- Security and privacy awareness and training policy
- Procedures addressing security and privacy training records
- Security and privacy awareness and training records
- System security plan
- Privacy plan
- Other relevant documents or records
Interview:
- Organizational personnel with information security and privacy training record retention responsibilities
Test:
- Mechanisms supporting the management of security and privacy training records