AT — Awareness and Training
Awareness and Training is the smallest-feeling family in NIST SP 800-53, and that is exactly why assessors lean on it. Six controls, light baseline footprint, no fancy enforcement mechanism. But AT is where an assessor checks whether the rest of your program is real or just well-formatted. The records here are a sampling target: a roster you can cross-reference against the account list, the onboarding feed, and the privileged-user inventory. If the names don’t line up, the finding isn’t really about training. It’s about whether anybody is minding the lifecycle at all.

AT is a catalog family, not a phase of the RMF. The RMF is the SP 800-37 process: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. AT controls get pulled in at Select when the baseline lands, they get implemented and documented at Implement (the program description in the SSP, the curriculum, the records system), and they get graded at Assess, where the assessor stops reading your policy and starts sampling your roster. Then it all has to keep running in Monitor, because training is a recurring obligation, not a one-time gate. A program that was real at ATO and dead eighteen months later is the normal failure mode, and continuous monitoring exists to catch it.
What’s in the family
Rev 5 spans AT-1 through AT-6, but AT-5 is gone. It was Contacts with Security Groups and Associations, and Rev 5 withdrew it and folded the requirement into PM-15 over in Program Management. If your SSP still cites AT-5 by number, that’s a Rev 4 artifact someone forgot to retire, and it’s the kind of small tell that makes an assessor read the rest of the document more skeptically.
The live controls:
- AT-1, Policy and Procedures. The org-level policy and the procedures under it. Every family has a -1; it's mandatory, and everything else in AT inherits its existence from here. Note the federal hook: awareness and role-based training aren't only an 800-53 obligation, they're mandated by 5 CFR 930.301 and FISMA, so AT-1 usually points at an agency-wide directive rather than a system-local memo.
- AT-2, Literacy Training and Awareness. This is the rename that matters. In Rev 4 it was “Security Awareness Training.” Rev 5 changed it to Literacy Training and Awareness specifically to fold in privacy literacy alongside security. If your AT-2 narrative never mentions privacy, you’re describing the Rev 4 control. AT-2 is the annual computer-based training everyone has sat through. The base control is the floor.
- AT-3, Role-Based Training. Training keyed to a person’s actual role and responsibilities, delivered before they get access and refreshed after. This is the control that earns AT its place in the baseline (more below).
- AT-4, Training Records. Document who took what, when, and retain it. Dull. Also the thing an assessor literally pulls and samples.
- AT-6, Training Feedback. Information from the training program flows back to improve the program. New in Rev 5 and easy to fake.
The enhancements that carry weight sit under AT-2 and AT-3. AT-2(1) Practical Exercises is the phishing simulation and the tabletop, and it sits in no baseline; you tailor it in. AT-2(2) Insider Threat and AT-2(3) Social Engineering and Mining are the two content-specific enhancements that do get allocated, and they don’t enter at the same level: (2) is in from Low while (3) waits for Moderate.
One catalog correction worth flagging, because the seed I was handed had it backwards: in Rev 5 the numbering is AT-2(2) = Insider Threat and AT-2(3) = Social Engineering and Mining. If you inherited a control selection that labels (1) as insider threat, it was built off a bad crosswalk. Use the Rev 5 numbers.
On AT-3, the role-based enhancements you’ll see referenced are AT-3(1) Environmental Controls, AT-3(2) Physical Security Controls, and AT-3(5) Processing Personally Identifiable Information, but none of them ride the Low/Moderate/High baselines. AT-3(1) and AT-3(2) sit in no 800-53B baseline at all; you get them only through tailoring or an overlay (a data-center or facilities-heavy system is the usual reason to pull them in). AT-3(5) is allocated to the privacy baseline only, not to the security baselines, which is why it ties straight back to the privacy-literacy reason AT-2 got renamed. If a control selection shows any of these three at a security impact level, something added them on purpose; the bare 800-53B set does not.
Baselines and where the controls come from
The baselines don’t live in 800-53 anymore. Rev 4 kept Low/Moderate/High allocations in Appendix D of the catalog; Rev 5 split them into SP 800-53B, which is the document you tailor against. FIPS 199 sets categorization, FIPS 200 sets the floor, and 800-53B turns your impact level into a starting set. National-security systems use CNSSI 1253 instead, and FedRAMP and DoD layer overlays on top.
For AT, the family is light at the bottom. The base controls (AT-1, AT-2, AT-3, AT-4) are present from Low, which is unusual and tells you something: NIST treats baseline literacy and role-based training as non-negotiable even on a Low system. AT-2(2) insider threat surprises people: it’s allocated from Low and carries straight through High, so even a Low system owes its users insider-threat awareness. AT-2(3) social engineering is the one that waits, arriving at Moderate and continuing to High. AT-6 training feedback sits in no baseline at all; 800-53B leaves it to tailoring or an overlay, so it shows up only when something pulls it in. So a Low system with generic annual CBT, the insider-threat module, and basic role-based training can be fully compliant, while a Moderate system that skipped the social-engineering content has a gap that 800-53B put there on purpose.
Deeper: why AT-3 is where the family earns its keep
Generic annual CBT (AT-2) is awareness theater past a certain point. It exists, it’s mandated, you have to do it, and a determined attacker is not stopped by the fact that Karen in accounts payable clicked through a fifteen-minute module last March. The control that does real risk reduction is AT-3, role-based training, because it targets the people whose mistakes are expensive: the privileged admins, the developers, the people who process PII. A domain admin who never received training specific to privileged operations is a concrete, demonstrable exposure in a way that a missing annual-awareness completion is not. This is the contestable part, and I’ll own it: if I had to cut a corner anywhere in AT, I’d over-invest in AT-3 for the privileged population and treat the universal AT-2 module as a compliance floor I meet cheaply, not a control I pour design effort into. AT-3 done honestly means a different curriculum for the database admins than for the help desk. AT-3 done as theater means every privileged user took the same generic course and the SSP calls it role-based because the LMS has a field labeled “role.”
| Control | Typical first live at | What an assessor actually checks |
|---|---|---|
| AT-1 | Low | Policy exists, is current, names the federal driver, and the procedures match what the program actually does. |
| AT-2 | Low | Pull completion records, sample names, confirm the content covers privacy literacy, not just security. |
| AT-2(2) | Low | Insider-threat content is present and ties to the PM-12 program, not a single throwaway slide. |
| AT-3 | Low | Role-based curriculum is keyed to real roles; privileged users took privileged-user training, not the generic deck. |
| AT-4 | Low | The roster. Cross-checked against AC-2 active accounts and the onboarding feed for gaps. |
| AT-6 | Not in baseline | Feedback produced a documented change to the program, not just a survey nobody read. |
Treat “first live at” as directional. Your overlay moves things, and FedRAMP or a CNSSI 1253 selection can pull enhancements in earlier than the bare 800-53B set.
What an assessor actually does with this
The record sample is the whole game. An assessor pulls the AT-4 roster and cross-references it three ways. Against AC-2, the active-account list: anyone with a live account and no completed AT-2 is a finding, and a new hire who got provisioned before finishing onboarding training is the classic version of it. Against the PS onboarding and offboarding feed: a person who’s been terminated (PS-4) should not have an open, current training record sitting next to a live account, because that pairing means two lifecycles both failed to close. And against the privileged-user inventory from AC-6: a privileged account with no AT-3 role-based completion is the finding assessors go looking for first, because it’s where the risk actually concentrates.
That last cross-check is the one that ties AT to the controls that matter. AT-2(2) insider threat doesn’t stand alone; it’s the awareness arm of the PM-12 insider-threat program, and the monitoring side lives in AU and AC-6(9) privileged-function logging. AT-3 role-based training is the human-side companion to AC-6 least privilege and PS-2 position-risk designation. The position-risk designation is supposed to drive what role-based training someone needs, and when that linkage is missing you get the on-paper version of AT-3 where the curriculum was never actually mapped to roles.
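The three-way roster cross-check above, written out as an added example (not from NIST or any assessment tool) over constructed records; the 365-day refresh cadence, the assessment date, and the "AT-3:<role>" tagging of role-based courses are assumptions for the example, and it also covers the contractor-provisioned-before-training case described later.

```python
"""Constructed example of the three-way AT-4 roster cross-check: the AT-4 roster
against the AC-2 account list, the PS-4 termination feed, and the AC-6
privileged-user inventory. Every record below is made up."""
from datetime import date, timedelta

ANNUAL = timedelta(days=365)  # assumed AT-2 refresh cadence for this system
TODAY = date(2024, 6, 1)      # assumed assessment date

# AT-4 roster: (user, course, completion date). "AT-3:<role>" tags the role the
# role-based course was actually built for; "AT-3:generic" is the generic deck.
roster = [
    ("alice", "AT-2", date(2023, 1, 5)), ("alice", "AT-2", date(2024, 3, 1)),
    ("alice", "AT-3:dba", date(2024, 3, 2)),
    ("bob", "AT-2", date(2022, 6, 1)),            # never refreshed
    ("carol", "AT-2", date(2024, 5, 10)),         # after her account went live
    ("dave", "AT-2", date(2024, 1, 15)), ("dave", "AT-3:generic", date(2024, 1, 16)),
    ("erin", "AT-2", date(2024, 2, 1)),
]
accounts = {  # AC-2 active accounts: user -> provisioning date
    "alice": date(2023, 1, 9), "bob": date(2022, 6, 1), "carol": date(2024, 5, 1),
    "dave": date(2024, 1, 16), "erin": date(2024, 2, 2), "frank": date(2024, 4, 20),
}
terminated = {"erin": date(2024, 3, 30)}      # PS-4 termination feed
privileged = {"alice": "dba", "dave": "dba"}  # AC-6 inventory: user -> role

def cross_check(roster, accounts, terminated, privileged, today):
    """Return (user, control, finding) tuples the record sample would produce."""
    first, latest = {}, {}  # (user, course) -> earliest / most recent completion
    for user, course, done in roster:
        key = (user, course)
        first[key] = min(first.get(key, done), done)
        latest[key] = max(latest.get(key, done), done)
    findings = []
    for user, provisioned in accounts.items():
        key = (user, "AT-2")
        if key not in latest:
            findings.append((user, "AT-2", "live account, no literacy training on record"))
        else:
            if today - latest[key] > ANNUAL:
                findings.append((user, "AT-2", "literacy training older than annual cadence"))
            if first[key] > provisioned:  # access request beat the training assignment
                findings.append((user, "AT-2", "provisioned before onboarding training completed"))
        if user in terminated:  # two lifecycles (PS-4 and AC-2) both failed to close
            findings.append((user, "PS-4", "terminated user still holds an active account"))
        role = privileged.get(user)
        if role and (user, f"AT-3:{role}") not in latest:  # generic deck doesn't count
            findings.append((user, "AT-3", f"privileged role '{role}' without role-specific training"))
    return findings
```

Run against these records it flags bob, carol, dave, erin and frank and clears alice, the only user whose AT-2, AT-3 and account records all line up.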
Where it goes brittle
Completion rate is the metric everyone reports for AT-4, and it’s close to worthless as evidence of literacy. “98% of staff completed annual awareness training” tells you the LMS recorded 98% of seats clicking the final button. It tells you nothing about whether anyone retained anything. The more honest signal is phishing-simulation click-rate from AT-2(1), because it measures behavior under a realistic lure instead of attendance, but it’s also the more contested number: run it badly and you’ve trained people to report every internal email to the help desk, or worse, taught them that the security team is the source of the traps. There’s no clean metric here. Anyone who hands you a single percentage as proof the program works is selling attendance as comprehension.
The other brittle spots are mundane and recurring. Contractors who got an account before completing AT-2 because the access request moved faster than the training assignment. Role-based training that exists as a course catalog entry but every privileged admin took the same generic security course, so AT-3 is satisfied on paper and meaningless in practice. And AT-6 feedback loops that generate a survey and a quarterly report nobody acts on. AT-6 is the easiest control in the family to fake and the easiest to test honestly: ask what changed in the curriculum last cycle as a result of feedback. If the answer is nothing, the loop isn’t a loop. It’s a form.
Artifacts
AT lands in the usual three places. The SSP carries the program description: how literacy and role-based training are actually delivered on this system’s population, who owns the records, what the cadence is. The SAR is the assessor’s verdict after sampling the roster. The POA&M holds whatever the sample turned up, usually a list of accounts without current training or a role-based curriculum that doesn’t map to roles. The fastest way to fail AT is an SSP that restates the catalog text back at the assessor, because they’ve read the catalog and they want the roster.
If your AT narrative could be pasted into any other system’s SSP without changing a name, a role, or a cadence, it’s too generic to pass, and the assessor will go straight to the records to confirm what the prose was hiding.
Sources
- SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (NIST)
- SP 800-53B, Control Baselines for Information Systems and Organizations (NIST)
- SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations (NIST)
- SP 800-50 Rev. 1, Building a Cybersecurity and Privacy Learning Program (NIST)
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (NIST)
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (NIST)
- 5 CFR 930.301, Information Systems Security Awareness Training Program (eCFR)
Adjacent material on this site
- PM, Program Management (where AT-5 was incorporated, and where the PM-12 insider-threat program lives)
- PS, Personnel Security (position-risk designation and the onboarding/offboarding feeds AT-4 is checked against)
- AC, Access Control (AC-2 accounts and AC-6 least privilege, the records AT-4 cross-references)
- AU, Audit and Accountability (the monitoring arm of the insider-threat tie)
- RMF control families overview
- RMF roadmap