Policy and Procedures
To meet the FedRAMP Moderate “Policy and Procedures” requirement (NIST SP 800-53 Rev. 5 AT-1), you must publish an awareness and training policy plus supporting procedures, get formal approval, and actively distribute them to the people who must follow them. Your documents must explicitly cover purpose, scope, roles, responsibilities, management commitment, coordination, and compliance. 1
Key takeaways:
- Auditors test AT-1 by looking for approved documents plus proof they were disseminated and used, not just drafted. 1
- Your policy states “what and why”; your procedures define “who does what, when, and how,” including coordination across HR, Security, and system owners. 1
- Retain artifacts that link the policy to operations: version history, approvals, training assignments, and exception handling records. 1
AT-1 is a “program control” that assessors use to judge whether your security awareness and training program is governed, repeatable, and enforceable inside the FedRAMP authorization boundary. The requirement is simple on paper: create, document, and disseminate an awareness and training policy and procedures that cover specific governance elements. 1 In practice, most findings happen because teams treat AT-1 as a one-time paperwork task, or they write a policy that never translates into operational steps.
For a CCO, GRC lead, or security compliance owner, operationalizing AT-1 means: (1) deciding who owns the program, (2) defining training audiences and triggers (hire, role change, annual cadence, privileged access), (3) coordinating with HR/IT so assignments and completion evidence are reliable, and (4) keeping a clean audit trail that proves the program runs the way the documents say it runs. If you can show those four things consistently, AT-1 stops being a scramble during 3PAO testing and becomes a stable part of continuous monitoring. 1
Reference sources you can align to: NIST SP 800-53 Rev. 5 for control intent and required elements, plus FedRAMP templates for how to present the program in your authorization package. 1 2
Regulatory text
Requirement (AT-1): “Develop, document, and disseminate an awareness and training policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination, and compliance.” 1
Operator interpretation (what you must do):
- Develop: Write an awareness and training policy and supporting procedures (not just a slide deck or LMS configuration). 1
- Document: Keep them in a controlled format with ownership, approval, versioning, and a review/update mechanism. 1
- Disseminate: Prove the right populations received the policy/procedures (or have ready access) and that the procedures are actually followed in day-to-day work. 1
- Cover required topics: Your documents must explicitly address:
  - Purpose (why the program exists)
  - Scope (who/what systems are in scope, including the FedRAMP boundary)
  - Roles & responsibilities (owners, HR, managers, system owners, learners)
  - Management commitment (approval, resourcing, enforcement expectations)
  - Coordination (how Security/GRC, HR, IT, and business leaders work together)
  - Compliance (how you measure adherence and handle exceptions) 1
Who it applies to
Entity scope
- Cloud Service Providers (CSPs) pursuing or maintaining a FedRAMP authorization for a cloud service offering. 1
- Federal Agencies operating or sponsoring systems authorized under FedRAMP, when they have responsibilities for implementing or maintaining the baseline. 1
Operational context
- Applies to personnel with access to systems, data, or administrative functions inside the FedRAMP authorization boundary, including employees and relevant third parties (contractors, managed service providers) who perform in-scope work. Map applicability based on actual access paths, not org charts. 1
Plain-English requirement interpretation
AT-1 requires that your awareness and training program is governed like a control system: someone owns it, leadership endorses it, it is coordinated across functions, and you can prove compliance. The “policy” is the enforceable statement of intent and expectations. The “procedures” are the operational playbooks: how you assign training, track completion, handle late completions, manage role-based requirements, and maintain records for audits and continuous monitoring. 1
What you actually need to do (step-by-step)
Step 1: Define ownership and governance
- Assign a policy owner (often Security/GRC) and procedure owners (often Security Awareness lead plus HR/L&D and IT identity owners for workflow steps).
- Establish a review/approval workflow (CCO/CISO sign-off, with Legal/HR review if needed).
- Document decision rights: who can approve exceptions, who can change training requirements, and who can attest during audits. 1
Deliverable: Awareness & Training Policy (AT Policy) with named owner and approver(s). 1
Step 2: Write the Awareness & Training Policy (policy-level content)
Your policy should be short enough to be read and enforced. Include:
- Purpose: expected behaviors and security outcomes.
- Scope: in-scope personnel and systems; explicitly reference the FedRAMP boundary population.
- Roles/responsibilities: learners, managers, HR/L&D, Security/GRC, system owners.
- Management commitment: explicit statement that completion is required, enforced, and resourced.
- Coordination: the cross-functional handoffs (HR triggers onboarding; IAM provides access rosters; Security sets content requirements).
- Compliance: how compliance is monitored, what happens for overdue training, how exceptions are granted and recorded. 1
Practical tip: Put “compliance” in operational terms (e.g., how you track completion and escalate). Auditors rarely accept “employees must comply” without a mechanism that proves it.
Step 3: Write the Procedures (procedure-level playbooks)
Procedures should be testable. Build them around events:
- Onboarding: how new hires and third parties are identified, assigned training, and tracked.
- Role change: how privileged/admin users get additional training requirements.
- Recurring awareness: how you schedule periodic training, reminders, and consequences for non-completion.
- Content management: who updates content, how often, and how you validate it remains relevant to your environment.
- Recordkeeping: where completion evidence lives, retention expectations, and who can export it for auditors.
- Exception process: criteria, approvals, compensating actions, and expiry. 1
Make coordination explicit: Name the systems that drive truth (HRIS for employment status; IAM for access rosters; LMS for completion). Then document the reconciliation step that prevents “phantom compliance” (people with access but not assigned training). 1
Step 4: Disseminate (and prove dissemination)
Dissemination means more than “posted on the intranet.”
- Publish policy/procedures in a controlled repository accessible to in-scope staff.
- Communicate release and updates via formal channels (email, ticket announcement, LMS announcement).
- Ensure managers know their responsibilities (tracking, escalation).
- Require acknowledgments if that’s your chosen mechanism, and retain evidence of acknowledgments. 1
Minimum proof standard: You should be able to show an auditor where the policy lives, who received it, and how updates are communicated. 1
Step 5: Operationalize compliance monitoring
Set up routine checks tied to the “compliance” element:
- Generate completion reports for in-scope populations.
- Track overdue training and document escalations.
- Sample-check that privileged users received role-based training.
- Periodically validate the population list against access rosters. 1
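The reconciliation step from Step 3 and the population validation in Step 5 above, as an added worked example (this is not code from the page or from any vendor product): a Python script that joins constructed HRIS, IAM and LMS exports to find people with boundary access but no training assignment (the "phantom compliance" case), privileged users missing role-based training, overdue assignments, and boundary access still held by non-active HR records. The group names, course names, user records and the mapping of groups to required courses are all assumptions chosen for illustration.

```python
from datetime import date

# --- Constructed sample data (hypothetical; not exported from any real system) ---

# HRIS roster: the source of truth for employment status and worker type.
HR_ROSTER = {
    "alice": {"status": "active", "worker_type": "employee"},
    "bob":   {"status": "active", "worker_type": "contractor"},
    "carol": {"status": "active", "worker_type": "employee"},
    "dave":  {"status": "terminated", "worker_type": "employee"},
    "erin":  {"status": "active", "worker_type": "employee"},
}

# IAM group membership: the source of truth for who actually has access.
IAM_GROUPS = {
    "alice": {"fedramp-prod-users"},
    "bob":   {"fedramp-prod-users"},
    "carol": {"fedramp-prod-users", "fedramp-prod-admins"},
    "dave":  {"fedramp-prod-users"},
    "erin":  {"corp-wiki-editors"},
}

# LMS export: (user, course, status, due date). Note that bob has no record at all.
LMS_RECORDS = [
    ("alice", "annual-awareness", "completed", date(2024, 3, 1)),
    ("carol", "annual-awareness", "completed", date(2024, 3, 1)),
    ("carol", "privileged-user",  "assigned",  date(2024, 1, 15)),
    ("erin",  "annual-awareness", "completed", date(2024, 3, 1)),
]

# Assumed mapping of IAM groups and courses to the policy's requirements.
BOUNDARY_GROUPS = {"fedramp-prod-users", "fedramp-prod-admins"}  # grant in-boundary access
PRIVILEGED_GROUPS = {"fedramp-prod-admins"}                       # trigger role-based training
REQUIRED_FOR_ALL = {"annual-awareness"}
REQUIRED_FOR_PRIVILEGED = {"privileged-user"}


def in_scope_population(hr, iam):
    """People who hold in-boundary access (per IAM) and are active (per HR).
    This is the population the procedures must assign and track, derived from
    access paths rather than from an org chart."""
    return {
        user for user, groups in iam.items()
        if groups & BOUNDARY_GROUPS and hr.get(user, {}).get("status") == "active"
    }


def reconcile(hr, iam, lms, as_of):
    """Compare IAM access against HR status and LMS assignments as of an ISO date.
    Returns finding buckets; each entry is evidence for an escalation or a fix."""
    as_of = date.fromisoformat(as_of)
    lms_by_user = {}
    for user, course, status, due in lms:
        lms_by_user.setdefault(user, {})[course] = (status, due)

    findings = {
        "no_assignment": [],             # access, but the LMS never assigned the baseline course
        "missing_role_training": [],     # privileged access, but no role-based course assigned
        "overdue": [],                   # assigned, past due, not completed
        "access_without_active_hr": [],  # boundary access held by a non-active HR record
    }
    for user, groups in iam.items():
        if not groups & BOUNDARY_GROUPS:
            continue  # no in-boundary access: out of scope for the training population
        if hr.get(user, {}).get("status") != "active":
            findings["access_without_active_hr"].append(user)
            continue  # population hygiene issue: route to IAM, not to the LMS
        required = set(REQUIRED_FOR_ALL)
        if groups & PRIVILEGED_GROUPS:
            required |= REQUIRED_FOR_PRIVILEGED
        records = lms_by_user.get(user, {})
        for course in sorted(required):
            if course not in records:
                bucket = "missing_role_training" if course in REQUIRED_FOR_PRIVILEGED else "no_assignment"
                findings[bucket].append((user, course))
            else:
                status, due = records[course]
                if status != "completed" and due < as_of:
                    findings["overdue"].append((user, course))
    return findings


if __name__ == "__main__":
    print("in-scope population:", sorted(in_scope_population(HR_ROSTER, IAM_GROUPS)))
    for bucket, items in reconcile(HR_ROSTER, IAM_GROUPS, LMS_RECORDS, "2024-06-01").items():
        print(f"{bucket}: {items}")
```

Run against real exports, the script's output is the artifact to retain for each compliance cycle: the in-scope population list, the findings per bucket, and the tickets or escalations opened for them. Keying everything on IAM membership rather than on the LMS roster is what closes the "phantom compliance" gap, because someone the LMS has never heard of cannot be reported as compliant.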
Where Daydream fits naturally: If you struggle to keep population scoping, evidence exports, and version history consistent across teams, Daydream can centralize the control narrative (policy + procedures) and attach operating evidence to the control so you can answer assessor requests without rebuilding context each time. Use it as your system of record for approvals, versions, and artifacts rather than scattering proof across email, shared drives, and LMS screenshots.
Required evidence and artifacts to retain
Maintain artifacts that prove design (documents exist and are approved) and operation (people received them and the process runs).
Policy/procedure governance
- Current policy and procedures with version number/date
- Approval record (electronic signature, ticket approval, or meeting minutes)
- Review history and change log
- Document owner assignment (RACI or named roles) 1
Dissemination
- Distribution email or announcement records
- Links or screenshots showing where documents are published (with access controls)
- Acknowledgment logs (if used) 1
Operational execution
- Training assignment rules (role mappings; onboarding triggers)
- LMS exports showing completion status for in-scope populations
- Evidence of escalations/remediation for overdue learners
- Exception register (requests, approvals, expiration, compensating actions) 1
FedRAMP packaging support
- References to FedRAMP document templates to align your SSP/control description format and evidence expectations. 2
Common exam/audit questions and hangups
Expect assessors and auditors to ask:
- “Show me the approved AT policy and procedures and who approved them.” 1
- “How do you define the in-scope population for training inside the authorization boundary?”
- “How do you ensure third parties with access complete training?”
- “How do you handle privileged/admin role-based training requirements?”
- “Prove dissemination: how do you ensure people can access the policy and know it applies to them?”
- “Show evidence the procedure is followed, not just written.” 1
Hangup that triggers findings: A beautiful policy with no operational traceability. If you cannot connect policy requirements to training assignments, completion evidence, and exception handling, AT-1 often turns into a “not implemented effectively” story during testing.
Frequent implementation mistakes (and how to avoid them)
- Policy-only implementation: No procedures, or procedures are too vague to test.
  Avoid it: Write event-based procedures (onboarding, role change, periodic, exceptions). 1
- No management commitment evidence: Policy says “management supports,” but approval is missing.
  Avoid it: Capture formal approval and show leadership review cadence. 1
- Broken coordination across HR/IAM/LMS: Training population doesn’t match real access.
  Avoid it: Add a reconciliation procedure between HR roster, IAM groups, and LMS assignments. 1
- Dissemination as a dead link: Policy stored somewhere nobody can access, or contractors can’t reach it.
  Avoid it: Define dissemination channels per audience (employees vs third parties) and retain proof. 1
- Evidence as screenshots: Manual screenshots become inconsistent and hard to defend.
  Avoid it: Prefer exportable system reports, immutable approval records, and a controlled evidence library.
Enforcement context and risk implications
No specific public enforcement cases were provided for this requirement in the supplied sources. Practically, AT-1 failures create authorization and continuous monitoring risk: inconsistent training execution increases the chance of control gaps elsewhere (phishing resilience, incident reporting, privileged user behavior), and assessors can treat weak governance as a program maturity issue that drives follow-up testing and remediation commitments. 1
Practical 30/60/90-day execution plan
First 30 days (stabilize governance and draft artifacts)
- Name policy/procedure owners and approvers; document RACI.
- Inventory current awareness/training materials, LMS capabilities, HR/IAM data sources.
- Draft the AT policy with the required elements (purpose, scope, roles, responsibilities, management commitment, coordination, compliance). 1
- Draft procedures for onboarding, role change, periodic training, recordkeeping, and exceptions. 1
Days 31–60 (approve, publish, and connect to systems)
- Route documents for review and formal approval; capture approvals and version history. 1
- Publish in a controlled repository; define dissemination method per audience.
- Configure LMS assignment rules aligned to HR events and IAM roles.
- Stand up an exception register and escalation workflow for overdue training. 1
Days 61–90 (prove operation and harden evidence)
- Run the first compliance cycle: generate completion reports, remediate overdue cases, and retain artifacts.
- Perform a population reconciliation between HR roster, IAM access groups, and LMS assignments; document results and fixes. 1
- Align your SSP/control narrative and evidence references to FedRAMP templates so 3PAO requests map cleanly to artifacts. 2
- Optional but high-impact: centralize control documentation and evidence mapping in Daydream to reduce audit churn and maintain consistent versioning and approvals over time.
Frequently Asked Questions
Do we need separate documents for “policy” and “procedures” for AT-1?
You need both policy and procedures content that covers the required governance elements and is disseminated. You can keep them separate or in one controlled document, as long as procedures are concrete and testable. 1
What does “disseminate” mean in practice?
Disseminate means you publish and communicate the policy/procedures so in-scope personnel can access them and understand they apply. Keep proof of publication and communications, and be ready to show how contractors/third parties receive the same guidance when applicable. 1
How do we show “management commitment” without writing fluff?
Show it through governance: documented executive approval, assigned ownership, and an enforcement mechanism for non-completion. Auditors treat signed approval and operational escalation as stronger evidence than aspirational language. 1
Does AT-1 require specific training topics or frequencies?
AT-1 is the governance requirement for your awareness and training program; it does not, by itself, prescribe specific topics or cadence in the provided excerpt. Your policy and procedures should define what your program requires and how you ensure compliance. 1
How should we handle third-party personnel who access the FedRAMP boundary?
Treat them as in-scope personnel for awareness and training requirements if they have access or perform in-boundary functions. Your procedures should define assignment, tracking, and evidence collection for third parties, including acceptable equivalents and exception handling. 1
What evidence is most convincing to a 3PAO?
Approved documents with version history plus system-generated records that demonstrate operation: LMS completion exports, assignment rules, and an exception/escalation log. Pair each policy requirement with an artifact that proves it happened. 1
Footnotes
1. NIST Special Publication 800-53 Revision 5
2. FedRAMP document templates