Literacy Training and Awareness

The FedRAMP Moderate “literacy training and awareness” requirement (NIST SP 800-53 Rev. 5 AT-2) means you must provide security and privacy literacy training to every system user at onboarding and again on an organization-defined refresher cycle, with tracked completion evidence. To operationalize it, bind training to identity lifecycle events, define audiences and due dates, and retain auditable records. 1

Key takeaways:

  • Training must cover both security and privacy literacy, not just “security awareness.” 1
  • “Initial for new users” must be enforced through onboarding and account provisioning gates, not email reminders. 1
  • Your biggest audit risk is weak evidence: you need completion, timestamps, audience scope, and escalation records. 1

AT-2 is a deceptively operational control: most teams can buy training content quickly, but many fail authorization or continuous monitoring scrutiny because they cannot prove coverage, timeliness, and enforcement across all “system users.” In a FedRAMP boundary, “system user” typically includes employees, contractors, and administrators with any form of access (interactive, privileged, API, or support tooling), plus certain third-party personnel if they authenticate into boundary systems. The control’s intent is straightforward: reduce preventable incidents caused by basic mishandling of data, credentials, and system access, and ensure users understand required behavior before they touch the environment. 1

Operationalizing AT-2 comes down to three things you can test: (1) a defined curriculum mapped to your system and data reality (including privacy), (2) a training assignment mechanism that is tied to HR/identity events and enforces due dates, and (3) durable evidence that an assessor can sample without guesswork. FedRAMP reviewers and 3PAOs will look for consistent execution and clean artifacts more than polished slide decks. 1

Regulatory text

Requirement excerpt: “Provide security and privacy literacy training to system users including initial training for new users and organization-defined frequency of refresher training thereafter.” 1

Operator interpretation (what you must do):

  1. Define “system users” for your FedRAMP boundary and ensure every such user is in scope for training assignment and tracking. 1
  2. Deliver initial training before or immediately upon access for new users, then repeat refresher training on a defined cadence that you set and document. 1
  3. Maintain proof that training was assigned, completed, and (where applicable) understood (for example via attestations or quizzes), and that overdue training triggers follow-up. 1

Plain-English interpretation

You need a repeatable program that teaches users the basic “how we operate safely here” rules for both security and privacy, and you must be able to prove who took it and when. AT-2 is satisfied by consistent execution, not by having a policy statement that says training exists. 1

Who it applies to

In-scope entities

  • Cloud Service Providers (CSPs) operating a cloud service offering within a FedRAMP authorization boundary. 1
  • Federal Agencies to the extent they operate, manage, or require training for users accessing the authorized system (often shared responsibility, depending on the service model and agency roles). 1

In-scope people (“system users”) in practice

Use an inclusion-first definition, then document exclusions. Common in-scope categories:

  • Workforce members with SSO access to boundary applications
  • Privileged admins (cloud console, IAM, CI/CD, endpoint management)
  • Customer support staff with production troubleshooting access
  • Contractors and temporaries with boundary credentials
  • Third-party personnel who authenticate into boundary tooling (for example, managed service providers)

Your SSP/control narrative should explain how you identify these groups and ensure they are trained. 1

What you actually need to do (step-by-step)

Step 1: Set your training standard (scope + frequency + pass criteria)

Create a short, explicit standard (policy or procedure) that states:

  • Audience definition: what counts as a “system user” for this system/boundary. 1
  • Initial training timing: when a new user must complete training relative to access (make it enforceable in your workflow). 1
  • Refresher frequency: the cadence you choose, and how you handle role changes (for example, promotion to privileged access). 1
  • Completion criteria: completion, attestation, quiz/pass threshold if used, and what “non-compliance” means internally.

Keep it simple. Assessors prefer a clear rule they can test against training records.

Step 2: Build a curriculum that covers both security and privacy literacy

AT-2 explicitly requires security and privacy literacy. 1

Minimum topic set most FedRAMP environments can defend during testing:

  • Acceptable use and user responsibilities for boundary systems
  • Credential hygiene (passwords, MFA expectations, session handling)
  • Phishing and social engineering reporting
  • Data handling rules aligned to your data types (including sensitive data in tickets, logs, and screenshots)
  • Privacy basics: what personal data you process, what users must do to avoid improper collection/disclosure, and incident reporting pathways
  • Remote access and device expectations (where relevant)
  • How to report security and privacy incidents internally

Role-based add-ons: Keep AT-2 “literacy” broad, but add targeted modules for admins, developers, and support staff when their actions create distinct risk. Document the mapping of role → module.

Step 3: Bind training assignment to identity lifecycle (this is where programs fail)

Email reminders do not scale and do not survive audit sampling.

Operational pattern that works:

  • Trigger training assignment from HR onboarding (employee/contractor start) and from IAM events (account created, group membership grants boundary access, privileged role granted).
  • Gate access where possible: require training completion before granting certain groups/roles, or automatically remove access if training is overdue (where your operations can tolerate it).
  • Define escalation: overdue notices to user, then manager, then security/GRC.

If you use a ticketing workflow to provision access, add a required evidence field (training completion screenshot/report, or automated LMS/IAM verification) before approval.

Step 4: Track completion and make sampling easy

Your tracking system must answer, quickly:

  • Who is in scope right now?
  • Which required courses were assigned to them?
  • Did they complete them within your rule?
  • What happens when they do not?

Practical options:

  • LMS reports exported on a schedule and retained
  • IAM-integrated training assignment with automated status checks
  • GRC control evidence collection with defined owners and periodic reviews

Daydream can reduce the “evidence chase” by centralizing control expectations, ownership, and evidence requests so training records, overdue exceptions, and approvals are packaged consistently for assessors.

Step 5: Handle exceptions and edge cases explicitly

Common edge cases you should decide upfront:

  • Service accounts and non-human identities: document that they are not “users” and are controlled differently, or require training for the humans who manage them.
  • Break-glass/emergency access: allow time-bound access with retroactive training requirement and documented approval.
  • Third parties: if third-party staff have boundary credentials, make training a contractual onboarding requirement and track completion like internal users (or document an accepted equivalent and retain proof).

Step 6: Operational reviews (so the control stays “operating”)

For FedRAMP continuous monitoring expectations, treat AT-2 as an operating control:

  • Periodic reconciliation of HR roster/IAM accounts vs LMS completion
  • Review of overdue training and escalations
  • Content refresh when your environment or privacy posture changes
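As an added example (not code from this page or from Daydream), the reconciliation in Step 6 can be run as a small script that answers the four Step 4 questions from an IAM account export and an LMS completion report: who is in scope, which courses they owe, whether they are within the rule, and which escalation tier an overdue item has reached. The sample data, field names, group names, the 5-day initial deadline, the 365-day refresher cadence and the escalation thresholds are all assumed values; AT-2 leaves them organization-defined.

```python
from datetime import date, timedelta
# Constructed sample data (not real exports); field names are assumptions, map your exports onto them.
IAM_ACCOUNTS = [
    {"user": "alice", "created": date(2024, 1, 10), "kind": "employee", "groups": {"boundary-app", "cloud-admins"}},
    {"user": "bob", "created": date(2024, 6, 1), "kind": "contractor", "groups": {"boundary-app"}},
    {"user": "carol", "created": date(2024, 6, 20), "kind": "employee", "groups": {"boundary-app"}},
    {"user": "svc-ci", "created": date(2023, 3, 3), "kind": "service", "groups": {"boundary-app"}},
]
LMS_COMPLETIONS = [
    {"user": "alice", "course": "literacy", "completed": date(2023, 5, 1)},
    {"user": "alice", "course": "privileged", "completed": date(2024, 1, 9)},
    {"user": "bob", "course": "literacy", "completed": date(2024, 6, 3)},
]

# Assumed training standard; AT-2 leaves these values organization-defined.
BOUNDARY_GROUPS = {"boundary-app", "cloud-admins"}
ROLE_MODULES = {"cloud-admins": "privileged"}  # role -> add-on module
INITIAL_DAYS, REFRESHER_DAYS = 5, 365  # initial due N days after account creation; refresher cadence
ESCALATION = [(14, "security/GRC"), (7, "manager"), (0, "user")]  # days overdue -> who is notified
REPORT_DATE = date(2024, 7, 1)  # constructed "as of" date for the sample run

def in_scope(acct):
    # System user = human identity holding any boundary group; service accounts are excluded.
    return acct["kind"] != "service" and bool(acct["groups"] & BOUNDARY_GROUPS)

def required_courses(acct):
    return {"literacy"} | {m for g, m in ROLE_MODULES.items() if g in acct["groups"]}

def escalation_tier(days_overdue):
    return next(t for d, t in ESCALATION if days_overdue >= d)

def reconcile(accounts, completions, as_of):
    latest = {}
    for c in completions:  # most recent completion per (user, course)
        key = (c["user"], c["course"])
        latest[key] = max(latest.get(key, date.min), c["completed"])
    findings = {}  # {user: [(course, "initial"|"refresher", tier)]}; empty list = compliant
    for acct in filter(in_scope, accounts):
        issues = []
        for course in sorted(required_courses(acct)):
            done = latest.get((acct["user"], course))
            if done is None:  # never completed: initial deadline runs from account creation
                due, reason = acct["created"] + timedelta(days=INITIAL_DAYS), "initial"
            else:             # completed before: next refresher is one cadence later
                due, reason = done + timedelta(days=REFRESHER_DAYS), "refresher"
            days_overdue = (as_of - due).days
            if days_overdue > 0:
                issues.append((course, reason, escalation_tier(days_overdue)))
        findings[acct["user"]] = issues
    return findings
```

Running `reconcile(IAM_ACCOUNTS, LMS_COMPLETIONS, REPORT_DATE)` on the sample data flags alice's stale literacy refresher at the GRC tier and carol's missing initial training at the user tier, while bob is compliant and the service account never enters the population.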

Use FedRAMP’s published templates to align how you document the control and present evidence packages. 2

Required evidence and artifacts to retain

Build an “AT-2 evidence pack” that you can hand to a 3PAO without cleanup:

Program artifacts

  • Training policy/standard stating initial + refresher requirements, scope, and enforcement.
  • Training content outline (syllabus) showing security + privacy topics. 1

Operational artifacts (most sampled)

  • LMS completion report exports with: user identity, course name, assignment date, completion date, status.
  • New hire or new-access workflow evidence showing training assignment tied to onboarding/provisioning.
  • Overdue escalation evidence: reminder logs, manager notifications, access removal records, or exception approvals.

Change and exception artifacts

  • Exception register for users who missed deadlines, with approvals and compensating actions.
  • Proof of periodic reconciliation (manager sign-off, GRC task completion, or automated audit log extracts).

Common exam/audit questions and hangups

Expect these lines of questioning from assessors:

  1. “Define system users for this boundary.” They will test your definition against IAM groups and contractor lists. 1
  2. “Show me initial training for recent joiners.” They will sample specific start dates and ask for completion proof. 1
  3. “What is your refresher frequency and where is it documented?” They need a stated rule, not an informal practice. 1
  4. “How do you ensure privileged users receive appropriate training?” If you have separate admin modules, prove assignment by role.
  5. “What happens when training is overdue?” If the answer is “we email them,” expect follow-up about escalation and enforcement.

Frequent implementation mistakes (and how to avoid them)

  • Mistake: Training scope equals “employees only”
    Why it fails: Contractors and third-party users often have boundary access.
    Fix: Tie scope to IAM access, not employment type.
  • Mistake: No privacy component
    Why it fails: AT-2 explicitly includes privacy literacy. 1
    Fix: Add privacy modules relevant to your data handling and incident reporting.
  • Mistake: Refresher cadence not defined
    Why it fails: “We do it sometimes” cannot be tested.
    Fix: Set a cadence in writing and align reporting to it.
  • Mistake: Evidence is scattered
    Why it fails: Sampling becomes a scavenger hunt.
    Fix: Create a single evidence pack and owner for AT-2.
  • Mistake: No link to onboarding/provisioning
    Why it fails: New users can access systems before training.
    Fix: Put a training check in the access workflow or gate by group membership.

Enforcement context and risk implications

No public enforcement case sources were provided for this requirement in the supplied source catalog, so this page does not list enforcement cases.

From a FedRAMP authorization perspective, AT-2 failures usually show up as assessor findings tied to control operation and evidence quality: incomplete population coverage, inconsistent assignment, or inability to prove completion for sampled users. Operationally, weak literacy training increases the likelihood of preventable security and privacy incidents driven by user actions (mishandling data, falling for phishing, misrouting sensitive information). 1

Practical 30/60/90-day execution plan

First 30 days (stabilize scope, define the rule, start tracking)

  • Write and approve the AT-2 standard: scope, initial requirement, refresher frequency, escalation.
  • Inventory system user populations from IAM, HR, contractor lists, and support tooling.
  • Select training delivery mechanism (LMS or equivalent) and define required modules (security + privacy).
  • Produce the first “current-state” completion report and create an overdue remediation list.

By 60 days (enforce via workflows, close coverage gaps)

  • Integrate training assignment with onboarding and account provisioning.
  • Implement escalation workflow for overdue training (manager notifications, access review, exceptions).
  • Roll out role-based modules for privileged/admin and high-risk roles.
  • Start a recurring reconciliation between IAM users and training completion records.

By 90 days (make it audit-ready and sustainable)

  • Package an assessor-ready evidence binder: policy, syllabi, completion reports, reconciliations, exceptions.
  • Run an internal audit-style sample test: pick recent joiners, privileged users, and contractors; verify artifacts.
  • Update SSP/control narrative and references to FedRAMP documentation format as needed. 2
  • Operationalize ongoing governance: a named control owner, recurring evidence capture, and metrics you review in security/GRC meetings.

Frequently Asked Questions

Does AT-2 require training for contractors and third-party users?

If they are “system users” with access to the FedRAMP boundary, treat them as in scope and train them or require an equivalent that you can evidence. Define this explicitly in your scope statement. 1

What counts as “initial training for new users” in an audit?

Auditors look for a defined rule and evidence that training was completed as part of onboarding or prior to access being granted. The safest approach is to tie assignment to provisioning and retain timestamps. 1

How do we choose the refresher frequency?

AT-2 requires an organization-defined frequency, so you must set and document a cadence you can operate consistently. Pick a frequency you can sustain with clean reporting and enforcement. 1

Do service accounts need to complete literacy training?

Service accounts are typically not “users,” but the humans who create and manage them are. Document your non-human identity approach so an assessor understands the boundary of “system users.” 1

What evidence is usually sufficient for assessors?

Keep assignment and completion reports that include identity, course, and completion dates, plus escalation/exception records for missed deadlines. Add your policy and syllabus to show required content includes privacy. 1

We have multiple systems; do we need separate training for each?

AT-2 is scoped to the system and its users, but you can meet it with a common baseline training plus add-ons for system-specific risks. Document how the curriculum maps to the FedRAMP boundary and roles. 1

Footnotes

  1. NIST Special Publication 800-53 Revision 5

  2. FedRAMP documents and templates
