PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind
To meet the PR.AT-01 requirement (personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind), you must run a role-aware security awareness and training program, assign ownership, define required training by population, deliver it on a recurring basis, and retain completion and effectiveness evidence that an auditor can trace to all personnel. This is an operational control, not a policy statement.
Key takeaways:
- Define training requirements by role and risk exposure, then track completion against a roster.
- Treat evidence as part of the control: content, attendance, exceptions, and effectiveness checks.
- Map PR.AT-01 to policy, procedure, a control owner, and recurring evidence collection for audit-ready execution.
PR.AT-01 sits in the “Protect” function of NIST CSF 2.0 and is one of the most frequently tested “common sense” controls because it fails quietly: teams often have training content, but can’t prove coverage, frequency, or relevance by role. The requirement is straightforward, but the operationalization is not. Auditors and customers expect you to show that personnel received awareness and training, that training aligns to cybersecurity risks in day-to-day work, and that you can demonstrate completion across the workforce, including contractors and other non-employee populations where applicable.
This page translates PR.AT-01 into a requirement-level implementation plan a CCO, GRC lead, or Compliance Officer can run. The focus is execution: scoping, minimum program components, how to structure role-based curricula, what evidence to retain, and how to answer common audit questions without scrambling. The goal is a defensible, repeatable program that can be tested at any time, not a one-time campaign that looks good in a slide deck.
Regulatory text
NIST CSF 2.0 (PR.AT-01) excerpt: “Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind.” 1
What an operator must do:
You must (1) identify who needs training, (2) define what “awareness and training” means for general cybersecurity risk-conscious work, (3) deliver it in a planned and repeatable way, and (4) keep evidence showing coverage and outcomes. PR.AT-01 is satisfied when you can demonstrate that personnel received training appropriate to their general job activities and that the organization can verify completion and manage exceptions. 2
Plain-English interpretation
PR.AT-01 requires you to make cybersecurity “part of the job” for your workforce. People must know how to recognize common threats (phishing, social engineering, unsafe data handling), follow security policies, and escalate issues. Training must reach the whole in-scope population, not just employees who sit at desks and have corporate email.
This requirement is commonly misunderstood as “buy an LMS course.” The real bar is governance plus execution: defined requirements, assigned ownership, tracked completion, and evidence that stands up under examination.
Who it applies to
Entity scope: Any organization running a cybersecurity program and claiming alignment to NIST CSF 2.0, including regulated and non-regulated entities using CSF for assurance, customer requirements, or internal governance. 2
Operational scope (typical):
- All employees (full-time, part-time)
- Contractors and temps who access systems, facilities, or sensitive data
- Third parties performing operational tasks on your behalf, when your contracts/policies require them to follow your security rules or complete your training (scope depends on your third-party governance and access model)
Where auditors focus: populations with access to sensitive data, privileged access, customer-facing roles, finance and payments, HR, engineering, IT operations, and anyone who can trigger a security incident through routine actions.
What you actually need to do (step-by-step)
1) Assign a control owner and define program governance
- Name a control owner (often Security Awareness, GRC, HR/L&D, or Security Operations).
- Document a procedure that describes how training is assigned, delivered, tracked, and enforced.
- Set a recurring evidence cadence (e.g., monthly collection of completion reports and joiner/mover/leaver reconciliation) so you never rebuild proof from scratch.
This aligns directly to the recommended control: map PR.AT-01 to policy, procedure, control owner, and recurring evidence collection. 1
2) Define the in-scope population using an authoritative roster
Pick a single “source of truth” for each population and reconcile it regularly:
- HRIS roster for employees
- IAM directory export for accounts
- Contractor list from procurement/vendor management
- Third-party user lists from application owners (where applicable)
Operator tip: auditors test negative space. If your completion report shows a high completion percentage but your roster is incomplete, you fail anyway, because the percentage was computed against the wrong population.
3) Build a role-aware training matrix
Create a matrix that links role group → required training → delivery method → tracking method → evidence.
Minimum role groupings most organizations need:
- All personnel (baseline awareness)
- Privileged users (admins, IT ops)
- Developers/engineers (secure coding concepts appropriate to your environment)
- Finance/AP/AR (payment fraud and impersonation patterns)
- HR (sensitive personal data handling)
- Customer support/sales (identity verification, social engineering)
Keep it practical. PR.AT-01 says “general tasks with cybersecurity risks in mind,” so your baseline course should map to everyday actions: handling data, password/SSO behavior, reporting suspicious activity, device hygiene, safe remote work, and physical security.
4) Define delivery triggers and handling for joiners/movers/leavers
Your procedure should specify how people get assigned training:
- Joiners: assignment at onboarding
- Movers: re-assignment when role changes increase risk exposure (e.g., promotion to manager, new system access)
- Leavers: access removal is separate, but you should ensure they are removed from the training population to keep metrics accurate
Add an exception process for extended leave, no-email populations, or operational constraints. The exception process is part of control integrity; auditors accept exceptions when they are documented, approved, time-bounded, and remediated.
5) Execute the training and capture completion evidence
Run training through a system that produces reliable reports (LMS, security awareness platform, or HR training portal). If you must train offline (manufacturing floors, clinicians, field ops), use controlled sign-in sheets and later reconcile them into your tracking system.
Evidence must be traceable:
- Person identifier (name, employee ID, or unique account)
- Course/module name and version
- Completion date
- Delivery method (online, instructor-led)
- Attestation where relevant (policy acknowledgment)
6) Test effectiveness (lightweight but real)
PR.AT-01 does not prescribe a specific measurement method, but you need some mechanism to show training is more than a checkbox. Use one or more:
- Short post-training quizzes with pass/fail records
- Tabletop “spot checks” (scenario questions during team meetings) with documented outcomes
- Phishing simulations where permitted by policy and culture (store results as risk signals, not punishments)
Avoid claiming “risk reduction” unless you can support it with your own internal metrics. Most auditors are satisfied with evidence that you measure comprehension and follow up on failures.
7) Report, remediate, and retain records
Set up recurring reporting to management:
- Completion status by department and role group
- Overdue list with escalations
- Exception log status
- Corrective actions taken for persistent non-compliance
Then retain artifacts in a controlled repository aligned to your retention requirements.
Required evidence and artifacts to retain
Use this checklist as your audit binder:
Governance
- Security awareness and training policy (or equivalent) mapped to PR.AT-01 2
- Procedure/SOP describing assignment, delivery, tracking, exceptions, and enforcement
- Control owner assignment (RACI or control register entry)
Scope
- In-scope population definition
- Current roster extracts (HRIS/IAM/contractor list) and reconciliation notes
Training content
- Baseline training outline and materials
- Role-based modules and criteria for assignment
- Version history or change log (helps explain why content changed)
Execution evidence
- Completion reports for each training campaign or cycle
- Attendance logs for live sessions
- Exception log (who, why, approval, expiration, remediation)
Effectiveness
- Quiz results or knowledge checks
- Follow-up assignments for failed quizzes
- Evidence of targeted retraining after incidents (optional but persuasive)
Common exam/audit questions and hangups
Auditors and customer assessors tend to ask:
- “Show me the roster you trained against. How do you know it’s complete?”
- “How do you handle contractors and non-employee workers?”
- “How is training adapted for privileged users or developers?”
- “What happens when someone doesn’t complete training?”
- “Show evidence the training occurred and is recurring.”
- “How do you know people understood it?”
Hangup to anticipate: completion reports without a population baseline. Fix this by storing both the roster export and the LMS completion report for the same period, with reconciliation notes.
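The roster-versus-completion reconciliation that step 2 and the hangup above call for, as an added Python example that is not part of this page or of Daydream: the roster, LMS export, exception register and role-module matrix are constructed sample data, and the module names are assumed. It walks the roster rather than the completion report, counts stale completions from a prior cycle and expired exceptions as overdue, and flags completions with no roster match.

```python
from datetime import date

CYCLE_START, AS_OF = date(2024, 1, 1), date(2024, 3, 31)  # training cycle start and report date
# Constructed authoritative roster (HRIS employees plus contractor list), one row per person.
ROSTER = [{"id": "E1001", "roles": ["privileged"]}, {"id": "E1002", "roles": ["finance"]},
          {"id": "E1003", "roles": []}, {"id": "C2001", "roles": ["developer"]}]  # C2001 is a contractor
# Constructed LMS completion export: person id, module, content version, completion date.
COMPLETIONS = [
    {"id": "E1001", "module": "baseline", "version": "2024.1", "completed": date(2024, 3, 2)},
    {"id": "E1001", "module": "privileged", "version": "2024.1", "completed": date(2024, 3, 9)},
    {"id": "E1002", "module": "baseline", "version": "2024.1", "completed": date(2024, 3, 4)},
    {"id": "C2001", "module": "baseline", "version": "2024.1", "completed": date(2024, 3, 5)},
    {"id": "C2001", "module": "secure-coding", "version": "2023.2", "completed": date(2023, 9, 1)},  # stale
    {"id": "X9999", "module": "baseline", "version": "2024.1", "completed": date(2024, 3, 6)},  # not on roster
]
# Constructed exception register: an exception only counts while it is unexpired on the report date.
EXCEPTIONS = [
    {"id": "E1003", "module": "baseline", "approved_by": "CISO", "expires": date(2024, 6, 30)},
    {"id": "E1002", "module": "finance", "approved_by": "CISO", "expires": date(2024, 2, 28)},  # expired
]
ROLE_MODULES = {"privileged": "privileged", "finance": "finance", "developer": "secure-coding"}  # assumed matrix

def required_modules(person):
    return ["baseline"] + [ROLE_MODULES[r] for r in person["roles"] if r in ROLE_MODULES]

def reconcile(roster, completions, exceptions, cycle_start, as_of):
    done = {(c["id"], c["module"]) for c in completions if c["completed"] >= cycle_start}
    excused = {(e["id"], e["module"]) for e in exceptions if e["expires"] >= as_of}
    completed, excused_out, overdue = [], [], []
    for p in roster:
        for m in required_modules(p):  # walk the roster, never the completion report
            key = (p["id"], m)
            if key in done:
                completed.append(key)
            elif key in excused:
                excused_out.append(key)  # controlled, but reported separately from real completions
            else:
                overdue.append(key)
    required = len(completed) + len(excused_out) + len(overdue)
    return {
        "required": required,
        "coverage_pct": round(100 * len(completed) / required, 1),
        "controlled_pct": round(100 * (len(completed) + len(excused_out)) / required, 1),
        "overdue": overdue,
        "excused": excused_out,
        # Completions with no roster match: a roster gap or a leaver still in the LMS.
        "unmatched_completions": sorted({c["id"] for c in completions} - {p["id"] for p in roster}),
    }
```

Store the roster export, the LMS export and this output together for the same period; the overdue and unmatched lists are the reconciliation notes an auditor will ask for.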
Frequent implementation mistakes and how to avoid them
- Mistake: One-size-fits-all training only. Avoid it: keep a baseline module for everyone, then add role-based modules for higher-risk groups.
- Mistake: No exception governance. Avoid it: maintain an exception register with approvals and an end date.
- Mistake: Training exists, but evidence is scattered. Avoid it: define an evidence folder structure, retention owner, and recurring evidence collection calendar. 2
- Mistake: You can’t prove coverage for contractors/third parties. Avoid it: decide your rule (train them in-house vs. require their equivalent training) and document it in contracts and onboarding.
- Mistake: No effectiveness signal. Avoid it: add a short quiz and track remediation for non-pass results.
Enforcement context and risk implications
NIST CSF is a framework, not a regulator, so PR.AT-01 is usually evaluated through audits, customer security reviews, contractual obligations, and downstream regulatory expectations that require training as part of a “reasonable” security program. The operational risk is direct: untrained personnel increase the likelihood of phishing compromise, misdirected payments, sensitive data mishandling, and delayed incident escalation. The compliance risk is equally practical: if you cannot demonstrate training coverage and recurrence, you will struggle in SOC 2/ISO-aligned assessments and customer due diligence.
Practical 30/60/90-day execution plan
Numeric day-count plans can create false precision. Use phases that match how your organization can execute.
Immediate phase (stand up the control)
- Assign a control owner and publish the procedure for assignment, tracking, exceptions, and enforcement.
- Define in-scope populations and identify authoritative rosters.
- Select baseline training content and delivery method; confirm reporting capability.
Near-term phase (run the first defensible cycle)
- Build the role-based training matrix and implement automated assignments where possible.
- Launch baseline training and priority role-based modules (privileged users, finance, engineering).
- Start exception handling and escalation workflow.
- Capture the first complete evidence package (roster + completion + exceptions + content version).
Ongoing phase (make it repeatable and auditable)
- Add effectiveness checks and targeted refreshers tied to incidents and common failure modes.
- Operationalize joiner/mover processes with HR/IAM triggers.
- Produce management reporting and track corrective actions for chronic non-compliance.
Where Daydream fits (earned mention)
If you manage many controls across frameworks, Daydream helps you keep PR.AT-01 audit-ready by mapping the requirement to an owner, procedure, and a recurring evidence plan, then tracking artifacts (rosters, completion reports, exceptions, and effectiveness results) so you can answer audits without rebuilding the story each time.
Frequently Asked Questions
Does PR.AT-01 require role-based training, or is a single annual course enough?
PR.AT-01 calls for awareness and training so personnel can perform general tasks with cybersecurity risks in mind. A baseline course can satisfy part of that, but higher-risk roles typically need added training to credibly cover their task-level risks. 2
Do contractors and consultants need to complete our training?
If they access your systems, facilities, or sensitive data, you should either enroll them in your program or require equivalent training and retain evidence. The key is consistent scoping, documented requirements, and proof of completion for the in-scope population. 2
What evidence is “minimum viable” for an audit?
Keep the roster used for assignment, the completion report for the same period, the training content outline/version, and an exception log with approvals. Add a short knowledge check if you can, since it helps demonstrate effectiveness.
We have frontline staff without corporate email. How do we handle training?
Use instructor-led training, kiosks, or supervised sessions with controlled attendance logs, then reconcile attendance into your tracking record. The control passes when you can prove those personnel were trained and are included in your coverage reporting.
What should we do when someone refuses or repeatedly fails to complete training?
Define an escalation path in your procedure (manager notification, HR involvement, access restrictions for persistently overdue personnel where feasible) and document actions taken. Auditors look for consistent enforcement and documented follow-through.
How often must we retrain?
PR.AT-01 does not specify a frequency in the requirement text. Set a cadence that matches your risk profile, document it, and prove you execute it consistently with recurring evidence collection. 2
Footnotes
1. NIST CSF 2.0, PR.AT-01 requirement text (quoted above).
2. NIST CSWP 29, The NIST Cybersecurity Framework (CSF) 2.0.