AT-1: Policy and Procedures
To meet the AT-1 (Policy and Procedures) requirement, you must develop, formally document, and actively disseminate an awareness and training (AT) policy and the procedures that implement it to the personnel or roles defined for your environment, then retain proof that those people received them and that you follow them in practice. This is a documentation-and-dissemination control with audit-ready evidence expectations.
Key takeaways:
- AT-1 is satisfied by an approved policy plus operational procedures, not by training records alone.
- “Disseminate” must be provable; distribution logs and acknowledgements matter as much as the documents.
- Map AT-1 to a control owner, execution cadence, and recurring evidence artifacts so audits do not become a document hunt.
AT-1 sits at the base of the NIST SP 800-53 Awareness and Training (AT) control family. It is the control that makes your awareness and training program governable: a policy states intent and accountability, and procedures translate that intent into repeatable actions that survive staff turnover. If you handle federal data (including as a contractor) or run a federal information system, assessors will expect you to show (1) the written AT policy and procedures, (2) that they are current and approved, and (3) that you distributed them to the right audiences and can prove it.
AT-1 is also a common failure mode because teams treat it as “we do security training,” then scramble when an auditor asks for the specific policy, the procedures, who they apply to, who owns them, and evidence that they were communicated. Done well, AT-1 reduces ambiguity across HR, IT, Security, and Learning & Development, and it creates a clean linkage from training requirements to role-based curricula, exceptions, and enforcement.
This page gives requirement-level implementation guidance you can execute quickly, with the artifacts and audit questions you should plan for under NIST SP 800-53 Rev. 5. 1
Regulatory text
Excerpt (AT-1): “Develop, document, and disseminate to {{ insert: param, at-1_prm_1 }}:” 2
Operator interpretation of the excerpt:
The excerpted clause (the opening of AT-1 part a) requires three things you must be able to prove:
- Develop: You created an Awareness and Training policy and the procedures that make it actionable.
- Document: The policy and procedures exist as controlled documents (versioned, approved, retrievable).
- Disseminate: You distributed them to the required personnel or roles in your organization and can show evidence of that distribution.
The placeholder in the excerpt (“{{ insert: param, at-1_prm_1 }}”) is the OSCAL rendering of the control's first assignment parameter, which in Rev. 5 reads “organization-defined personnel or roles” (commonly: all users, managers, privileged users, and personnel with security responsibilities). Your job is to make that audience explicit in your documents and your distribution method, then retain proof. 2
Note that the excerpt is only the first clause. The full Rev. 5 control also requires you to designate an official to manage the development, documentation, and dissemination of the policy and procedures (AT-1 b), and to review and update both the policy and the procedures at an organization-defined frequency and following organization-defined events (AT-1 c). The ownership, approval, and review-trigger steps later on this page exist to satisfy those parts.
Plain-English requirement (what AT-1 really demands)
AT-1 expects a written AT policy that sets governance (scope, roles, expectations, enforcement, and references), plus written AT procedures that describe exactly how training and awareness activities are executed (onboarding, periodic training, role-based training, exceptions, tracking, and remediation). It also expects that people who need to follow these rules can access them and were notified in a trackable way.
If you cannot answer “who owns AT, what is required for which roles, how do we deliver and track it, and how do we handle non-completion,” you are not operational under AT-1 even if training content exists.
Who it applies to (entities and operational context)
AT-1 is relevant anywhere NIST SP 800-53 is the governing control set, including:
- Federal information systems (civilian and defense) operating under NIST-based security programs. 1
- Contractor systems handling federal data, including environments where federal information is processed, stored, or transmitted and NIST controls are flowed down by contract. 1
Operationally, AT-1 touches multiple functions:
- Security/GRC: policy ownership, control design, audit readiness.
- HR / People Ops: onboarding triggers, workforce population changes, terminations.
- IT / IAM: role definitions, privileged access populations, system-to-system training assignments.
- Learning & Development: content delivery, LMS configuration, reporting.
What you actually need to do (step-by-step)
Use this as a build checklist. Treat each step as producing an artifact and a repeatable operating rhythm.
Step 1: Assign ownership and define scope
- Name a control owner for AT-1 (often Security Awareness Program Owner, CISO delegate, or GRC).
- Define the scope boundary (enterprise-wide vs. system-specific) and how subsidiaries or segmented environments are handled.
- Identify required audiences: at minimum, “all users,” plus any special populations you require (privileged admins, developers, incident responders, third-party users with access).
Deliverable: AT-1 control record (owner, scope, audiences, systems in scope).
Step 2: Write the AT policy (governance document)
Your AT policy should include:
- Purpose and scope
- Roles and responsibilities (Security, HR, IT, managers, workforce members)
- Training and awareness requirements by audience (high-level)
- Non-completion handling (manager escalation, access impacts, exception approvals)
- Document governance (approval authority, review triggers, where it’s published)
Keep it short enough that people will read it, but specific enough that procedures can be tested against it.
Deliverable: “Awareness and Training Policy” with version control and approvals.
Step 3: Write the AT procedures (how-to documents)
Procedures should be specific and testable. Common procedure modules:
- New hire onboarding assignment and completion tracking
- Recurring training assignment process (who is assigned what, by what trigger)
- Role-based training assignment (e.g., privileged users, engineering, finance)
- Awareness communications (how security bulletins, phishing simulations, or reminders are executed and logged)
- Exceptions process (criteria, approvals, expiration, compensating actions)
- Recordkeeping and reporting (who pulls reports, where stored, retention expectations)
Deliverable: “AT Procedures” document(s) mapped to each policy requirement.
Step 4: Disseminate policy and procedures (and make it provable)
Pick dissemination methods that generate evidence:
- Publish in an internal policy portal with access controls and read receipts where possible.
- Require attestation (annual, onboarding, or at policy update) through your GRC tool, HRIS, or LMS.
- Notify required audiences through tracked communications (ticketing, LMS announcement, or email with logging).
Deliverable: Distribution plan + logs (see Evidence section).
Step 5: Map AT-1 to recurring evidence artifacts (audit readiness)
AT-1 is frequently failed due to missing evidence, not missing intent. Create a simple evidence map:
- Policy: latest approved copy
- Procedures: latest approved copy
- Dissemination: proof of publication + acknowledgements + announcement logs
- Operation: samples showing procedures were followed (training assignment logs, completion reports, exception approvals)
This is where Daydream typically becomes the practical resolution: instead of keeping AT-1 evidence scattered across HR, IT, and LMS exports, centralize the control owner, procedure steps, and recurring evidence requests so collection is routine and defensible.
Deliverable: AT-1 evidence register tied to each procedure.
Step 6: Validate in practice (tabletop test)
Run a quick “audit simulation” internally:
- Ask for the policy, procedures, and dissemination evidence without giving your team time to prep.
- Confirm you can produce artifacts quickly and they match what people actually do.
- Fix gaps: missing approvals, stale versions, unclear audiences, no proof of distribution.
Deliverable: Internal test notes + remediation tasks.
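Steps 4 through 6 come down to one check an assessor will run in their head: take the defined audience, take the attestation or announcement log, and see who is missing. The script below is an added illustration of that reconciliation, not code from the page or from any vendor tool. It assumes two constructed CSV exports (an HRIS roster carrying IAM group membership, and an attestation export from an LMS or GRC tool), hypothetical user names, and made-up document IDs and versions; it reports users who never acknowledged a required document, users whose acknowledgement is for a superseded version, and per-document coverage, while excluding terminated users from the current audience.

```python
"""Reconcile policy attestation records against the in-scope audience.

Added example for this page; not part of NIST SP 800-53 or any product.
Column names, document IDs, group names and users are all assumptions.
"""
import csv
import io
from datetime import datetime

# --- Constructed sample inputs (hypothetical users, groups and versions) ---
# Roster export from HR/IAM: "staff" is the all-users group; other groups
# mark special populations (privileged-admins, incident-response, third-party).
ROSTER_CSV = """user,status,department,groups
alice,active,engineering,staff;privileged-admins
bob,active,finance,staff
carol,active,security,staff;privileged-admins;incident-response
dave,terminated,engineering,staff;privileged-admins
erin,active,contractor,staff;third-party
"""

# Attestation export from the LMS/GRC tool: one row per acknowledgement.
ATTESTATION_CSV = """user,document,version,acknowledged_at
alice,AT-POLICY,2.0,2024-03-04T10:12:00
alice,AT-PROC,1.3,2024-03-04T10:15:00
bob,AT-POLICY,1.0,2023-01-20T09:00:00
carol,AT-POLICY,2.0,2024-03-05T08:30:00
dave,AT-POLICY,2.0,2024-03-01T12:00:00
erin,AT-POLICY,2.0,2024-03-06T14:45:00
"""

# Audience definition tied to IAM group membership (Step 1 / "audiences are
# implied" fix): document -> required version and the group that owes it.
REQUIREMENTS = {
    "AT-POLICY": {"version": "2.0", "audience_group": "staff"},
    "AT-PROC": {"version": "1.3", "audience_group": "privileged-admins"},
}


def parse_version(v):
    """'1.10' must sort after '1.9', so compare as integer tuples."""
    return tuple(int(p) for p in v.split("."))


def load_roster(text):
    rows = csv.DictReader(io.StringIO(text))
    return {r["user"]: {"status": r["status"],
                        "groups": set(r["groups"].split(";"))} for r in rows}


def load_attestations(text):
    """Keep the highest version each user acknowledged per document."""
    latest = {}  # (user, document) -> (version tuple, version str, timestamp)
    for r in csv.DictReader(io.StringIO(text)):
        key = (r["user"], r["document"])
        ver = parse_version(r["version"])
        ts = datetime.fromisoformat(r["acknowledged_at"])
        if key not in latest or (ver, ts) > (latest[key][0], latest[key][2]):
            latest[key] = (ver, r["version"], ts)
    return latest


def in_audience(info, req):
    # Terminated users drop out of the current audience; their old
    # acknowledgements stay in the export as historical evidence.
    return info["status"] == "active" and req["audience_group"] in info["groups"]


def dissemination_gaps(roster, attestations, requirements):
    """List (user, document, reason) for every in-scope user not covered."""
    gaps = []
    for doc, req in sorted(requirements.items()):
        required = parse_version(req["version"])
        for user, info in sorted(roster.items()):
            if not in_audience(info, req):
                continue
            rec = attestations.get((user, doc))
            if rec is None:
                gaps.append({"user": user, "document": doc, "reason": "missing"})
            elif rec[0] < required:
                gaps.append({"user": user, "document": doc,
                             "reason": f"stale: acknowledged {rec[1]}, required {req['version']}"})
    return gaps


def coverage(roster, attestations, requirements):
    """document -> (users covered at the required version, audience size)."""
    result = {}
    for doc, req in requirements.items():
        required = parse_version(req["version"])
        audience = [u for u, i in roster.items() if in_audience(i, req)]
        covered = sum(1 for u in audience
                      if (rec := attestations.get((u, doc))) and rec[0] >= required)
        result[doc] = (covered, len(audience))
    return result


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    att = load_attestations(ATTESTATION_CSV)
    for gap in dissemination_gaps(roster, att, REQUIREMENTS):
        print(f"{gap['document']:10} {gap['user']:8} {gap['reason']}")
    for doc, (c, n) in coverage(roster, att, REQUIREMENTS).items():
        print(f"{doc}: {c}/{n} covered")
```

On the constructed data this flags bob (acknowledged policy v1.0, v2.0 is current) and carol (a privileged admin who never acknowledged the procedures document), and reports 3/4 coverage for the policy and 1/2 for the procedures. Run it against real exports before an assessment rather than after: the gap list is the remediation queue, and the coverage figures plus the exports themselves are the dissemination evidence for the register.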
Required evidence and artifacts to retain
Keep evidence in a single place with clear naming and versioning. Assessors will ask for both documents and proof of execution.
Minimum artifact set (practical):
- Approved AT Policy (version history, approval record, named managing official)
- Approved AT Procedures (version history, approval record)
- Review/update records showing the policy and procedures were reviewed at the defined frequency and after triggering events (AT-1 c), even when the review produced no changes
- Distribution evidence, such as:
- Policy portal publication screenshot/export (date visible)
- Attestation report (who acknowledged, when)
- Announcement record (LMS push, ticket, or email log)
- Operating records demonstrating procedures are followed:
- Training assignment rules or configuration export (LMS settings)
- Completion reports (by population)
- Exception requests and approvals
- Remediation/escalation tickets for non-completion
Common exam/audit questions and hangups
Expect these questions and prepare “one-click” evidence packages:
- Show me the AT policy and who approved it.
  Hangup: policy exists but lacks approval metadata or authority.
- What procedures implement the policy requirements?
  Hangup: procedures are tribal knowledge or embedded in slide decks.
- Who received the policy and procedures? Prove dissemination.
  Hangup: “available on the intranet” without access logs or attestations.
- How do you ensure role-based training for privileged users or specialized roles?
  Hangup: role definitions are unclear; population lists are ad hoc.
- How do you handle non-completion and exceptions?
  Hangup: exceptions exist but have no expiry or compensating controls documented.
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating AT-1 as “training content exists.”
  Fix: Make the policy/procedures the source of truth, then align the LMS and HR triggers to those documents.
- Mistake: No clear dissemination evidence.
  Fix: Use an attestation workflow or a system that produces recipient-level logs.
- Mistake: Procedures are too vague to test.
  Fix: Write procedures with “trigger → action → owner → system → evidence produced.”
- Mistake: Audiences are implied, not defined.
  Fix: Name audiences explicitly and tie them to HR/IAM attributes (department, job code, group membership).
- Mistake: Evidence scattered across tools.
  Fix: Maintain an AT-1 evidence register and calendar-based collection so you are never rebuilding proof during an audit.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite enforcement outcomes.
Practically, AT-1 failures increase risk in two ways:
- Control cascade risk: weak AT governance undermines other controls that assume trained users (incident reporting, acceptable use, phishing resistance).
- Assessment risk: assessors often rate policy/procedure controls based on documentation quality and dissemination proof; missing evidence can force broader sampling and deeper scrutiny across your program. 1
A practical 30/60/90-day execution plan
Use this plan as an operational ramp. Adjust pacing to your audit window and resourcing.
First 30 days (stabilize)
- Assign AT-1 owner and backups; confirm approval authority.
- Inventory existing documents, LMS workflows, and distribution channels.
- Draft or update AT policy and AT procedures; define audiences and exception handling.
- Stand up an evidence register (what, where, owner, how produced).
Days 31–60 (operationalize)
- Route policy/procedures for approval; publish to the policy repository.
- Implement dissemination with trackable proof (attestation or equivalent).
- Align LMS assignments to audiences and role definitions; document the procedure steps and evidence outputs.
- Run an internal “audit simulation” and close gaps.
Days 61–90 (harden and make repeatable)
- Establish a recurring review and evidence collection cadence owned by GRC.
- Add metrics you can defend qualitatively (completion status dashboards, exception aging lists) without turning AT-1 into a reporting project.
- Automate evidence collection where possible; Daydream can centralize control mapping, procedure steps, and recurring evidence artifacts so AT-1 stays continuously audit-ready.
Frequently Asked Questions
Do we need both a policy and procedures to satisfy AT-1?
Yes. AT-1 explicitly requires you to develop, document, and disseminate the policy and the procedures that implement it. Training completion reports alone do not substitute for governed documents. 2
What counts as “dissemination” for AT-1?
Dissemination means you distributed the policy/procedures to the required audiences and can prove it. A policy posted on an intranet may be acceptable only if you can show controlled access and a reliable record that the intended audiences were notified or acknowledged.
Can we meet AT-1 with an enterprise policy, or must it be system-specific?
Either can work if scope is clear and the documents apply to the system boundary under assessment. If you use an enterprise policy, confirm it explicitly covers the system and its audiences, and that dissemination evidence includes the relevant personnel. 1
Who should approve the AT policy?
The approver should match your governance model (often an executive security leader or designated risk authority). The key is that approval authority is defined in the document governance section and can be evidenced with a formal sign-off record.
How do we handle third parties with access to our systems under AT-1?
Treat third-party users as part of the “audience” definition if they have system access or handle covered data. Your procedures should specify training/awareness requirements, how completion is verified, and what happens if the third party does not complete required training.
What’s the fastest way to get AT-1 audit-ready if we’re behind?
Focus on (1) getting an approved policy and procedures in place, (2) implementing a dissemination method that produces logs or attestations, and (3) creating a tight evidence register that ties each AT-1 requirement to a recurring artifact you can produce on demand.
Footnotes
1. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations.
2. NIST SP 800-53 Rev. 5 control catalog, OSCAL JSON representation (control AT-1).