AT-2: Literacy Training and Awareness
AT-2 requires you to provide security and privacy literacy training to every system user, including executives, managers, and contractors, and to be able to prove it with durable completion evidence. To operationalize it quickly, define who is in scope, assign an owner, deploy role-aware training with clear frequency triggers, and retain artifacts that tie each user to required content and completion. [1]
Key takeaways:
- AT-2 is a people control: training must cover both security and privacy literacy for all system users, not just employees. [2]
- Auditors fail AT-2 less for weak content and more for weak scope definition and missing evidence. [1]
- Map AT-2 to a control owner, an operating procedure, and recurring evidence artifacts so you can show continuous operation. [2]
The AT-2 (Literacy Training and Awareness) requirement is straightforward in wording and painful in audits when you treat it as “annual training” and move on. AT-2 sits in NIST SP 800-53’s Awareness and Training family and expects you to run a repeatable program that reaches everyone who uses your systems, including senior leaders and contractors, and that addresses both security and privacy literacy. [1]
Operationally, AT-2 is less about building perfect courseware and more about control mechanics: scoping, assignment, tracking, exception handling, and evidence. Your exam risk shows up in edge cases: a contractor granted access for a short engagement, an executive whose assistant handles training emails, an acquired team that never got added to the learning platform, or a production support third party using privileged access without having completed your privacy module. The control’s success criteria are simple: you can show who must be trained, what they must take, that they completed it, and that you respond when they do not. [2]
This page gives requirement-level implementation guidance you can put into a procedure, hand to HR/IT/security operations, and defend during an assessment.
Regulatory text
“Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):” [2]
Operator meaning: you must (1) identify all system users, including non-employees and leadership, (2) deliver training that covers baseline security and privacy literacy expectations, and (3) operate the program in a way you can evidence on demand. Treat “provide” as both assignment and delivery; treat “system users” as anyone with logical access, not just payroll. [1]
Plain-English interpretation
AT-2 expects a baseline literacy layer that makes users safer and more predictable operators of your systems. “Literacy” is broader than phishing drills. Your content has to cover the behaviors your environment depends on (secure authentication, handling sensitive data, reporting incidents) and the privacy obligations tied to the data you process. [1]
A working interpretation that holds up in audits:
- Everyone with access gets training. Employees, interns, temps, contractors, and third parties with accounts or access paths. Executives are explicitly called out, so you need a plan that does not quietly exempt them. [2]
- Training is role-aware where risk differs. Baseline modules for all users, plus add-ons for high-risk roles (privileged admins, developers, customer support handling PII, incident responders). [1]
- Training is operationalized. You can show assignments, completion, follow-up, and exceptions with consistent records. [1]
Who it applies to
In-scope entities
AT-2 is commonly applied in:
- Federal information systems implementing NIST SP 800-53 controls. [1]
- Contractor systems handling federal data where NIST SP 800-53 is flowed down contractually or adopted as the control baseline. [1]
In-scope operational contexts
Include AT-2 in scope when any of the following are true:
- You provision accounts (SSO, VPN, SaaS, endpoints) for employees or contractors.
- You allow third parties to administer, support, develop, or process data in your environment.
- You process personal data in systems where user handling errors create privacy risk. [1]
What you actually need to do (step-by-step)
1) Assign control ownership and define the operating model
- Name an AT-2 control owner (often Security GRC with shared execution by HR/L&D and IT). Document who approves content, who runs assignments, and who reports metrics. [1]
- Write a short AT-2 procedure that an auditor can follow end-to-end: scope → assign → deliver → track → follow up → exceptions. Keep it executable, not aspirational. [2]
Practical tip: if HR “owns training” but Security “owns compliance,” require a monthly reconciliation meeting and a single system of record for completion exports.
2) Define “system user” and build the population list
Create a scope definition that is testable:
- Include anyone with an identity in your IdP/AD, LMS, or ticketed access request system.
- Include contractors and third parties with shared service accounts only if those accounts represent individuals; otherwise, treat shared accounts as a separate access control issue and document compensating steps for training accountability. [1]
Build the population list using at least two feeds:
- Authoritative identity source (IdP/HRIS/contractor registry)
- Access grant source (ITSM access requests, privileged access management roster, application user lists)
3) Define training requirements by role (a simple matrix)
Create a matrix that maps:
- Role category → required modules → assignment trigger
Example categories you can defend:
- All users (baseline security + baseline privacy)
- Privileged users (admin/secure operations)
- Engineering (secure development expectations appropriate to your environment)
- Customer-facing or data-handling teams (data handling and privacy practices)
- Executives and managers (risk ownership, reporting, and tone-setting responsibilities) [2]
Keep the matrix in your GRC system or as a controlled document. Daydream is useful here as the place you map AT-2 to a control owner, procedure, and recurring evidence artifacts, so the matrix is tied to the control record and doesn’t live as a forgotten spreadsheet. [2]
4) Set assignment and completion triggers
Auditors look for defined triggers that make the program continuous:
- Onboarding trigger: assign training immediately upon account creation or start date.
- Access change trigger: assign add-on modules when a user gains privileged access or joins a sensitive data workflow.
- Content change trigger: if you materially update modules (policy change, new reporting channel), reassign targeted training to affected groups.
Avoid making “once a year” your only control mechanism. AT-2 does not say “annual,” and assessments often test whether your program responds to changes. [1]
5) Deliver training and enforce completion
Minimum operational expectations:
- Deliver through an LMS or equivalent system that provides immutable logs, timestamps, and user identifiers.
- Configure reminders and escalation (manager notification; service desk ticket; access suspension for high-risk access, where feasible and pre-approved by leadership).
Make exceptions explicit:
- Document acceptable exception reasons (leave of absence, no system access yet, executive scheduling constraints).
- Require a compensating action and a deadline (for example: temporary access limitations, supervised access, or immediate briefing).
6) Measure and report in a way you can evidence
Create a recurring report that shows:
- In-scope population count by role category
- Assigned vs completed
- Overdue list with follow-up actions taken
- Exceptions granted with approver and rationale [1]
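Steps 2, 3 and 6 above reduce to one recurring job: join the identity feeds against the LMS, apply the role matrix, and emit the report fields. The script below is an added example (not from the original page or any product) that does that over constructed sample feeds; the module IDs, role names, 30-day grace period and user records are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Role-to-module matrix (step 3). Module IDs and role names are constructed for this example.
ROLE_MATRIX = {"all": ["SEC-BASE", "PRIV-BASE"], "privileged": ["PRIV-ADMIN"],
               "engineering": ["SEC-DEV"], "data_handling": ["PRIV-HANDLING"],
               "executive": ["EXEC-RISK"]}
GRACE_DAYS = 30  # assumed policy: complete within 30 days of the trigger date

@dataclass
class User:
    uid: str
    start: date                               # account creation / start date (onboarding trigger)
    roles: set = field(default_factory=set)   # add-on categories from IdP/PAM feeds

def required_modules(user):
    mods = list(ROLE_MATRIX["all"])           # baseline security + privacy for everyone
    for role in sorted(user.roles):
        mods += ROLE_MATRIX[role]             # role add-ons
    return mods

def reconcile(population, lms_roster, completions, exceptions, today):
    """population: in-scope users from IdP/HRIS/contractor feeds; lms_roster: user IDs the LMS
    knows; completions: {(uid, module): date}; exceptions: {uid: reason}. Returns the step-6 report."""
    report = {"in_scope": len(population), "assigned": 0, "completed": 0, "overdue": [],
              "not_in_lms": [], "orphaned_in_lms": sorted(lms_roster - {u.uid for u in population}),
              "excepted": []}
    for u in population:
        if u.uid not in lms_roster:
            report["not_in_lms"].append(u.uid)            # identity exists, LMS never saw it
        if u.uid in exceptions:
            report["excepted"].append((u.uid, exceptions[u.uid]))
        for mod in required_modules(u):
            report["assigned"] += 1
            if (u.uid, mod) in completions:
                report["completed"] += 1
            elif u.uid not in exceptions and today > u.start + timedelta(days=GRACE_DAYS):
                report["overdue"].append((u.uid, mod))    # chase: reminder, ticket, escalation
    return report

# Constructed feeds: an engineer, a privileged contractor never loaded into the LMS, an executive with an approved exception, and a leaver still on the LMS roster.
POPULATION = [User("alice", date(2024, 1, 15), {"engineering"}),
              User("bob-ctr", date(2024, 5, 1), {"privileged"}),
              User("carol", date(2023, 3, 1), {"executive"})]
LMS_ROSTER = {"alice", "carol", "dave"}
COMPLETIONS = {("alice", "SEC-BASE"): date(2024, 2, 1), ("alice", "PRIV-BASE"): date(2024, 2, 1),
               ("carol", "SEC-BASE"): date(2023, 4, 1)}
EXCEPTIONS = {"carol": "leave of absence; briefing scheduled on return"}

def run_sample(today=date(2024, 6, 30)):
    return reconcile(POPULATION, LMS_ROSTER, COMPLETIONS, EXCEPTIONS, today)
```

On the sample data the report shows the contractor as both missing from the LMS and overdue on every module, the executive's exception suppressing overdue flags without hiding the incomplete modules, and the leaver as an LMS-only orphan to hand to the leaver process.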
7) Connect AT-2 to related controls (so it survives scrutiny)
AT-2 rarely stands alone in audits. Prepare linkages to:
- Access control (joiner/mover/leaver processes)
- Incident reporting procedures (users must know how to report)
- Privacy program artifacts (privacy notices, handling rules, escalation path) [1]
Required evidence and artifacts to retain
Keep artifacts that prove scope, delivery, completion, and follow-up:
Governance
- AT-2 control record: owner, scope statement, role matrix, frequency/triggers, exception process [2]
- Training policy/standard referencing security + privacy literacy expectations [1]
Operational evidence
- LMS assignment rules and screenshots/config exports showing how users are targeted
- Completion logs with user ID, module name, completion status, completion date/time
- Population reconciliation evidence (IdP/HRIS export matched to LMS roster)
- Overdue follow-up records (email escalation, tickets, manager attestations)
- Exception register with approvals and closure dates
Content evidence
- Module outlines or slide decks for security literacy and privacy literacy
- Change log for material updates (what changed, who approved, when deployed)
Retention note: keep evidence long enough to cover your audit window and to show continuous operation across cycles; define this in your internal retention schedule.
Common exam/audit questions and hangups
Auditors and assessors tend to ask:
- “Show me your definition of system users and how you identify them.” [1]
- “How do you ensure contractors and third parties complete training before access?” [2]
- “Do executives complete the same training? If different, why, and where is that defined?” [2]
- “Prove this is operating: give me a completion report and evidence of chasing delinquents.” [1]
- “How do you know the training covers privacy literacy, not just security awareness?” [2]
Most hangups come from inability to reconcile population lists, or from contractors being managed outside standard HR workflows.
Frequent implementation mistakes and how to avoid them
- Mistake: scoping to employees only. Fix: define system users via identity and access, not payroll. Pull rosters from your IdP and PAM in addition to HRIS. [2]
- Mistake: no privacy content. Fix: add a dedicated privacy literacy module or a clear privacy section in baseline training, and keep the outline as evidence. [2]
- Mistake: executives get informal briefings with no records. Fix: provide an exec-tailored module if needed, but track completion in the same system of record and require the same evidence fields. [2]
- Mistake: “training completed” with no proof of assignment and enforcement. Fix: retain assignment rules, reminder/escalation artifacts, and overdue follow-up tickets. [1]
- Mistake: contractors onboarded by procurement with no training trigger. Fix: add a gating step in the access request workflow: training required before account activation, or immediate assignment upon account creation with an enforced deadline. [1]
Enforcement context and risk implications
No public enforcement cases are provided in the source catalog for this requirement, so treat “enforcement” risk as assessment and contractual risk rather than a claim about regulator actions. [1]
AT-2 gaps create predictable failure modes:
- Users mishandle sensitive data because they were never trained on privacy handling rules.
- Contractors become a blind spot: access exists, training records do not.
- During an incident, staff do not report quickly because reporting channels were not taught.
Assessors frequently view training as a foundational control that supports many other controls. Weak AT-2 evidence can cause broader loss of confidence in your control operation. [1]
A practical 30/60/90-day execution plan
First 30 days (stabilize scope and evidence)
- Assign AT-2 owner and backups; document responsibilities. [1]
- Write the AT-2 procedure (scope, triggers, exception handling, evidence list). [2]
- Produce an initial in-scope roster from IdP/HRIS/contractor list and reconcile against LMS users.
- Inventory current training content and identify privacy literacy coverage gaps.
Days 31–60 (deploy role matrix and automation)
- Publish the role-to-training matrix and get approvals from Security and Privacy stakeholders. [1]
- Configure LMS assignment rules tied to onboarding and role changes.
- Stand up overdue escalation workflow (manager notifications; ITSM tickets; exception register).
- Start monthly reporting and store exports in your audit evidence repository.
Days 61–90 (prove operation and close edge cases)
- Run a targeted campaign to close delinquencies, with documented follow-up actions.
- Test contractor coverage by sampling recent third-party access grants and verifying training records match. [2]
- Tabletop an audit response: pull the last completion report, show scope definition, show exceptions, show module outlines.
- In Daydream, map AT-2 to the control owner, procedure, and recurring evidence artifacts so your audit package is repeatable and survives staffing changes. [2]
Frequently Asked Questions
Does AT-2 require separate security and privacy courses?
AT-2 requires security and privacy literacy training, but it does not prescribe course structure. You can meet it with separate modules or a combined course if you can show clear coverage of both areas. [2]
Are contractors and third parties really in scope if they only have limited access?
Yes if they are system users, and the control explicitly calls out contractors. Define “system user” based on access, then ensure your onboarding and access workflows assign training for non-employees. [2]
How do we handle executives who refuse the LMS?
Don’t create an undocumented exemption. Offer an exec-format option if necessary, but record completion with the same fields you use for everyone else and retain the evidence. [2]
What evidence is the fastest to produce during an audit?
A current in-scope roster, an LMS completion export, and the role-to-training matrix, plus a small sample of overdue follow-up tickets. Those show scope, operation, and enforcement without debate. [1]
Our training content is managed by HR. What does Security need to own?
Security needs to own the control requirements: scope definition, role matrix, triggers, exception handling, and audit evidence. HR can administer delivery, but Security must be able to explain and prove control operation. [1]
Can we satisfy AT-2 with a policy acknowledgment instead of training?
Acknowledgments help, but AT-2 calls for literacy training, which implies instructional content and user completion evidence. Use acknowledgments as reinforcement, not as the only artifact. [1]
Footnotes
[1] NIST SP 800-53 Rev. 5
[2] NIST SP 800-53 Rev. 5 (OSCAL JSON)