AT-2(2): Insider Threat

AT-2(2): Insider Threat requires you to provide literacy training that teaches your workforce how to recognize potential insider-threat indicators and how to report them through approved channels. To operationalize it quickly, define “what to report,” publish “how to report,” deliver role-appropriate training on a schedule, and retain completion and effectiveness evidence for auditors. 1

Key takeaways:

  • Train people to spot insider-threat indicators and to report them, not just to “be careful.” 1
  • Operationalize via clear reporting paths, triage ownership, and measurable training completion and outcomes.
  • Evidence matters: auditors look for repeatable training delivery plus artifacts that prove the content covered insider-threat recognition and reporting.

The AT-2(2): Insider Threat requirement is a training enhancement under NIST SP 800-53 Rev. 5 that focuses on literacy: your users must be able to recognize and report potential insider-threat indicators. This is narrower than a full insider threat program. It does not, by itself, require you to stand up a dedicated insider threat office, continuous monitoring, or employee risk scoring. It does require you to teach the workforce what “concerning behavior” or “concerning system activity” looks like in your environment and what to do next.

For a CCO, Compliance Officer, or GRC lead, the fastest path is to treat AT-2(2) like an auditable training control with operational hooks. Training without an intake channel, routing, and documented handling creates a predictable audit problem: people can “recognize” issues but have no reliable way to report them, and you cannot show that reports are handled consistently. This page gives you requirement-level implementation guidance you can assign to HR/Learning, Security, and Compliance, along with the evidence set you will need in an assessment against NIST SP 800-53 Rev. 5. 2

Regulatory text

Requirement (verbatim excerpt): “Provide literacy training on recognizing and reporting potential indicators of insider threat.” 1

What the operator must do:

  • Provide training (not just a policy) that covers two outcomes:
    1. Recognize potential insider threat indicators.
    2. Report those indicators through defined channels. 1
  • Make the training repeatable and provable: you need a defined audience, delivery method, frequency/schedule, and retained records suitable for examination.

Plain-English interpretation (what AT-2(2) is asking for)

AT-2(2) expects “insider threat literacy,” meaning your workforce can answer four questions without guessing:

  1. What is an insider threat indicator here? Examples must be relevant to your environment (data types, systems, mission, typical fraud patterns, typical IP risks).
  2. What should I do immediately? (Stop, preserve evidence, don’t confront, don’t investigate on your own, don’t retaliate.)
  3. How do I report it? (Named channels with clear escalation paths.)
  4. What happens after I report? (Basic expectations: confidentiality, no retaliation, triage, and feedback when appropriate.)

This requirement is satisfied when training content explicitly covers recognition and reporting, you can show it was delivered to the required population, and the reporting path is real (monitored, owned, and used).

Who it applies to (entity and operational context)

AT-2(2) is part of NIST SP 800-53 Rev. 5 and commonly applies to:

  • Federal information systems implementing NIST SP 800-53 controls. 2
  • Contractor systems handling federal data where NIST SP 800-53 is flowed down contractually or used as the baseline control framework. 1

Operationally, scope it to the people most likely to observe or create insider-risk signals:

  • All workforce members with system access (employees, contractors, temps).
  • Privileged users (admins, cloud operators, DBAs).
  • Data stewards (finance, HR, legal, R&D).
  • Managers and HR partners who may receive behavioral reports first.
  • Security and IT service desk who will see account misuse patterns.

If your organization uses third parties with logical access (MSPs, consultants), include them in the training population or provide an equivalent requirement in onboarding and contract terms.

What you actually need to do (step-by-step)

Step 1: Assign ownership and define the control boundary

  • Control owner: usually Security GRC or Security Awareness, with HR/L&D as delivery partner.
  • Operational owners: Insider threat triage typically sits with Security Operations, Insider Risk, or an IR/HR/Legal working group.
  • Control boundary: identify which systems, business units, and access populations are in scope for NIST SP 800-53 control assessment.

Deliverable: a one-page control implementation statement that maps AT-2(2) to the owners, procedure, and evidence set (this is a common best practice for assessment readiness). 1

Step 2: Define “indicators” in a way staff can recognize

Create an “indicator library” for training. Keep it practical and role-specific. Categories that work in audits:

  • Data handling indicators: unusual mass downloads, sending sensitive files to personal email, repeated attempts to bypass DLP or labeling.
  • Access misuse indicators: password sharing, use of someone else’s badge/account, requests for access outside job duties.
  • Behavioral/process indicators: coercion attempts, unusual vendor/third-party pressure, unexplained policy exceptions.

Do not turn training into a surveillance policy. Focus on observable risk and reporting expectations.

Step 3: Define reporting channels and triage workflow

Training must include “how to report.” Make that instruction real by documenting:

  • Channels: security hotline/email, internal reporting portal, ticket category, or ethics hotline if it routes appropriately.
  • Routing rules: who receives reports, what constitutes an incident vs. a concern, and how to involve HR/Legal.
  • Non-retaliation and confidentiality: reference your code of conduct/whistleblower protections where applicable; keep the training aligned with internal policy language.

Minimum operational expectation: a monitored inbox/portal plus an intake SOP that states acknowledgement, triage, escalation, and recordkeeping.

Step 4: Build and deliver training content that satisfies the “recognize + report” test

A clean structure auditors respond to:

  • Module 1: What insider threat indicators look like in your environment.
  • Module 2: Reporting: what, when, and how; “don’t investigate on your own.”
  • Module 3: Role-based add-on (privileged users; managers; service desk).

Include scenario questions. A short knowledge check creates stronger evidence than “video watched.”

Step 5: Schedule training events and define triggers

Set training to occur:

  • At onboarding (before or immediately after system access).
  • On a recurring cadence consistent with your broader security awareness program.
  • On role change into privileged or sensitive positions.

If you do not want to state fixed intervals in policy, define “recurring” in your procedure and show consistency in completion reports.

Step 6: Measure effectiveness and close the loop

AT-2(2) says “provide training,” but examiners often probe for effectiveness. Keep it lightweight:

  • Track completion and quiz results.
  • Track volume/quality of insider-risk reports (trend, not targets).
  • Run periodic internal “spot checks” (tabletop scenarios for managers and service desk).
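Steps 5 and 6 together describe a reconciliation an assessor will expect you to be able to perform on demand: take the population that actually has access, compare it with the LMS completion export, and apply the training triggers (onboarding window, recurring cadence, move into a privileged role) plus the knowledge-check threshold. The following Python script is an added example of that reconciliation; it is not code from the page, from NIST, or from any GRC product. The policy parameters (30-day onboarding window, 365-day cadence, 80% pass mark, a “current content version”) and the roster and LMS rows are constructed assumptions for illustration; AT-2(2) does not prescribe them, so set them from your own procedure.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy parameters. These are assumptions for the example; AT-2(2) does not
# prescribe windows, cadences or pass marks, so take them from your own procedure.
ONBOARD_WINDOW_DAYS = 30                       # training due within N days of access
RECURRING_DAYS = 365                           # refresher cadence
MIN_PASS_SCORE = 80                            # knowledge-check score that counts as "literate"
CURRENT_CONTENT_VERSION = "insider-threat-v3"  # content version live in this assessment period
AS_OF = date(2025, 1, 15)                      # assessment date used by run_example()


@dataclass
class Person:
    user: str
    kind: str                        # employee / contractor / temp
    role: str
    access_granted: date
    privileged_since: Optional[date]  # date of move into a privileged role, if any


@dataclass
class Completion:
    user: str
    completed: date
    content_version: str
    score: int


# Constructed sample data standing in for an access roster and an LMS export.
ACCESS_ROSTER = """user,type,role,access_granted,privileged_since
alice,employee,analyst,2024-01-10,
bob,contractor,cloud-operator,2024-03-01,2024-06-15
carol,employee,dba,2023-05-20,2023-05-20
dave,employee,finance,2024-11-01,
erin,temp,analyst,2024-12-20,
"""

LMS_EXPORT = """user,completed,content_version,score
alice,2024-01-20,insider-threat-v3,90
bob,2024-03-05,insider-threat-v2,85
carol,2024-02-01,insider-threat-v3,70
dave,2024-11-15,insider-threat-v3,95
"""


def parse_date(text: str) -> Optional[date]:
    return date.fromisoformat(text) if text else None


def load_roster(text: str) -> list:
    rows = csv.DictReader(io.StringIO(text))
    return [Person(r["user"], r["type"], r["role"],
                   parse_date(r["access_granted"]), parse_date(r["privileged_since"]))
            for r in rows]


def load_completions(text: str) -> list:
    rows = csv.DictReader(io.StringIO(text))
    return [Completion(r["user"], parse_date(r["completed"]), r["content_version"], int(r["score"]))
            for r in rows]


def assess_person(person: Person, completions: list, as_of: date) -> list:
    """Return the list of findings for one in-scope person (empty list = compliant)."""
    findings = []
    # Only a completion that met the knowledge-check threshold demonstrates literacy.
    passing = [c for c in completions if c.score >= MIN_PASS_SCORE]
    if not passing:
        deadline = person.access_granted + timedelta(days=ONBOARD_WINDOW_DAYS)
        if as_of > deadline:
            findings.append("onboarding training overdue")
        else:
            findings.append("onboarding training pending (within window)")
    else:
        latest = max(passing, key=lambda c: c.completed)
        if as_of > latest.completed + timedelta(days=RECURRING_DAYS):
            findings.append("recurring training overdue")
        if latest.content_version != CURRENT_CONTENT_VERSION:
            # Auditors ask which content was live; a pass on superseded content is a gap.
            findings.append("latest completion on superseded content")
    # Role-change trigger: a move into a privileged role needs a passing completion after it.
    if person.privileged_since and not any(c.completed >= person.privileged_since for c in passing):
        findings.append("no passing completion since move to privileged role")
    return findings


def reconcile(roster_text: str, lms_text: str, as_of: date) -> dict:
    """Map every user on the access roster to their findings. Users who appear
    only in the LMS (no current access) are ignored; the roster defines scope."""
    by_user = {}
    for c in load_completions(lms_text):
        by_user.setdefault(c.user, []).append(c)
    return {p.user: assess_person(p, by_user.get(p.user, []), as_of) for p in load_roster(roster_text)}


def summarize(results: dict) -> dict:
    with_findings = sum(1 for f in results.values() if f)
    return {"in_scope": len(results), "compliant": len(results) - with_findings,
            "with_findings": with_findings}


def run_example() -> dict:
    return reconcile(ACCESS_ROSTER, LMS_EXPORT, AS_OF)


if __name__ == "__main__":
    results = run_example()
    for user, findings in results.items():
        print(f"{user}: {'OK' if not findings else '; '.join(findings)}")
    print(summarize(results))
```

Run it against the sample data and the script flags the contractor who moved into a cloud-operator role after passing an older content version, the DBA whose only attempt fell below the pass mark, and the temp still inside the onboarding window; the summary line gives the completion figure for the evidence binder. The roster, not the LMS, defines the in-scope population, which is the comparison assessors make when they ask whether your defined population matches actual access.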

Step 7: Package evidence for assessments

Create an “AT-2(2) evidence binder” (folder) that an auditor can navigate in minutes. Daydream is typically the natural place to map the requirement to the control owner, procedure, and recurring artifacts so you can produce evidence consistently across audit cycles. 1

Required evidence and artifacts to retain

Use this checklist to stay audit-ready:

Evidence item                              | What it should show                                        | Owner
Training policy/standard cross-reference   | Training includes insider-threat recognition + reporting   | GRC / Security Awareness
Training content (slides/video/script)     | Indicator examples + reporting instructions                | Security Awareness
LMS assignment rules                       | Who is required to take it (roles, groups)                 | HR/L&D
Completion report/export                   | Dates, population, completions, exceptions                 | HR/L&D
Quiz/knowledge check results               | Users had to demonstrate literacy                          | HR/L&D / Awareness
Reporting channel proof                    | Hotline/portal/inbox exists and is monitored               | Security / Compliance
Intake & triage SOP                        | How reports are handled and escalated                      | SecOps / IR / HR/Legal
Exception handling log                     | How you handle leaves, contractors, access suspension      | GRC / HR

Keep versions. Auditors often ask what content was live during the assessment period.

Common exam/audit questions and hangups

  • “Show me where the training teaches employees how to report insider-threat indicators.” 1
    Hangup: training discusses risk but omits specific channels or the instructions are outdated.
  • “Who is in scope, and how do you ensure contractors and privileged users complete it?”
  • “How do you know the training is effective?”
    Hangup: no quiz, no scenario work, no metrics, no corrective action for repeat failures.
  • “What happens after a report is submitted?”
    Hangup: no triage procedure, or ethics hotline reports do not reach security.
  • “Provide evidence for the last assessment period.”
    Hangup: LMS exports missing, or content version not retained.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating insider threat as generic security awareness.
    Fix: add explicit “indicators” and “reporting” sections that match AT-2(2) language. 1

  2. Mistake: No single, trusted reporting path.
    Fix: publish at least one primary channel and train to it; document routing for alternates (manager, HR, ethics line).

  3. Mistake: Training exists, but the audience is undefined.
    Fix: define in-scope populations in the LMS and in a control statement; include third parties with access.

  4. Mistake: Over-collecting sensitive personal data in the reporting process.
    Fix: intake forms should collect only what’s necessary for triage; route to HR/Legal as needed based on your SOP.

  5. Mistake: Evidence is scattered across teams.
    Fix: centralize artifacts in a single mapped control record (Daydream or your GRC system) with owners and refresh expectations. 1

Enforcement context and risk implications

No public enforcement cases are provided in the source catalog for this requirement, so you should plan for assessment risk rather than enforcement-specific risk. Practically, AT-2(2) gaps create two outcomes that matter to leadership:

  • Delayed detection: insider issues often surface first through peer reports; untrained staff miss signals or stay silent.
  • Audit findings: the most common failure mode is “training claimed” but not demonstrably covering insider-threat indicators and reporting, or weak evidence of completion. 1

Practical 30/60/90-day execution plan

Next 30 days (stabilize)

  • Assign control owner and operational triage owner; document RACI.
  • Inventory current training; gap-assess against “recognize + report.”
  • Publish/confirm reporting channels and create an intake SOP draft.
  • Build the evidence binder structure and naming conventions.

Next 60 days (implement and prove)

  • Update training content with environment-specific indicators and reporting instructions.
  • Configure LMS assignments for all in-scope populations, including contractors with access.
  • Add a knowledge check and retain results.
  • Run a dry-run audit: pull training completion, content version, and reporting channel proof.

Next 90 days (operationalize)

  • Run manager/service desk scenario sessions focused on “what to do with a report.”
  • Test the reporting channel (send a test submission; verify routing and response).
  • Review exception handling and completion follow-ups.
  • Map AT-2(2) in Daydream to the final procedure and recurring evidence artifacts so ongoing collection is routine, not a fire drill. 1

Frequently Asked Questions

Does AT-2(2) require a full insider threat program?

AT-2(2) specifically requires literacy training on recognizing and reporting potential insider-threat indicators. A broader insider threat program may be appropriate for your risk profile, but it is not stated in this requirement excerpt. 1

Who must take the training: employees only, or contractors too?

Treat everyone with access to in-scope systems as in scope, including contractors and other third parties with logical access. Auditors will focus on whether your defined population matches actual access patterns.

What counts as “indicators” of insider threat for training purposes?

Use a mix of behavioral/process and technical examples that your workforce can observe and report. Keep it tied to your environment (data types, systems, privileged roles) and to the reporting workflow.

Is a signed policy acknowledgment enough evidence?

Usually no. AT-2(2) calls for literacy training, so you should retain training content and completion records that show users received instruction on recognition and reporting. 1

How do we handle insider reports that are really HR complaints?

Train staff to report concerns through your defined channel, then use triage criteria to route to HR/Legal/Security based on the SOP. Document routing so auditors can see reports land with the right function.

What’s the fastest way to get audit-ready evidence for AT-2(2)?

Centralize your control mapping, procedure, and recurring artifacts (content version, LMS exports, and reporting channel proof) in one place. Daydream is well-suited for this because it ties the requirement to owners and evidence expectations across cycles. 1

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
