AT-3: Role-based Training
AT-3 requires you to deliver security and privacy training that is tailored to job roles, not one-size-fits-all awareness. To operationalize it fast, define which roles need specialized training, map each role to required topics, deliver training on a set cadence, and retain completion and content evidence that proves the training matched role responsibilities.
Key takeaways:
- Build a role-to-training matrix that ties job responsibilities to security and privacy topics.
- Prove execution with artifacts: rosters, course content, assignments by role, and completion records.
- Treat contractors and third parties with system access as “personnel” in scope and train them to the same role expectations.
The AT-3 role-based training requirement is an execution control: assessors look for proof that higher-risk roles received training aligned to what they can touch, change, approve, or exfiltrate. The baseline security awareness course rarely satisfies AT-3 by itself because it does not differentiate between, for example, a payroll clerk, a cloud administrator, a SOC analyst, and a developer with production deployment rights.
Operationally, AT-3 becomes straightforward once you treat it like access governance. You start with roles that materially affect confidentiality, integrity, and availability, then assign training that matches those privileges and workflows. The fastest path is a small number of “training profiles” aligned to real access patterns (privileged admin, engineer with CI/CD, data handler, incident responder, privacy role, etc.), even if HR job titles vary across departments.
This page gives requirement-level guidance you can implement without a long program build. It focuses on: defining role scope, building a training matrix, delivering and tracking training, and preparing evidence for an audit or federal customer review aligned to NIST SP 800-53 Rev. 5.
Requirement: AT-3 role-based training (what it means)
AT-3 expects you to provide security and privacy training tailored to personnel roles and responsibilities, with training content that matches what the role does and the risk it introduces. A practical reading: if someone can administer systems, handle sensitive data, develop and deploy code, approve access, investigate incidents, or manage third parties, they need targeted training beyond general awareness.
Your control has two “make-or-break” elements in audits:
- Role definition and assignment (who is in what role training group, and why).
- Proof the training was role-specific (course outlines and assignments that map to role responsibilities).
Regulatory text
“Provide role-based security and privacy training to personnel with the following roles and responsibilities: {{ insert: param, at-3_prm_1 }}:”
What the operator must do with this text
- Decide the “roles and responsibilities” list your system needs (the parameterized portion is where your organization specifies the in-scope roles).
- Deliver training for each listed role that covers the security and privacy behaviors that role must execute correctly.
- Track and retain evidence that the right people completed the right training, and that training content stayed current with the role’s responsibilities.
Who it applies to (entity and operational context)
AT-3 is commonly applied in:
- Federal information systems and programs assessed against NIST SP 800-53.
- Contractor systems handling federal data, including environments where federal data is processed, stored, or transmitted by a third party.
Operationally, scope includes personnel with logical or physical access that could affect system security or privacy outcomes. Do not limit scope to full-time employees; include contractors and third-party staff who perform in-scope functions or have access consistent with those roles.
Plain-English interpretation (what assessors look for)
Assessors usually test three questions:
- Did you identify which roles need specialized training?
- Did you deliver training that matches those roles?
- Can you prove it with records and repeatable process evidence?
A good AT-3 implementation reads like: “If you have privileged access, deploy code, handle sensitive data, respond to incidents, or administer identity, you get training built for those duties, you complete it, and we can show it.”
What you actually need to do (step-by-step)
Step 1: Name an AT-3 control owner and define governance
Assign one accountable owner (often GRC, Security, or Privacy) with authority to:
- define role groups,
- approve training content or vendors,
- enforce completion with HR/IT, and
- produce audit evidence on demand.
In Daydream, treat AT-3 like an evidence-producing control: attach the owner, procedure, and recurring artifacts to the requirement so audits become “export evidence,” not “rebuild history.”
Step 2: Build a role inventory based on access and duties (not job titles)
Create a list of role groups that reflect real risk. Start from:
- IAM role memberships and privileged access lists,
- HR job families,
- on-call/incident roles,
- data access groups (especially regulated or sensitive datasets),
- SDLC and deployment permissions.
Output: a short set of training groups, each with a plain description of responsibilities.
Step 3: Create a role-to-training matrix (the core AT-3 artifact)
For each role group, define:
- required courses/modules,
- required topics,
- delivery method (LMS, live, tabletop, lab),
- completion trigger (onboarding, role change, periodic refresh),
- who tracks completion.
Practical example of role-specific topics (adapt to your environment):
- Privileged administrators: privileged access handling, change control, logging expectations, secure configuration, break-glass procedures.
- Developers/DevOps: secure coding expectations, secrets management, CI/CD security, code review rules, dependency hygiene.
- Data handlers: data classification, approved sharing methods, encryption and transfer rules, retention and deletion expectations, privacy handling where relevant.
- Incident responders/SOC: escalation rules, evidence handling, reporting timelines and channels, privacy considerations in investigations.
Step 4: Deliver training and enforce completion
Execution needs two controls working together:
- Assignment logic (who gets assigned which course based on role membership).
- Completion enforcement (reminders, manager escalation, access gating where feasible).
Common operational pattern: HR provisions the user, IAM assigns groups, the LMS assigns training based on those groups, and GRC monitors exceptions.
Step 5: Manage role changes and joiners/movers/leavers
AT-3 breaks most often on “movers”:
- Someone changes to a privileged role and never receives the privileged training.
- A contractor is granted access for a short project and bypasses training.
Minimum viable process:
- Trigger training assignment on role change (HRIS ticket, IAM group addition, access request workflow).
- Require completion before access becomes persistent for high-risk roles, where your operations can support it.
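The assignment logic of Steps 3 to 5 (matrix, IAM-group-driven assignment, mover trigger, access gating), as an added example that is not part of this page or of any Daydream product code: a Python script that derives each user's required courses from IAM group membership through a constructed role-to-training matrix, compares them with LMS completion dates, and flags movers whose in-scope access predates any covering training. The group names, course ids and the 365-day refresh cadence are assumptions.

```python
from datetime import date, timedelta

# Constructed role-to-training matrix (assumed course ids, not from the page):
# training group -> courses required before access to that role becomes persistent.
MATRIX = {
    "privileged-admin": {"SEC-PRIV-101", "SEC-CHANGE-102"},
    "developer-cicd": {"SEC-CODE-201", "SEC-SECRETS-202"},
    "data-handler": {"SEC-DATA-301", "PRIV-DATA-302"},
}
# Assignment logic keyed on IAM group membership, not HR title (assumed group names).
GROUP_TO_TRAINING = {
    "aws-admins": "privileged-admin",
    "ci-deployers": "developer-cicd",
    "pii-readers": "data-handler",
}
REFRESH = timedelta(days=365)  # assumed periodic refresh cadence

def required_courses(iam_groups):
    """Union of the courses required by every training group the IAM groups map to."""
    courses = set()
    for group in iam_groups:
        courses |= MATRIX.get(GROUP_TO_TRAINING.get(group, ""), set())
    return courses

def assess_user(user, as_of, completions):
    """user = {"id", "groups": {iam_group: date_granted}}, completions = {course: date},
    all dates as ISO strings; returns missing/stale courses, mover flag, gating verdict."""
    today = date.fromisoformat(as_of)
    done = {c: date.fromisoformat(d) for c, d in completions.items()}
    missing = {c for c in required_courses(user["groups"])
               if c not in done or today - done[c] > REFRESH}
    # A mover gained an in-scope group after (or without) a completion covering it:
    # the "moved into a privileged role, never trained for it" failure mode.
    mover = any(
        date.fromisoformat(granted) > done.get(c, date.min)
        for group, granted in user["groups"].items() if group in GROUP_TO_TRAINING
        for c in MATRIX[GROUP_TO_TRAINING[group]]
    )
    return {"user": user["id"], "missing": sorted(missing),
            "mover_gap": mover and bool(missing), "persistent_access_ok": not missing}

if __name__ == "__main__":
    # Constructed sample: a developer added to aws-admins in May 2024 who has
    # completed only the developer modules, so the admin courses are outstanding.
    jdoe = {"id": "jdoe", "groups": {"ci-deployers": "2023-09-01", "aws-admins": "2024-05-15"}}
    lms = {"SEC-CODE-201": "2023-09-02", "SEC-SECRETS-202": "2023-09-02"}
    print(assess_user(jdoe, "2024-06-01", lms))
```

Run it against an IAM group export and an LMS completion report on a schedule; the `mover_gap` rows are the samples an assessor will ask for, and `persistent_access_ok` is the gating signal for an access request workflow.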
Step 6: Refresh training content when responsibilities change
Role-based training must remain aligned to real duties. Treat these as refresh triggers:
- major tooling changes (new CI/CD system, new incident platform),
- policy changes (data handling, encryption rules),
- new threat patterns that affect a specific role’s workflow,
- new privacy processing activities for a business unit.
Step 7: Prepare assessment-ready evidence packages
Build an “AT-3 evidence packet” per role group:
- training description and outline,
- assignment rules,
- roster of in-scope personnel,
- completion reports,
- exceptions with documented approvals and remediation.
Required evidence and artifacts to retain
Keep evidence that proves both design and operation:
- Role-to-training matrix with version history and approvals.
- Training content (slides, modules, outlines, labs, quizzes) showing security and privacy coverage per role.
- Assignment logic (LMS rules, IAM group mapping, SOP describing how people get assigned).
- Completion evidence (LMS reports, certificates, attendance rosters for live sessions).
- Exception handling (waivers, compensating measures, remediation plans).
- Joiner/mover process evidence (tickets, workflow screenshots, change logs) showing that a role change triggers training.
Daydream tip: store these as recurring artifacts mapped directly to AT-3, with collection owners and due dates. That cuts audit scramble and prevents missing-evidence findings.
Common exam/audit questions and hangups
Expect variations of:
- “Which roles require AT-3 training in your environment, and how did you decide?”
- “Show the training content for privileged admins/developers/data handlers and how it differs from general awareness.”
- “How do you ensure contractors and third-party personnel complete training before gaining access?”
- “Show evidence for joiners and movers: someone who changed roles and got the new role’s training.”
- “How do you track late completions and exceptions?”
Hangup to preempt: assessors often reject a spreadsheet that lists courses per job title if you cannot show how job titles map to access and responsibilities.
Frequent implementation mistakes (and how to avoid them)
- Treating general awareness as role-based training. Fix: keep awareness, but add role modules and prove role differentiation with the matrix and content outlines.
- Using HR titles that do not match real privileges. Fix: base role groups on IAM groups, privileged access, and SDLC permissions; document the rationale.
- Ignoring privacy in role-based training. Fix: include privacy handling where the role processes personal data, investigates incidents, or exports datasets.
- No mover workflow. Fix: make role change a training trigger in access request processes; sample-test movers as a control check.
- Evidence gaps (content not retained, only completion certificates). Fix: retain both completion and the underlying course outline/version so you can prove what was taught.
Enforcement context and risk implications
No public enforcement cases are provided in the source catalog for AT-3. The practical risk is assessment failure: without role mapping and evidence, AT-3 is commonly recorded as a control not fully implemented or not operating as intended. That can affect authority to operate decisions, customer trust, and contract outcomes when NIST SP 800-53 alignment is a requirement.
Practical 30/60/90-day execution plan (operator-ready)
First 30 days: establish scope and build the matrix
- Assign AT-3 owner and approvers; document the procedure for defining roles, assigning training, and collecting evidence.
- Identify the initial high-risk role groups using IAM and SDLC access lists.
- Draft the role-to-training matrix and define assignment triggers (onboarding, role change).
Days 31–60: deliver training and instrument tracking
- Publish role-based modules for the initial role groups; keep the content outlines versioned.
- Configure LMS assignments (or a manual roster process) tied to role groups; test with a sample of users.
- Stand up an exception handling and escalation path with HR and line managers.
Days 61–90: harden operations and evidence
- Run a completion campaign and document remediation for non-completion.
- Validate mover coverage by sampling recent role changes and confirming correct training assignment.
- Assemble an assessment-ready evidence packet for each role group and store it in Daydream as recurring artifacts mapped to AT-3.
Frequently Asked Questions
Does AT-3 apply to contractors and third-party personnel?
Yes, if they are “personnel” performing the role or holding access tied to the role’s responsibilities. Train them to the same role expectations and retain the same completion evidence.
Can we satisfy AT-3 with one annual security awareness course?
Usually no, because AT-3 expects training tailored to specific roles and responsibilities. Keep awareness training, then add role modules and prove differentiation with a role-to-training matrix and content outlines.
What’s the minimum set of roles we should start with?
Start with roles that create the most security and privacy impact based on access: privileged admins, developers with deployment rights, data handlers, and incident responders. Expand from there as your role inventory matures.
How do we handle “movers” who change roles mid-year?
Treat role change as a training trigger in your access request or HR workflow and record the assignment and completion. Auditors often ask for mover samples, so test this path early.
What evidence do assessors ask for most often?
They ask for the role-to-training mapping, the training content that shows role specificity, and completion reports tied to rosters of in-scope personnel. Keep exceptions and remediation records available.
Our roles are messy. What if HR titles don’t match access?
Base training groups on access patterns (IAM groups, privileged access, SDLC permissions) and document how each group maps to responsibilities. You can still report in HR terms, but the underlying logic should be access-driven.
Source: NIST SP 800-53 Rev. 5 OSCAL JSON.