AT-3(1): Environmental Controls

AT-3(1): Environmental Controls requires you to train the people who manage, maintain, or rely on facility and environmental protections (for example, HVAC, fire suppression, leak detection, power conditioning) so they can operate those controls correctly from day one and keep doing so over time. To operationalize it, define the “who,” train to specific site/system environmental controls, and retain role-based completion and competency evidence.

Key takeaways:

  • Scope the training population to roles that operate or depend on environmental controls, including third-party facilities staff where applicable.
  • Train to your actual environmental control stack and procedures (normal operations, alarms, maintenance, emergencies), not generic safety content.
  • Auditors look for role mapping, initial + recurring training cadence, and evidence that training matches documented procedures.

The AT-3(1) Environmental Controls requirement sits in NIST SP 800-53’s Awareness and Training family and targets a predictable failure mode: organizations buy or inherit environmental controls, but the people running them (or responding to alarms) do not know what “good” looks like, what to do during a fault, or how to avoid bypassing safeguards during maintenance. In practice, that turns physical and facility protections into paper controls.

For a Compliance Officer, CCO, or GRC lead, the fastest path to readiness is to treat AT-3(1) like a role-based training control with tight linkage to your facilities procedures and your system boundary. You are not being asked to redesign your data center. You are being asked to ensure the right people receive initial and recurring training on the environmental controls you already depend on, and to prove it with clean evidence.

This page gives requirement-level implementation guidance you can execute quickly: how to define scope, who owns it, what “training” must cover, what evidence to retain, what assessors typically challenge, and a practical execution plan you can run without turning it into a year-long LMS project.

Regulatory text

Requirement (excerpt): “Provide {{ insert: param, at-03.01_odp.01 }} with initial and {{ insert: param, at-03.01_odp.02 }} training in the employment and operation of environmental controls.” 1

What an operator must do:

  1. Identify the people who must be trained (the placeholders in the excerpt represent your defined training population and your defined training frequency/cycle).
  2. Provide initial training before they are expected to operate, maintain, test, monitor, or respond to environmental controls.
  3. Provide recurring training on a defined cadence and when material changes occur (new equipment, new procedures, repeated incidents, staffing changes).
  4. Make the training specific to employment and operation of environmental controls, meaning how to use the controls in normal operations and how to respond under abnormal conditions.

Authoritative references: NIST SP 800-53 Rev. 5 2

Plain-English interpretation (what AT-3(1) is really asking)

AT-3(1) expects you to prevent “human error and unfamiliarity” from becoming a single point of failure for facility protections that keep systems available and safe. Environmental controls commonly include:

  • Temperature and humidity controls (HVAC, CRAC/CRAH, sensors)
  • Fire detection and suppression (smoke detection, clean agent systems, pull stations)
  • Water/leak detection and shutoff
  • Power protections (UPS, generators, power distribution, surge protection)
  • Environmental monitoring and alerting (BMS/DCIM, alert routing, on-call runbooks)

Training must cover how these controls are used, what alarms mean, what actions are authorized, and how to escalate.

Who it applies to (entity and operational context)

AT-3(1) applies when you implement NIST SP 800-53 controls, including:

  • Federal information systems and programs adopting NIST SP 800-53 2
  • Contractor systems handling federal data, including hosted environments, managed services, and enterprise environments in scope for federal requirements 2

Operationally, it applies wherever environmental controls protect in-scope systems, including:

  • Organization-owned data centers, server rooms, MDF/IDF closets, labs
  • Colocation spaces
  • Cloud environments where you still operate some environmental dependencies (for example, on-prem edge racks), or where contractual obligations require training for on-site support staff
  • Third-party facilities management arrangements (property management, colocation operator, managed data center)

Scope decision: who is “the training population”?

Include roles that can change environmental risk posture or must respond to alarms:

  • Facilities engineers/techs, data center operations, building engineering
  • IT ops staff with on-call responsibility for environmental alarms
  • Security/physical security personnel who receive BMS alerts or control room alarms
  • Maintenance staff and contractors who perform work that could disable protections (fire suppression maintenance, HVAC vendor techs)
  • Incident responders or duty managers who coordinate response actions

Exclude roles with no operational touchpoints. If you exclude a role that receives alerts, document why and show the alternate coverage (for example, a 24/7 NOC with a runbook and trained responders).

What you actually need to do (step-by-step)

Step 1: Assign ownership and define the control boundary

  • Control owner: typically Facilities/Data Center Ops; GRC owns oversight and evidence.
  • Define where environmental controls matter: list rooms/sites and systems supported. Tie this to your system boundary documentation used for NIST assessments 2.

Output: AT-3(1) control statement + ownership RACI + list of in-scope sites/rooms.

Step 2: Build a role-to-training matrix (this is the heart of auditability)

Create a matrix with:

  • Role (job function, not person)
  • Environmental controls they touch (HVAC, UPS, suppression, monitoring)
  • Required training modules
  • Initial training trigger (hire, transfer, contract start)
  • Recurring training trigger (scheduled refresher, major change, incident)
  • Evidence source (LMS record, sign-in sheet, ticket, vendor certificate)

Output: “AT-3(1) Training Applicability Matrix” maintained by GRC.

Step 3: Define training content tied to your procedures and equipment

Your content should map to how you actually operate. Minimum topics to cover:

  • Normal operations: setpoints, monitoring dashboards, routine checks
  • Alarm response: what constitutes actionable alarms, triage steps, who to call
  • Authorized actions vs prohibited actions: who can silence alarms, bypass interlocks, disable suppression zones
  • Maintenance mode: lockout/tagout equivalents for environmental controls, impairment procedures, re-enablement verification
  • Emergency response coordination: incident command handoff, evacuation interfaces, post-event restoration steps
  • Logging and documentation: where to record actions (tickets, logs), required timestamps and approvals

Practical build tip: start from your existing runbooks/SOPs and convert them into short training modules with scenario questions.

Output: Training outline + mapping from module topics to SOP/runbook sections.

Step 4: Deliver initial training with a “competency check”

AT-3(1) is about operating controls correctly. Passive “read-and-click” training often fails in assessments if it cannot show competency. Use at least one of:

  • short quiz with passing criteria (define your criterion internally)
  • tabletop scenario (alarm at 02:00, leak detection trip, UPS on battery)
  • supervised walkthrough (BMS screen review, suppression panel basics)

Output: Completion record + quiz results or signed competency checklist.

Step 5: Run recurring training and “change-triggered” training

Recurring training should be predictable and easy to prove. Also define triggers such as:

  • commissioning new UPS/generator/HVAC unit
  • change in alert routing or on-call rotation
  • repeated environmental alarms or incidents
  • SOP changes impacting response actions

Output: Refresher completion evidence + change-triggered training tickets.

Step 6: Extend requirements to third parties where needed

If third parties operate your environmental controls (colocation operator, facilities contractor), close the gap through:

  • contract clauses requiring trained staff for your space
  • receiving their training attestations or certifications
  • joint incident drills or documented interface procedures

You are not required to run their HR program, but you must show the operating model prevents untrained operation of controls in your scope.

Output: Contract/SOW language + third-party training attestations + contact roster.

Step 7: Package evidence for assessors

Build a single “AT-3(1) evidence packet” so audits do not become a scavenger hunt. Daydream can help by mapping AT-3(1) to a control owner, an implementation procedure, and recurring evidence artifacts so collection stays consistent from one assessment cycle to the next 1.

Required evidence and artifacts to retain

Retain artifacts that prove design (what you planned) and operation (what occurred):

Design evidence

  • AT-3(1) control narrative (what training is provided; who is in scope) 2
  • Role-to-training matrix with triggers and cadence
  • Training content outlines and links to SOPs/runbooks
  • Procedure for onboarding/transfer/offboarding as it relates to training access

Operational evidence

  • Training completion records (LMS export or signed rosters)
  • Quiz/competency check results or sign-off checklists
  • Tickets showing change-triggered training after major environmental changes
  • List of current in-scope personnel and their training status
  • Third-party attestations and relevant contract/SOW clauses (if applicable)

Common exam/audit questions and hangups

Assessors tend to test whether your program is real by asking:

  • “Who exactly is included in {{ at-03.01_odp.01 }} and how did you decide?”
  • “Show initial training completed before independent duty for two recent hires.”
  • “What does ‘operation of environmental controls’ mean in your environment?”
  • “How do you ensure contractors performing maintenance are trained and do not bypass controls?”
  • “Show evidence that training was updated after a material change (new BMS, new suppression vendor).”
  • “Where is the link between training content and your written procedures?”

Hangups that slow audits:

  • Training evidence spread across Facilities, HR, and IT with no single export.
  • Generic safety training substituted for equipment/procedure training.
  • No documented triggers beyond an annual refresher concept.

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating AT-3(1) as general security awareness.
    Fix: make the modules equipment- and procedure-specific (alarms, bypass rules, maintenance impairment process).

  2. Mistake: Training only Facilities and forgetting IT on-call responders.
    Fix: include anyone who receives alerts or makes decisions during incidents.

  3. Mistake: No contractor coverage.
    Fix: require training attestations in SOWs and collect them with your evidence packet.

  4. Mistake: No proof of “initial” training timing.
    Fix: tie training completion to onboarding checklists and enforce “no solo duty until complete.”

  5. Mistake: Evidence doesn’t match scope.
    Fix: keep a current roster of in-scope people and reconcile it against training completion.
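The reconciliation in mistakes 4 and 5, and the matrix, competency check and change triggers from Steps 2, 4 and 5, reduce to a small, repeatable check over three inputs: the in-scope roster, the LMS completion export, and the role-to-training matrix. The script below is an added example written for this page, not code from NIST or Daydream; the role names, module codes, refresher cadence and all records are constructed sample data, and the finding labels are assumptions chosen for illustration. It flags the gaps an assessor samples for: a role with no matrix entry, a required module never passed, initial training completed after the person’s duty start, a refresher past its cadence, and a change trigger (new UPS) with no retraining after the change date.

```python
"""Reconcile an in-scope roster against training completions for AT-3(1).

Added example: matrix, roster and completion records below are constructed
sample data, not an export from any real LMS or GRC system.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Role-to-training matrix (Step 2): required modules and refresher cadence per
# role. Module codes and the 365-day cadence are assumptions for this example.
MATRIX = {
    "facilities_engineer": {"modules": {"HVAC-OPS", "FIRE-SUPPRESSION", "POWER-UPS"}, "refresh_days": 365},
    "it_oncall": {"modules": {"ALARM-RESPONSE", "POWER-UPS"}, "refresh_days": 365},
    "hvac_contractor": {"modules": {"HVAC-OPS", "IMPAIRMENT"}, "refresh_days": 365},
}


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    duty_start: date  # first day of independent duty (hire, transfer, contract start)


@dataclass(frozen=True)
class Completion:
    person_id: str
    module: str
    completed_on: date
    passed: bool  # competency check result (Step 4), not mere attendance


def reconcile(roster, completions, matrix, change_triggers, as_of):
    """Return a sorted list of (person_id, module, finding) tuples.

    change_triggers maps a module code to the date of a material change
    (new equipment, SOP change) after which retraining is required (Step 5).
    Only passed completions count; a failed quiz is not evidence of training.
    """
    passed = {}
    for c in completions:
        if c.passed:
            passed.setdefault(c.person_id, {}).setdefault(c.module, []).append(c.completed_on)

    findings = []
    for p in roster:
        spec = matrix.get(p.role)
        if spec is None:
            findings.append((p.person_id, "*", "role_not_in_matrix"))
            continue
        refresh = timedelta(days=spec["refresh_days"])
        for module in sorted(spec["modules"]):
            dates = sorted(passed.get(p.person_id, {}).get(module, []))
            if not dates:
                findings.append((p.person_id, module, "missing_initial"))
                continue
            if dates[0] > p.duty_start:  # "no solo duty until complete" violated
                findings.append((p.person_id, module, "initial_after_duty_start"))
            if as_of - dates[-1] > refresh:
                findings.append((p.person_id, module, "refresher_overdue"))
            trigger = change_triggers.get(module)
            if trigger is not None and trigger <= as_of and dates[-1] < trigger:
                findings.append((p.person_id, module, "change_trigger_unmet"))
    return sorted(findings)


# Constructed sample inputs.
AS_OF = date(2024, 6, 30)
ROSTER = [
    Person("E001", "facilities_engineer", date(2023, 1, 9)),
    Person("E002", "it_oncall", date(2024, 5, 6)),        # recent hire
    Person("C100", "hvac_contractor", date(2024, 3, 1)),  # vendor tech
    Person("E003", "security_guard", date(2022, 7, 1)),   # receives alarms, no matrix row
]
COMPLETIONS = [
    Completion("E001", "HVAC-OPS", date(2023, 1, 5), True),
    Completion("E001", "HVAC-OPS", date(2024, 1, 15), True),
    Completion("E001", "FIRE-SUPPRESSION", date(2023, 1, 5), True),  # never refreshed
    Completion("E001", "POWER-UPS", date(2023, 1, 6), True),
    Completion("E001", "POWER-UPS", date(2024, 2, 1), True),         # predates UPS swap
    Completion("E002", "ALARM-RESPONSE", date(2024, 5, 20), True),   # after duty start
    Completion("E002", "POWER-UPS", date(2024, 5, 3), False),        # failed quiz
    Completion("C100", "HVAC-OPS", date(2024, 2, 27), True),
    Completion("C100", "IMPAIRMENT", date(2024, 2, 27), True),
]
CHANGE_TRIGGERS = {"POWER-UPS": date(2024, 4, 10)}  # new UPS commissioned


def run_example():
    return reconcile(ROSTER, COMPLETIONS, MATRIX, CHANGE_TRIGGERS, AS_OF)


if __name__ == "__main__":
    for person_id, module, finding in run_example():
        print(f"{person_id}\t{module}\t{finding}")
```

Run it against real exports by replacing the three constants with loaders for your roster, LMS export and matrix; the output list is the exception report to attach to the evidence packet, and an empty list is the reconciliation result you want to show an assessor.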

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page does not list enforcement actions. Operationally, weak AT-3(1) execution increases the likelihood that environmental alarms are mis-triaged, maintenance disables protections without proper restoration steps, and incident response is delayed. Those are availability and safety risks that can cascade into broader security and compliance failures.

A practical 30/60/90-day execution plan

Because this requirement needs real evidence, focus on sequencing that produces assessable artifacts quickly.

First 30 days (stabilize scope and evidence paths)

  • Assign control owner and backup; document RACI.
  • Define in-scope sites/rooms and environmental control categories you depend on.
  • Draft the role-to-training matrix and validate it with Facilities and IT Ops.
  • Inventory existing SOPs/runbooks and identify gaps for alarm response and maintenance impairment.
  • Decide where evidence will live (LMS vs GRC repository) and how you will export it for audits.

Days 31–60 (deliver initial training and close the biggest gaps)

  • Publish training modules for the highest-risk controls (power, fire, water, monitoring).
  • Run initial training for all currently in-scope staff; capture completion evidence.
  • Implement onboarding and contractor intake checks so new arrivals get initial training before duty.
  • Create a simple competency check (quiz or tabletop) and retain results.

Days 61–90 (operationalize recurring and change-triggered training)

  • Set recurring refresher scheduling and automated reminders.
  • Define and document change triggers (equipment commissioning, SOP change, repeated alarms).
  • Run at least one scenario/tabletop and record attendance and outcomes.
  • Build the AT-3(1) evidence packet and do an internal mini-assessment against it.
  • If you use Daydream, map AT-3(1) to the owner, procedure, and recurring artifacts so the next audit cycle is a routine export, not a rebuild.

Frequently Asked Questions

Who counts as “personnel” for AT-3(1)?

Include any worker (employee or third party) who operates, maintains, monitors, or responds to environmental controls for in-scope facilities. If a role can silence alarms, place equipment into maintenance mode, or coordinate response actions, treat it as in scope.

Can we satisfy AT-3(1) with general workplace safety training?

Only if it directly trains people on your environmental controls’ operation and response procedures. Most general safety programs do not cover equipment-specific alarms, authorized actions, or restoration/verification steps.

What evidence will an assessor ask for first?

Expect a role-to-training mapping plus completion records showing initial and recurring training. They often sample recent hires or role changes to confirm “initial training” occurred before independent duty.

How do we handle colocation or managed data center environments?

Define the shared responsibility model in writing, then require training attestations from the operator for the staff who can affect your space. Retain the contract language and the attestations in the same evidence packet.

Do we need hands-on training, or is an online module enough?

The control requires training in “employment and operation,” so you should add a competency check appropriate to your environment. A short scenario exercise or supervised walkthrough is often easier to defend than click-through content alone.

What triggers should force retraining outside the normal refresher cycle?

Retrain when you change equipment, monitoring/alert routing, or response procedures, and after incidents that reveal confusion or incorrect actions. Treat those triggers as part of your documented training procedure.

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
