AT-3(2): Physical Security Controls

To meet the AT-3(2) Physical Security Controls requirement, you must identify which roles handle or rely on physical security controls (badges, locks, visitor management, alarms, cages, secure rooms), provide role-based training at onboarding and at a defined recurring cadence, and keep auditable proof that the training occurred and matches job duties. 1

Key takeaways:

  • Train the right people, not “all staff” by default: scope training to roles that operate, administer, or depend on physical security controls.
  • Make the training operational: teach how controls are used day-to-day and what to do when controls fail or are bypassed.
  • Evidence is the control: maintain training rosters, content, role mapping, and completion records tied to access privileges and facilities.

AT-3(2) is a training requirement with a physical security twist: it is not satisfied by generic security awareness or a facilities policy posted on an intranet. Assessors typically look for role-based training that matches how your organization actually runs physical access, visitor workflows, secure space management, and exception handling. In practice, the biggest failures are scoping and evidence: teams either (a) train everyone the same way and miss operators who need deeper instruction, or (b) run good training but cannot prove who completed it, when, and against what curriculum.

This requirement matters anywhere physical controls protect systems, media, or people that support regulated workloads, including federal information systems and contractor environments handling federal data. If you operate a data center cage, badge-controlled office, lab, call center, secure print/mail room, or even a small server closet, the training must cover how to correctly use and respond to those physical protections.

Your goal is simple: define the roles, define the controls they touch, train them initially and on a recurring basis, and retain evidence that an auditor can test quickly.

Regulatory text

Text (excerpt): “Provide {{ insert: param, at-03.02_odp.01 }} with initial and {{ insert: param, at-03.02_odp.02 }} training in the employment and operation of physical security controls.” 1

What an operator must do with this text

  • Decide who is in scope (the parameterized population). For most programs, that means personnel who operate, administer, monitor, or are granted privileged physical access to protected areas and assets.
  • Deliver initial training before independent duties begin (typically at onboarding, role change, or before granting access).
  • Deliver recurring training on an organization-defined schedule (you set the cadence; the key is that it is documented, repeatable, and followed).
  • Train on “employment and operation”: how to use physical controls correctly in real workflows (badging, visitor escort, after-hours access, key control, door alarms, secure room procedures, tailgating response, exception approvals).
  • Prove it with records that map trainees to roles and the physical controls relevant to those roles. 2

Plain-English interpretation

AT-3(2) requires role-based physical security training for the people who can directly affect physical security outcomes. The training must cover:

  • How the physical controls work in your environment (not in theory).
  • How to use them correctly (normal operations).
  • How to respond to anomalies and failures (lost badge, forced door, alarm activation, visitor without escort, broken lock, access system outage).
  • How to escalate and document incidents and exceptions.

Think of AT-3(2) as the bridge between a “physical access policy” and the real-world behavior that prevents tailgating, unauthorized entry, and untracked access to sensitive spaces.

Who it applies to (entity and operational context)

Entity types commonly in scope

  • Federal information systems and the organizations that operate them. 2
  • Contractors and service providers handling federal data in facilities they control or where they manage access processes. 2

Operational contexts that usually trigger AT-3(2)

  • Badge-access offices, secure floors, or controlled entry points.
  • Data centers, cages, MDF/IDF rooms, server closets.
  • Secure areas for regulated media (backup tapes, removable drives) or sensitive print rooms.
  • Third-party managed buildings where you still administer badging, escorting, or access approvals.
  • Hybrid workplaces where after-hours access and visitor control are non-trivial.

Roles that are typically in scope (build your own list)

  • Facilities/security staff (guards, reception/visitor desk, facilities managers).
  • IT operations with physical access (network/server admins, data center technicians).
  • Physical access control system (PACS) administrators (badge provisioning, revocation).
  • Incident responders who support physical security events.
  • People managers who approve access requests for restricted spaces.
  • Anyone with keys, master keys, or unsupervised access to restricted areas.

What you actually need to do (step-by-step)

1) Name a control owner and define accountability

  • Assign a primary owner (often Facilities/Security) and a compliance owner (GRC/CCO) to ensure training happens and evidence is retained.
  • Define who maintains course content and who runs completion reporting.

Operator tip: If Facilities runs training informally, GRC should still own the evidence standard and audit-readiness checklist.

2) Create a role-to-physical-controls training matrix

Build a matrix with:

  • Role (job title or function)
  • Facilities/areas accessed (secure floor, cage, server room)
  • Physical controls used (badge reader, keys, mantrap, visitor system, alarm panel)
  • Required training modules
  • Initial training trigger (hire, transfer, access granted)
  • Recurring training trigger (time-based cadence you define; also after major changes)

This matrix is the single most useful artifact during an assessment because it shows you scoped the control intentionally. 1

3) Define the training content as procedures, not slides

Minimum content elements to consider:

  • Access issuance and revocation workflow: request, approval, provisioning, return of badges/keys.
  • Visitor management: ID check, sign-in/out, escort rules, badge types, prohibited areas.
  • Tailgating and piggybacking: how to challenge, when to report, what to record.
  • Door and alarm events: forced door, propped door, duress alarms, response steps.
  • Secure area procedures: no unattended doors, clean desk expectations for secure rooms, escort requirements.
  • Media and asset handling in secure spaces: chain-of-custody expectations where applicable.
  • Exception handling: how to request temporary access, how to document approvals, emergency access procedures.
  • Third-party access: contractors, cleaners, maintenance; escorting and access windows.

Deliver the content in a form that supports testing: short knowledge checks, scenario-based questions, or sign-off against procedures.

4) Implement initial training gates tied to access provisioning

Make training completion a hard prerequisite for:

  • Issuing a badge with access to restricted areas
  • Issuing keys
  • Granting unescorted visitor privileges (if applicable)
  • Adding someone to an on-call list with after-hours entry

This is where many programs fail: training is “recommended,” but access is still granted. Your PACS or ticket workflow should reflect the gate.

5) Run recurring training and change-driven retraining

  • Define a recurring cadence in your training standard and apply it consistently.
  • Trigger retraining after meaningful changes, such as:
    • PACS replacement
    • New visitor process
    • Facility move or remodel affecting access paths
    • Pattern of tailgating incidents or audit findings

6) Build an evidence pack that an auditor can sample

Set up a repeatable quarterly or monthly evidence pull:

  • Completion report by role
  • New hires/access grantees trained before access date
  • Exception report and remediation for overdue training

If you manage this in Daydream, treat AT-3(2) as a control with a mapped owner, procedure, and recurring evidence artifacts so your audit packet is one click away and consistent across cycles. 1

Required evidence and artifacts to retain

Keep artifacts that prove scope, content, completion, and enforcement:

Scope & design

  • Role-to-training matrix (roles, areas, controls, modules)
  • Training policy/standard stating initial and recurring requirements
  • Access control SOPs referenced by the training

Delivery & completion

  • Training materials (deck, SOPs, videos) with version history
  • Attendance rosters or LMS completion logs (name, role, date)
  • Knowledge check results or attestations (where used)
  • New hire and role-change training assignments

Operational enforcement

  • Access request tickets showing training was completed before access grant
  • PACS provisioning workflow evidence (approval + training prerequisite)
  • Exception approvals for urgent access plus compensating controls (escort, temporary badge)

Common exam/audit questions and hang-ups

  • “Who exactly receives this training, and why?” Expect sampling against your role matrix.
  • “Show that initial training occurs before physical access is granted.” Auditors often test dates.
  • “What do you mean by ‘recurring’?” If you cannot show a defined cadence and adherence, the control looks ad hoc.
  • “Is the training specific to your controls?” Generic security awareness rarely satisfies “employment and operation.”
  • “How do you handle contractors and other third parties with facility access?” If they can enter restricted areas, they must be addressed through training, escorting, or contractual requirements.

Frequent implementation mistakes and how to avoid them

  1. Mistake: Treating AT-3(2) as general awareness training.
    Fix: Create a distinct module for physical security operations with facility-specific procedures and scenarios.

  2. Mistake: No linkage between training and badge/key issuance.
    Fix: Add a training completion checkpoint to the access request workflow; deny provisioning until satisfied.

  3. Mistake: Missing the “operators.”
    Fix: Ensure guards/reception/facilities and PACS admins have deeper training than general staff.

  4. Mistake: Evidence scattered across email and spreadsheets.
    Fix: Centralize in an LMS or a controlled repository; standardize reports and retention.

  5. Mistake: Ignoring role changes and temporary access.
    Fix: Trigger training on role change; document temporary access with defined compensating controls.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this specific enhancement, so you should treat AT-3(2) primarily as an assessment and authorization risk: failure typically shows up as a control deficiency during audits and can cascade into findings about physical access effectiveness, incident response, and protection of systems and media. 2

Operationally, weak physical security training increases the chance of:

  • Unauthorized entry through social engineering or tailgating
  • Poor visitor controls leading to untracked access
  • Delayed response to forced-door or alarm events
  • Inconsistent exception handling (after-hours access, maintenance entry)

Practical execution plan (30/60/90-day)

Because the requirement is “initial and recurring” without prescribing fixed intervals, use a phased rollout that prioritizes access-gated roles first.

First 30 days (Immediate)

  • Assign control owner(s) and write a one-page AT-3(2) implementation standard. 1
  • Inventory physical controls and protected areas (badge readers, keys, secure rooms, visitor desk).
  • Build the role-to-controls training matrix and identify high-risk roles with unescorted access.
  • Collect existing training content and SOPs; identify gaps (visitor handling, tailgating, alarm response).

Days 31–60 (Near-term)

  • Publish role-based training modules (at least: general staff, privileged access holders, facilities/security operators).
  • Add training completion as a prerequisite in access request workflows (tickets) and PACS provisioning.
  • Start tracking completions in an LMS or a controlled log with versioned content references.
  • Run the first completion campaign for all in-scope roles; document exceptions and corrective actions.

Days 61–90 (Stabilize and audit-proof)

  • Implement recurring training assignments per your defined cadence and set automated reminders.
  • Perform a mini-audit: sample recent access grants and verify training occurred before access.
  • Create a standard evidence packet: role matrix, training content versions, completion reports, and access request samples.
  • If you use Daydream, map AT-3(2) to a control owner, procedure, and recurring evidence artifacts so quarterly evidence collection becomes routine instead of a scramble. 1
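The training gate in step 4, the exception report in step 6, and the days 61–90 mini-audit above are all the same check run over two exports: your LMS completion log and your PACS or ticket provisioning log. The script below is an added example, not code from NIST, Daydream, or this guide; the role matrix, module names, the 365-day cadence, the AS_OF date, and the completion and grant records are constructed for illustration. It flags grants made before the required modules were complete (the gate) and required modules whose latest completion is older than the cadence (the recurring-training exception report).

```python
from datetime import date

# Role -> area -> required modules: a small constructed role-to-controls training
# matrix (assumption; build yours from step 2).
ROLE_MATRIX = {
    "dc_tech":    {"server_room": {"badge_basics", "alarm_response", "secure_room_ops"}},
    "pacs_admin": {"server_room": {"badge_basics", "pacs_admin_ops"}},
    "reception":  {"lobby":       {"badge_basics", "visitor_mgmt", "tailgating_response"}},
}

RECURRING_CADENCE_DAYS = 365          # organization-defined cadence (assumed)
AS_OF = date(2024, 6, 30)             # date of this evidence pull (constructed)

# Constructed LMS export: (person, module, completion date, content version)
COMPLETIONS = [
    ("alice", "badge_basics",        date(2024, 1, 10), "v3"),
    ("alice", "alarm_response",      date(2024, 1, 11), "v2"),
    ("alice", "secure_room_ops",     date(2024, 1, 12), "v1"),
    ("bob",   "badge_basics",        date(2024, 3, 5),  "v3"),   # pacs_admin_ops never completed
    ("carol", "badge_basics",        date(2022, 6, 1),  "v2"),   # stale against the cadence
    ("carol", "visitor_mgmt",        date(2022, 6, 1),  "v1"),
    ("carol", "tailgating_response", date(2022, 6, 1),  "v1"),
    ("carol", "tailgating_response", date(2023, 9, 20), "v2"),   # refreshed; latest one counts
    ("dave",  "badge_basics",        date(2024, 4, 2),  "v3"),   # all completed AFTER the grant
    ("dave",  "alarm_response",      date(2024, 4, 2),  "v2"),
    ("dave",  "secure_room_ops",     date(2024, 4, 3),  "v1"),
]

# Constructed PACS provisioning log: (person, role, area, date access granted)
GRANTS = [
    ("alice", "dc_tech",    "server_room", date(2024, 1, 15)),
    ("bob",   "pacs_admin", "server_room", date(2024, 3, 6)),
    ("carol", "reception",  "lobby",       date(2022, 6, 2)),
    ("dave",  "dc_tech",    "server_room", date(2024, 4, 1)),
]


def latest_completion(completions, person, module):
    """Most recent completion date of `module` for `person`, or None if never completed."""
    dates = [d for p, m, d, _ in completions if p == person and m == module]
    return max(dates) if dates else None


def missing_modules(person, role, area, completions, matrix, cutoff):
    """Required modules NOT completed on or before `cutoff` (the gate check for one request)."""
    required = matrix.get(role, {}).get(area)
    if required is None:
        return None  # role/area pair is not in the matrix: a scoping gap, not a pass
    return sorted(
        m for m in required
        if not any(p == person and mm == m and d <= cutoff for p, mm, d, _ in completions)
    )


def gate_allows(person, role, area, completions, matrix, request_date):
    """Step 4: provisioning may proceed only when nothing is missing and the role is mapped."""
    missing = missing_modules(person, role, area, completions, matrix, request_date)
    return missing == []


def audit_grants(grants, completions, matrix):
    """Mini-audit: every grant whose training was incomplete on the grant date."""
    findings = []
    for person, role, area, granted in grants:
        missing = missing_modules(person, role, area, completions, matrix, granted)
        if missing is None:
            findings.append({"person": person, "area": area, "issue": "role/area not in matrix"})
        elif missing:
            findings.append({"person": person, "area": area, "issue": "trained after grant or never",
                             "missing": missing})
    return findings


def overdue_training(grants, completions, matrix, as_of, cadence_days):
    """Step 6 exception report: required modules stale or absent as of the evidence pull."""
    overdue = []
    for person, role, area, _ in grants:
        for module in sorted(matrix.get(role, {}).get(area, ())):
            latest = latest_completion(completions, person, module)
            if latest is None or (as_of - latest).days > cadence_days:
                overdue.append((person, module, latest))
    return overdue


if __name__ == "__main__":
    for f in audit_grants(GRANTS, COMPLETIONS, ROLE_MATRIX):
        print("GATE FINDING:", f)
    for person, module, latest in overdue_training(GRANTS, COMPLETIONS, ROLE_MATRIX, AS_OF, RECURRING_CADENCE_DAYS):
        print(f"OVERDUE: {person} {module} (latest completion: {latest})")
```

Run on the constructed data, the gate findings are bob (pacs_admin_ops never completed) and dave (all three modules dated after the grant), and the overdue report lists bob's missing module plus carol's two stale modules while her refreshed tailgating module passes. Keep the content version column from your LMS export: auditors sample against "which curriculum", not just "when".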

Frequently Asked Questions

Does AT-3(2) require training for every employee?

Scope is role-based. Train personnel who operate, administer, or rely on physical security controls as part of their job duties, plus anyone with privileged physical access to protected areas. 1

Can we satisfy AT-3(2) with annual security awareness training?

Usually no. The requirement is training in the “employment and operation of physical security controls,” which implies facility-specific procedures and role-based instruction beyond general awareness. 1

What counts as “physical security controls” in practice?

Controls include badges and readers, keys and locks, visitor management processes, guards/reception procedures, alarms, secure rooms/cages, and related operational procedures people must follow. 2

How do we handle third-party contractors who need building access?

Either include them in your training population with documented completion, or enforce compensating controls such as escort-only access with documented procedures and access logs that limit their independent operation of controls. 2

What evidence is most persuasive to auditors?

A role-to-training matrix, versioned training content, completion records, and sampled access requests showing training completion before badge/key issuance typically answer most audit testing quickly. 1

What should trigger retraining besides the recurring cadence?

Retrain after meaningful changes to facilities, PACS tooling, visitor processes, or after incident patterns that show misunderstanding of procedures. Document the trigger and the updated content version. 2

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5