AT-4: Training Records
AT-4: Training Records requires you to document and actively monitor all security and privacy training completion, including general awareness training and role-based training, so you can prove coverage, timeliness, and follow-up for exceptions. Operationalize it by defining a training record standard, centralizing evidence from HR/LMS/tools, and running a recurring compliance review with escalation.
Key takeaways:
- Keep auditable training records for both awareness and role-based training, mapped to roles and people.
- “Monitor” means you track completion status, overdue training, exceptions, and remediation, not just store certificates.
- Your pass condition is evidence: rosters, assignments, completions, exception approvals, and recurring review outputs.
A security awareness program without training records fails the first real test: “Show me who took what training, when, and why some people didn’t.” AT-4 addresses that gap by requiring you to document and monitor training activities across the organization, including both broad awareness training and role-based training for people with elevated access or specialized duties.
For a Compliance Officer, CCO, or GRC lead, the fastest path to a defensible AT-4 implementation is to treat training records like any other control evidence stream: define the record schema, identify systems of record (HRIS, LMS, ticketing, GRC), assign ownership, and run a recurring monitoring cadence that produces artifacts an assessor can re-perform. Your goal is not just high completion rates; it’s the ability to prove the program is assigned, completed, tracked, and remediated when it isn’t.
This page translates the AT-4 Training Records requirement into a practical operating procedure you can stand up quickly, then sustain with minimal effort. It assumes you need assessor-grade evidence and cross-functional alignment with HR, IT/security, and privacy, without turning training administration into a full-time job.
Regulatory text
Requirement (excerpt): “Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and” 1
Operator interpretation: You must (1) create and retain records that show what training was assigned and completed, and (2) continuously track status and exceptions for both security/privacy awareness and role-based training. Records must be detailed enough to support accountability (who, what, when, and outcome) and to show follow-up when training is late, missed, or not applicable. 2
Plain-English interpretation (what AT-4 is really asking)
AT-4 expects an evidence-backed training ledger for your workforce and relevant users:
- Document: Maintain training records that can answer, quickly and reliably: who was required to take training, what training, assigned when, completed when, and what happened if they did not complete.
- Monitor: Run an ongoing control to identify overdue or missing training, resolve it through reminders and escalation, and record the resolution (completion or approved exception).
Two training categories must be included:
- Awareness training (baseline security and privacy training for the broader population).
- Role-based training (targeted content for privileged admins, developers, incident responders, privacy staff, system owners, help desk, finance users handling sensitive data, and similar roles). 1
Who it applies to
Entity scope
- Federal information systems and programs implementing NIST SP 800-53 controls.
- Contractors and other organizations operating systems that handle federal data where 800-53 is in-scope via contract, authorization boundary, or customer requirements. 2
Operational context AT-4 typically applies to:
- Employees (including part-time).
- Long-term contractors and staff augmentation.
- Privileged users (admins, cloud operators).
- Engineering and DevOps roles with code deployment rights.
- People handling sensitive data (regulated, contractual, or mission data).
- System owners and control owners whose decisions affect security/privacy posture.
If your environment includes third parties with access to your systems or data, you should also track whether they complete required training or meet equivalent training requirements under contract. Treat this as part of third-party due diligence and ongoing monitoring, even when the third party uses its own LMS.
What you actually need to do (step-by-step)
1) Name an owner and define the record standard
Assign a primary owner (often Security GRC) and an operational partner (HR/L&D or the LMS admin). Then define a training record schema that you will enforce across sources.
Minimum fields to standardize:
- Learner identity (unique ID), name, email/username
- Worker type (employee/contractor/third party)
- Role and department; privileged role flag
- Training name, training type (awareness vs role-based), version
- Assignment date, due date, completion date
- Result (pass/fail/complete) where applicable
- Delivery method (LMS module, live session, external certification)
- Exception status (approved/denied), approver, expiration date, rationale
Write this down as a 1–2 page “AT-4 Training Records Procedure” that explains data sources, the monitoring cadence, and evidence retention. 2
2) Build the training-to-population mapping
Create a simple matrix that shows which populations must take which training.
Example mapping (adapt to your environment):
- All users: Security + privacy awareness
- Privileged admins: Privileged access handling, logging/monitoring expectations
- Developers: Secure coding and change control expectations
- Incident responders: Incident handling process and communication rules
- Privacy roles: Data handling, incident/breach escalation rules
This matrix is the backbone for monitoring. Without it, you can’t prove training obligations were defined and consistently assigned. 1
3) Centralize records from systems of record
Most organizations have training evidence split across:
- HRIS (who is active, terminated, on leave)
- LMS (assignments and completions)
- Ticketing (exceptions and access requests)
- GRC repository (control evidence storage)
Pick one place as the system of record for audit export (often the LMS or GRC tool) and ensure it can produce:
- Current completion report
- Historical completion report
- Overdue list
- Proof of assignment and due dates
If you must combine sources, define a reproducible method (saved report + export + reconciliation step). The assessor should be able to follow your process. 2
4) Implement monitoring with escalation and documented remediation
“Monitor” must produce artifacts. Establish:
- A recurring compliance check (owned by GRC or HR/L&D)
- A reminder process (automated notices preferred)
- An escalation path (manager notification; access governance tie-in for privileged roles)
- A documented exception workflow (with expiry and compensating controls if needed)
Practical pattern:
- Overdue awareness training triggers reminders and manager escalation.
- Overdue role-based training for privileged users triggers an access review or temporary access restriction, if feasible in your access governance model.
Record the outcome: completed, exception granted, removed from scope (termination/role change), or other resolution. 1
5) Tie training records to joiner/mover/leaver (JML) and access governance
AT-4 becomes defensible when training records align to workforce lifecycle:
- Joiners: automatic assignment on start date or first login
- Movers: role-based training assigned upon role change or privilege grant
- Leavers: removed from active population to prevent false “overdue” counts
For privileged roles, connect “role-based training complete” to the access approval or re-certification process, so completion status has an operational consequence and remains current. 2
6) Define retention and evidence packaging
You need retention rules that fit your audit and contractual environment. Even if you choose a simple approach (retain records for the life of employment plus an operational tail), document it and follow it consistently.
Package evidence by period (quarter or other cadence you run) so you can respond quickly to audits:
- Current roster and completion report
- Overdue report and remediation actions
- Exceptions log with approvals and expirations
- Role-based training population list and completion report
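The steps above (record schema, role-to-training mapping, centralized systems of record, overdue monitoring, exception expiry, and leavers dropping out of scope) and the HR-roster-vs-LMS reconciliation in the 90-day plan can be expressed as one small ledger build. The following is an added example written for this page; it is not code from the page, from NIST, or from any GRC product. The HR roster, LMS export, exceptions log, role names, module titles, learner IDs, and dates are all constructed for illustration, and the 14-day exception-expiry horizon is an assumed policy value.

```python
"""AT-4 training ledger from constructed HR, LMS and exception data (added example)."""
from datetime import date, timedelta

# Step 2: training-to-population mapping. "*" applies to every active worker.
# Role names and module titles are constructed for this example.
ROLE_TRAINING = {
    "*": ["Security and Privacy Awareness"],
    "privileged_admin": ["Privileged Access Handling"],
    "developer": ["Secure Coding and Change Control"],
}

# Constructed HR roster: the system of record for who is in scope.
HR_ROSTER = [
    {"id": "u1001", "worker_type": "employee", "roles": ["privileged_admin"], "status": "active"},
    {"id": "u1002", "worker_type": "contractor", "roles": ["developer"], "status": "active"},
    {"id": "u1003", "worker_type": "employee", "roles": [], "status": "terminated"},
    {"id": "u1004", "worker_type": "employee", "roles": [], "status": "active"},
]

# Constructed LMS export: assignment context is kept with every completion record.
LMS_EXPORT = [
    {"id": "u1001", "training": "Security and Privacy Awareness",
     "assigned": date(2024, 1, 8), "due": date(2024, 2, 7), "completed": date(2024, 1, 20)},
    {"id": "u1001", "training": "Privileged Access Handling",
     "assigned": date(2024, 1, 8), "due": date(2024, 2, 7), "completed": None},
    {"id": "u1002", "training": "Security and Privacy Awareness",
     "assigned": date(2024, 2, 1), "due": date(2024, 3, 2), "completed": None},
    {"id": "u1003", "training": "Security and Privacy Awareness",
     "assigned": date(2023, 6, 1), "due": date(2023, 7, 1), "completed": None},
    {"id": "u9999", "training": "Security and Privacy Awareness",
     "assigned": date(2024, 1, 1), "due": date(2024, 1, 31), "completed": date(2024, 1, 2)},
]

# Constructed exceptions log: each approved exception carries an approver and an expiry.
EXCEPTIONS = [
    {"id": "u1002", "training": "Security and Privacy Awareness", "status": "approved",
     "approver": "mgr-07", "expires": date(2024, 4, 15), "rationale": "extended leave"},
]

CYCLE_DATE = date(2024, 4, 1)       # constructed monitoring-cycle date
NEXT_CYCLE_DATE = date(2024, 5, 1)  # constructed follow-on cycle date


def required_training(worker):
    """Obligations for one worker, derived from the role matrix (step 2)."""
    modules = list(ROLE_TRAINING["*"])
    for role in worker["roles"]:
        modules.extend(ROLE_TRAINING.get(role, []))
    return sorted(set(modules))


def reconcile_learners(hr_roster, lms_export):
    """Quality check: HR roster vs LMS learner list (90-day plan)."""
    hr_all = {w["id"] for w in hr_roster}
    hr_active = {w["id"] for w in hr_roster if w["status"] == "active"}
    lms_ids = {r["id"] for r in lms_export}
    return {
        "missing_from_lms": sorted(hr_active - lms_ids),              # never assigned anything
        "terminated_in_lms": sorted(lms_ids & (hr_all - hr_active)),  # leavers still present
        "unknown_to_hr": sorted(lms_ids - hr_all),                    # records with no identity
    }


def training_ledger(hr_roster, lms_export, exceptions, as_of):
    """One row per (active worker, required module) with its monitoring status (steps 3-5)."""
    lms = {(r["id"], r["training"]): r for r in lms_export}
    live_exceptions = {(e["id"], e["training"]) for e in exceptions
                       if e["status"] == "approved" and e["expires"] >= as_of}
    ledger = []
    for worker in hr_roster:
        if worker["status"] != "active":
            continue  # leavers drop out of scope so they do not inflate overdue counts
        for module in required_training(worker):
            key = (worker["id"], module)
            rec = lms.get(key)
            if rec is None:
                status = "unassigned"  # obligation defined, but the LMS never assigned it
            elif rec["completed"] is not None:
                status = "complete"
            elif key in live_exceptions:
                status = "exception"   # approved and not yet expired
            elif rec["due"] < as_of:
                status = "overdue"
            else:
                status = "pending"
            ledger.append({"id": worker["id"], "worker_type": worker["worker_type"],
                           "training": module, "status": status,
                           "due": rec["due"] if rec else None})
    return ledger


def status_counts(ledger):
    """Cycle summary for the evidence package (step 6)."""
    counts = {}
    for row in ledger:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


def expiring_exceptions(exceptions, as_of, horizon_days=14):
    """Approved exceptions lapsing within the horizon; they need completion or re-approval."""
    horizon = as_of + timedelta(days=horizon_days)
    return [e for e in exceptions
            if e["status"] == "approved" and as_of <= e["expires"] <= horizon]


if __name__ == "__main__":
    print("reconciliation:", reconcile_learners(HR_ROSTER, LMS_EXPORT))
    ledger = training_ledger(HR_ROSTER, LMS_EXPORT, EXCEPTIONS, CYCLE_DATE)
    for row in ledger:
        print(row["id"], "|", row["training"], "|", row["status"], "|", row["due"])
    print("summary:", status_counts(ledger))
    print("expiring exceptions:", expiring_exceptions(EXCEPTIONS, CYCLE_DATE))
```

Two design points matter for assessors. First, the ledger is driven from the HR roster and the role matrix, not from whatever the LMS happens to hold, so an obligation the LMS never assigned shows up as "unassigned" instead of silently passing, and a terminated worker never appears as overdue. Second, exceptions are evaluated against the cycle date: the same data run one cycle later turns the lapsed exception into an overdue row, which is the expiry behaviour step 4 asks for.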
Required evidence and artifacts to retain
Store these as assessor-ready exports (PDF/CSV) plus the underlying procedure:
- AT-4 Training Records Procedure (owner, cadence, data sources, escalation)
- Training catalog showing awareness and role-based modules and versioning
- Training-to-population mapping (role matrix)
- Assignments and completions reports (time-bounded exports)
- Overdue/late training report snapshots
- Exception approvals (tickets/workflow records) with expiration tracking
- Proof of monitoring activity (meeting notes, attestation, dashboard screenshots, or GRC task completion logs)
- Sampling support: ability to trace an individual from HR active roster → assignment → completion/exemption
If you use Daydream, map AT-4 to a single control owner, attach the procedure, and schedule recurring evidence tasks so training exports, exception logs, and monitoring attestations land in the same place each cycle.
Common exam/audit questions and hangups
Assessors and auditors usually probe these points:
- “Show me your population in scope. How do you know it’s complete?”
- “How do you distinguish awareness vs role-based training?”
- “How do you handle contractors and third-party users with access?”
- “Show overdue training from a prior period and the remediation trail.”
- “Do exceptions expire? Who approves them?”
- “How do you handle role changes and privileged access grants?”
Hangups that stall audits:
- Inability to reproduce the same report twice (manual spreadsheets with no method).
- Role-based training exists, but there is no defined list of who must take it.
- Exceptions are verbal, in email, or not tracked to closure.
Frequent implementation mistakes (and how to avoid them)
- Storing completion certificates without assignment context. Fix: keep assignment date, due date, and population mapping with the completion record.
- No monitoring artifact. Fix: create a recurring compliance check that produces an overdue report and a tracked remediation action list each cycle.
- Role-based training defined, but roles aren’t tied to identities. Fix: map roles to HR job codes, IAM groups, or privileged access groups, then export membership as evidence.
- Contractors and third parties fall through the cracks. Fix: require either completion in your LMS or documented equivalency plus contract language, and track it as part of access onboarding.
- Exceptions never expire. Fix: enforce expirations and re-approval, and record compensating controls when exceptions apply to privileged roles.
Enforcement context and risk implications
No public enforcement cases were provided in the supplied sources for this requirement, so this page does not cite any. Practically, weak training records increase the chance that you cannot demonstrate control operation during audits, customer assessments, and authorization reviews. Operationally, training gaps can also complicate incident response and accountability because you cannot show that users were trained on expected handling practices. 2
Practical 30/60/90-day execution plan
First 30 days (Immediate stabilization)
- Assign an AT-4 owner and backup; document the training record schema.
- Inventory training sources (HRIS, LMS, ticketing) and pick the audit-export system of record.
- Build the training-to-population mapping for awareness and top role-based groups (start with privileged users and engineers).
- Create baseline exports: active roster, completion status, overdue list.
By 60 days (Monitoring becomes repeatable)
- Implement a recurring monitoring cadence with a saved report and an escalation workflow.
- Stand up exception handling: approval path, expiry, and storage.
- Tie “movers” to role-based assignment triggers (HR job change, IAM group membership, or access request workflow).
- Store packaged evidence for at least one completed monitoring cycle.
By 90 days (Assessor-ready operations)
- Expand role-based mapping to remaining sensitive roles (privacy, finance, help desk, system owners).
- Add quality checks: reconcile HR active roster vs LMS learner list; confirm terminations are removed from scope.
- Run an internal mini-audit: sample individuals across roles and trace end-to-end from obligation → assignment → completion/exception → monitoring evidence.
- In Daydream (or your GRC system), set recurring evidence tasks so exports and attestations are collected consistently each cycle.
Frequently Asked Questions
Do we need training records for both security awareness and privacy training?
Yes. AT-4 explicitly calls out documenting and monitoring “information security and privacy training activities,” including awareness and role-based training 1.
What counts as “monitoring” training records under AT-4?
Monitoring means you track completion status over time, identify overdue or missing training, and record follow-up actions and resolution. A static folder of completion certificates rarely satisfies the “monitor” expectation by itself 1.
Can we accept third-party training instead of requiring contractors to take our LMS modules?
You can, but document equivalency and keep a record that shows the individual met the requirement (completion proof, mapping to your required topic, and approval). Track it the same way you track internal completions so you can show coverage during assessments.
How should we handle role-based training for privileged users?
Define the privileged population using an authoritative source such as IAM group membership or PAM enrollment, then assign role-based training accordingly. Keep evidence of the group membership list and completion status tied to the role definition 2.
What if an employee is on leave and misses the due date?
Treat it as a documented exception with an expiry or re-due date tied to return-to-work, plus manager acknowledgment. The key is that the record shows the reason and the remediation plan, not an unexplained overdue.
We have multiple LMS instances across business units. Is that a problem?
It’s manageable if you standardize the record schema and have a reproducible consolidation method for audit exports. Most audit pain comes from ad hoc spreadsheet merges without a documented procedure and retained exports.
Footnotes
1. NIST SP 800-53 Rev. 5 OSCAL JSON.
2. NIST SP 800-53 Rev. 5.