AT-6: Training Feedback

To meet the AT-6 (Training Feedback) requirement, you must provide actionable feedback on training results to the specific roles your organization designates (for example, system owners, managers, security leadership) and do it on a defined cadence tied to your training program. Operationally, that means producing role-appropriate training metrics, delivering them on that cadence, and retaining evidence that the right people received and acted on them.

Key takeaways:

  • Define how often feedback is provided, who receives it, and what “results” are reported as explicit, auditable program parameters.
  • Deliver training results in a repeatable format that drives corrective actions, not just reporting.
  • Retain evidence of distribution, review, and follow-up actions tied to training outcomes.

AT-6 sits in the NIST SP 800-53 Rev. 5 Awareness and Training (AT) family (it is new in Rev. 5, so programs built against Rev. 4 often have no existing artifact for it) and focuses on a simple operational expectation: training generates results, and those results must be fed back to the personnel who can fix gaps. Most teams already run annual security awareness training and track completion. AT-6 pushes you one step further: completion data alone does not qualify as “feedback on training results” unless you package results into a form that leaders can review and use to steer the program.

This control is straightforward to implement, but frequently fails in audits for one reason: missing “last mile” evidence. A learning management system (LMS) dashboard is helpful, but auditors typically want to see who received which results, when they received them, and what decisions or remediation followed. The fastest path to compliance is to define your recipients, define your result types (completion, assessment scores, phishing simulations, role-based training status), then operationalize recurring reporting with clear ownership.

This page gives requirement-level implementation guidance for a Compliance Officer, CCO, or GRC lead who needs to implement AT-6 quickly and defend it during an assessment against NIST SP 800-53 Rev. 5. 1

Regulatory text

Requirement (AT-6): “Provide feedback on organizational training results to the following personnel {{ insert: param, at-06_odp.01 }}: {{ insert: param, at-06_odp.02 }}.” 2

In the OSCAL catalog, at-06_odp.01 is the organization-defined frequency and at-06_odp.02 is the organization-defined personnel, so the control as rendered reads: “Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel].”

What the operator must do

  1. Fill in both parameters: the frequency at which feedback is provided, and the “following personnel” who receive it, named as roles or groups in your environment (not vague “stakeholders”).
  2. Define what “training results” means for your program (for example, completion status, overdue training, quiz performance, role-based training coverage, trend findings, and exceptions).
  3. Provide feedback to those roles in a way you can prove (distribution records, meeting minutes, tickets created, or acknowledgments).
  4. Use the feedback loop to drive actions (training refreshes, targeted coaching, access gating, or disciplinary escalation where appropriate).

Plain-English interpretation of the requirement

AT-6 requires a closed loop: training produces measurable outputs, and you communicate those outputs to the people responsible for managing risk and performance. In practice, this means regular, documented reporting of training outcomes to defined recipients, with enough detail to support decisions (who is overdue, where scores are weak, which teams fail simulations, which roles lack required modules).

Treat AT-6 as a governance control. The goal is not to “prove training happened.” The goal is to prove leaders received results and can intervene when the program is not working.

Who it applies to (entity and operational context)

AT-6 is commonly applied in:

  • Federal information systems implementing NIST SP 800-53 controls. 1
  • Contractor systems handling federal data where NIST SP 800-53 is flowed down via contract, authorization boundary requirements, or a customer security requirements matrix. 1

Operationally, you should implement AT-6 anywhere you have:

  • A formal security awareness training program (often centralized), and
  • Multiple audiences (general workforce, privileged users, engineers, incident responders), and
  • Management oversight expectations (security leadership, HR, compliance, system owners, program managers).

What you actually need to do (step-by-step)

Step 1: Define the AT-6 parameters in writing (recipients + scope)

Create an “AT-6 Training Feedback” procedure (or add a section to your training standard) that specifies:

  • Cadence and trigger events (parameter 1, the organization-defined frequency): recurring reporting (for example, quarterly) plus event-driven reporting (for example: after new hire onboarding waves, after a major policy change, after a security incident).
  • Recipients (parameter 2, the organization-defined personnel): roles/groups who must receive the feedback (examples you can choose from: CISO/security leadership, HR/training admin, system owners, business unit leaders, privileged access owners, compliance/GRC lead).
  • Feedback content (not a control parameter, but define it so assessors can test it): what results will be reported (completion rates by org unit, overdue lists, quiz score distributions, phishing simulation outcomes, role-based training compliance, exceptions granted).

Auditor-friendly rule: if a role can enforce completion or fund improvements, they should be on the list.

Step 2: Establish a training results data model

Decide which training outputs are authoritative and where they live:

  • System of record (LMS, HRIS, identity system, phishing platform).
  • Required fields: user identity, department/team, role, course assignment, due date, completion date, status, assessment score (if applicable), exception flag, manager.

If your environment is messy, document data limitations and compensating steps (manual reconciliation, sampling, or manager attestations).

Step 3: Build a repeatable feedback package (template-based)

Create two report formats:

  • Executive summary (1–2 pages): trends, hotspots, exception volume, and decisions needed.
  • Operational detail (export/list): specific users/teams overdue, non-compliant privileged users, repeated simulation failures, and open actions.

Include action prompts so the report is more than a dashboard screenshot:

  • “Managers with overdue staff must close items by [internal due date].”
  • “Privileged access owners must remove access for non-compliant accounts per policy or document exception.”


Step 4: Distribute feedback through controlled channels

Pick one primary distribution method and one backup:

  • Primary: ticketing workflow, governance meeting pack, GRC task, or email distribution list with read receipt.
  • Backup: posting to a controlled repository and capturing access logs, plus meeting minutes showing review.

Make distribution role-appropriate:

  • Managers get their team’s overdue list.
  • Security leadership gets trends, high-risk exceptions, and remediation status.
  • System owners get results for personnel with access to their system boundary (especially privileged roles).

Step 5: Require acknowledgment and action tracking

AT-6 is easiest to defend when feedback creates measurable follow-up:

  • Create issues/tickets for training gaps.
  • Track exceptions with an approver and expiration.
  • Record decisions in meeting minutes (e.g., “increase targeted training for Finance,” “update module X,” “enforce access gating for admins”).

A lightweight approach works if it is consistent and retained.

Step 6: Operationalize ownership and assurance

Assign:

  • Control owner: usually GRC lead, security awareness program owner, or training administrator.
  • Data owner: LMS admin or HR operations.
  • Action owners: line managers, system owners, IT access governance.

Then add a periodic self-check:

  • Confirm reports were generated.
  • Confirm reports were distributed to the defined recipients.
  • Confirm follow-ups were logged and closed or formally excepted.
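As an added example (not code from this page or from any LMS or GRC product), the script below walks Steps 2 through 4 over a constructed training export: it checks the export against the Step 2 data model, builds the executive view (completion, open gaps and exceptions per org unit), builds the role-scoped operational views (each manager sees only their own team's open items; the system owner sees privileged users with gaps on the course tied to their boundary), and emits a distribution manifest carrying the cycle, recipient, role, an action flag and a SHA-256 of the exact payload, which is the “report → recipients” half of the evidence thread. The column names, recipient roles (ciso, mgr_fin, mgr_eng, owner_prod) and course IDs (SEC-101, PRIV-201) are assumptions for illustration. Rows with an approved exception are excluded from open gaps but counted separately, so the exception register stays visible in the summary.

```python
"""Added example: derive role-scoped AT-6 feedback and a distribution manifest
from a training-results export. Rows, column names, roles and course IDs are
constructed assumptions for illustration, not any LMS vendor's schema."""
import csv
import hashlib
import io
import json
from collections import defaultdict

# Constructed export following the Step 2 data model (one row per assignment).
SAMPLE_EXPORT = """\
user,department,role,manager,course,due_date,completion_date,status,score,exception
alice,Finance,standard,mgr_fin,SEC-101,2024-03-01,2024-02-20,complete,92,
bob,Finance,standard,mgr_fin,SEC-101,2024-03-01,,overdue,,
carol,Engineering,privileged,mgr_eng,SEC-101,2024-03-01,2024-02-28,complete,88,
carol,Engineering,privileged,mgr_eng,PRIV-201,2024-03-01,,overdue,,
dave,Engineering,privileged,mgr_eng,PRIV-201,2024-03-01,,overdue,,approved
erin,Engineering,standard,mgr_eng,SEC-101,2024-03-01,2024-02-15,complete,61,
"""

REQUIRED_FIELDS = {"user", "department", "role", "manager", "course", "due_date", "status", "exception"}

# Assumed recipients (the "personnel" parameter): named roles, not "stakeholders".
SECURITY_LEADERSHIP = ["ciso"]
SYSTEM_OWNERS = {"PRIV-201": "owner_prod"}  # course -> owner of that system boundary


def parse_export(text: str) -> list:
    """Load the export and refuse to report on data that lacks required fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    missing = REQUIRED_FIELDS - (set(rows[0]) if rows else set())
    if missing:
        raise ValueError(f"export lacks required fields: {sorted(missing)}")
    return rows


def is_open_gap(row: dict) -> bool:
    """Overdue and not covered by an approved exception."""
    return row["status"] == "overdue" and row["exception"] != "approved"


def executive_summary(rows: list) -> dict:
    """Leadership view: completion, open gaps and exceptions per org unit."""
    units = defaultdict(lambda: {"assigned": 0, "complete": 0, "open": 0, "excepted": 0})
    for r in rows:
        u = units[r["department"]]
        u["assigned"] += 1
        if r["status"] == "complete":
            u["complete"] += 1
        elif r["exception"] == "approved":
            u["excepted"] += 1
        else:
            u["open"] += 1
    for u in units.values():
        u["completion_rate"] = round(u["complete"] / u["assigned"], 2)
    return dict(units)


def manager_packets(rows: list) -> dict:
    """Operational view: each manager sees only their own team's open items."""
    packets = defaultdict(list)
    for r in rows:
        if is_open_gap(r):
            packets[r["manager"]].append(
                {"user": r["user"], "course": r["course"], "due": r["due_date"]})
    return dict(packets)


def system_owner_packets(rows: list) -> dict:
    """Privileged users with an open gap on a course tied to a system boundary."""
    packets = defaultdict(list)
    for r in rows:
        owner = SYSTEM_OWNERS.get(r["course"])
        if owner and r["role"] == "privileged" and is_open_gap(r):
            packets[owner].append(r["user"])
    return {k: sorted(v) for k, v in packets.items()}


def build_manifest(rows: list, cycle: str) -> list:
    """Distribution record: cycle, recipient, role, action flag and the SHA-256
    of the exact payload, so an assessor can tie each report to its recipient."""
    def entry(recipient: str, role: str, payload, action: bool) -> dict:
        digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode())
        return {"cycle": cycle, "recipient": recipient, "role": role,
                "payload_sha256": digest.hexdigest(),
                "action_required": action, "payload": payload}

    summary = executive_summary(rows)
    manifest = [entry(r, "security_leadership", summary,
                      any(u["open"] for u in summary.values()))
                for r in SECURITY_LEADERSHIP]
    manifest += [entry(m, "manager", items, True)
                 for m, items in sorted(manager_packets(rows).items())]
    manifest += [entry(o, "system_owner", users, True)
                 for o, users in sorted(system_owner_packets(rows).items())]
    return manifest


if __name__ == "__main__":
    for e in build_manifest(parse_export(SAMPLE_EXPORT), "2024-Q1"):
        print(e["cycle"], e["role"], e["recipient"], e["action_required"], e["payload_sha256"][:12])
```

Store the manifest beside the rendered reports in the cycle's evidence folder; the payload hash lets you prove later that the file an assessor is looking at is the one that was distributed, and the action flag is the hook for opening the Step 5 tickets.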

Daydream tip: teams commonly map AT-6 in a control library, link it to the training SOP, assign ownership, and define recurring evidence artifacts so evidence collection is not a scramble during audits.

Required evidence and artifacts to retain

Keep artifacts that prove content, recipient, timing, and follow-up:

Design evidence (what should happen):

  • Training feedback procedure that names the frequency, recipients, and report contents (the AT-6 parameters plus your defined result types).
  • Reporting templates (executive summary + operational detail).
  • RACI or control ownership mapping for AT-6.

Operating evidence (what did happen):

  • Copies of periodic training results reports (PDF/export) with date/time.
  • Distribution evidence:
    • Email distribution logs, meeting invites/attendance, GRC task assignments, or ticket creation logs.
  • Meeting minutes showing review and decisions (security steering committee, compliance committee, or IT governance).
  • Action tracking:
    • Tickets with assignees and closure notes,
    • Exception register entries tied to training non-compliance,
    • Access governance actions if you enforce training as a prerequisite.

Assessment-ready packaging

Maintain an “AT-6 evidence folder” organized by period (monthly/quarterly) so an auditor can trace: Report → recipients → actions → closure.

Common exam/audit questions and hangups

Auditors and assessors tend to probe the same weak points:

  1. “Who are the ‘following personnel’?”
    Hangup: your procedure says “management” without naming roles or groups.

  2. “Show me feedback, not training completion.”
    Hangup: you show an LMS dashboard but cannot prove it was delivered to recipients.

  3. “How do you handle exceptions?”
    Hangup: exceptions exist, but there is no approver, rationale, or expiration.

  4. “What changes occurred because of feedback?”
    Hangup: feedback is informational only; no tickets, minutes, or updates to training content.

  5. “How do you ensure the right populations are included?”
    Hangup: contractors, third parties with access, or privileged users are missing from assignments or reporting.

Frequent implementation mistakes and how to avoid them

  • Treating AT-6 as “completion tracking” only. Why it fails: it does not show that feedback was provided to the defined personnel. Fix: add distribution and acknowledgment evidence. 2
  • Not defining recipients or frequency. Why it fails: parameters remain implicit and non-auditable. Fix: name roles/groups and a cadence, and keep the list current. 2
  • One-size-fits-all reporting. Why it fails: leaders cannot act on it. Fix: split executive and operational views; assign action owners.
  • No closed-loop remediation. Why it fails: results do not drive program improvements. Fix: track actions via tickets/minutes and retain closures.
  • Reporting exists but is ad hoc. Why it fails: hard to evidence over time. Fix: put it on a recurring calendar and store each cycle’s artifacts.

Enforcement context and risk implications

This page cites no enforcement actions for AT-6. NIST SP 800-53 is a control catalog rather than a regulation with its own enforcement regime; consequences surface through assessment findings and authorization decisions.

Risk still concentrates in three practical areas:

  • Authorization and assessment risk: you may fail control testing if you cannot show that feedback was delivered to defined recipients, even if training completion is high. 2
  • Operational risk: without feedback loops, weak training outcomes persist, and teams do not prioritize remediation.
  • Governance risk: leadership cannot demonstrate oversight of workforce readiness for security responsibilities, which affects broader control families that depend on trained behavior (for example, incident handling and access governance).

A practical 30/60/90-day execution plan

First 30 days (Immediate)

  • Name the AT-6 recipients and document them in the training SOP (draft is fine; publish once approved). 2
  • Inventory systems of record for training results (LMS, HRIS, phishing platform) and define authoritative fields.
  • Build two report templates (executive and operational).
  • Pilot one feedback cycle with your top recipients (security leadership and one business unit leader). Capture distribution evidence.

By 60 days (Near-term)

  • Expand distribution to all defined recipients (department managers, system owners, HR/training admin as applicable). 2
  • Add action tracking: tickets for overdue training, an exception workflow, and meeting minutes documenting decisions.
  • Centralize artifacts in a single evidence repository with a consistent naming convention.

By 90 days (Operationalize and harden)

  • Run at least one full recurring cycle end-to-end with documented follow-up closures.
  • Add a lightweight QA check (spot-check that each recipient received the report and that overdue items have owners).
  • If you manage multiple systems or customers, standardize an AT-6 evidence pack per system boundary so assessment requests are easy to fulfill.

Daydream fit: if you are managing many systems, recipients, and reporting cycles, Daydream can act as the control system of record for AT-6 by tying the procedure, owners, tasks, and recurring artifacts to a single requirement record, which simplifies assessment readiness.

Frequently Asked Questions

Who should receive AT-6 training feedback?

The control requires you to define the recipients as parameters, so choose roles that can act: security leadership, HR/training admin, business unit managers, and system owners for scoped populations. Document the list and keep it current. 2

Does an LMS dashboard satisfy AT-6?

A dashboard alone rarely proves you “provided feedback” to specific personnel. Export or snapshot the results, distribute them to the named roles, and retain evidence of distribution and review. 2

What counts as “training results” for AT-6?

Define it in your procedure and keep it consistent: completion status, overdue training, assessment scores, phishing outcomes, role-based coverage, and exceptions are common inclusions. The key is that results are actionable for the recipients. 2

How do we handle contractors or third-party users with access?

Include them in the populations you report on if they fall within your system boundary or have required training obligations. Your feedback recipients should include the internal owner who can enforce those obligations (for example, the sponsor or system owner).

How much evidence is enough for an assessor?

Keep one complete thread per reporting cycle: the report, the distribution record to defined recipients, and proof of follow-up (tickets, exceptions, or minutes). Consistency across cycles usually matters more than volume.

Can we combine AT-6 reporting with other governance reporting?

Yes, as long as the training results are clearly presented, the recipients match your AT-6 parameter list, and you can show the training section was reviewed and acted on. Preserve the meeting pack and minutes as evidence.

Footnotes

  1. NIST SP 800-53 Rev. 5

  2. NIST SP 800-53 Rev. 5 OSCAL JSON
