BRACKETOLOGY | FEDRAMP

AT-2: SECURITY AWARENESS TRAINING

  • FedRAMP Baseline Membership AT-2: LOW, MODERATE, HIGH

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

  • a. As part of initial training for new users;
  • b. When required by information system changes; and
  • c. [Assignment: organization-defined frequency] thereafter.
FedRAMP control configuration (the assigned value is the same for the LOW, MODERATE, and HIGH baselines):

Provides basic security awareness training to information system users (including managers, senior executives, and contractors):

  • a. As part of initial training for new users;
  • b. When required by information system changes; and
  • c. At least annually thereafter.

SUPPLEMENTAL GUIDANCE

Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.

CONTROL ENHANCEMENTS

AT-2 (1) SECURITY AWARENESS TRAINING | PRACTICAL EXERCISES

The organization includes practical exercises in security awareness training that simulate actual cyber attacks.

Supplemental Guidance:

Practical exercises may include, for example, no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.

RELATED CONTROLS: AT-2 (1)

AT-2 (2) SECURITY AWARENESS TRAINING | INSIDER THREAT
  • FedRAMP Baseline Membership AT-2 (2): MODERATE, HIGH

The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

Supplemental Guidance:

Potential indicators and possible precursors of insider threat can include behaviors such as inordinate, long-term job dissatisfaction, attempts to gain access to information not required for job performance, unexplained access to financial resources, bullying or sexual harassment of fellow employees, workplace violence, and other serious violations of organizational policies, procedures, directives, rules, or practices. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures.

RELATED CONTROLS: AT-2 (2)

REFERENCES:

  • C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
  • Executive Order 13587
  • NIST Special Publication 800-50