ARTIFACTS
AT: SECURITY AWARENESS AND TRAINING
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for Security Awareness & Training (AT); and documents that are widely used in the assessment of controls and control enhancements in the Security Awareness & Training (AT) family. Policy and Procedure documents from control families are in CAPS and identified with their two-letter code.
CORE ARTIFACTS |
WIDELY USED ARTIFACTS FOR SECURITY AWARENESS AND TRAINING |
Security & Awareness Training policy |
Information system design documentation |
Information system configuration settings and associated documentation |
Information system audit records |
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU) |
Security Authorization Package Documents: |
ESSENTIALS |
ACCESS CONTROL POLICY & PROCEDURES (AC) |
Asset Inventory |
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU) |
Configuration Management Plan |
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) |
Contingency Plan |
CONTINGENCY PLANNING POLICY & PROCEDURES (CP) |
Continuous Monitoring Strategy |
Continuous Monitoring Plan |
Enterprise Architecture (EA) |
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA) |
INCIDENT RESPONSE POLICY & PROCEDURES (IR) |
INFORMATION SECURITY PROGRAM PLAN (PM) |
MEDIA PROTECTION POLICY & PROCEDURES (MP) |
PERSONNEL SECURITY POLICY & PROCEDURES (PS) |
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE) |
Privacy Impact Assessment |
Privacy Program Plan |
Risk Assessment |
RISK ASSESSMENT POLICY & PROCEDURES (RA) |
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA) |
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT) |
Security Configurations |
SECURITY PLANNING POLICY & PROCEDURES (PL) |
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC) |
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI) |
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA) |
System Interconnection Agreements |
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA) |
ARTIFACTS
Here you'll find a catalog of Security Awareness & Training (AT) related artifacts for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
The Security Awareness and Training family doesn't have as many controls as other control domains.
ARTIFACTS | APPLICABLE CONTROL(S) |
Appropriate codes of federal regulations | AT-2 |
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES | AU-1 |
Codes of federal regulations | AT-3 |
Procedures addressing security awareness training implementation | AT-2 AT-2 (1) AT-2 (2) AT-3 (3) |
Procedures addressing security training implementation | AT-3 AT-3 (1) AT-3 (2) AT-3 (4) |
Procedures addressing security training records | AT-4 |
Security awareness and training policy | AT-2 AT-2 (1) AT-2 (2) AT-3 AT-3 (1) AT-3 (2) AT-3 (4) AT-3 (3) AT-4 |
Security awareness and training records | AT-4 |
Security awareness training curriculum | AT-2 AT-2 (1) AT-2 (2) AT-3 (3) |
Security awareness training materials | AT-2 AT-2 (1) AT-2 (2) AT-3 (3) |
Security plan | AT-2 AT-2 (1) AT-2 (2) AT-3 (3) |
Security plan | AT-3 (1) AT-3 (2) AT-3 (3) AT-3 (4) AT-4 |
Security training curriculum | AT-3 AT-3 (1) AT-3 (2) AT-3 (4) |
Security training materials | AT-3 AT-3 (1) AT-3 (2) AT-3 (4) |
Training records | AT-2 AT-3 AT-3 (1) AT-3 (2) AT-3 (4) |