
AT-2 Literacy Training and Awareness

IL4 Mod
IL4 High
IL5
IL6

>Control Description

a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):

   1. As part of initial training for new users and [organization-defined frequency] thereafter; and

   2. When required by system changes or following [organization-defined events];

b. Employ the following techniques to increase the security and privacy awareness of system users: [organization-defined awareness techniques];

c. Update literacy training and awareness content [organization-defined frequency] and following [organization-defined events]; and

d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.

>DoD Impact Level Requirements

FedRAMP Parameter Values

AT-2 (a) (1): [at least annually]

AT-2 (c): [at least annually]

>Discussion

Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents.

The content addresses the need for operations security and the handling of personally identifiable information. Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies.

Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AT-2 (Literacy Training And Awareness)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AT-2?
  • How frequently is the AT-2 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AT-2?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AT-2 requirements.
  • What automated tools, systems, or technologies are deployed to implement AT-2?
  • How is AT-2 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AT-2 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AT-2?
  • What audit logs, records, reports, or monitoring data validate AT-2 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AT-2 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AT-2 compliance?
