AT-4—Training Records
Baselines: LI-SaaS, Low, Moderate, High
Control Description
a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
b. Retain individual training records for [organization-defined time period].
FedRAMP Baseline Requirements
Parameter Values
b. five (5) years or 5 years after completion of a specific training program
Discussion
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of AT-4 (Training Records)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring AT-4?
- How frequently is the AT-4 policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to AT-4?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce AT-4 requirements.
- What automated tools, systems, or technologies are deployed to implement AT-4?
- How is AT-4 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce AT-4 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of AT-4?
- What audit logs, records, reports, or monitoring data validate AT-4 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of AT-4 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate AT-4 compliance?