| Field | Detail |
|---|---|
| Control ID | AT-01 |
| Control name | Policy and Procedures |
| Framework | NIST SP 800-53, Revision 5 |
| Control family | Awareness and Training |
| Baselines | LOW, MODERATE, HIGH, PRIVACY |
| Relevance | Organization (First Party and Third Party) |
| Risk severity | Low |
What this control requires
AT-01 requires your organization to develop, document, and distribute an awareness and training policy with supporting procedures. This control, part of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 framework, mandates that the policy address purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance obligations for your awareness and training program.
The consequence of a policy without clear ownership is drift. AT-01 addresses this directly by requiring your organization to designate a specific official responsible for managing the development, documentation, and dissemination of both the policy and its procedures. Accountability gaps in policy ownership are one of the most common audit findings across the Awareness and Training family.
Staying current matters as much as the initial draft. AT-01 mandates that you review and update both the policy and its procedures at organization-defined frequencies and in response to triggering events such as audit findings, security incidents, and changes to applicable laws or regulations. The policy must also align with your organization’s risk management strategy and applicable legal, regulatory, and directive requirements, which means you should treat review cycles as standing governance obligations rather than one-time documentation tasks.
Why it matters
AT-01 sits at the governance layer of your security program, which means its failure mode is cumulative rather than acute. Without a documented awareness and training policy, your organization cannot demonstrate that its training activities are intentional, consistent, or aligned with legal obligations.
That gap surfaces directly in audits. Assessors check whether the policy exists, whether it covers all required elements, whether a designated official owns it, and whether review cycles are documented. A missing or stale policy creates a finding that cascades across every other control in the Awareness and Training family, because AT-01 is the foundational governance control that supports all of them.
Yet many organizations only discover this cascade during their first formal assessment. A policy that restates control language without defining organizational context, roles, or procedures does not satisfy the requirement.
In practice, this control failure compounds over time. When no designated official owns the awareness and training policy, updates stall, dissemination gaps widen, and the organization loses its ability to prove that training activities are intentional rather than ad hoc. Audit teams treat this pattern as a systemic deficiency rather than an isolated finding.
What attackers exploit
Threat actors benefit from awareness and training policy gaps in several ways:
- Absent role definitions allow social engineering attacks to succeed because no one owns the responsibility for training staff to recognize them.
- Outdated policies leave organizations exposed when regulatory requirements change and training programs fail to adapt, creating both compliance and operational risk.
- No designated official means incident response training, phishing simulations, and onboarding awareness programs lack coordinated oversight, producing inconsistent security behavior across teams.
- Missing review triggers allow policies to stagnate after audit findings or security incidents, so lessons learned never reach the workforce.
- Disconnected privacy and security programs create gaps where human factors in cybersecurity are addressed by one team but not the other, leaving blind spots in training coverage.
How to implement
The most common failure mode for AT-01 is treating it as a document creation exercise rather than an ongoing governance function. Organizations write a policy once, file it in a shared drive, and never establish the review cadence or triggering events that keep it current.
For your organization
Start by assigning a designated official who owns the policy lifecycle. This person does not need to write the policy alone, but they must be accountable for its development, dissemination, and review schedule.
Draft your awareness and training policy to cover every element auditors will check: purpose, scope, roles and responsibilities, management commitment, coordination with other organizational entities, and compliance with applicable laws and directives. Avoid restating NIST control language verbatim. Instead, define what these elements mean for your specific organization, its risk environment, and its workforce.
Build procedures that describe how your organization implements each control in the Awareness and Training family. Procedures should be specific enough that a new team member can follow them and an auditor can verify them. Include details such as how your team maintains training records, how it schedules phishing simulations, and how it tracks training completion.
Establish a defined review frequency for both the policy and procedures. Document the triggering events that force an out-of-cycle review, such as audit findings, security incidents, changes in organizational structure, or updates to applicable regulations. Developing a culture of cybersecurity depends on treating these review cycles as active governance rather than administrative overhead.
Common mistakes to avoid:
- Writing a policy that restates NIST control language without organizational context
- Failing to define a designated official responsible for the policy lifecycle
- Omitting procedures entirely or treating them as identical to the policy
- Setting a review schedule but not documenting triggering events
- Limiting dissemination to the security team instead of all defined personnel
- Creating a single document that combines policy and procedures without distinguishing governance intent from operational steps
For your vendors
When your vendors must demonstrate AT-01 compliance, your assessment should verify that they maintain a documented awareness and training policy with all required elements. Request the policy document and confirm that it addresses purpose, scope, roles, responsibilities, management commitment, coordination, and compliance obligations.
Verify that your vendor has designated a specific official responsible for managing the policy and its procedures. This designated official should be identifiable by name or role, not described generically. Ask for evidence of the most recent policy review, including the date and any changes made.
Evaluate whether the vendor’s policy aligns with their risk management strategy and applicable legal requirements. A vendor operating in a regulated industry should have awareness and training procedures that reflect those regulatory obligations, not a generic template.
Review the vendor’s information security policy documentation for evidence that awareness and training procedures exist as distinct artifacts from the policy itself. Procedures should describe how the vendor delivers, tracks, and updates training.
Common mistakes to avoid:
- Accepting a vendor’s policy document without verifying it covers all required elements
- Failing to check whether the vendor has a designated official for policy management
- Not requesting evidence of review cycles and triggering events
- Treating a vendor’s training program as evidence of AT-01 compliance without verifying the underlying policy and procedures exist
- Overlooking the distinction between the awareness and training policy (the “what” and “why”) and the procedures (the “how”), which must exist as separate documented artifacts
Evidence examples
| Evidence type | Example artifact |
|---|---|
| Policy document | Awareness and training policy addressing purpose, scope, roles, responsibilities, management commitment, coordination, and compliance |
| Procedures document | Documented procedures for implementing awareness and training controls, including training delivery, tracking, and update processes |
| Designated official record | Signed appointment memo or role description identifying the official responsible for policy and procedure management |
| Dissemination records | Distribution logs, email confirmations, or acknowledgment forms showing policy delivery to defined personnel |
| Review and update records | Version history, change logs, or review meeting minutes documenting policy and procedure updates |
| System security plan | Relevant sections of the system security plan referencing awareness and training policy and procedures |
| Privacy plan | Privacy plan sections addressing awareness and training requirements and coordination with the security program |
Cross-framework mapping
| Framework | Control(s) | Coverage |
|---|---|---|
| ISO 27001:2022 | 5.1 Policies for information security | Partial |
| ISO 27001:2022 | 5.2 Information security roles and responsibilities | Partial |
| ISO 27001:2022 | 5.3 Segregation of duties | Partial |
| ISO 27001:2022 | 5.4 Management responsibilities | Partial |
| ISO 27001:2022 | 5.31 Legal, statutory, regulatory requirements | Partial |
| ISO 27001:2022 | 5.36 Compliance with policies, rules and standards | Partial |
| ISO 27001:2022 | 5.37 Documented operating procedures | Partial |
| NIST SP 800-171 Rev 3 | 03.15.01 Policy and Procedures | Partial |
Related controls
- PM-09 Risk Management Strategy: Your awareness and training policy should align with and draw from your organization’s risk management strategy, which defines the risk tolerance and priorities that shape training requirements.
- PS-08 Personnel Sanctions: Personnel sanctions provide the enforcement mechanism for awareness and training policy violations, connecting AT-01 governance to accountability outcomes.
- SI-12 Information Management and Retention: Information management and retention requirements govern how long you must maintain awareness and training records, policies, and procedure documentation.
- AT-02 Literacy Training and Awareness: AT-02 specifies the actual training content and delivery that AT-01’s policy and procedures must govern, making these two controls directly interdependent.
- AT-03 Role-Based Training: Role-based training requirements depend on AT-01’s policy to define which roles require specialized training and how that training is documented and reviewed.
- PM-13 Security and Privacy Workforce: Workforce planning controls ensure your organization has the personnel capacity to develop, deliver, and maintain the awareness and training program that AT-01 requires.
- PM-14 Testing, Training, and Monitoring: Testing and monitoring controls provide the feedback loop that informs AT-01’s policy review cycles, connecting assessment results to policy updates.
Frequently asked questions
What is NIST SP 800-53 AT-01?
AT-01 is a NIST SP 800-53 control that requires organizations to develop, document, and disseminate an awareness and training policy and supporting procedures. The control mandates that a designated official manage the policy lifecycle and that the organization review and update both the policy and procedures at defined frequencies and in response to triggering events such as audit findings or regulatory changes.
What happens if AT-01 is not implemented?
Failure to implement AT-01 creates a foundational audit finding that affects every other control in the Awareness and Training family. Without a documented policy addressing purpose, scope, roles, responsibilities, and management commitment, your organization cannot demonstrate that its training activities are governed, consistent, or aligned with applicable laws and directives. Assessors will flag the absence of a designated official and the lack of dissemination records as evidence that the awareness and training program lacks accountability.
How do you audit AT-01?
Auditors verify that the awareness and training policy is developed, documented, and disseminated to defined personnel and roles. They check that the policy addresses all required elements, including purpose, scope, roles, responsibilities, management commitment, coordination among entities, and compliance with applicable laws. Assessors also confirm that a designated official is responsible for managing the policy and procedures, and that review and update cycles are documented with both a defined frequency and specific triggering events.
Is NIST SP 800-53 AT-01 required for all organizations?
AT-01 appears in all four NIST SP 800-53 baselines: LOW, MODERATE, HIGH, and PRIVACY. Federal agencies and contractors operating under the Federal Information Security Modernization Act (FISMA) must implement AT-01 as part of their security authorization process.
Private-sector organizations are not legally required to adopt NIST SP 800-53, but many use it as a voluntary framework for structuring their security and privacy programs. AT-01 serves as the governance foundation for any awareness and training effort regardless of regulatory mandate, because every other control in the AT family depends on the policy and procedures that AT-01 establishes.