AT-2: Literacy Training and Awareness

Control ID: AT-02
Control name: Literacy Training and Awareness
Framework: NIST SP 800-53, Revision 5
Control family: Awareness and Training
Baselines: LOW, MODERATE, HIGH, PRIVACY
Relevance: Organization (First Party and Third Party)
Risk severity: Medium

What this control requires

AT-02 requires organizations to provide security and privacy literacy training to every system user and keep that training current. This obligation covers all personnel with system access, including managers, senior executives, and contractors. Training must begin during onboarding and recur at an organization-defined frequency, with additional sessions triggered by significant system changes or security events.

But scheduling alone is not sufficient. Organizations must also employ awareness techniques that reinforce secure behavior between formal sessions. The content of that training spans understanding security and privacy responsibilities, recognizing and reporting suspected incidents, protecting personally identifiable information (PII), and practicing operations security in both office and telework environments.

In practice, this means the training program is never static. AT-02 requires organizations to incorporate lessons learned from actual security incidents and breaches into training materials, and content must be updated at a defined frequency and whenever events demand it.

Organizations determine the appropriate depth of training, from basic literacy to advanced topics, based on each user’s authorized access level, role responsibilities, and work environment. You can find additional context on how AT-02 fits within the broader NIST SP 800-53 framework index.

Why it matters

A single employee retrieving an email from a spam folder and opening an unexpected attachment can compromise authentication infrastructure used by thousands of organizations. That is the core risk AT-02 exists to mitigate: human decisions made in seconds that cascade into months of incident response, hundreds of millions of dollars in remediation, and lasting damage to trust.

When literacy training is absent or inconsistent, the workforce becomes the most reliable entry point for attackers. Phishing, pretexting, and social engineering succeed not because employees are careless, but because they haven’t built the reflexes to pause, verify, and report before acting on an unexpected request.

RSA SecurID seed compromise

In March 2011, RSA Security disclosed that its corporate network had been breached. The attack compromised data related to its SecurID two-factor authentication tokens, products deployed across thousands of organizations including United States defense contractors.

The initial access vector was a spear-phishing email titled “2011 Recruitment plan.xls,” sent to a small group of RSA employees. One employee retrieved the message from a spam folder and opened the attached spreadsheet. A zero-day Adobe Flash exploit (CVE-2011-0609) executed silently upon opening, giving the attacker a foothold. From there, the attacker moved laterally through RSA’s network and exfiltrated seed values used to generate one-time authentication codes. As Art Coviello, RSA’s Executive Chairman, acknowledged in an open letter, the breach originated from that phishing email.

The downstream consequences were severe. Subsequent attacks against Lockheed Martin and other defense contractors were attributed to the compromised SecurID data. RSA, then part of EMC, offered replacement tokens to over 40 million SecurID users, with the full compromise cost estimated in the hundreds of millions of dollars.

The result is a textbook AT-02 failure. A targeted email impersonating a plausible business topic was sufficient to cause an employee to open an unsolicited attachment from an unknown sender, and security awareness training exists to build exactly the reflexes that flag that behavior as requiring verification.

What attackers exploit

  • Phishing and spear-phishing campaigns that impersonate trusted senders or use urgent subject lines to bypass judgment. Effective security awareness training builds pattern recognition for these tactics.
  • Social engineering via phone, chat, or in-person pretexting, where attackers exploit employees who haven’t been trained to verify identity before sharing credentials or access. Understanding social engineering techniques is foundational to AT-02.
  • Credential harvesting through fake login pages, targeting users who lack training on verifying URLs and recognizing cloned interfaces.
  • Insider threat scenarios where employees mishandle sensitive data, not out of malice, but because they were never trained on data classification or spillage response. Addressing human factors in cybersecurity reduces these risks.
  • Post-incident confusion when untrained staff don’t know how to report a suspected compromise, delaying containment and escalating damage.

How to implement

Literacy training programs fail most often not from absence, but from stagnation. Annual checkbox training that never evolves and never tests knowledge gives you compliance artifacts without actual risk reduction.

For your organization

Start by mapping your training curriculum to AT-02’s assessment objectives. Your curriculum should address security and privacy fundamentals, recognizing and reporting suspected incidents, operations security for both office and remote environments, and handling of personally identifiable information.

Build training around three triggers. First, onboarding: every new user, whether employee, contractor, or executive, completes baseline literacy training before receiving system access. Second, recurring sessions at your defined frequency, which for most organizations means quarterly or semi-annually. Third, event-driven refreshers following significant system changes, new threat intelligence, or post-incident lessons learned; this trigger matters as much as the first two.

Supplement formal sessions with awareness techniques that reinforce concepts between them, such as phishing simulation campaigns, security newsletters, visual reminders in collaboration tools, and short micro-learning modules. The goal is building reflexes, not just passing quizzes.

Where this breaks down is knowledge verification. Completion tracking alone doesn’t demonstrate that users understood the material, so include knowledge assessments, phishing simulation results, and periodic spot-checks. Document training records, curriculum versions, completion rates, simulation outcomes, and content update logs.

In practice, most organizations use a combination of a learning management system for course delivery and tracking, a phishing simulation platform for realistic testing, and a content library that stays current with emerging threats. Developing a culture of cybersecurity requires more than tool procurement; it demands executive sponsorship and visible participation.

But the most common failures are preventable. Running training only once per year, excluding contractors or senior executives, never updating content after incidents, relying on completion rates without testing comprehension, and treating training as an IT responsibility rather than an organizational one all undermine AT-02 compliance.
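The checks described above (training before access, recurrence at the defined frequency, comprehension testing, contractor and executive coverage, and content updated after an incident) can be run mechanically over a training export. The following is an added illustration, not code from the original page or from any LMS vendor: the record layout, the semi-annual recurrence interval, the 80% pass mark and all sample users and dates are constructed assumptions.

```python
"""Added example: audit a constructed training export against AT-02's three
triggers and its knowledge-verification expectation. The record layout, the
semi-annual recurrence and the 80 pass mark are assumptions for illustration,
not any vendor's LMS schema or a NIST-prescribed value."""
from dataclasses import dataclass
from datetime import date, timedelta

RECURRENCE = timedelta(days=182)  # assumed organization-defined frequency (semi-annual)
PASS_SCORE = 80                   # assumed knowledge-assessment pass mark
AS_OF = date(2024, 10, 1)         # constructed audit date


@dataclass
class User:
    user_id: str
    population: str                # employee, contractor or executive
    access_granted: date           # day system access was first provisioned
    completions: list              # (completion_date, assessment_score) pairs


# Constructed sample export: one compliant user and three distinct failure modes.
USERS = [
    User("u1", "employee", date(2024, 1, 10),
         [(date(2024, 1, 8), 92), (date(2024, 7, 1), 88)]),
    User("u2", "contractor", date(2024, 3, 1), []),            # excluded from training
    User("u3", "executive", date(2024, 2, 5),
         [(date(2024, 2, 20), 95)]),                           # trained after access, then lapsed
    User("u4", "employee", date(2023, 6, 1),
         [(date(2023, 5, 30), 90), (date(2024, 1, 15), 65)]),  # lapsed and failed assessment
]
LAST_INCIDENT = date(2024, 8, 15)                              # constructed significant event
CURRICULUM_UPDATES = [date(2024, 2, 1), date(2024, 9, 1)]      # constructed content change log


def audit_user(user, as_of):
    """Return the list of AT-02 findings for one user (empty means compliant)."""
    findings = []
    done = sorted(user.completions)
    if not done:
        return ["no literacy training on record"]
    first_date, _ = done[0]
    if first_date > user.access_granted:
        findings.append("onboarding training completed after access was granted")
    last_date, last_score = done[-1]
    if as_of - last_date > RECURRENCE:
        findings.append("recurring training lapsed")
    if last_score < PASS_SCORE:
        findings.append("latest knowledge assessment below pass mark")
    return findings


def audit_program(users, as_of, last_incident, curriculum_updates):
    """Roll per-user findings up into what an assessor asks for: per-population
    compliance rates and whether content changed after the last incident."""
    per_user = {u.user_id: audit_user(u, as_of) for u in users}
    populations = {}
    for u in users:
        total, ok = populations.get(u.population, (0, 0))
        populations[u.population] = (total + 1, ok + (not per_user[u.user_id]))
    coverage = {pop: ok / total for pop, (total, ok) in populations.items()}
    return {
        "users": per_user,
        "coverage": coverage,
        "post_incident_update": any(d > last_incident for d in curriculum_updates),
    }


def default_report():
    """Run the audit over the constructed sample data."""
    return audit_program(USERS, AS_OF, LAST_INCIDENT, CURRICULUM_UPDATES)


if __name__ == "__main__":
    report = default_report()
    for uid, findings in report["users"].items():
        print(uid, "compliant" if not findings else "; ".join(findings))
    for pop, rate in report["coverage"].items():
        print(f"{pop}: {rate:.0%} compliant")
    print("curriculum updated after last incident:", report["post_incident_update"])
```

A population whose compliance rate is zero (here the constructed contractor and executive rows) is the exclusion pattern the text calls out as a warning sign, and a user whose latest assessment fails while completion is recorded shows why completion rates alone are not comprehension evidence.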

For your vendors

When assessing a vendor’s AT-02 posture, start your security questionnaire with targeted questions. Ask whether the vendor has a documented security awareness training policy, what the training frequency is, whether training covers both security and privacy topics, how new hires are onboarded, and whether lessons learned from incidents are incorporated into training updates.

Request evidence to verify their claims. Training policy documents should define scope, frequency, and content requirements. Completion rate reports should show participation across all user populations, including contractors.

Curriculum samples should demonstrate coverage of phishing recognition, incident reporting, and data handling. Phishing simulation results reveal whether the program actually changes behavior.

Where this breaks down is in vendor responses that reveal gaps. A vendor with no documented training program, or one that claims 100% completion rates without any form of knowledge testing, hasn’t built a credible program. Training content that hasn’t been updated in over two years suggests the program is dormant. Exclusion of contractors, temporary workers, or executives from training requirements is another warning sign.

Self-attestation alone is insufficient when the vendor’s risk tier warrants deeper scrutiny. Request screenshots from their learning management system showing recent completion data, and ask for evidence of post-incident curriculum updates tied to specific events.

In practice, phishing simulation cadence and failure-rate trends over time are the strongest behavioral indicators. A mature program shows declining failure rates and increasing reporting rates across simulation campaigns.

Evidence examples

System security plan and privacy plan: Security and privacy plans documenting AT-02 implementation, training scope, frequency definitions, and event triggers
Literacy training policy and procedures: Training policy defining roles covered, onboarding requirements, recurring schedule, and event-driven update procedures
Training curriculum and materials: Security and privacy literacy curriculum covering phishing recognition, incident reporting, PII handling, and operations security
Training completion reports: Learning management system export showing per-user completion dates, assessment scores, and contractor coverage
Phishing simulation results: Campaign reports documenting simulation frequency, click rates, reporting rates, and trend analysis over time
Awareness program activity log: Inventory of supplemental awareness methods deployed, such as newsletters, micro-learning modules, or visual reminders, with deployment dates and reach
Post-incident training updates: Documented curriculum revisions tied to specific incidents or breaches, with dates and change descriptions
Regulatory reference mapping: Mapping of training requirements to applicable codes of federal regulations and organizational mandates

Cross-framework mapping

  • ISO 27001:2022, 6.3 Information security awareness, education and training (partial coverage)
  • ISO 27001:2022, 7.3 Securing offices, rooms and facilities (partial coverage)
  • ISO 27001:2022, 8.7 Protection against malware (partial coverage)
  • NIST SP 800-171 Rev 3, 03.02.01 Literacy Training and Awareness (partial coverage)

Several controls, within the Awareness and Training family and in related families, interact directly with AT-02.

  • AC-03 - Access Enforcement: relates because access enforcement depends on users understanding their access privileges and restrictions.
  • AC-17 - Remote Access: relates because telework environments require specific training on remote access security.
  • AC-22 - Publicly Accessible Content: relates because users need training on what information can be publicly shared.
  • AT-03 - Role-based Training: extends AT-02 with specialized training for users who hold significant security responsibilities.
  • AT-04 - Training Records: provides the documentation and tracking that proves AT-02 compliance.
  • CP-03 - Contingency Training: complements AT-02 with training specific to continuity and recovery procedures.
  • IA-04 - Identifier Management: relates because users need training on identity credential management.
  • IR-02 - Incident Response Training: builds on AT-02 awareness with specific incident handling procedures.
  • IR-07 - Incident Response Assistance: provides the help-desk and support structure users need after awareness training.
  • IR-09 - Information Spillage Response: requires trained users who can recognize and report data spillage.

Frequently asked questions

What is NIST SP 800-53 AT-02

AT-02 is the NIST SP 800-53 control requiring organizations to deliver security and privacy literacy training to all system users. It mandates initial training during onboarding, recurring sessions at an organization-defined frequency, and event-triggered refreshers. The control also requires organizations to employ awareness techniques between formal sessions and to incorporate lessons learned from security incidents into training content. It applies across the LOW, MODERATE, and HIGH baselines and the PRIVACY baseline.

What happens if AT-02 is not implemented

Without AT-02 implementation, employees lack the trained reflexes to recognize phishing attachments, verify unexpected requests, or report suspected incidents before damage escalates. Your organization also faces audit failures when assessors request training completion records, curriculum documentation, or evidence of post-incident content updates and find none. Because AT-02 is required across LOW, MODERATE, and HIGH baselines, failure to implement it blocks baseline compliance entirely, regardless of your target impact level.

How do you audit AT-02

Auditing AT-02 starts with reviewing training completion records to verify that all user populations, including contractors and executives, received initial and recurring literacy training. Assessors then examine the curriculum content itself to confirm it covers the required topics: phishing recognition, incident reporting, operations security, and PII handling. They also look for documented awareness techniques employed between formal training sessions and check post-incident training update logs to verify that lessons learned from security events were incorporated into materials at the defined update frequency.

How often should security awareness training be conducted under NIST 800-53

NIST SP 800-53 does not prescribe a fixed frequency for AT-02 training. Instead, it requires training at three points: initial training for every new user before they receive system access, recurring training at an organization-defined frequency, and event-triggered refreshers following significant system changes or security incidents. Most organizations set the recurring cadence at quarterly or semi-annual intervals, but the appropriate frequency depends on your risk environment, regulatory obligations, and the broader NIST SP 800-53 framework context.
