| Field | Value |
|---|---|
| Control ID | AT-03 |
| Control name | Role-based Training |
| Framework | NIST SP 800-53, Revision 5 |
| Control family | Awareness and Training |
| Baselines | Low, Moderate, High, Privacy |
| Implementation level | Organization (First Party and Third Party) |
| Risk severity | Medium |
What this control requires
AT-03 requires organizations to deliver role-specific security and privacy training before authorizing system access. Generic awareness sessions don’t satisfy this control. If someone holds a role with defined security or privacy responsibilities, they need training that matches those responsibilities, delivered on a recurring schedule and whenever system changes demand it.
The scope is broader than most teams expect. NIST SP 800-53 maps role-based training across a wide range of positions: system owners, CISOs, authorizing officials, security and privacy officers, architects, developers, database administrators, auditors, incident response staff, procurement officials, and anyone handling personally identifiable information (PII). Each of these roles carries distinct responsibilities, and the training content must reflect those differences.
That breadth is by design. The Awareness and Training (AT) family treats this control as foundational to the broader training program.
The obligation extends beyond initial onboarding. You’re also required to update training content at a defined frequency and in response to specific triggers, including audit findings, security incidents, or changes in applicable laws and regulations. AT-03 explicitly calls for incorporating lessons learned from past incidents and breaches into future training materials.
That feedback loop is what separates a living training program from a static compliance checkbox.
Why it matters
Most organizations treat role-based training as an annual formality, and auditors know it. When training content hasn’t been updated in 18 months and your incident response team can’t articulate the procedures they were supposedly trained on, assessors see a control that exists on paper but fails in practice. That gap introduces real audit risk and can jeopardize certification outcomes under the NIST SP 800-53 framework.
Failure to maintain AT-03 introduces compliance risk that compounds over time. For organizations pursuing or maintaining a NIST-based authorization, inadequate role-based training is a finding that assessors flag consistently. It may result in conditions on your authorization, delayed approvals, or regulatory findings during oversight reviews.
In practice, building a genuine culture of cybersecurity starts with making sure your people actually understand what their role demands.
The risk extends beyond your own workforce. Contractors and third-party personnel with system access fall under the same training requirements. If your vendor’s database administrator has privileged access to your environment but hasn’t received role-appropriate training, you’re carrying that risk on your authorization boundary. Effective human risk management means extending training expectations to everyone who touches your systems, not just full-time employees.
Gaps in role-based training consistently expose the following attack vectors:
- Privilege misuse from untrained administrators who don’t understand the boundaries of their access or the logging that monitors their actions
- Incident response delays when incident response (IR) staff haven’t been trained on updated procedures or escalation paths
- Privacy violations by PII handlers who lack training on current data handling requirements and breach notification obligations
- Misconfigured systems deployed by engineers who weren’t trained on secure configuration baselines for their specific platform
- Failed vendor assessments when third-party staff can’t demonstrate role-appropriate security knowledge
How to implement
The most common failure mode isn’t skipping training altogether. It’s delivering the same generic security awareness module to every employee and calling it “role-based,” when auditors clearly distinguish between general awareness (AT-02) and role-specific training (AT-03) within the Awareness and Training family.
For your organization
Start by building a role-to-training matrix that maps every defined security and privacy role to specific training content. This matrix becomes a living document, referenced during onboarding, role changes, and annual reviews.
Specifically, the curriculum must be organized around your defined roles. Structure training modules by responsibility area:
- Management controls for senior leaders, authorizing officials, and system owners
- Operational controls for security officers, privacy officers, incident response teams, and contingency planning staff
- Technical controls for architects, developers, database administrators, and configuration management personnel
In practice, delivery format matters less than relevance and verification. Web-based modules, classroom instruction, hands-on labs, and micro-training sessions all count, but each must be mapped to specific role responsibilities. A developer’s training on secure coding practices looks nothing like a privacy officer’s training on data minimization requirements.
Beyond content, the update cadence must be formalized. Define your update triggers explicitly in policy. At a minimum, training content should be reviewed annually and updated following audit findings, security incidents, changes in organizational systems, and new regulatory requirements.
The result is a traceable feedback loop. Document how lessons learned from incidents feed back into training materials, because assessors want to see a clear path from an after-action report to a curriculum update.
Common mistakes to avoid:
- Treating the annual awareness module as sufficient for all roles
- Failing to train personnel before granting system access (AT-03 requires training before authorization)
- No documented process for updating content after incidents
- Missing training records for contractors and temporary staff
- Using the same content year after year without incorporating lessons learned
Beyond avoiding these mistakes, understanding the broader human factors in cybersecurity can help you build curricula that change behavior. Designing training around how people actually process and retain role-specific information addresses root causes rather than surface-level awareness gaps.
For your vendors
When assessing a vendor’s AT-03 compliance, you need evidence that their training program is role-specific, not just that training exists. Generic completion certificates don’t demonstrate that a database administrator received different training than a help desk analyst.
Specifically, request these artifacts during your vendor security review:
- A role-to-training mapping that shows which roles receive which training modules
- Sample training materials for at least two distinct roles (for example, a technical role and a management role)
- Training completion records showing dates, roles, and specific courses completed
- Evidence of content update history, including triggers that prompted revisions
- Documentation showing how incident lessons are incorporated into training materials
Red flags to watch for during assessment:
- Every employee receives identical training regardless of role
- No documented training schedule or defined frequency
- Training records lack role designations
- No evidence of content updates in the past 12 months
- Contractors or third-party personnel excluded from the training program
Where programs most often fall short is the privacy dimension. Verify that your vendor’s training program covers both security and privacy dimensions. AT-03 addresses both, and a program that only covers security awareness without addressing privacy responsibilities for PII handlers leaves a gap that assessors will identify.
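The common mistakes and vendor red flags above reduce to a handful of mechanical checks over a role-to-training matrix and exported completion records. The following is an added example (not from this page or from NIST) that assumes a hypothetical matrix and constructed sample data, and flags training completed after access was granted, records lacking a role designation, missing modules for internal staff and contractors alike, and content not revised in the past 12 months.

```python
from datetime import date

# Hypothetical role-to-training matrix: role -> modules required before access.
ROLE_MATRIX = {
    "database_administrator": {"privileged-access-and-logging", "secure-config-baselines"},
    "incident_responder": {"ir-procedures-and-escalation"},
    "pii_handler": {"pii-handling-and-breach-notification"},
}

# Constructed sample data: last content revision per module, access grants, completions.
MODULE_REVISED = {
    "privileged-access-and-logging": date(2024, 3, 1),
    "secure-config-baselines": date(2022, 11, 15),  # not revised in over a year
    "ir-procedures-and-escalation": date(2024, 6, 10),
    "pii-handling-and-breach-notification": date(2024, 1, 20),
}
ACCESS_GRANTS = [
    {"person": "alice", "role": "database_administrator", "employer": "internal", "granted": date(2024, 5, 1)},
    {"person": "bob", "role": "incident_responder", "employer": "contractor", "granted": date(2024, 7, 1)},
    {"person": "carol", "role": "pii_handler", "employer": "internal", "granted": date(2024, 2, 1)},
]
COMPLETIONS = [
    {"person": "alice", "role": "database_administrator", "module": "privileged-access-and-logging", "completed": date(2024, 4, 20)},
    {"person": "alice", "role": "database_administrator", "module": "secure-config-baselines", "completed": date(2024, 5, 9)},  # after access
    {"person": "carol", "role": "", "module": "pii-handling-and-breach-notification", "completed": date(2024, 1, 25)},  # no role recorded
]

def audit(matrix, revised, grants, completions, as_of, max_age_days=365):
    """Return one finding string per AT-03 gap found in the supplied records."""
    findings = []
    done = {}  # (person, module) -> earliest completion date
    for c in completions:
        if not c["role"]:
            findings.append(f"record lacks role designation: {c['person']}/{c['module']}")
        key = (c["person"], c["module"])
        done[key] = min(done.get(key, c["completed"]), c["completed"])
    # Every required module must be completed on or before the access grant date,
    # regardless of whether the person is an employee or a contractor.
    for g in grants:
        for module in sorted(matrix.get(g["role"], ())):
            when = done.get((g["person"], module))
            if when is None:
                findings.append(f"{g['person']} ({g['employer']} {g['role']}): missing {module}")
            elif when > g["granted"]:
                findings.append(f"{g['person']}: {module} completed after access granted")
    # Content that has not been revised within the review window is a red flag.
    for module, last in sorted(revised.items()):
        if (as_of - last).days > max_age_days:
            findings.append(f"content stale: {module} last revised {last}")
    return findings
```

Run `audit(ROLE_MATRIX, MODULE_REVISED, ACCESS_GRANTS, COMPLETIONS, date(2024, 9, 1))` against a real export by replacing the constructed dictionaries with the vendor's matrix and records.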
Evidence examples
| Evidence Type | Example Artifact |
|---|---|
| Training policy and procedures | Documented security and privacy awareness and training policy defining roles, frequencies, update triggers, and delivery methods |
| Role-to-training curriculum mapping | Matrix linking each defined role (system owner, CISO, IR staff, PII handler) to specific training modules and content areas |
| Training completion records | Timestamped records showing each individual’s role, assigned training modules, completion dates, and assessment scores |
| Training materials and content | Role-specific course content, slides, lab exercises, or micro-training modules covering management, operational, and technical controls |
| Content update documentation | Change log showing training material revisions tied to audit findings, incidents, regulatory changes, or system modifications |
| Lessons-learned integration evidence | After-action reports from incidents with traceable updates to training curriculum addressing identified gaps |
| System security plan and privacy plan | Sections documenting role-based training requirements, assigned responsibilities, and implementation approach |
Cross-framework mapping
| Framework | Control(s) | Coverage |
|---|---|---|
| ISO 27001:2022 | 6.3 Information security awareness, education and training | Partial |
| NIST SP 800-171 Rev 3 | 03.02.02 Role-Based Training | Partial |
Both mappings are partial because AT-03’s explicit requirements around lessons-learned integration, system-change-triggered retraining, and the breadth of defined roles exceed what either ISO 27001 clause 6.3 or NIST SP 800-171 mandates on its own.
Related controls
- AC-03 — Access Enforcement: role-based training ensures personnel understand the access restrictions that AC-03 enforces technically
- AC-17 — Remote Access: remote access introduces additional risks that role-based training must address for users connecting from outside the network boundary
- AC-22 — Publicly Accessible Content: personnel responsible for public-facing content need training on information disclosure risks and review procedures
- AT-02 — Literacy Training and Awareness: AT-02 covers general awareness for all users, while AT-03 builds on that foundation with role-specific depth
- AT-04 — Training Records: AT-04 requires documenting the training that AT-03 delivers, creating the audit trail assessors review
- CP-03 — Contingency Training: contingency planning staff need role-based training on business continuity and disaster recovery procedures specific to their responsibilities
- IR-02 — Incident Response Training: incident response teams require specialized training on detection, analysis, containment, and recovery procedures beyond general awareness
- IR-04 — Incident Handling: lessons learned from incident handling under IR-04 feed directly into AT-03 training content updates
- IR-07 — Incident Response Assistance: help desk and support staff need role-based training on how to recognize and escalate potential security incidents
- IR-09 — Information Spillage Response: personnel handling classified or sensitive data need specific training on spillage detection, containment, and reporting procedures
Frequently asked questions
What is NIST SP 800-53 AT-03?
AT-03 is the NIST SP 800-53 control that requires organizations to provide role-based security and privacy training to all personnel with assigned security or privacy responsibilities. Unlike general awareness training covered by AT-02, AT-03 demands that training content match each person’s specific role, whether they’re a system owner, incident response analyst, privacy officer, or database administrator. Training must be delivered before system access is authorized and refreshed at a defined frequency, after relevant system changes, and following events like audit findings or regulatory updates. The control also requires incorporating lessons learned from security incidents and breaches into the training curriculum, going further than what the ISO 27001 awareness and training requirement mandates.
What happens if AT-03 is not implemented?
Without AT-03, your organization lacks documented evidence that personnel received training aligned with their specific security and privacy responsibilities, which is a finding assessors consistently flag. Authorization decisions may be delayed or conditioned, and regulatory reviewers can cite the gap as a material weakness in your security program. The operational impact compounds because untrained staff in critical roles, such as incident response personnel, configuration managers, and PII handlers, are more likely to make errors that cascade into incidents, policy violations, or privacy breaches that trigger additional compliance consequences.
How do you audit AT-03?
Auditors verify AT-03 by examining your role-to-training curriculum mapping, training completion records, and evidence that content has been updated at the defined frequency and in response to triggering events. They’ll check that training was delivered before system access was granted for new personnel and that records include the specific role, training module, and completion date for each individual. Assessors also look for documented evidence that lessons learned from past incidents were incorporated into updated training materials, tracing the path from an after-action report to a curriculum change.
What roles require role-based training under NIST SP 800-53?
AT-03 applies to any personnel with defined security or privacy responsibilities, and NIST’s supplemental guidance names a broad set of roles. These include senior leaders, CISOs, system owners, authorizing officials, security and privacy officers, system architects, software developers, database administrators, auditors, configuration management staff, contingency planning and incident response personnel, privacy program managers, and individuals who handle personally identifiable information. The training must cover management, operational, and technical controls relevant to each role, and it extends to contractors and third-party personnel, not just full-time employees.