| Control ID | AT-04 |
|---|---|
| Control Name | Training Records |
| Framework | NIST SP 800-53, Revision 5 |
| Control Family | Awareness and Training |
| Baselines | LOW, MODERATE, HIGH, PRIVACY |
| Implementation Level | Organization |
| Relevance | First Party and Third Party |
| Risk Severity | Low |
What This Control Requires
AT-04 requires organizations to document, monitor, and retain records of all security and privacy training activities. That single requirement covers both awareness and role-based training tied to specific job functions. The control addresses a gap most audit teams encounter early — training happened, but no one can prove it.
What makes this requirement distinct is that NIST SP 800-53 treats training records as a separate control because awareness alone is not auditable without documentation. Organizations must track who completed which training, when they completed it, and whether the content covered the topics required for their role. Retention periods should align with regulatory requirements and records management guidance from bodies like the National Archives and Records Administration (NARA).
In practice, individual supervisors may maintain specialized training records for roles like incident response or contingency planning rather than routing them to a centralized system. The organization still retains responsibility for ensuring those records exist, remain accessible during audits, and follow the same retention timeline as centralized records. An auditor reviewing AT-04 won’t accept “the manager tracks that” as sufficient documentation — supervisor-maintained records still need a defined format, a storage location, and a retention period that matches the organization’s broader records management policy, as described in the NIST SP 800-53 overview.
Why It Matters
Most organizations conduct security training. Far fewer can produce complete records when an auditor asks for them. AT-04 exists because undocumented training is, from a compliance perspective, training that never happened.
Failure to maintain training records introduces audit risk that compounds over time. Assessors evaluating NIST compliance will flag incomplete or missing training documentation as a finding, even when the organization has a mature awareness program. The gap between “we trained everyone” and “here is the evidence” is where audit deficiencies live.
The consequences compound for organizations subject to the Federal Information Security Modernization Act, the Federal Risk and Authorization Management Program, or similar frameworks, where AT-04 findings can delay authorization decisions. In the private sector, training record gaps surface during SOC 2 examinations and customer due diligence reviews. The operational cost of reconstructing records after the fact almost always exceeds the cost of tracking them from the start.
The downstream effect extends beyond the AT-04 finding itself. Without records, organizations can’t demonstrate that contingency plan participants completed CP-03 training or that incident responders fulfilled IR-02 requirements.
What attackers exploit when training gaps exist:
- Employees who never completed phishing awareness training are more likely to fall for credential-harvesting campaigns
- Privileged users without role-based training may misconfigure access controls or mishandle sensitive data
- Incident responders who lack documented training may follow outdated procedures during active incidents
- Vendor personnel with unverified training status introduce unmonitored risk to shared environments
- Gaps in training records make it harder to identify which teams need refresher training after a policy change
How to Implement
For Your Organization
The core challenge with AT-04 isn’t complexity. It’s consistency. Training delivery and training record-keeping are separate workflows, and most organizations treat them as one until an auditor separates them.
Establish a training record management process. Define what constitutes a complete training record: employee name, training title, delivery method, completion date, content summary, and assessed comprehension (if applicable). Map each record field to the evidence your assessors will request.
Centralize records in a learning management system (LMS) or equivalent. Standalone spreadsheets and email confirmations degrade over time. An LMS provides automated completion tracking, timestamped records, and exportable reports. If an LMS is not feasible, maintain a structured repository with version-controlled access.
Define your retention period and document it. AT-04 requires organizations to define how long training records are retained. Align this period with your records retention schedule, any applicable regulatory requirements, and NARA guidance for federal agencies. A common baseline is three years, but your organization-defined parameter should reflect your risk environment and audit cycle.
Integrate training tracking with your information security policy lifecycle. When policies change, training content should update, and records should reflect who completed the revised training. This linkage ensures that your AT-02 awareness program and AT-03 role-based training feed directly into AT-04 documentation.
Build reporting that supports ongoing monitoring. AT-04 requires monitoring, not just documentation. Generate periodic reports that identify overdue training, incomplete records, and coverage gaps by department or role. These reports satisfy the monitoring requirement and double as ready-made evidence during assessments.
Common mistakes to avoid:
- Tracking completion rates without retaining individual records
- Relying on calendar invites or attendance sign-in sheets as primary evidence
- Failing to document training exemptions or deferrals
- Storing records in systems without backup or access controls
- Not distinguishing between awareness training and role-based training in record categories
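As an added illustration (not from the page or any product it describes), the following Python script implements the record schema and monitoring report described above: it flags incomplete records, overdue awareness refreshers, missing role-based training per a role-to-training mapping, and records that have passed the retention period. The roster, the role-to-training mapping, the annual refresh interval and the three-year retention value are constructed assumptions standing in for organization-defined parameters.

```python
from datetime import date, timedelta

# Field set the page defines for a complete record; assessed comprehension is optional.
REQUIRED_FIELDS = ("employee", "title", "category", "role", "delivery", "completed", "summary")
RETENTION = timedelta(days=3 * 365)   # assumed org-defined parameter (page's three-year baseline)
REFRESH = timedelta(days=365)         # assumed annual awareness refresh interval
# Assumed AT-03 role-to-training mapping that role-based records must satisfy.
ROLE_TRAINING = {"sysadmin": "Privileged Access Training",
                 "incident responder": "Incident Response Training"}
# Constructed roster: every person who requires training, with their role.
ROSTER = {"alice": "sysadmin", "bob": "incident responder",
          "carol": "incident responder", "dave": "sysadmin"}

def rec(employee, title, category, completed, summary, delivery="LMS"):
    """Build one record dict in the page's field layout; role comes from the roster."""
    return {"employee": employee, "title": title, "category": category,
            "role": ROSTER[employee], "delivery": delivery,
            "completed": completed, "summary": summary}

RECORDS = [  # constructed sample records
    rec("alice", "Security Awareness", "awareness", "2025-03-01", "phishing, passwords"),
    rec("alice", "Privileged Access Training", "role-based", "2025-03-02", "least privilege"),
    rec("bob", "Security Awareness", "awareness", "2022-01-10", "phishing"),
    rec("bob", "Security Awareness", "awareness", "2023-01-15", "phishing, reporting"),
    rec("carol", "Security Awareness", "awareness", "", "", delivery="email"),  # no date: incomplete
]

def monitoring_report(records, today_iso, roster):
    """Return the findings an AT-04 monitoring report needs, keyed by finding type."""
    today = date.fromisoformat(today_iso)
    incomplete = sorted((r["employee"], r["title"]) for r in records
                        if any(not r.get(f) for f in REQUIRED_FIELDS))
    complete = [r for r in records if all(r.get(f) for f in REQUIRED_FIELDS)]
    latest = {}  # (employee, category, title) -> most recent completion date
    for r in complete:
        key, d = (r["employee"], r["category"], r["title"]), date.fromisoformat(r["completed"])
        latest[key] = max(latest.get(key, d), d)
    overdue, missing = [], []
    for person, role in sorted(roster.items()):
        aw = [d for (e, c, _), d in latest.items() if e == person and c == "awareness"]
        if not aw or today - max(aw) > REFRESH:        # never trained or refresher lapsed
            overdue.append(person)
        if (person, "role-based", ROLE_TRAINING[role]) not in latest:  # AT-03 gap
            missing.append(person)
    past_retention = sorted((r["employee"], r["title"], r["completed"]) for r in complete
                            if today - date.fromisoformat(r["completed"]) > RETENTION)
    return {"incomplete": incomplete, "overdue_awareness": overdue,
            "missing_role_based": missing, "past_retention": past_retention}

if __name__ == "__main__":
    for finding, items in monitoring_report(RECORDS, "2025-06-01", ROSTER).items():
        print(f"{finding}: {items}")
```

Records flagged under past_retention are candidates for disposition according to the retention schedule, not silent deletion; the report itself is the evidence that monitoring occurred.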
For Your Vendors
Verifying that a vendor maintains training records is harder than verifying your own, but AT-04 applies to any organization processing your data under NIST SP 800-53. The question is not whether vendors train their staff. It’s whether they can prove it.
Include AT-04-specific questions in your security questionnaires. Ask vendors to describe their training record retention policy, their LMS or tracking mechanism, and whether records distinguish between general awareness and role-based training. The NIST 800-53 questionnaire template provides a starting framework for these assessments.
Request evidence beyond self-attestation. Ask for sample training completion reports (with personal data redacted), screenshots of LMS dashboards, or excerpts from their records retention schedule. A vendor that can’t produce a sample record on request likely does not maintain records consistently.
Evaluate training scope against the vendor’s role. A vendor handling incident response on your behalf should demonstrate IR-specific training records. A vendor managing access provisioning should show evidence of access control training. Generic awareness training alone doesn’t satisfy AT-04 for third-party risk requirements under NIST 800-53.
Red flags during vendor assessments:
- Vendor can’t specify a records retention period
- Training records exist only as manual spreadsheets with no audit trail
- No distinction between awareness training and role-based training
- Training content hasn’t been updated in over 12 months
- Vendor declines to provide sample completion reports
Verification approach. Cross-reference the vendor’s training policy with their most recent SOC 2 report or third-party assessment. If the vendor claims ISO 27001 certification, check whether their awareness training controls under ISO 27001 6.3 align with what they report for NIST AT-04.
Ongoing monitoring matters as much as initial verification. Vendors change training programs, switch LMS platforms, and experience staff turnover. Build AT-04 verification into your recurring assessment cycle rather than treating it as a one-time check during onboarding.
Evidence Examples
| Evidence Type | Example Artifact |
|---|---|
| Training policy | Security and privacy awareness and training policy that defines roles, frequency, content requirements, and record retention periods |
| Training procedures | Documented procedures for maintaining, updating, and retrieving training records across awareness and role-based programs |
| Completion records | LMS-generated reports showing individual employee names, training titles, completion dates, and pass/fail status |
| Retention schedule | Records management schedule specifying the organization-defined retention period for training documentation |
| Role-based training logs | Training records for specialized roles (incident response, contingency planning, privileged access) with role-to-training mapping |
| System security plan | System security plan sections referencing AT-04 implementation, including the defined retention period and responsible parties |
| Privacy plan | Privacy-specific training records documenting completion of privacy awareness and role-based privacy training |
Cross-Framework Mapping
AT-04 doesn’t yet have cross-framework mappings. This section will display equivalent controls from frameworks such as ISO 27001:2022 and NIST SP 800-171 once mappings become available.
Related Controls
- AT-02 — Literacy Training and Awareness: Defines the awareness training program whose completion AT-04 documents and tracks
- AT-03 — Role-based Training: Establishes role-specific training requirements that generate the specialized records AT-04 must retain
- CP-03 — Contingency Training: Requires contingency plan training whose records fall under AT-04 retention requirements
- IR-02 — Incident Response Training: Mandates incident response training for designated personnel, producing records that AT-04 governs
- PM-14 — Testing, Training, and Monitoring: Provides the organizational framework for coordinating training activities that AT-04 tracks across programs
- SI-12 — Information Management and Retention: Governs the broader records retention lifecycle that applies to training documentation managed under AT-04
Frequently Asked Questions
What Is NIST SP 800-53 AT-04?
AT-04 is the NIST SP 800-53 control that requires organizations to document, monitor, and retain records of all information security and privacy training activities. It covers both general awareness training tracked under AT-02 and specialized role-based training established by AT-03, ensuring that every training event produces an auditable record with completion dates, participant identification, and content covered. The control applies across all baselines (LOW, MODERATE, HIGH, and PRIVACY), making it a universal requirement for any organization aligning to the NIST SP 800-53 catalog.
What Happens if AT-04 Is Not Implemented?
Organizations that fail to implement AT-04 can’t demonstrate training compliance during audits, even if training activities occurred. Assessors will flag missing or incomplete training records as a finding against the security and privacy awareness and training policy. For federal systems, this finding can delay or block authorization to operate, while in the private sector, training record gaps create liability during regulatory inquiries and undermine the credibility of related controls like CP-03 and IR-02.
How Do You Audit AT-04?
Auditing AT-04 starts with requesting the organization’s training records and comparing them against the security and privacy awareness and training policy, the defined retention period, and the list of personnel requiring training. Assessors verify that records exist for both awareness training and role-based training, that records are retained for the organization-defined time period, and that monitoring processes detect gaps in training completion. Evidence typically includes LMS reports, procedures addressing security and privacy training records, and the system security plan sections referencing AT-04 implementation.
How Long Should You Retain Security Training Records Under NIST 800-53?
NIST SP 800-53 doesn’t prescribe a fixed retention period for training records under AT-04. Instead, the organization defines the retention period based on its regulatory environment, records management policies, and audit cycle. Federal agencies should follow NARA guidance, and a common baseline for most organizations is three years, though programs subject to multiple compliance frameworks should align to the longest applicable requirement.