AT-6: Training Feedback


Control ID: AT-06
Control Name: Training Feedback
Framework: NIST SP 800-53 (Revision 5)
Control Family: Awareness and Training
Baselines: (none listed)
Implementation Level: Organization
Relevance: Organization (First Party and Third Party)
Risk Severity: Low

What this control requires

AT-06 requires your organization to deliver structured feedback on training outcomes to designated personnel at a defined frequency. Closing that loop means the right people know how training programs actually performed, not just that they ran. The control applies to both general security awareness training and role-based training programs.

In practice, this means collecting training results and routing that data to the stakeholders who can act on it. The feedback must reach specific individuals, not a generic distribution list, and it must arrive on a schedule you’ve defined and documented. Your security plan should identify who receives the feedback, what format it takes, and how frequently it’s delivered.

When this feedback loop is missing, the consequence is a governance gap. Training results reveal patterns that raw completion rates hide: when personnel in critical roles consistently fail assessments, that is a leading indicator of operational risk. Without a feedback mechanism, senior leadership has no line of sight into whether training is actually reducing risk or just generating compliance artifacts.

Why it matters

Most organizations treat training as a checkbox rather than a feedback system. AT-06 exists to prevent that pattern from becoming a blind spot in your security posture.

The result is measurable audit exposure. If your organization undergoes a NIST SP 800-53 assessment, auditors will look for documented evidence that training feedback reaches defined personnel on a defined cadence. Missing that evidence generates findings that can stall or block authorization.

But the deeper problem is organizational. When training feedback never reaches decision-makers, there’s no mechanism to adjust content, increase frequency for high-risk roles, or escalate patterns of repeated failure. Training stays static while threats evolve.

Specifically, when an organization runs monthly phishing simulations but never routes failure data to the CISO, the simulation program produces no governance response. A single quarter of missed feedback may not trigger an incident, but repeated gaps create a training program that can’t self-correct. Personnel in critical roles continue failing assessments with no one in a position to intervene.

What attackers exploit when training feedback is absent

When training feedback never reaches decision-makers, these attack vectors become easier to execute.

  • Social engineering campaigns that target undertrained personnel whose repeated assessment failures were never escalated to management
  • Credential phishing directed at employees in critical roles who lack role-based training reinforcement
  • Stale training content that no longer reflects current attack patterns, increasing insider threat risk across the organization
  • Privilege misuse by personnel whose gaps in role-based training went unreported and uncorrected
  • Pretexting attacks that succeed because awareness training was never updated based on prior failure data

How to implement

The most common failure mode for AT-06 isn’t a lack of training data. It’s that results sit in a learning management system dashboard no one reviews, never reaching the people who should act on them.

For your organization

Start by defining who receives training feedback and how often they receive it. These are the two assignment parameters the control requires, and your documentation must be explicit about both.

  1. Designate feedback recipients. Identify the personnel or roles that will receive training results as part of your Awareness and Training program. This typically includes the CISO, security program managers, department heads for critical-role teams, and the training coordinator. Document these assignments in your security awareness and training policy.
  2. Set the feedback frequency. Define how often feedback is delivered. Quarterly is the most common cadence for organizations with stable training programs, but monthly reporting may be appropriate during the first year of a new program or after significant changes to training content.
  3. Aggregate results by type. Separate general awareness training results from role-based training results. Aggregated pass/fail rates, completion percentages, and trend data over time are more useful than raw individual scores. Flag any personnel in critical roles who failed or did not complete training.
  4. Build a feedback delivery mechanism. This can be a recurring report, a dashboard with scheduled distribution, or a standing agenda item in a governance meeting. The key is that you can document and trace every delivery. In practice, email distribution with read receipts, meeting minutes with attendance records, or a ticketing system entry all work as evidence.
  5. Document the process. Your security plan should describe the feedback workflow end-to-end, from data collection through delivery. Include the defined frequency, recipient list, report format, and escalation path for critical failures.
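The aggregation, flagging and traceable-delivery steps above can be turned into a small script. The following Python is an added example written for this page; it is not code from the page, from any LMS vendor, or from NIST. The people, departments, statuses, recipient names and the reporting period are constructed sample data, and the choice to tie the delivery record to a SHA-256 digest of the report body is an assumption about how to make each delivery traceable.

```python
# Added example (not from the page or from NIST): aggregate training results by
# type, flag critical-role gaps, and emit a traceable delivery record.
# All names, roles, statuses and recipients below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class TrainingResult:
    person: str
    department: str
    training_type: str   # "awareness" or "role-based"
    critical_role: bool
    status: str          # "passed", "failed" or "incomplete"


SAMPLE_RESULTS = [  # constructed sample data, one row per training assignment
    TrainingResult("alice", "finance", "awareness", False, "passed"),
    TrainingResult("bob", "finance", "awareness", False, "failed"),
    TrainingResult("carol", "platform", "awareness", True, "passed"),
    TrainingResult("carol", "platform", "role-based", True, "failed"),
    TrainingResult("dave", "platform", "role-based", True, "incomplete"),
    TrainingResult("erin", "hr", "awareness", False, "incomplete"),
    TrainingResult("frank", "platform", "role-based", True, "passed"),
]


def aggregate_by_type(results):
    """Per-type completion and pass rates; aggregates only, no individual scores."""
    buckets = defaultdict(lambda: {"assigned": 0, "completed": 0, "passed": 0})
    for r in results:
        b = buckets[r.training_type]
        b["assigned"] += 1
        if r.status in ("passed", "failed"):
            b["completed"] += 1      # an assessment was actually taken
        if r.status == "passed":
            b["passed"] += 1
    summary = {}
    for ttype, b in sorted(buckets.items()):
        summary[ttype] = {
            **b,
            "completion_rate": round(b["completed"] / b["assigned"], 2),
            # pass rate among those who took the assessment, not among all assigned
            "pass_rate": round(b["passed"] / b["completed"], 2) if b["completed"] else 0.0,
        }
    return summary


def flag_critical_role_gaps(results):
    """Critical-role personnel who failed or did not complete an assignment."""
    return sorted(
        (r.person, r.training_type, r.status)
        for r in results
        if r.critical_role and r.status != "passed"
    )


def build_delivery_record(results, recipients, period, delivered_at):
    """Package the feedback and return an evidence record for one delivery.

    recipients: named individuals with their role, not a generic alias.
    The report digest ties this record to the exact content that was sent.
    """
    if not recipients:
        raise ValueError("feedback must be routed to designated individuals")
    gaps = flag_critical_role_gaps(results)
    report = {"period": period, "summary": aggregate_by_type(results),
              "critical_role_gaps": gaps}
    body = json.dumps(report, sort_keys=True).encode()
    return {
        "period": period,
        "delivered_at": delivered_at.isoformat(),
        "recipients": sorted(f"{r['name']} ({r['role']})" for r in recipients),
        "report_sha256": hashlib.sha256(body).hexdigest(),
        "escalation_required": bool(gaps),   # a trigger for action, not a broadcast
    }


def example_record():
    """Delivery record for the constructed sample period (hypothetical recipients)."""
    return build_delivery_record(
        SAMPLE_RESULTS,
        [{"name": "J. Doe", "role": "CISO"},
         {"name": "R. Roe", "role": "Training coordinator"}],
        "2024-Q2",
        datetime(2024, 7, 8, 9, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    print(json.dumps(example_record(), indent=2))
```

The delivery record, not the dashboard, is the evidence an assessor will ask for: it names the individuals who received the report, when, and a digest that pins down which version of the report they received. Because critical-role gaps are computed inside the same function, the record also carries the escalation flag that turns feedback into a trigger for action.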

Where most programs fall short is in the details of delivery. Common mistakes include relying on ad-hoc verbal updates that leave no evidence trail, reporting only completion rates without failure analysis, and failing to update recipient lists when personnel change roles. Another frequent gap is treating feedback as a one-way broadcast rather than a trigger for action when results show patterns of concern.

For your vendors

When assessing whether a vendor has implemented AT-06, you need to verify that training results actually reach decision-makers, not just that training exists.

Questionnaire questions to include

  • Do you provide structured feedback on security training results to designated management personnel?
  • What is the defined frequency for training feedback delivery?
  • Who receives training feedback reports, and how are those recipients documented?
  • How do you track and escalate training failures for personnel in critical roles?

Evidence to request

  • A sample training feedback report (redacted as needed) showing aggregated results by training type
  • The section of their security awareness and training policy that defines feedback recipients and frequency
  • Meeting minutes or distribution logs showing feedback was delivered on the documented schedule
  • Escalation log entries for critical-role training failures, if applicable

Red flags to watch for

  • The vendor can show training completion data but has no process for routing results to management
  • The vendor has not documented feedback recipients, or has not updated the recipient list in over a year
  • The vendor describes training feedback as “available on request” rather than proactively delivering it on a schedule
  • The vendor cannot produce feedback reports from at least two consecutive reporting periods

In practice, verifying delivery means going beyond self-attestation. Ask for timestamps on feedback reports and cross-reference them against the stated delivery frequency. A vendor claiming quarterly feedback should be able to produce reports from at least the last two consecutive quarters.
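The timestamp cross-check just described can be scripted so that it is applied the same way to every vendor. The following Python is an added example written for this page, not code from the page or from any assessment tool. The three vendors, their report dates and the assessment date are constructed; the period lengths (31 days monthly, 92 days quarterly) and the 14-day grace window are assumptions that a reviewer would set to match the vendor's documented schedule.

```python
# Added example (not from the page or from NIST): cross-reference the dates on a
# vendor's feedback reports against the delivery cadence the vendor claims.
from datetime import date, timedelta

# Assumed upper bound, in days, on one reporting period for each claimed cadence.
PERIOD_DAYS = {"monthly": 31, "quarterly": 92}
GRACE_DAYS = 14   # assumed slack for a report that is issued a little late


def check_feedback_cadence(report_dates, claimed_frequency, as_of, grace_days=GRACE_DAYS):
    """Return findings on whether the dated reports support the claimed cadence."""
    if claimed_frequency not in PERIOD_DAYS:
        raise ValueError(f"unknown cadence: {claimed_frequency}")
    max_gap = timedelta(days=PERIOD_DAYS[claimed_frequency] + grace_days)
    dates = sorted(set(report_dates))

    # every gap between consecutive reports that exceeds one period plus grace
    violations = [
        (prev.isoformat(), cur.isoformat(), (cur - prev).days)
        for prev, cur in zip(dates, dates[1:])
        if cur - prev > max_gap
    ]

    # how many reports, counting back from the latest one, arrived on schedule
    consecutive = 1 if dates else 0
    for i in range(len(dates) - 1, 0, -1):
        if dates[i] - dates[i - 1] > max_gap:
            break
        consecutive += 1

    # a feedback loop that stopped before the assessment date is not a live loop
    stale = bool(dates) and (as_of - dates[-1]) > max_gap
    return {
        "reports": len(dates),
        "consecutive_on_schedule": consecutive,
        "gap_violations": violations,
        "latest_is_stale": stale,
        # the bar from the text: at least two consecutive periods, and still running
        "meets_claim": consecutive >= 2 and not stale,
    }


# Constructed sample evidence for three hypothetical vendors.
AS_OF = date(2024, 8, 1)
VENDOR_REPORTS = {
    "vendor_a": ("quarterly", [date(2024, 1, 15), date(2024, 4, 12), date(2024, 7, 10)]),
    "vendor_b": ("quarterly", [date(2023, 11, 1), date(2024, 6, 20)]),
    "vendor_c": ("monthly", [date(2024, 3, 1)]),
}


def assess_all(vendors=VENDOR_REPORTS, as_of=AS_OF):
    """Run the cadence check for every vendor and return the findings by name."""
    return {name: check_feedback_cadence(dates, freq, as_of)
            for name, (freq, dates) in vendors.items()}


if __name__ == "__main__":
    for name, finding in assess_all().items():
        verdict = "meets claim" if finding["meets_claim"] else "does not meet claim"
        print(f"{name}: {verdict} {finding}")
```

In the constructed data, vendor_a produces three quarterly reports roughly 90 days apart and passes; vendor_b has a seven-month hole between reports, so only the latest report counts as on schedule and the claim fails; vendor_c claims monthly feedback but its only report is five months old, so the loop is flagged as stale. The check is deliberately conservative: it never upgrades a vendor's claim, it only tests whether the dated artifacts are consistent with it.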

Where a vendor claims to be building a security-first culture, feedback loops should be a visible part of their evidence.

Evidence examples

The NIST SP 800-53 assessment process for AT-06 focuses on verifiable delivery of training feedback. The following artifacts demonstrate compliance with the control’s assessment objectives.

  • Policy documentation: Security awareness and training policy defining feedback recipients, delivery frequency, and escalation procedures
  • Training results report: Aggregated quarterly training feedback report showing pass/fail rates by training type and role category
  • Distribution confirmation: Email distribution logs or meeting minutes confirming the organization delivered feedback to designated personnel on schedule
  • Escalation actions: Escalation log entries documenting corrective actions initiated when critical-role personnel failed or missed training assessments
  • Security plan reference: Security plan section describing the training feedback workflow, recipient assignments, and frequency
  • Role-based training data: Role-based training completion and failure data segmented by department and critical-role designation

Cross-framework mapping

The NIST SP 800-53 catalog lists no formal related controls for AT-06, so there is no direct cross-framework mapping to present here. The supplemental guidance does note operational connections within the Awareness and Training family, and several other controls depend on the same training program governance.

  • AT-1 — Policy and Procedures: establishes the organizational policy framework that defines how training feedback is documented, delivered, and maintained
  • AT-2 — Literacy Training and Awareness: AT-06 provides the feedback data needed to evaluate and update awareness training content and delivery cycles
  • AT-3 — Role-Based Training: AT-06 delivers role-based training effectiveness results to designated management personnel, enabling course corrections
  • AT-4 — Training Records: supplies the raw training completion and assessment data that AT-06 aggregates into structured feedback for leadership
  • PM-13 — Security and Privacy Workforce: depends on training feedback to identify workforce capability gaps and inform hiring or retraining decisions

Frequently asked questions

What is NIST SP 800-53 AT-06?

AT-06 is a NIST SP 800-53 Revision 5 control that requires organizations to provide feedback on security training results to designated personnel at a defined frequency. The control covers both general awareness training results and role-based training results. Its purpose is to ensure decision-makers have visibility into training effectiveness, particularly when personnel in critical roles fail assessments.

What happens if AT-06 is not implemented?

Without AT-06, your organization loses the feedback loop between training execution and training governance. Training failures among critical-role personnel go undetected by senior management, removing the trigger for corrective action. During a NIST SP 800-53 assessment, missing feedback delivery evidence generates findings that can delay or block system authorization.

How do you audit AT-06?

Auditing AT-06 starts with verifying that the organization has documented the feedback frequency and the specific personnel designated to receive training results. Assessors then examine training feedback reports, distribution logs, and escalation records for critical-role failures to confirm delivery occurred on the documented cadence. The assessment objective focuses on whether feedback actually reached the defined recipients at the defined intervals, not just whether a training program exists.

How often should training feedback be provided?

NIST SP 800-53 does not prescribe a specific frequency for AT-06. The control assigns the organization responsibility for defining the cadence that fits its risk environment. Quarterly delivery is the most common choice for mature programs, while monthly reporting is appropriate during program rollouts or after significant training content changes.
