FedRAMP Controls / AT
AT-2 Literacy Training and Awareness
Family AT
Baselines moderate
Mapped KSIs 2
Control statement
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and
2. When required by system changes or following {{ insert: param, at-2_prm_2 }};
b. Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};
c. Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }} ; and
d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques. Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-CED-01 | General Training _Persistently_ review the effectiveness of training given to all employees on policies, procedures, and security-related topics. | Cybersecurity Education |
| KSI-CED-02 | Role-Specific Training _Persistently_ review the effectiveness of role-specific training given to employees in high risk roles, including at least roles with privileged access. | Cybersecurity Education |