AT: Awareness And Training
Controls
AT-1: Security Awareness And Training Policy And Procedures
Baseline(s):
- Low
- Moderate
- High
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  - A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
- Reviews and…
AT-2: Security Awareness Training
Baseline(s):
- Low
- Moderate
- High
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
- As part of initial training for new users;
- When required by information system changes; and
- [Assignment: organization-defined frequency] thereafter.
AT-3: Role-Based Security Training
Baseline(s):
- Low
- Moderate
- High
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
- Before authorizing access to the information system or performing assigned duties;
- When required by information system changes; and
- [Assignment: organization-defined frequency] thereafter.
AT-4: Security Training Records
Baseline(s):
- Low
- Moderate
- High
The organization:
- Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
- Retains individual training records for [Assignment: organization-defined time period].