Catalog: SP800-53rev3 / Class: Operational / Family: (AT) Awareness and Training


AT-03: Security Training

base control objective:
The organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.

supplemental objective information:
The organization determines the appropriate content of security training based on assigned roles and responsibilities and the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides system managers, system and network administrators, and other personnel having access to system-level software, adequate security-related technical training to perform their assigned duties. Organizational security training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. The organization also provides the training necessary for these individuals to carry out their responsibilities related to operations security within the context of the organization’s information security program.

enhancements to the base objective:

(1) The organization provides employees with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.

Enhancement Supplemental Guidance: Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility.

(2) The organization provides employees with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

Enhancement Supplemental Guidance: Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring and surveillance equipment, and security guards (deployment and operating procedures).

mapping to FIPS199 baseline:

LOW: base    MOD: base    HIGH: base

related (regimented) controls:

SA-03   Life Cycle Support

documents referenced in SP800-53rev3 for AT-03:

Document        Date            Status    Title
NIST SP800-16   March 2009      DRAFT     Information Technology Security Training Requirements: A Role- and Performance-Based Model
NIST SP800-40   November 2005   current   Creating a Patch and Vulnerability Management Program
NIST SP800-50   October 2003    current   Building an Information Technology Security Awareness and Training Program
NIST SP800-66   October 2008    current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
