AT-02 Literacy Training and Awareness
a. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
1. As part of initial training for new users and at-2_prm_1 thereafter; and
2. When required by system changes or following at-2_prm_2;
b. Employ the following techniques to increase the security and privacy awareness of system users at-02_odp.05;
c. Update literacy training and awareness content at-02_odp.06 and following at-02_odp.07; and
d. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.
Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in [AT-2a.1](#at-2_smt.a.1) is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- SP 800-50 Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50.
- SP 800-160-2 Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2.
- SP 800-181 Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1.
- ODNI CTF Office of the Director of National Intelligence (ODNI) Cyber Threat Framework.
Control Enhancements 6
- AT-02(01) Practical Exercises
- AT-02(02) Insider Threat
- AT-02(03) Social Engineering and Mining
- AT-02(04) Suspicious Communications and Anomalous System Behavior
- AT-02(05) Advanced Persistent Threat
- AT-02(06) Cyber Threat Environment
Related controls 17
- AC-03 Access Enforcement
- AC-17 Remote Access
- AC-22 Publicly Accessible Content
- AT-03 Role-based Training
- AT-04 Training Records
- CP-03 Contingency Training
- IA-04 Identifier Management
- IR-02 Incident Response Training
- IR-07 Incident Response Assistance
- IR-09 Information Spillage Response
- PL-04 Rules of Behavior
- PM-13 Security and Privacy Workforce
- PM-21 Accounting of Disclosures
- PS-07 External Personnel Security
- PT-02 Authority to Process Personally Identifiable Information
- SA-08 Security and Privacy Engineering Principles
- SA-16 Developer-provided Training