September 20, 2023 2 min read

NIST SP 800-53 AT-1 Awareness and Training Policy and Procedures | Download Template Today

AT-1 is titled "Awareness and Training Policy and Procedures" and serves as the foundational control for the entire AT family. It requires organizations to develop, disseminate, and periodically review and update an awareness and training policy and associated procedures that address the following:

  • Security Roles and Responsibilities: Clearly defining the security roles and responsibilities of individuals within the organization to ensure everyone understands their duties related to information security.
  • Security Awareness Training: Establishing a program for providing security awareness training to personnel. This training helps employees understand various security risks, threats, and best practices to protect sensitive information and information systems.
  • Security Training for New Employees: Ensuring that security training is provided to new employees at the time of hiring or before granting them access to information systems.
  • Security Training for Existing Employees: Providing periodic security training for existing employees to reinforce their knowledge and update them on new threats and security measures.
  • Training for Specialized Roles: Providing specialized security training to personnel with specific security-related roles, such as system administrators, security officers, and network administrators.
  • Training Records: Maintaining records of security training activities, including attendance and completion certificates, to demonstrate compliance with the organization's training program.
  • Training Effectiveness: Evaluating the effectiveness of the training program periodically to ensure it is meeting its objectives and making necessary improvements if needed.

The goal of AT-1 is to ensure that personnel are aware of their roles in safeguarding information and understand the organization's security policies and procedures. By providing regular training and promoting security awareness, organizations can reduce the risk of human-related security incidents and improve the overall security posture.

Reporting Requirements

Specifically, Per AT-1 of NIST SP 800-53, organizations are to “Develop, document, and disseminate…” an awareness and training policy and procedures document. The keyword here is “document”, which means you need a policy and procedure for AT-1.

How to Get Started

Start by downloading our world-class NIST RMF Security and Privacy Policies and Procedures templates at the Arlington Security Portal (ASP), which includes access to our awareness and training policy and procedures template, and our NIST RMF developed awareness and training toolkit. 

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at