NIST 800-53 REV 5 • AWARENESS AND TRAINING

AT-4 Training Records

a. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
b. Retain individual training records for {{ insert: param, at-04_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.

Practitioner Notes

Keep records of all security training — who completed what, when, and whether they passed. Training records are one of the first things an auditor will ask for.

Example 1: Use your training platform (KnowBe4, the LMS, or even a SharePoint list) to track completion. Maintain records including: employee name, training title, completion date, score or pass/fail status, and the next required training date. Retain records for at least 3 years (or as required by your contract).

Example 2: Create a monthly training compliance report that shows completion rates by department. Send it to department managers with a list of their non-compliant employees. Escalate to the department head after 30 days of non-compliance and to the CISO after 60 days. Include training compliance as a metric in management reviews.
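The record fields from Example 1 and the 30/60-day escalation rule from Example 2, as an added example that is not part of the control text or the original notes. The record layout, the sample employees and the report date are constructed assumptions; the tier numbers (1 = manager list, 2 = department head, 3 = CISO) are the escalation steps described above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class TrainingRecord:
    # Fields from Example 1: who, which course, completion, result, next due date.
    employee: str
    department: str
    title: str
    completed: Optional[date]   # None if the employee never completed it
    passed: bool
    next_due: date

def escalation_tier(rec: TrainingRecord, today: date) -> int:
    """0 = compliant; 1 = on the manager's non-compliance list;
    2 = escalate to department head (>30 days overdue);
    3 = escalate to CISO (>60 days overdue)."""
    if rec.completed is not None and rec.passed and today <= rec.next_due:
        return 0
    overdue_days = (today - rec.next_due).days
    if overdue_days > 60:
        return 3
    if overdue_days > 30:
        return 2
    return 1

def department_report(records: List[TrainingRecord], today: date) -> Dict[str, dict]:
    """Monthly report: completion rate per department plus the escalation list
    a manager would receive (employee, training title, tier)."""
    report: Dict[str, dict] = {}
    for rec in records:
        entry = report.setdefault(rec.department,
                                  {"total": 0, "compliant": 0, "escalations": []})
        entry["total"] += 1
        tier = escalation_tier(rec, today)
        if tier == 0:
            entry["compliant"] += 1
        else:
            entry["escalations"].append((rec.employee, rec.title, tier))
    for entry in report.values():
        entry["rate"] = round(100 * entry["compliant"] / entry["total"], 1)
    return report

# Constructed sample records and report date (not real data).
REPORT_DATE = date(2024, 7, 1)
SAMPLE_RECORDS = [
    TrainingRecord("alice", "Engineering", "Security Awareness", date(2024, 1, 15), True, date(2025, 1, 15)),
    TrainingRecord("bob", "Engineering", "Security Awareness", None, False, date(2024, 6, 15)),
    TrainingRecord("carol", "Finance", "Security Awareness", date(2023, 4, 1), True, date(2024, 4, 1)),
    TrainingRecord("dave", "Finance", "Phishing Response", date(2024, 5, 20), False, date(2024, 5, 20)),
    TrainingRecord("erin", "Finance", "Security Awareness", date(2024, 6, 1), True, date(2025, 6, 1)),
]
```

Running `department_report(SAMPLE_RECORDS, REPORT_DATE)` gives the per-department rates and escalation lists; the same structure can be filled from an LMS or SharePoint export.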