3.2 AT

The document is 489 paragraphs across seven sections. Here is what each section contains and what makes this page particularly important despite the AT family having only three controls.


What makes this page different from AC

The AT family contains the smallest control count in NIST 800-171 — three controls — but it is consistently one of the most commonly failed families in first-time CMMC assessments. The failure mode is almost never absence of a training programme; it is absence of evidence that the programme covers the right content, reaches the right people, and is actually effective. The document is structured accordingly, with more space on programme design and evidence design than on the controls themselves.

Section 0 — ISO 27001 clause context opens with a comparison table you will not find in most compliance documents: the precise distinction between clause 7.2 (Competence) and clause 7.3 (Awareness). These two clauses are frequently conflated — organisations produce a training completion report and assume it covers both. A completion report covers only 7.3. Clause 7.2 requires individual competency records with effectiveness assessment for named security roles. The CISO must have a certification or documented competency assessment on file, not just a training completion record. This distinction is where ISO 27001 surveillance audits generate clause 7.2 findings even in mature ISMS programmes.

Section 2 — The role-specific training matrix is the centrepiece of the document. It covers ten role categories from CISO to third-party contractors, with specific training modules, frequency requirements, and competency standards for each. This table is what a C3PAO assessor will compare against EV-B06 records. If the matrix says system administrators must complete PAM platform training on appointment, the assessor will check whether the records show this happened for every administrator appointed in the past assessment period.
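The reconciliation an assessor performs against the matrix can be run internally before the assessment. The following is an added example, not code from the AT document or the ISMS space; the matrix contents, the 30-day grace window for "on appointment" modules, and the personnel records are all constructed assumptions.

```python
# Added example, not from the AT document: reconcile training records against
# the role-specific matrix the way an assessor checks EV-B06 evidence.
from dataclasses import dataclass, field
from datetime import date, timedelta
# Hypothetical matrix: role -> {module: trigger}. "appointment" = complete within
# GRACE_DAYS of appointment; "annual" = within 365 days before the period closes.
MATRIX = {
    "system_administrator": {"PAM platform training": "appointment",
                             "security awareness": "annual", "insider threat": "annual"},
    "all_staff": {"security awareness": "annual", "insider threat": "annual"},
}
GRACE_DAYS = 30  # assumed grace window; the page says only "on appointment"

@dataclass
class Person:
    name: str
    role: str
    appointed: date
    completions: dict = field(default_factory=dict)  # module -> date completed

def training_gaps(people, period_start, period_end, matrix=MATRIX):
    """Return (name, module, reason) for every missing or late completion."""
    gaps = []
    for p in people:
        for module, trigger in matrix.get(p.role, {}).items():
            done = p.completions.get(module)
            if trigger == "appointment":
                if not (period_start <= p.appointed <= period_end):
                    continue  # appointed outside the assessment period
                deadline = p.appointed + timedelta(days=GRACE_DAYS)
                if done is None:
                    gaps.append((p.name, module, "no record"))
                elif done > deadline:
                    gaps.append((p.name, module, f"late: {done} > {deadline}"))
            elif done is None or done < period_end - timedelta(days=365):
                gaps.append((p.name, module, "not completed in last 365 days"))
    return gaps

# Constructed sample records (not real personnel data).
PEOPLE = [
    Person("alice", "system_administrator", date(2024, 3, 1),
           {"PAM platform training": date(2024, 3, 10), "security awareness": date(2024, 9, 1),
            "insider threat": date(2024, 9, 1)}),
    Person("bob", "system_administrator", date(2024, 6, 15),
           {"security awareness": date(2024, 9, 1), "insider threat": date(2024, 9, 1)}),
    Person("carol", "all_staff", date(2021, 1, 4), {"security awareness": date(2023, 5, 2)}),
]

def sample_gaps():
    return training_gaps(PEOPLE, date(2024, 1, 1), date(2024, 12, 31))
```

Each tuple returned is an evidence gap the assessor would raise; an empty list for the period means the records support every row of the matrix.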

Section 3 — Training programme design contains two elements that rarely appear in compliance documentation but are the most operationally useful: an annual training calendar with month-by-month actions and owners, and the phishing simulation programme design. The phishing simulation section makes a point worth reiterating: results must not be used for individual disciplinary action, and this must be stated in the HR Security Policy. Organisations that use simulation results punitively damage their reporting culture and undermine the awareness programme's effectiveness — the opposite of what 3.2.1 requires.

Section 6 — Common findings is the section your team should read before every external assessment. The six findings listed are drawn from the pattern of AT family failures in CMMC Level 2 and ISO 27001 assessments. The most reliably damaging is the third one — insider threat training that is "included in" general awareness training but cannot be produced as a distinct, identifiable module. Control 3.2.3 specifically requires insider threat training, and assessors will ask to see the content. Burying two slides on insider risk within a 60-slide awareness deck and calling it complete fails the specificity test.


Linking this page to the rest of the ISMS space

The AT-AT page should carry four active cross-links in Confluence. Link to the HR Security Policy (the policy that governs training obligations, the no-blame reporting culture, and the disciplinary framework for non-compliance); the Training and Awareness page in the User Guidance Hub (the all-staff visible page with the LMS link and completion deadline); the AT-AC page (because the access control provisioning process must include training completion as a gate); and the AT-CA page (Security Assessment, which requires the training programme to be included in the security assessment scope under control 3.12.1). The AT family does not exist in isolation — it is the mechanism through which every other control family's human requirements are delivered.