name: "AT-6_training-feedback"
description: "Provide feedback on organizational training results to the following personnel [organization-defined]: [organization-defined]."
category: "configuration"
version: "5.2.0"
author: "cyberstrike-official"
tags:
  - nist
  - sp800-53
  - rev5
  - at-6
  - at
tech_stack:
  - any
cwe_ids: []
chains_with: []
prerequisites: []
severity_boost: {}
AT-6 Training Feedback
High-Level Description
Family: Awareness and Training (AT)
Framework: NIST SP 800-53 Rev 5
Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-2b and AT-3b.
What to Check
- Verify AT-6 Training Feedback is documented in the SSP
- Confirm the control is operating effectively
- Review evidence of continuous monitoring for AT-6
How to Test
Step 1: Review Documentation
Examine the System Security Plan (SSP) and related artifacts for AT-6 implementation details. Verify the organization has documented how this control is satisfied.
Step 2: Validate Implementation
```bash
# For cloud environments, use cloud-audit-mcp tools
# For on-premises, review system configurations directly
# Example: Check if account management policies exist
grep -r "account.management\|access.control" /etc/security/ 2>/dev/null
```
Step 3: Test Operating Effectiveness
Verify the control is actively functioning, not just documented. Check logs, configurations, and operational evidence.
Tools
| Tool | Purpose | Usage |
|---|---|---|
| Manual Review | Documentation and interview-based | N/A |
Remediation Guide
Control Statement
Provide feedback on organizational training results to the following personnel [organization-defined]: [organization-defined].
Implementation Guidance
Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-2b and AT-3b.
Risk Assessment
| Finding | Severity | Impact |
|---|---|---|
| AT-6 Training Feedback not implemented | Medium | Awareness and Training |
| AT-6 partially implemented | Low | Incomplete Awareness and Training |
CWE Categories
| CWE ID | Title |
|---|---|
| N/A | No direct CWE mapping |
References
- NIST SP 800-53 Rev 5 - AT-6
- NIST SP 800-53A Rev 5 (Assessment Procedures)
- NIST SP 800-53 Rev 5 Full Catalog
Checklist
- Control documented in SSP
- Implementation evidence collected
- Operating effectiveness validated
- Continuous monitoring in place
- Related controls (none) reviewed