NIST 800-53 r5 · Controls catalogue · Family AT
AT-2 Literacy Training and Awareness
- Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
  - As part of initial training for new users and {{ insert: param, at-2_prm_1 }} thereafter; and
  - When required by system changes or following {{ insert: param, at-2_prm_2 }};
- Employ the following techniques to increase the security and privacy awareness of system users {{ insert: param, at-02_odp.05 }};
- Update literacy training and awareness content {{ insert: param, at-02_odp.06 }} and following {{ insert: param, at-02_odp.07 }}; and
- Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-352 | Cross-Site Request Forgery (CSRF) | 10,337 | Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Literacy training teaches users to recognize and avoid actions that result in unauthorized exposure of sensitive information. |
| CWE-284 | Improper Access Control | 4,832 | Training covers access control policies and the consequences of improper access grants or usage by users. |
| CWE-287 | Improper Authentication | 4,730 | Security awareness training instructs users on secure authentication practices and avoiding credential compromise. |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 1,728 | Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites. |
| CWE-522 | Insufficiently Protected Credentials | 1,518 | Training instructs users on protecting credentials from disclosure or unauthorized access. |
| CWE-290 | Authentication Bypass by Spoofing | 631 | Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Privacy literacy training directly targets preventing exposure of personal information through user mishandling. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet (the per-CVE backfill is in progress). | | | | |