NIST 800-53 r5 · Controls catalogue · Family AT
AT-4 Training Records
- Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
- Retain individual training records for {{ insert: param, at-04_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (4) [AI]
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Retaining and monitoring training records confirms personnel have completed privacy and security awareness training on handling sensitive data, reducing the chance of unauthorized exposure due to lack of knowledge. |
| CWE-284 | Improper Access Control | 4,832 | Documenting role-based training completion allows verification that only trained individuals receive or retain access, making improper access control harder to exploit through untrained personnel. |
| CWE-522 | Insufficiently Protected Credentials | 1,518 | Training records for security awareness and role-based training verify education on credential protection practices, tangibly reducing risks from mishandling or exposing credentials. |
| CWE-285 | Improper Authorization | 1,230 | Monitoring training records supports enforcement of authorization rules by ensuring staff understand and follow authorization procedures before performing actions. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |