OpenStack Platform 13 - Awareness and Training

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control     Name                                                         Status
AT-1        Security Awareness And Training Policy And Procedures        not applicable
AT-2        Security Awareness Training                                  not applicable
AT-2 (1)    Practical Exercises                                          not applicable
AT-2 (2)    Insider Threat                                               not applicable
AT-3        Role-Based Security Training                                 not applicable
AT-3 (1)    Environmental Controls                                       not applicable
AT-3 (2)    Physical Security Controls                                   not applicable
AT-3 (3)    Practical Exercises                                          not applicable
AT-3 (4)    Suspicious Communications And Anomalous System Behavior      not applicable
AT-4        Security Training Records                                    not applicable
AT-5        Contacts With Security Groups And Associations               not applicable




AT-1: Security Awareness And Training Policy And Procedures

The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
   1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and
b. Reviews and updates the current:
   1. Security awareness and training policy [Assignment: organization-defined frequency]; and
   2. Security awareness and training procedures [Assignment: organization-defined frequency].

AT-1 Control Response Information
Implementation Status:

not applicable

AT-1: What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-2: Security Awareness Training

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

AT-2 Control Response Information
Implementation Status:

not applicable

AT-2: What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-2 (1): Practical Exercises

“The organization includes practical exercises in security awareness training that simulate actual cyber attacks.”

AT-2 (1) Control Response Information
Implementation Status:

not applicable

AT-2 (1): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-2 (2): Insider Threat

“The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.”

AT-2 (2) Control Response Information
Implementation Status:

not applicable

AT-2 (2): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-3: Role-Based Security Training

The organization provides role-based security training to personnel with assigned security roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.

AT-3 Control Response Information
Implementation Status:

not applicable

AT-3: What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-3 (1): Environmental Controls

“The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.”

AT-3 (1) Control Response Information
Implementation Status:

not applicable

AT-3 (1): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-3 (2): Physical Security Controls

“The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.”

AT-3 (2) Control Response Information
Implementation Status:

not applicable

AT-3 (2): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-3 (3): Practical Exercises

“The organization includes practical exercises in security training that reinforce training objectives.”

AT-3 (3) Control Response Information
Implementation Status:

not applicable

AT-3 (3): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-3 (4): Suspicious Communications And Anomalous System Behavior

“The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.”

AT-3 (4) Control Response Information
Implementation Status:

not applicable

AT-3 (4): What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-4: Security Training Records

The organization:
a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
b. Retains individual training records for [Assignment: organization-defined time period].

AT-4 Control Response Information
Implementation Status:

not applicable

AT-4: What is the solution and how is it implemented?

‘This control reflects organizational procedure/policy and is not applicable to component-level configuration.’




AT-5: Contacts With Security Groups And Associations

“[Withdrawn: Incorporated into PM-15].”

AT-5 Control Response Information
Implementation Status:

not applicable

AT-5: What is the solution and how is it implemented?

‘As of NIST 800-53 rev4 this control was withdrawn and incorporated into PM-15.’