myctrl.tools

AT-3(3) Practical Exercises

>Control Description

Provide practical exercises in security and privacy training that reinforce training objectives.

>Cross-Framework Mappings

>Supplemental Guidance

Practical exercises for security include training for software developers that addresses simulated attacks that exploit common software vulnerabilities or spear or whale phishing attacks targeted at senior leaders or executives. Practical exercises for privacy include modules with quizzes on identifying and processing personally identifiable information in various scenarios or scenarios on conducting privacy impact assessments.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of AT-3(3) (Practical Exercises)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring AT-3(3)?
  • How frequently is the AT-3(3) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to AT-3(3)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce AT-3(3) requirements.
  • What automated tools, systems, or technologies are deployed to implement AT-3(3)?
  • How is AT-3(3) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce AT-3(3) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of AT-3(3)?
  • What audit logs, records, reports, or monitoring data validate AT-3(3) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of AT-3(3) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate AT-3(3) compliance?
