Description
The organization provides basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and [Assignment: organization-defined frequency, at least annually] thereafter.
Supplemental Guidance
The organization determines the appropriate content of security awareness training based on the specific requirements of the organization and the information systems to which personnel have authorized access. The organization’s security awareness program is consistent with the requirements contained in C.F.R. Part 5 Subpart C (5 C.F.R. 930.301) and with the guidance in NIST Special Publication 800-50.
Changes from Rev 4
Title changed from 'Security Awareness Training'. Control text extended to include techniques, updates to literacy training and awareness content, and lessons learned. Adds multiple parameters. Discussion adds examples of events that may precipitate an update to literacy training and awareness content. Incorporates awareness training elements of withdrawn App J control AR-5.
Enhancements
(0) None.