Description
The organization identifies personnel that have significant information system security roles and responsibilities during the system development life cycle, documents those roles and responsibilities, and provides appropriate information system security training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance
The organization determines the appropriate content of security training based on the specific requirements of the organization and the information systems to which personnel have authorized access. In addition, the organization provides system managers, system and network administrators, and other personnel having access to system-level software, adequate technical training to perform their assigned duties. The organization’s security training program is consistent with the requirements contained in C.F.R. Part 5 Subpart C (5 C.F.R 930.301) and with the guidance in NIST Special Publication 800-50.
Changes from Rev 4
Title changed from 'Role-Based Security Training' Adds privacy to control text, to imply training includes privacy, as well as security; adds text to incorporate lessons learned from internal or external security or privacy incidents into training Adds parameter requiring role-based security and privacy training for personnel with specific roles and responsibilities Adds new control text with a parameter to update role-based training at a specific frequency Discussion adds examples of personnel to be trained as well as events that may precipitate an update to role-based training Incorporates role-based training elements of withdrawn App J control AR-05
Enhancements
(0) None.