03.02.02: Role-Based Training

Control Family: Awareness and Training

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-161 [33]

  • SP 800-181 [34]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.02.02

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5 AT-03

a. Provide role-based security training to organizational personnel:

1. Before authorizing access to the system or CUI, before performing assigned duties, and [Assignment: organization-defined frequency] thereafter

2. When required by system changes or following [Assignment: organization-defined events].

b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

Discussion:

Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, software developers, systems integrators, acquisition/procurement officials, system and network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and personnel with access to system-level software with security-related technical training specifically tailored for their assigned duties.

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities that cover physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.

Assessment Methods and Objectives

Examine [SELECT FROM: security awareness and training policy and procedures; procedures for security training implementation; codes of federal regulations; security training curriculum; security training materials; training records; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with responsibilities for role-based security training; personnel with assigned system security roles and responsibilities]

Test [SELECT FROM: mechanisms for managing role-based security training and awareness]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.02.02.ODP[01]: the frequency at which to provide role-based security training to assigned personnel after initial training is defined.

A.03.02.02.ODP[02]: events that require role-based security training are defined.

A.03.02.02.ODP[03]: the frequency at which to update role-based security training content is defined.

A.03.02.02.ODP[04]: events that require role-based security training content updates are defined.

A.03.02.02.a.01[01]: role-based security training is provided to organizational personnel before authorizing access to the system or CUI.

A.03.02.02.a.01[02]: role-based security training is provided to organizational personnel before performing assigned duties.

A.03.02.02.a.01[03]: role-based security training is provided to organizational personnel <A.03.02.02.ODP[01]: frequency> after initial training.

A.03.02.02.a.02: role-based security training is provided to organizational personnel when required by system changes or following <A.03.02.02.ODP[02]: events>.

A.03.02.02.b[01]: role-based security training content is updated <A.03.02.02.ODP[03]: frequency>.

A.03.02.02.b[02]: role-based security training content is updated following <A.03.02.02.ODP[04]: events>.