Description:  

Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals, the security requirements of the organization, and the systems to which personnel have authorized access. In addition, organizations provide security-related technical training, tailored to assigned duties, to personnel with access to system-level software, including system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, and security assessors.

Comprehensive role-based training addresses management, operational, and technical roles and responsibilities, covering physical, personnel, and technical controls. Such training can include the policies, procedures, tools, and artifacts for each defined security role. Organizations also provide the training individuals need to carry out their responsibilities for operations and supply chain security within the organizational information security program.

[SP 800-181] provides guidance on role-based information security training in the workplace. [SP 800-161] provides guidance on supply chain risk management.


Priority: High  


Category: Security Awareness Training 


Services Associated with AWS:  

  • AWS Identity and Access Management (IAM), AWS Security Hub, AWS Security Training and Certification


Objective Evidence:  

  • Administrative: documented policies, standards, and procedures
  • Administrative: supporting documentation of the professional competence of individual(s) performing security-relevant duties (for example, log reviews)
  • Administrative: supporting documentation that role-based security training has been performed


Possible Technology Considerations:

  • Learning Management System (LMS)
  • Human Resource Management System (HRMS) 


What needs to be answered:

Do employees receive security and policy training specific to their role? Does the training cover physical security as well as how to handle potentially suspicious email or web communications?


  • Implement Role-Based Information Security Training
    Description: This check ensures that personnel receive role-based information security training tailored to their assigned duties and responsibilities. The training covers management, operational, and technical roles and responsibilities, including physical, personnel, and technical controls. The content of the training includes the policies, procedures, tools, and artifacts relevant to the specific security roles defined.
  • Provide Technical Training for Security-Related Roles
    Description: This check verifies that individuals in security-related roles, such as system developers, security architects, system administrators, and security assessors, receive technical training specific to their assigned duties. The technical training equips them with the knowledge and skills needed to carry out their responsibilities effectively.
  • Include Operations and Supply Chain Security Training
    Description: This check ensures that personnel receive training related to operations and supply chain security within the context of the organizational information security program. The training covers the responsibilities and best practices for ensuring security throughout operational activities and the supply chain.


More Details:  

Employee training programs are in place for handling sensitive information, including CUI, in addition to general cybersecurity awareness training.