CMMC Practice AT.L2-3.2.2 – Role-Based Training: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This security training from the HHS is an example of requirements and guidance to provide appropriate role-based security training. This blog discusses security awareness best practices and references other awareness training topics The purpose of this example procedure from the EPA is to help with implementing the security control requirements for the Awareness and Training (AT) control family. KnowBe4 is a large security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. This publication provides guidance for federal agencies and organizations to develop and manage a life cycle approach to building a Cybersecurity and Privacy Learning Program (CPLP). This guide focuses on organizational security awareness, security awareness content, and it provides a security awareness training checklist. Proofpoint Security Awareness Training is offering a free Phishing Awareness Kit. This kit gives you the tools you need to engage your users and turn them into a strong line of defense against phishing attacks and other cyber threats. This SANS whitepaper describes how to successfully implement a comprehensive Security Training, Awareness, and Education program. This course introduces the threats and vulnerabilities faced when working within the government or defense industrial systems. The NICCS Education and Training Catalog is a central location where cybersecurity professionals across the nation can find over 3,000 cybersecurity-related courses. This document is an example of an Acceptable Use for System Administrators Policy from the University of Arizona. This resource provides general awareness and role-based information security training documents.
Discussion [NIST SP 800-171 R2]
Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties.
Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.
NIST SP 800-181 provides guidance on role-based information security training in the workplace. SP 800-161 provides guidance on supply chain risk management.
Further Discussion
Training imparts skills and knowledge to enable staff to perform a specific job function. Training should be available to all employees for all organizational roles to accommodate role changes without being constrained by the training schedule. Awareness training and role-based training are different. Awareness training provides general security training to influence user behavior and is covered by AT.L2-3.2.1. This practice, AT.L2-3.2.2, covers role based training that focuses on the knowledge, skills, and abilities needed to complete a specific job. Role-based training may include awareness topics specific to individual roles such as ensuring systems administrators understand the risk associated with using an administrative account.