Organizational Control: Role-based Security Training

Control ID: AT-3 Role-based Security Training
Family: Awareness and Training
Source: NIST 800-53r4
Control: The organization provides role-based security training to personnel with assigned security roles and responsibilities:
  1. Before authorizing access to the information system or performing assigned duties;
  2. When required by information system changes; and
  3. [Assignment: organization-defined frequency] thereafter.
Supplemental Guidance:
Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include, for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

Related Controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16
Control Enhancements: N/A
References: C.F.R. Part 5 Subpart C (5 C.F.R. 930.301); NIST Special Publications 800-16, 800-50.
Mechanisms:
Protocol Implementation Conformance Statements: N/A