CMMC AT.2.057 - Provide Role-based Security Training

Requirement text: AT.2.057: Ensure that personnel are trained to carry out their assigned information
security-related duties and responsibilities.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizations determine the content and frequency of security training based on the
assigned duties, roles, and responsibilities of individuals and the security requirements of
organizations and the systems to which personnel have authorized access. In addition,
organizations provide system developers, enterprise architects, security architects,
acquisition/procurement officials, software developers, system developers, systems
integrators, system/network administrators, personnel conducting configuration
management and auditing activities, personnel performing independent verification and
validation, security assessors, and other personnel having access to system-level software,
security-related technical training specifically tailored for their assigned duties.

Comprehensive role-based training addresses management, operational, and technical roles
and responsibilities covering physical, personnel, and technical controls. Such training can
include policies, procedures, tools, and artifacts for the security roles defined. Organizations
also provide the training necessary for individuals to carry out their responsibilities related
to operations and supply chain security within the context of organizational information
security programs.

NIST SP 800-181 provides guidance on role-based information security training in the
workplace. SP 800-161 provides guidance on supply chain risk management.

CMMC CLARIFICATION
Training imparts skills and knowledge. It enables staff to perform a specific resilience
function. Training programs identify cybersecurity skill gaps within your organization.
Then, the programs train users on their specific cybersecurity roles and responsibilities.

There is an important distinction between awareness training and role-based training.
Awareness training provides general security training to influence user behavior.
Role-based training focuses on the knowledge, skills, and abilities needed to complete a
specific job.

Example
Your company upgraded the firewall to a newer, more advanced system. Your company
identified you as an employee who needs training on the device. This will enable you to use
it effectively. Your company considered this when it planned for the upgrade. It made
training funds available as part of the upgrade project.

References
• NIST SP 800-171 Rev 1 3.2.2
• CIS Controls v7.1 17.5, 17.6, 17.7, 17.8, 17.9
• NIST CSF v1.1 PR.AT-1, PR.AT-2, PR.AT-3, PR.AT-4, PR.AT-5
• CERT RMM v1.2 OTA:SG4.SP1
• NIST SP 800-53 Rev 4 AT-2, AT-3