Security Requirements for 03.02.02 Role-Based Training

Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, software developers, systems integrators, acquisition/procurement officials, system and network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and personnel with access to system-level software with security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities that cover physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.

View CPRT 03.02.02

  1. 03.02.02.a

    Provide role-based security training to organizational personnel:

  2. 03.02.02.a.01

    Before authorizing access to the system or CUI, before performing assigned duties, and [Assignment: organization-defined frequency] thereafter

  3. 03.02.02.a.02

    When required by system changes or following [Assignment: organization-defined events].

  1. 03.02.02.b

    Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].