NIST 800-171 • LEVEL 2 • AWARENESS AND TRAINING
3.2.2 — Role-Based Training
Provide role-based security training to organizational personnel:
a. Before authorizing access to the system or CUI, before performing assigned duties, and {{ insert: param, A.03.02.02.ODP.01 }} thereafter; and
b. When required by system changes or following {{ insert: param, A.03.02.02.ODP.02 }}.
Update role-based training content {{ insert: param, A.03.02.02.ODP.03 }} and following {{ insert: param, A.03.02.02.ODP.04 }}.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- role-based security training is provided to organizational personnel before authorizing access to the system or CUI.
- role-based security training is provided to organizational personnel before performing assigned duties.
- role-based security training is provided to organizational personnel {{ insert: param, A.03.02.02.ODP.01 }} after initial training.
- role-based security training is provided to organizational personnel when required by system changes or following {{ insert: param, A.03.02.02.ODP.02 }}.
- role-based security training content is updated {{ insert: param, A.03.02.02.ODP.03 }}.
- role-based security training content is updated following {{ insert: param, A.03.02.02.ODP.04 }}.
Practitioner Notes
Role-based training goes beyond the basics. Your system admins need different training than your accountants. The people who manage your firewalls need to understand firewall-specific risks, while HR staff need training on protecting PII.
Example 1: For IT administrators, require completion of vendor-specific training on the tools they manage. For example, if you use Palo Alto firewalls, enroll admins in the Palo Alto Networks Digital Learning portal for the Firewall Essentials (EDU-210) course. Document the completion certificate and file it with your training records. Update this annually or when the product version changes.
Example 2: For users who handle CUI, create a targeted training module (can be as simple as a recorded briefing and quiz) that covers: what CUI is, how to identify CUI markings, where CUI may and may not be stored, and what to do if CUI is found in an unauthorized location. Track completion in a training matrix spreadsheet that maps each user's role to their required training and completion dates.
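The training matrix from Example 2 can be checked automatically against the assessment objectives above. The following is an added example, not part of this page or of any NIST material: it assumes a 365-day refresh for ODP.01, and the roles, modules, people and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
# Constructed training matrix: role -> modules that role must complete.
REQUIRED_TRAINING = {
    "it_admin": ["security_basics", "firewall_edu210"],
    "cui_handler": ["security_basics", "cui_handling"],
}
# Constructed dates each module's content was last updated (new product version, revised briefing).
CONTENT_UPDATED = {
    "security_basics": date(2023, 1, 15),
    "firewall_edu210": date(2024, 3, 1),
    "cui_handling": date(2023, 6, 1),
}
REFRESH_DAYS = 365  # assumed value for ODP.01: refresh annually

@dataclass
class Person:
    name: str
    role: str
    access_granted: date                                # when system/CUI access was authorized
    completions: dict = field(default_factory=dict)     # module -> list of completion dates
def training_gaps(person, today):
    """Return (module, reason) pairs for each assessment objective the person fails."""
    gaps = []
    for module in REQUIRED_TRAINING[person.role]:
        dates = sorted(person.completions.get(module, []))
        if not dates:
            gaps.append((module, "never completed"))
            continue
        first, latest = dates[0], dates[-1]
        if first > person.access_granted:            # objective: trained before access authorized
            gaps.append((module, "access granted before initial training"))
        if latest < CONTENT_UPDATED[module]:         # objective: retrained after a content update
            gaps.append((module, "not retaken after content update"))
        elif (today - latest).days > REFRESH_DAYS:   # objective: refreshed within ODP.01 frequency
            gaps.append((module, "annual refresh overdue"))
    return gaps

# Constructed sample records and review date.
TODAY = date(2024, 6, 1)
PEOPLE = [
    Person("alice", "it_admin", date(2023, 2, 1),
           {"security_basics": [date(2023, 1, 20), date(2024, 1, 18)],
            "firewall_edu210": [date(2023, 1, 25)]}),
    Person("bob", "cui_handler", date(2023, 3, 1), {"security_basics": [date(2023, 3, 10)]}),
]
def compliance_report(people=PEOPLE, today=TODAY):
    """Map each person to their gaps; an empty list means fully compliant."""
    return {p.name: training_gaps(p, today) for p in people}
```

Run it at each review date; any non-empty list is a finding to close before the next assessment.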