NIST 800-171 • LEVEL 2 • AWARENESS AND TRAINING
3.2.2 — Role-Based Training
Provide role-based security training to organizational personnel:
- before authorizing access to the system or CUI, before performing assigned duties, and organization-defined parameter thereafter; and
- when required by system changes or following organization-defined parameter.
Update role-based training content organization-defined parameter and following organization-defined parameter.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- role-based security training is provided to organizational personnel before authorizing access to the system or CUI.
- role-based security training is provided to organizational personnel before performing assigned duties.
- role-based security training is provided to organizational personnel organization-defined parameter after initial training.
- role-based security training is provided to organizational personnel when required by system changes or following organization-defined parameter.
- role-based security training content is updated organization-defined parameter.
- role-based security training content is updated following organization-defined parameter.
Practitioner Notes
Role-based training goes beyond the basics. Your system admins need different training than your accountants. The people who manage your firewalls need to understand firewall-specific risks, while HR staff need training on protecting PII.
Example 1: For IT administrators, require completion of vendor-specific training on the tools they manage. For example, if you use Palo Alto firewalls, enroll admins in the Palo Alto Networks Digital Learning portal for the Firewall Essentials (EDU-210) course. Document the completion certificate and file it with your training records. Update this annually or when the product version changes.
Example 2: For users who handle CUI, create a targeted training module (can be as simple as a recorded briefing and quiz) that covers: what CUI is, how to identify CUI markings, where CUI may and may not be stored, and what to do if CUI is found in an unauthorized location. Track completion in a training matrix spreadsheet that maps each user's role to their required training and completion dates.