FedRAMP Security Awareness Training AT-2


Overview:
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. [Assignment: organization-defined frequency] thereafter.


Supplemental Guidance:
Organizations determine the appropriate content of security awareness training and security awareness techniques based on the specific organizational requirements and the information systems to which personnel have authorized access. The content includes a basic understanding of the need for information security and user actions to maintain security and to respond to suspected security incidents. The content also addresses awareness of the need for operations security. Security awareness techniques can include, for example, displaying posters, offering supplies inscribed with security reminders, generating email advisories/notices from senior organizational officials, displaying logon screen messages, and conducting information security awareness events.


Related controls: AT-3, AT-4, PL-4.


Action Items:
1) Create a Security and Awareness Training program

2) Ensure training is a new hire requirement and is also performed at regular intervals


Related Documents:
1) Security Awareness and Training Policy

2) Acceptable Use Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
AT-2 (c) [at least annually]


Moderate Additional FedRAMP Requirements and Guidance
None


Article ID: 53
Created: September 25, 2022
Last Updated: September 25, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/fedramp-security-awareness-training-at-2-53.html