Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-50 Rev. 1 (Initial Public Draft)

Building a Cybersecurity and Privacy Learning Program

Date Published: August 28, 2023
Comments Due: October 27, 2023 (public comment period is CLOSED)
Email Questions to:


Marian Merritt (NIST), Susan Hansche (CISA), Brenda Ellis (NASA), Kevin Sanchez-Cherry (DOT), Julie Snyder (MITRE), Donald Walden (Internal Revenue Service)


Cybersecurity awareness and training resources, methodologies, and requirements have evolved since NIST SP 800-50 was introduced in 2003. New guidance from the National Defense Authorization Act (NDAA) for FY2021 and the Cybersecurity Enhancement Act of 2014 have informed this revision. In addition, the 2016 update to Office of Management and Budget (OMB) Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs. Additionally, the NICE Workforce Framework for Cybersecurity (NICE Framework), which was published as NIST SP 800-181 in 2017 and revised in 2020, further informed the development of the draft of SP 800-50.

Work on a companion guide — NIST SP 800-16r3, Information Technology Security Training Requirements: A Role- and Performance-Based Model — will cease and the original NIST SP 800-16 (1998) will be withdrawn with the final publication of NIST SP 800-50r1.

Goals of this update:

  • Integrate privacy with cybersecurity in the development of organization-wide learning programs
  • Introduce a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events
  • Introduce a learning program concept that incorporates language found in other NIST documents
  • Leverage current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework
  • Propose an employee-focused cybersecurity and privacy culture for organizations
  • Integrate learning programs with organizational goals to manage cybersecurity and privacy risks
  • Address the challenge of measuring the impacts of cybersecurity and privacy learning programs

Submit comments:

The public comment period is open through October 27, 2023. We encourage you to use this comment template when preparing and submitting your comments.

NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.



awareness; cybersecurity; education; learning program; privacy; role-based; training
Control Families

None selected


Download URL

Supplemental Material:
Comment template (xlsx)

Document History:
09/21/21: SP 800-50 Rev. 1 (Draft)
08/28/23: SP 800-50 Rev. 1 (Draft)