Date Published: August 28, 2023
Comments Due:
Email Questions to:
Author(s)
Marian Merritt (NIST), Susan Hansche (CISA), Brenda Ellis (NASA), Kevin Sanchez-Cherry (DOT), Julie Snyder (MITRE), Donald Walden (Internal Revenue Service)
Announcement
Cybersecurity awareness and training resources, methodologies, and requirements have evolved since NIST SP 800-50 was introduced in 2003. New guidance from the National Defense Authorization Act (NDAA) for FY2021 and the Cybersecurity Enhancement Act of 2014 have informed this revision. In addition, the 2016 update to Office of Management and Budget (OMB) Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs. Additionally, the NICE Workforce Framework for Cybersecurity (NICE Framework), which was published as NIST SP 800-181 in 2017 and revised in 2020, further informed the development of the draft of SP 800-50.
Work on a companion guide — NIST SP 800-16r3, Information Technology Security Training Requirements: A Role- and Performance-Based Model — will cease and the original NIST SP 800-16 (1998) will be withdrawn with the final publication of NIST SP 800-50r1.
Goals of this update:
- Integrate privacy with cybersecurity in the development of organization-wide learning programs
- Introduce a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events
- Introduce a learning program concept that incorporates language found in other NIST documents
- Leverage current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework
- Propose an employee-focused cybersecurity and privacy culture for organizations
- Integrate learning programs with organizational goals to manage cybersecurity and privacy risks
- Address the challenge of measuring the impacts of cybersecurity and privacy learning programs
Submit comments:
The public comment period is open through October 27, 2023. We encourage you to use this comment template when preparing and submitting your comments.
NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
This publication provides guidance for federal agencies and organizations to develop and manage a lifecycle approach to building a cybersecurity and privacy learning program (hereafter referred to as CPLP). The approach is intended to address the needs of large and small organizations as well as those building an entirely new program. The information leverages broadly accepted standards, regulations, legislation, and best practices. The recommendations are customizable and may be implemented as part of an organization-wide process that manages awareness, training, and education programs for a diverse set of employee audiences. The guidance also includes suggested metrics and evaluation methods in order that the program be regularly improved and updated as needs will evolve.
This publication provides guidance for federal agencies and organizations to develop and manage a lifecycle approach to building a cybersecurity and privacy learning program (hereafter referred to as CPLP). The approach is intended to address the needs of large and small organizations as well as...
See full abstract
This publication provides guidance for federal agencies and organizations to develop and manage a lifecycle approach to building a cybersecurity and privacy learning program (hereafter referred to as CPLP). The approach is intended to address the needs of large and small organizations as well as those building an entirely new program. The information leverages broadly accepted standards, regulations, legislation, and best practices. The recommendations are customizable and may be implemented as part of an organization-wide process that manages awareness, training, and education programs for a diverse set of employee audiences. The guidance also includes suggested metrics and evaluation methods in order that the program be regularly improved and updated as needs will evolve.
Hide full abstract
Keywords
awareness; cybersecurity; education; learning program; privacy; role-based; training
Control Families
None selected
