Awareness and Training Deep Dive
Deep Dive into Changes to the Awareness and Training Family in FedRAMP Revision 5
The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Awareness and Training family that the new baselines bring.
Considerable Changes to the Low, Moderate, and High baselines include:
- Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
- A requirement to designate a specific official to manage the development, documentation, dissemination of policies and procedures
- A requirement to define awareness techniques for increasing the security and privacy awareness of system users
- A requirement to define the frequency of updates to training and awareness content
- A requirement to define the events which necessitate updates to training and awareness content
- An implication that training should include privacy as well as security
- A requirement to incorporate lessons learned from security or privacy incidents into training
- A requirement to define personnel roles needing role-based security and privacy training
- A new parameter defining frequency of updates to role-based training
Considerable Changes to the Moderate and High baselines include:
-
A new requirement to provide training on recognizing and reporting potential and actual instances of social engineering and social mining
Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO.
Contact InfusionPoints for assistance with your FedRAMP journey.