This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
(a) Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and
(b) Retains individual training records for [FedRAMP Assignment: (L)(M) at least one year; (H) at least five (5) years or 5 years after completion of a specific training program].
NIST 800-53 (r4) Supplemental Guidance:
Documentation for specialized training may be maintained by individual supervisors at the option of the organization. Related controls: AT-2, AT-3, PM-14.
References: None.
NIST 800-53 (r5) Discussion:
Documentation for specialized training may be maintained by individual supervisors at the discretion of the organization. The National Archives and Records Administration provides guidance on records retention for federal agencies.
38North Guidance:
Meets Minimum Requirement:
Records are kept of all security training (basic, role-based, and other system-specific security training) completed by each individual. Each record includes the individual who completed the training, the type/name of the training, and the completion date.
Individual training records are retained in accordance with FedRAMP requirements.
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Documentation showing that individual training activities are tracked. The documentation details each individual, the training that was completed, and the date of the training. This could be captured manually in a spreadsheet or in a learning management system (LMS).
Documentation detailing past training activities, showing that the records are retained according to the FedRAMP-defined retention period.
Procedures for training record retention
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD