This page is classified as INTERNAL.
NIST SP 800-53 (r4) Control:
The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
NIST 800-53 (r4) Supplemental Guidance:
This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms. Related controls: AT-2, AT-3, SA-5.
NIST 800-53 (r5) Discussion:
Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.
38North Guidance:
Meets Minimum Requirement:
This is the documentation itself that developers provide: runbooks, playbooks, and user guides for the personnel responsible for secure deployment, operations, configuration, etc.
Role-based training (RBT) falls more under AT-3:
Develop, document, and implement a training program for developers that includes an overview of their roles and responsibilities and a description of processes and operations.
Track training completion for each employee and contractor/vendor employee.
Best Practice:
Provide training on an annual basis, with annual refresher training thereafter.
Mimic the organization's security awareness training program to ensure continuity between processes (if/when feasible).
Update training when there are changes to the development environment, tools, processes, or standards (SA-15).
All personnel, including contractors and vendors with security developer roles for the information system, must complete training.
If development is outsourced, the vendor/contractor must provide training to the organization's staff to ensure that staff are aware of the system's security functions and features.
Unofficial FedRAMP Guidance:
None.
Assessment Evidence:
This is the documentation itself that developers provide: runbooks, playbooks, and user guides for the personnel responsible for secure deployment, operations, configuration, and installation, specifying the security and privacy functions of the system, etc. Evidence can show where the documents are stored, provide a subset of them, and/or any templates.
Documentation that outlines the security capabilities of the solution/service within a user guide or a security runbook/manual would also be good evidence.
Role-based training (RBT) falls more under AT-3:
Evidence that describes the developer training program, along with the training slides or PowerPoint deck given to developers.
Training records of developers that completed the training.
CSP Implementation Tips:
Amazon Web Services (AWS): Complete AWS certification training (e.g., AWS Certified Developer - Associate; AWS DevOps Engineer; etc.) and other developer training courses to gain a greater understanding of AWS.
Microsoft Azure: Complete Microsoft Azure certification training (e.g., Microsoft Certified Azure - Associate; Microsoft Azure Developer Core Solutions; etc.) and other developer training courses to gain a greater understanding of Azure.
Google Cloud Platform: None.