Date Published: September 21, 2021
Comments Due: November 5, 2021 (public comment period is CLOSED)
Email Questions to: sp800-50-comments@nist.gov

Announcement

Cybersecurity awareness and training resources, methodologies, and requirements have evolved since NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program, was published in 2003 and companion document NIST SP 800-16, Information Technology Security Training Requirements: a Role- and Performance-Based Model, was published in 1998 (a 3rd draft revision of NIST SP 800-16 was released in 2014).  New guidance to inform this work comes from the National Defense Authorization Act (NDAA) for FY2021 and the Cybersecurity Enhancement Act of 2014; in addition, the 2016 update to OMB Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs. To ensure NIST stakeholders benefit from guidance informed by these updated resources, methodologies, and requirements, NIST plans to update SP 800-50 to include privacy, and potentially consolidate with SP 800-16. The new proposed title for SP 800-50 is Building a Cybersecurity and Privacy Awareness and Training Program.

The public is invited to provide input by November 5, 2021, for consideration in the update. The list of topics below covers the major areas in which NIST is considering updates. Reviewers may respond to any or all topic areas as they choose. Reviewers may also provide other relevant comments unrelated to the specific topics below.

1. Updated Security Awareness and Training Program Lifecycle:

NIST proposes updating the descriptions of and terminology used for building a security awareness and training program to include the following elements. NIST seeks input on how to improve items A-E, including any elements that may be missing:

1. Identifying the organization’s awareness and training needs
2. Planning and designing the awareness and training program
3. Developing the awareness and training materials
4. Implementing the program content
5. Post-implementation assessment

2. Incorporation of Privacy Awareness and Training Programs:

NIST proposes incorporating descriptions of and terminology used for building a privacy awareness and training program in parallel with a security awareness and training program. NIST seeks input on whether:

1. The process steps for building a security awareness and training program in item 1 above also accurately reflect the process steps for building a privacy awareness and training program.
2. There are any training and awareness activities that are unique to privacy.
3. There are key privacy training and awareness terminology and topics that should be addressed.

3. Consolidation of SP 800-50 with SP 800-16:

Originally, NIST SP 800-50 and NIST SP 800-16 operated as companion guidance documents. NIST proposes combining content from NIST SP 800-16 into NIST SP 800-50 and producing a single reference document to describe the fundamental elements necessary to develop a security and privacy awareness and training program.

1. Identify benefits or impacts of this proposed consolidation of guidance.
2. Identify the content of NIST SP 800-50 and NIST SP 800-16 that you or your organization are using and how.
3. Describe which aspects of NIST SP 800-50 and NIST SP 800-16 have been the most useful and why.
4. Describe which aspects of NIST SP 800-50 and NIST SP 800-16 have been the least useful and why.
5. Share key concepts or topics that are missing from these publications, including what they are and why they merit special attention.

General feedback is requested on:

1. The scope of NIST SP 800-50 and NIST SP 800-16. Please specify what the scope should be if the two are consolidated.
2. The range of program areas and work roles included in the publications.
3. Terminology, including descriptions of types of cybersecurity and privacy risks, threats, and technologies.
4. Appropriateness of program development framework guidance for organizations of varying size and complexity.
5. The work role and responsibilities of those who manage the privacy and IT security awareness and training programs. With respect to security, explain if the NICE Framework Work Roles of Cyber Curriculum Developer or Cyber Instructor sufficiently capture the responsibilities. 
6. Redundancy of material; or material now addressed by other NIST publications.

When providing comments, please be specific and include the rationale for any proposed additions or deletions of material.

Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally-identifiable information (PII) and confidential business information should not be included (e.g., account numbers, Social Security numbers, names of other individuals). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.

An Initial Public Draft of the update, which will be published as SP 800-50 Revision 1, is scheduled for an early 2022 release.

Control Families

None selected