Information Technology Security Training Requirements: a Role- and Performance-Based Model

deZafra, Dorothea; Pitcher, Sadie; Tressler, John; Ippolito, John; Wilson, Mark

doi:https://doi.org/10.6028/NIST.SP.800-16

July 19, 2023: URLs for CSRC publication details pages have changed. Legacy URLs should automatically redirect to the new URLs. However, links to the actual publications have NOT changed (e.g., DOIs and PDFs on nvlpubs.nist.gov). Please send inquiries to csrc-inquiry@nist.gov. [12:20 pm ET - If you received "Page Not Found" errors recently, please retry accessing those files. File synchronization should now be complete.]

NIST SP 800-16

Information Technology Security Training Requirements: a Role- and Performance-Based Model

Documentation Topics

Date Published: April 1998

Supersedes: SP 500-172 (11/01/1989)

Planning Note (09/21/2021):

NIST is requesting feedback on the potential consolidation of SP 800-16 with SP 800-50, as SP 800-50 Revision 1, Building a Cybersecurity and Privacy Awareness and Training Program (proposed title).

Submit your comments by November 5, 2021. See the SP 800-50 Call for Comments for more details and instructions for submitting comments.

Author(s)

Dorothea deZafra (NIH), Sadie Pitcher (U.S. Department of Commerce), John Tressler (U.S. Department of Education), John Ippolito (Allied Technology Group)

Editor(s)

Mark Wilson (NIST)

Abstract

This document supersedes NIST SP 500-172, Computer Security Training Guidelines, published in 1989. The new document supports the Computer Security Act (Public Law 100-235) and OMB Circular A-130 Appendix III requirements that NIST develop and issue computer security training guidance. This publication presents a new conceptual framework for providing information technology (IT) security training. This framework includes the IT security training requirements appropriate for today's distributed computing environment and provides flexibility for extension to accommodate future technologies and the related risk management decisions.

Keywords

Awareness; behavioral objectives; education; individual accountability; job function; management and technical controls; rules of behavior; training

Control Families

Awareness and Training; Program Management

Documentation

Publication:
https://doi.org/10.6028/NIST.SP.800-16
Download URL

Supplemental Material:
None available

Document History:
04/01/98: SP 800-16 (Final)

Topics

Security and Privacy

audit & accountability, awareness training & education

Laws and Regulations

OMB Circular A-130