Date Published: September 21, 2021
Comments Due: November 5, 2021 (public comment period is CLOSED)
Email Questions to:
sp800-50-comments@nist.gov
Planning Note (03/23/2023):
Cybersecurity awareness and training resources, methodologies, and requirements have evolved since NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program, was published in 2003 and companion document NIST SP 800-16, Information Technology Security Training Requirements: a Role- and Performance-Based Model, was published in 1998 (a 3rd draft revision of NIST SP 800-16 was released in 2014). New guidance to inform this work comes from the National Defense Authorization Act (NDAA) for FY2021 and the Cybersecurity Enhancement Act of 2014; in addition, the 2016 update to OMB Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs. To ensure NIST stakeholders benefit from guidance informed by these updated resources, methodologies, and requirements, NIST plans to update SP 800-50 to include privacy, and potentially consolidate with SP 800-16. The new proposed title for SP 800-50 is Building a Cybersecurity and Privacy Awareness and Training Program.
The public is invited to provide input by November 5, 2021, for consideration in the update. The list of topics below covers the major areas in which NIST is considering updates. Reviewers may respond to any or all topic areas as they choose. Reviewers may also provide other relevant comments unrelated to the specific topics below.
1. Updated Security Awareness and Training Program Lifecycle:
NIST proposes updating the descriptions of and terminology used for building a security awareness and training program to include the following elements. NIST seeks input on how to improve items A-E, including any elements that may be missing:
2. Incorporation of Privacy Awareness and Training Programs:
NIST proposes incorporating descriptions of and terminology used for building a privacy awareness and training program in parallel with a security awareness and training program. NIST seeks input on whether:
3. Consolidation of SP 800-50 with SP 800-16:
Originally, NIST SP 800-50 and NIST SP 800-16 operated as companion guidance documents. NIST proposes combining content from NIST SP 800-16 into NIST SP 800-50 and producing a single reference document to describe the fundamental elements necessary to develop a security and privacy awareness and training program.
General feedback is requested on:
When providing comments, please be specific and include the rationale for any proposed additions or deletions of material.
Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally-identifiable information (PII) and confidential business information should not be included (e.g., account numbers, Social Security numbers, names of other individuals). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.
An Initial Public Draft of the update, which will be published as SP 800-50 Revision 1, is scheduled for an early 2022 release.
None selected
Publication:
No Download Available
Supplemental Material:
None available
Related NIST Publications:
Document History:
09/21/21: SP 800-50 Rev. 1 (Draft)