Building a Cybersecurity and Privacy Learning Program: NIST Publishes SP 800-50r1
NIST Special Publication (SP) 800-50r1 (Revision 1), Building a Cybersecurity and Privacy Learning Program, provides updated guidance for developing and managing a robust cybersecurity and privacy learning program in the Federal Government. This revision was informed by the National Defense Authorization Act (NDAA) for FY2021, the Cybersecurity Enhancement Act of 2014, and the NICE Workforce Framework for Cybersecurity (NICE Framework). In addition, the 2016 update to Office of Management and Budget (OMB) Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs.
This revision to SP 800-50:
- Integrates privacy with cybersecurity in the development of organization-wide learning programs
- Introduces a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events
- Introduces a learning program concept that incorporates language found in other NIST documents
- Leverages current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework
- Proposes an employee-focused cybersecurity and privacy culture for organizations
- Integrates learning programs with organizational goals to manage cybersecurity and privacy risks
- Addresses the challenge of measuring the impacts of cybersecurity and privacy learning programs
- Incorporates guidance for using standard instructional design elements, maturity models, and assessment approaches
With the publication of SP 800-50r1, NIST has ceased developing a companion guide—SP 800-16r1 third public draft, A Role-Based Model for Federal Information Technology/Cybersecurity Training—and has withdrawn SP 800-16, Information Technology Security Training Requirements: a Role- and Performance-Based Model (1998).