1. Home
  2. FedRAMP
  3. AT-3

BRACKETOLOGY | FEDRAMP

AT-3: ROLE-BASED SECURITY TRAINING

  • FedRAMP Baseline Membership AT-3:
  • LOW
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization provides role-based security training to personnel with assigned security roles and responsibilities:

    • a. Before authorizing access to the information system or performing assigned duties;
    • b. When required by information system changes; and
    • c. [Assignment: organization-defined frequency] thereafter.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

Provides role-based security training to personnel with assigned security roles and responsibilities:

  • a. Before authorizing access to the information system or performing assigned duties;
  • b. When required by information system changes; and
  • c. At least annually thereafter.

Provides role-based security training to personnel with assigned security roles and responsibilities:

  • a. Before authorizing access to the information system or performing assigned duties;
  • b. When required by information system changes; and
  • c. At least annually thereafter.

Provides role-based security training to personnel with assigned security roles and responsibilities:

  • a. Before authorizing access to the information system or performing assigned duties;
  • b. When required by information system changes; and
  • c. At least annually thereafter.

SUPPLEMENTAL GUIDANCE

Organizations determine the appropriate content of security training based on the assigned roles and responsibilities of individuals and the specific security requirements of organizations and the information systems to which personnel have authorized access. In addition, organizations provide enterprise architects, information system developers, software developers, acquisition/procurement officials, information system managers, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation activities, security control assessors, and other personnel having access to system-level software, adequate security-related technical training specifically tailored for their assigned duties. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical safeguards and countermeasures. Such training can include for example, policies, procedures, tools, and artifacts for the organizational security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs. Role-based security training also applies to contractors providing services to federal agencies.

CONTROL ENHANCEMENTS

AT-3 (1) ROLE-BASED SECURITY TRAINING | ENVIRONMENTAL CONTROLS

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.

Supplemental Guidance:

Environmental controls include, for example, fire suppression and detection devices/systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature/humidity, HVAC, and power within the facility. Organizations identify personnel with specific roles and responsibilities associated with environmental controls requiring specialized training.

RELATED CONTROLS: AT-3 (1)

AT-3 (2) ROLE-BASED SECURITY TRAINING | PHYSICAL SECURITY CONTROLS

The organization provides [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

Supplemental Guidance:

Physical security controls include, for example, physical access control devices, physical intrusion alarms, monitoring/surveillance equipment, and security guards (deployment and operating procedures). Organizations identify personnel with specific roles and responsibilities associated with physical security controls requiring specialized training.

RELATED CONTROLS: AT-3 (2)

AT-3 (3) ROLE-BASED SECURITY TRAINING | PRACTICAL EXERCISES
  • FedRAMP Baseline Membership AT-3 (3):
  • HIGH

The organization includes practical exercises in security training that reinforce training objectives.

Supplemental Guidance:

Practical exercises may include, for example, security training for software developers that includes simulated cyber attacks exploiting common software vulnerabilities (e.g., buffer overflows), or spear/whale phishing attacks targeted at senior leaders/executives. These types of practical exercises help developers better understand the effects of such vulnerabilities and appreciate the need for security coding standards and processes.

AT-3 (4) ROLE-BASED SECURITY TRAINING | SUSPICIOUS COMMUNICATIONS AND ANOMALOUS SYSTEM BEHAVIOR
  • FedRAMP Baseline Membership AT-3 (4):
  • HIGH

The organization provides training to its personnel on [Assignment: organization-defined indicators of malicious code] to recognize suspicious communications and anomalous behavior in organizational information systems.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a Low Impact system.

There are no FedRAMP-specific requirements if this control is used for a Moderate Impact system.

Provide training to its personnel on malicious code indicators as defined by organization incident policy/capability to recognize suspicious communications and anomalous behavior in organizational information systems.


Supplemental Guidance:

A well-trained workforce provides another organizational safeguard that can be employed as part of a defense-in-depth strategy to protect organizations against malicious code coming in to organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender but who appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to such suspicious email or web communications (e.g., not opening attachments, not clicking on embedded web links, and checking the source of email addresses). For this process to work effectively, all organizational personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in organizational information systems can potentially provide early warning for the presence of malicious code. Recognition of such anomalous behavior by organizational personnel can supplement automated malicious code detection and protection tools and systems employed by organizations.

REFERENCES:

  • C.F.R. Part 5 Subpart C (5 C.F.R. 930.301)
  • NIST Special Publication 800-16
  • NIST Special Publication 800-50