SA-16: DEVELOPER-PROVIDED TRAINING
TAILORED FOR INDUSTRIAL CONTROL SYSTEMS
ISC Control Baseline:
The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.
ICS SUPPLEMENTAL GUIDANCE
No ICS Supplemental Guidance.
RELATED CONTROLS: SA-16
NO CONTROL ENHANCEMENTS
- NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY