800-53|SA-16

Title

DEVELOPER-PROVIDED TRAINING

Description

The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

Supplemental

This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.

Reference Item Details

Related: AT-2,AT-3,SA-5

Category: SYSTEM AND SERVICES ACQUISITION

Family: SYSTEM AND SERVICES ACQUISITION

Priority: P2

Baseline Impact: HIGH

Audit Items

View all Reference Audit Items