AT.L2-3.2.2 requires organizations to formally define information security roles and their associated responsibilities, assign those roles to specific individuals, and provide those individuals with training adequate to perform their security duties competently. This goes beyond general security awareness (covered under AT.L2-3.2.1) by targeting personnel who hold specific security-sensitive positions such as system administrators, incident responders, data custodians, and privileged users. Per NIST SP 800-171 §3.2.2, training must be tailored to the unique responsibilities of each role rather than delivered as a one-size-fits-all program. The practice establishes a direct linkage between what a person is expected to do from a security standpoint and whether they have been equipped with the knowledge and skills to do it. Organizations must maintain records demonstrating both the assignment of roles and the completion of role-appropriate training.
Where it stops · what it isn't
- Does not cover general security awareness training for all users; that is addressed by AT.L2-3.2.1
- Does not govern personnel screening or background investigation requirements, which fall under Personnel Security (PS) domain practices
- Does not define what specific technical certifications must be held, only that training must be adequate for assigned responsibilities
- Does not address physical security training for facilities personnel unless those personnel hold assigned CUI or system security responsibilities
- Does not replace or substitute for legal or compliance training mandated by other regulatory frameworks unless those trainings also address information security responsibilities