Draft NIST Special Publication (SP) 800-50r1 (Revision 1), Building a Cybersecurity and Privacy Learning Program, is now available for public comment. The document was first published in 2003 as Building an Information Technology Security Awareness and Training Program. The public comment period for this draft is open through October 27, 2023.
About NIST SP 800-50r1:
Cybersecurity awareness and training resources, methodologies, and requirements have evolved since NIST SP 800-50 was introduced in 2003. New guidance from the National Defense Authorization Act (NDAA) for FY2021 and the Cybersecurity Enhancement Act of 2014 have informed this revision. In addition, the 2016 update to Office of Management and Budget (OMB) Circular A-130 emphasizes the role of both privacy and security in the federal information life cycle and requires agencies to have both security and privacy awareness and training programs. Additionally, the NICE Workforce Framework for Cybersecurity (NICE Framework), which was published as NIST SP 800-181 in 2017 and revised in 2020, further informed the development of the draft of SP 800-50.
Work on a companion guide β NIST SP 800-16r3, Information Technology Security Training Requirements: A Role- and Performance-Based Model β will cease and the original NIST SP 800-16 (1998) will be withdrawn with the final publication of NIST SP 800-50r1.
Goals of this update:
- Integrate privacy with cybersecurity in the development of organization-wide learning programs
- Introduce a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events
- Introduce a learning program concept that incorporates language found in other NIST documents
- Leverage current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework
- Propose an employee-focused cybersecurity and privacy culture for organizations
- Integrate learning programs with organizational goals to manage cybersecurity and privacy risks
- Address the challenge of measuring the impacts of cybersecurity and privacy learning programs
Submit comments:
The public comment period is open through October 27, 2023. See the publication details for a copy of the draft and instructions for submitting comments.