SP 800-16 Rev 1 1

SP 800-16 Rev. 1
DRAFT Information Security Training Requirements: A Role- and Performance-Based Model

Destin Smith-Norris
ISM 4323: SECURITY MANAGEMENT
4/14/2010

Table of Contents

1. Table of Contents
2. Executive Summary
3. Background
4. Audience
5. Goals
6. Model
7. Methodology
8. Evaluation of Training
9. Conclusion
10. Reference

Executive Summary

SP 800-16 Rev 1 is a special publication of the National Institute of Standards and Technology (NIST). It provides government and private businesses with a comprehensive model of how to train employees in information security using a role- and performance-based model. The document gives a set of standard information security topics that should be taught to employees in specific roles. The intended audience for the publication is both information security professionals and instructional design specialists. NIST 800-16 Rev 1 was built in response to the mandates outlined in both the Federal Information Security Management Act (FISMA) of 2002 and the Office of Personnel Management (OPM) June 2004 mandate, 5 CFR Part 930.

Background

SP 800-16 Rev 1 updates the original document from 1998 and adds provisions to address the "awareness training" and "role-based training" needs outlined in both FISMA of 2002 and the OPM mandate, 5 CFR Part 930. It is a companion document to NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program.

Audience

This document is unique in that it serves multiple audiences. It provides a guideline for information security professionals who have the responsibility of designing and implementing security awareness training and role-based training. It is also meant to be used by the instructional design specialists who are responsible for developing and executing training material.

Goals

Securing information is one of the highest priorities of both government and private organizations. It is critical to both national security and business interests to protect the information stored in digital format. In order to do this, employees who use these systems must be trained to use information systems both efficiently and securely. The goals of Special Publication 800-16 are to provide information security professionals and instructional design specialists with guidelines for implementing awareness training for an organization and specialized role-based training programs for users of information systems.

Model

NIST 800-16 introduces a “Learning Continuum” model of information security training. The model presents the idea that learning starts with “Basic Security Awareness”. This is meant as a way to bring the importance of secure practices to the attention of any person who comes into contact with information security systems. According to the document, “Awareness is not training.” Some examples of awareness would be motivational slogans on display and events such as an information security day. “Awareness Training (Basics and Literacy)” is the first step toward specialized training. This is where a program would teach the “what’s” of security, such as the definitions and terms used in security and the policies and procedures put in place to ensure the security of the organization’s information systems.

The primary focus of this document is on the “Role-Based Training” methodology. Any person in an agency who is determined to have a significant role in information systems is required to take training on how to use them properly and securely. The NIST document provides matrices which explain what roles require what training and help in designing a training program. Some employees who have the highest responsibilities for information security require advanced education and professional development. This is where employees gain certifications or advanced degrees beyond what an agency can offer in-house.

Methodology

NIST SP 800-16 Rev 1 presents information security training matrices as tools for designing a curriculum. The first step in implementing a training program is to identify what the agency already has covered and what the needs of the agency are. The goal of the training program is to fill the gap between the two. Specific training modules are to be designed and given to the people who are identified as having a need to know that information. Matrices for many roles found in most organizations and agencies are provided in the document; they give a foundation for the areas of knowledge that certain roles require.

Information Security Training Matrix

This publication suggests using the ADDIE instructional design method. Its five phases are Analysis, Design, Development, Implementation, and Evaluation. An example of how to use this is presented in the publication. An organization must analyze the information needs of its employees and design a training program to give them the information and training they need to perform their jobs with the ability to maintain a secure environment. Once these first steps are done, the organization can either develop a training program in-house or buy one to match its needs. The training can take many forms: online, classroom, reading material, or one-on-one. Implementation begins when the employees start using the training material, and it is critical that from this step on the organization begins evaluating the training program. This involves questionnaires immediately after the training as well as managerial review in the long term.

Evaluation of Training

The last phase of any training program, and the longest, is the evaluation of the training. This begins with formative evaluation during the initial training and goes on to summative evaluation with supervisor feedback and organizational feedback. Evaluation loops back into the other steps: when the training is seen to be lacking in effectiveness, changes must be made to the training program.

Conclusion

To ensure the confidentiality, integrity, and availability of information, every user of information systems must know their specific responsibilities and be properly motivated to carry out these responsibilities. The motivation comes from awareness of the issues, and the knowledge and education of each individual’s responsibilities need to come from a role-based information security training program. This NIST document helps agencies and organizations follow the ADDIE model to fill in the gaps of knowledge that their employees are missing with role-based training. Not only is it critical to the continual success of an organization, it is the law that training be put in place to protect the information in their possession.

Reference

National Institute of Standards and Technology (NIST). DRAFT Information Security Training Requirements: A Role- and Performance-Based Model, from http://csrc.nist.gov/publications/PubsSPs.html
