Security Awareness Blog

Draft NIST SP800-16 (vs. SP800-50)

I just finished reading through the new draft of the NIST SP800-16 document titled "A Role-Based Model for Federal Information Technology/Cyber Security Training". If you have never heard of NIST, FISMA or the SP800 series of documents, you can probably stop reading now and save yourself some time. However, if you are involved in security for any federal agency or handle federal data, read on. As you may know, NIST is the federal organization that develops the cyber security standards that federal organizations falling under FISMA must follow. The standards are known as the SP800 series (SP stands for Special Publications). NIST has two documents that relate to security awareness and education. The first is SP800-16; the second is SP800-50, which is titled "Building an Information Technology Security Awareness and Training Program". As stated by NIST, the difference between the two is as follows.

"The two publications are complementary: SP 800-50 works at a higher strategic level, discussing how to build an IT security awareness and training program, while SP 800-16 is at a lower tactical level, describing an approach to role-based IT security training."

So, if you do not fall under FISMA but are still interested in using NIST as a reference for building a security awareness program, SP800-50 is most likely all you need. If you do fall under FISMA, role-based training plays a huge role in the requirements, and as such SP800-16 is a must read. The biggest change I could see in the new draft is the introduction of the term "Cybersecurity Essentials". Basically, SP800-16 has replaced the terminology for the first two layers of the learning continuum: "Awareness" is now called "Security Awareness", and "Awareness Training" is now called "Cybersecurity Essentials". After reading the documentation, I think this makes much better sense. The concept is that "Security Awareness" is basic training for all employees and staff; it ensures everyone starts on the same sheet of music. The new term "Cybersecurity Essentials" is similar, but directed at IT staff. It explains basic concepts to the technology folks, such as the elements of risk, attack vectors, what a firewall is, etc. After that you can get into role-specific training (the third layer of the learning continuum).

As is typical for NIST, it is not easy or light reading (do not try to read it all in one sitting; your head will hurt, so take it in chunks). If you want to skip straight to the meat, go to section 4 and start there. I'm hoping that once SP800-16 is finalized, NIST updates SP800-50; it could use some love.