The National Institute of Standards and Technology (NIST) is seeking public comment on its latest draft revision, which focuses on building a cybersecurity and privacy learning program that government and other organizations can use.
The draft, titled Building a Cybersecurity and Privacy Learning Program, encompasses changes to the 2003 NIST Special Publication (SP) 800-50, which “includes awareness, role-based training, and education programs” that have a more modern focus.
NIST wants comments on the draft by Oct. 27.
“This document provides guidelines for building and maintaining comprehensive cybersecurity and privacy learning programs (CPLPs) that include awareness activities and campaigns, awareness training, practical exercises, topic-based training, role-based training, and education programs,” stated NIST.
“The document includes guidance on how an organization can create a strategic program plan and ensure that there are appropriate resources to meet the organization’s learning goals,” the agency said.
Additionally, the publication focuses on serving “diverse audiences,” which include workforce and learning professionals, leadership and management, and cybersecurity and privacy specialists.
One of the publication’s hallmark approaches is the Cybersecurity and Privacy Learning Program life cycle, which features four stages to allow managers and teams to “develop curriculum, evaluate instructor feedback, send out practical exercise email quizzes, design posters for awareness, or develop a presentation for senior leadership,” NIST said.
The key goals of the update include:
- Integrate privacy with cybersecurity in the development of organization-wide learning programs;
- Introduce a life cycle model that allows for ongoing, iterative improvements and changes to accommodate cybersecurity, privacy, and organization-specific events;
- Introduce a learning program concept that incorporates language found in other NIST documents;
- Leverage current NIST guidance and terminology in reference documents, such as the NICE Workforce Framework for Cybersecurity, the NIST Cybersecurity Framework, the NIST Privacy Framework, and the NIST Risk Management Framework;
- Propose an employee-focused cybersecurity and privacy culture for organizations;
- Integrate learning programs with organizational goals to manage cybersecurity and privacy risks; and
- Address the challenge of measuring the impacts of cybersecurity and privacy learning programs.
“Providing the workforce with a general understanding of the different origins of cybersecurity and privacy risks is important for enabling them to effectively address the risks they encounter in their daily activities,” stated NIST.