Retrain all personnel, as necessary.


CONTROL ID: 01362
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an education methodology. (CC ID: 06671)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization should develop an initial and ongoing training program. (¶ 33, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Financial institutions should establish a training programme, including periodic security awareness programmes, for all staff and contractors to ensure that they are trained to perform their duties and responsibilities consistent with the relevant security policies and procedures to reduce human err… (3.4.7 49, Final Report EBA Guidelines on ICT and security risk management)
  • The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge. (Art. 38.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Course content ¶ 26: Training courses should include the following subjects: the definition of personal information and other kinds of information; the value of information; the need to protect personal information and the consequences of not protecting it; responsibilities and why they matter; wha… (Course content ¶ 26, Course content ¶ 27, Outline Specification for DHR Information Awareness Training, March 2009)
  • Contractors must provide employees guidance by writing company security instructions. The instructions should be prepared by the security controller; be approved by the board level contact and the MOD DE&S DHSY/PSYA or contracting authority; be issued with the signature and authority of the managing… (¶ 14, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • Do current employees/users receive periodic Security Awareness Training? (Table Row II.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The training and awareness program should be ongoing. (¶ 22.6, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should have an ongoing training program that includes ongoing training, at least annually, to maintain professional competency. (CORE - 27(f), URAC Health Utilization Management Standards, Version 6)
  • Educate the governing authority, management, the workforce, and the extended enterprise about expected conduct, and increase the skills and motivation needed to help the organization address opportunities, threats, and requirements. (OCEG GRC Capability Model, v. 3.0, P4 Education, OCEG GRC Capability Model, v 3.0)
  • Apply consistent discipline to individuals at fault and provide necessary retraining. (OCEG GRC Capability Model, v. 3.0, P8.5 Discipline and Retrain, OCEG GRC Capability Model, v 3.0)
  • Personnel must be trained when hired and at least annually. (PCI DSS Requirements § 12.6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Educate personnel upon hire and at least annually. (12.6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Educate personnel upon hire and at least annually. (12.6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Educate personnel upon hire and at least annually. (12.6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are personnel educated upon hire and at least annually? (12.6.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are personnel educated upon hire and at least annually? (12.6.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are personnel educated upon hire and at least annually? (12.6.1 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are personnel educated upon hire and at least annually? (12.6.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Verify that personnel attend security awareness training upon hire and at least annually. (12.6.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Interview a sample of personnel to verify they have completed awareness training and are aware of the importance of cardholder data security. (12.6.1.c, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Are personnel educated upon hire and at least annually? (PCI DSS Question 12.6.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are personnel educated upon hire and at least annually? (PCI DSS Question 12.6.1(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization should provide awareness sessions for users who have completed training and are not following the policies. (Critical Control 9.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a security awareness training program for all employees of the organization and provide regular training updates. (HRS-11, Cloud Controls Matrix, v4.0)
  • Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, o… (CIS Control 14: Safeguard 14.1 Establish and Maintain a Security Awareness Program, CIS Controls, V8)
  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way… (CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding, CIS Controls, V8)
  • Regular training updates may be required by the authentication solution. (§ 4.5.4.3.9 ¶ 2, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The individual(s) managing the audit programme should engage in appropriate continual development activities to maintain the necessary competence to manage the audit programme. (§ 5.4.2 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • The information collected about the auditor under evaluation should be compared against the criteria set in 7.2.3. When an auditor under evaluation who is expected to participate in the audit programme does not fulfil the criteria, then additional training, work or audit experience should be unde… (§ 7.5 ¶ 1, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • changes in internal, policies, procedures and processes; (§ 7.2.2 ¶ 5 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • changes in organization structure; (§ 7.2.2 ¶ 5 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. (A.7.2.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • All employees of the organization and, where relevant, contractors should receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. (§ 7.2.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. (CC1.4 ¶ 4 Bullet 3 Provides Training to Maintain Technical Competencies, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • When required by information system changes; and (AT-3b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • When required by information system changes; and (AT-2b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • When required by information system changes; and (AT-3b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • When required by information system changes; and (AT-2b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • When required by information system changes; and (AT-3b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • When required by information system changes; and (AT-2b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • When required by information system changes; and (AT-3b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • When required by information system changes; and (AT-2b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Competence is derived from a synthesis of education and experience. It begins with a mastery of the common body of knowledge required for designation as a certified public accountant. The maintenance of competence requires a commitment to learning and professional improvement that must continue thro… (0.300.060.03, AICPA Code of Professional Conduct, August 31, 2016)
  • The organization should provide awareness training for general staff members and train new employees and team members on an annual basis, after major incidents, and after significant changes. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • All employees must complete an interactive online privacy and security awareness course annually. (Table Ref 1.2.10, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. (CC1.4 Provides Training to Maintain Technical Competencies, Trust Services Criteria)
  • The entity provides training programs, including continuing education and training, to ensure skill sets and technical competency of existing personnel, contractors, and vendor employees are developed and maintained. (CC1.4 ¶ 4 Bullet 3 Provides Training to Maintain Technical Competencies, Trust Services Criteria, (includes March 2020 updates))
  • Principle: Firms should provide cybersecurity training that is tailored to staff needs. Effective practices for cybersecurity training include: - defining cybersecurity training needs requirements; - identifying appropriate cybersecurity training update cycles; - delivering interactive training with… (Staff Training, Report on Cybersecurity Practices)
  • A Member's ISSP should contain a description of the Member's ongoing education and training relating to information security for all appropriate personnel. This training program should be conducted for employees upon hiring and periodically during their employment and be appropriate to the security … (Information Security Program Bullet 5 Employee Training ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Require completion of the training specified in Part 2.1 at least once every 15 calendar months. (CIP-004-6 Table R2 Part 2.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-6, Version 6)
  • Require completion of the training specified in Part 2.1 at least once every 15 calendar months. (CIP-004-7 Table R2 Part 2.3 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Personnel & Training CIP-004-7, Version 7)
  • Does the program include constituent annual participation? (§ E.4.3, Shared Assessments Standardized Information Gathering Questionnaire - E. Human Resource Security, 7.0)
  • Technical Surveillance Countermeasure personnel shall periodically attend refresher training or specialized courses to remain proficient and knowledgeable. (§ 5.8.2, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • Employees must receive initial training and periodic training in how to operate the environmental controls. (PETN-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Information Assurance training program must include the training of all personnel upon hiring and periodically afterwards. (PRTN-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Technical Surveillance Countermeasure personnel must attend periodic refresher training and attend specialized courses annually. (§ 10.b, SECNAV Instruction 3850.4, Technical Surveillance Countermeasures (TSCM) Program)
  • To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this… (§ 164.530(b)(2)(i)(C), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • All personnel who have access to criminal justice information shall receive Security Awareness Training biennially. (§ 5.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency coordinator shall train or ensure contractor personnel who have access to the national crime information center are trained by scheduling new contractor personnel for the certification exam inside of 6 months of their assignment and certified operators for biennial recertification testing… (§ 3.2.7(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Train or ensure the training of Contractor personnel. If Contractor personnel access NCIC, schedule the operators for testing or a certification exam with the CSA staff, or AC staff with permission from the CSA staff. Schedule new operators for the certification exam within six (6) months of assignm… (§ 3.2.7 ¶ 1(6), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • LASO training shall be required prior to assuming duties but no later than six months after initial assignment, and annually thereafter. (§ 5.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • LASO training shall be required prior to assuming duties but no later than six months after initial assignment, and annually thereafter. (§ 5.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • When required by information system changes; and (AT-2b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (AT-2c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (AT-3b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (AT-2b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (AT-2c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (AT-3b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (AT-2b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [FedRAMP Assignment: at least annually] thereafter. (AT-2c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by information system changes; and (AT-3b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., FedRAMP Security Controls High Baseline, Version 5)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Are user security-related responsibilities communicated to the employees on a regular basis? (IT - Security Program Q 20b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • When required by information system changes; and (AT-2b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (AT-2b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (AT-2b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (AT-3b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (AT-3b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • When required by information system changes; and (AT-3b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Organizational policy should include the requirements for refresher training. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must provide security-related training on a defined frequency. (SG.AT-3 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must train all personnel on their roles and responsibilities for Continuity Of Operations and provide refresher training on a predefined frequency. (SG.CP-4 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must ensure that all incident response personnel receive refresher training on their roles and responsibilities on a defined frequency. (SG.IR-3 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should provide initial employee training and periodic retraining on the use and operation of environmental controls. (App F § AT-3(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish and implement Security Awareness Training for new users (including managers, senior executives, and contractors); when required by system changes; and periodically after initial training. (App F § AT-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish and implement role-based security training for all Information System users periodically after the initial training. (App F § AT-3(iii), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must provide incident response refresher training on a predefined frequency. (App F § IR-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes. (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) {organizationally documented frequency} thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes. (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) {organizationally documented frequency} thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes. (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) {organizationally documented frequency} thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) when required by information system changes. (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) {organizationally documented frequency} thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • When required by information system changes; and (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • When required by information system changes; and (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • When required by information system changes; and (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • When required by information system changes; and (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-3c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • When required by information system changes; and (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • When required by information system changes; and (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • When required by information system changes; and (AT-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • When required by information system changes; and (AT-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Assignment: organization-defined frequency] thereafter. (AT-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • When required by system changes or following [Assignment: organization-defined events]; (AT-2a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • When required by information system changes; and (AT-3b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • When required by information system changes; and (AT-3b., TX-RAMP Security Controls Baseline Level 1)
  • When required by information system changes; and (AT-2b., TX-RAMP Security Controls Baseline Level 1)
  • [TX-RAMP Assignment: at least annually] thereafter. (AT-2c., TX-RAMP Security Controls Baseline Level 1)
  • [TX-RAMP Assignment: at least annually] thereafter. (AT-3c., TX-RAMP Security Controls Baseline Level 1)
  • When required by information system changes; and (AT-3b., TX-RAMP Security Controls Baseline Level 2)
  • When required by information system changes; and (AT-2b., TX-RAMP Security Controls Baseline Level 2)
  • [TX-RAMP Assignment: at least annually] thereafter. (AT-2c., TX-RAMP Security Controls Baseline Level 2)
  • [TX-RAMP Assignment: at least annually] thereafter. (AT-3c., TX-RAMP Security Controls Baseline Level 2)