Skip to main content

SAT-03: Role-Based Cybersecurity & Data Protection Training

SAT 8 — High Protect

Mechanisms exist to provide role-based cybersecurity and data protection-related training: (1) Before authorizing access to the system or performing assigned duties; (2) When required by system changes; and (3) Annually thereafter.

Control Question: Does the organization provide role-based cybersecurity and data protection-related training: (1) Before authorizing access to the system or performing assigned duties; (2) When required by system changes; and (3) Annually thereafter?

General (62)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC1.4-POF7 CC2.2-POF12 CC2.2-POF13
CIS CSC 8.1 14.3 14.4 14.7 14.8 14.9 16.9
CIS CSC 8.1 IG1 14.3 14.4 14.7 14.8
CIS CSC 8.1 IG2 14.3 14.4 14.7 14.8 16.9
CIS CSC 8.1 IG3 14.3 14.4 14.7 14.8 16.9
CSA CCM 4 HRS-11 HRS-12 HRS-13
CSA IoT SCF 2 TRN-01 TRN-02
ENISA 2.0 SO6
GovRAMP Low AT-03
GovRAMP Low+ AT-03
GovRAMP Moderate AT-03
GovRAMP High AT-03
IMO Maritime Cyber Risk Management 3.5.3.6 3.5.5.3 3.5.6.2
ISO 22301 2019 7.3
ISO 27002 2022 5.4 6.3
ISO 27017 2015 7.2.1 7.2.2
ISO 27701 2025 7.2
ISO 29100 2024 6.10
MPA Content Security Program 5.1 OR-3.1 OR-3.2
NAIC Insurance Data Security Model Law (MDL-668) 4.D(5)
NIST AI 100-1 (AI RMF) 1.0 GOVERN 2.0 GOVERN 2.2
NIST Privacy Framework 1.0 GV.AT-P1 GV.AT-P2 GV.AT-P3
NIST 800-53 R4 AT-3
NIST 800-53 R4 (low) AT-3
NIST 800-53 R4 (moderate) AT-3
NIST 800-53 R4 (high) AT-3
NIST 800-53 R5 (source) AT-3 AT-3(2)
NIST 800-53B R5 (privacy) (source) AT-3
NIST 800-53B R5 (low) (source) AT-3
NIST 800-53B R5 (moderate) (source) AT-3
NIST 800-53B R5 (high) (source) AT-3
NIST 800-82 R3 LOW OT Overlay AT-3
NIST 800-82 R3 MODERATE OT Overlay AT-3
NIST 800-82 R3 HIGH OT Overlay AT-3
NIST 800-161 R1 AT-3 AT-3(2) AT-3(8)
NIST 800-161 R1 C-SCRM Baseline AT-3
NIST 800-161 R1 Flow Down AT-3
NIST 800-161 R1 Level 2 AT-3 AT-3(2)
NIST 800-171 R2 (source) 3.2.2
NIST 800-171A (source) 3.2.2[a] 3.2.2[b] 3.2.2[c]
NIST 800-171 R3 (source) 03.01.22.a 03.02.01.a.01 03.02.01.a.02 03.02.02.a 03.02.02.a.01 03.02.02.a.02 03.02.02.b 03.06.04.a 03.06.04.a.01 03.06.04.a.02 03.06.04.b
NIST 800-171A R3 (source) A.03.02.02.ODP[01] A.03.02.02.ODP[02] A.03.02.02.ODP[03] A.03.02.02.ODP[04] A.03.02.02.a.01[01] A.03.02.02.a.01[02] A.03.02.02.a.01[03] A.03.02.02.a.02 A.03.02.02.b[01] A.03.02.02.b[02] A.03.06.04.a.01 A.03.06.04.a.02 A.03.06.04.a.03
NIST 800-172 3.2.1e
NIST 800-218 PO.2.2
NIST CSF 2.0 (source) PR.AT PR.AT-01 PR.AT-02
PCI DSS 4.0.1 (source) 1.1.2 6.2.2 8.3.8 9.5.1 9.5.1.3 12.6 12.6.1 12.6.3 12.6.3.1 12.6.3.2
PCI DSS 4.0.1 SAQ A-EP (source) 6.2.2 8.3.8 12.6.1 12.6.3.1
PCI DSS 4.0.1 SAQ B (source) 9.5.1 9.5.1.3 12.6.1
PCI DSS 4.0.1 SAQ B-IP (source) 9.5.1 9.5.1.3 12.6.1
PCI DSS 4.0.1 SAQ C (source) 6.2.2 8.3.8 9.5.1 9.5.1.3 12.6.1 12.6.3.1
PCI DSS 4.0.1 SAQ C-VT (source) 12.6.1 12.6.3.1
PCI DSS 4.0.1 SAQ D Merchant (source) 1.1.2 6.2.2 8.3.8 9.5.1 9.5.1.3 12.6.1 12.6.3 12.6.3.1 12.6.3.2
PCI DSS 4.0.1 SAQ D Service Provider (source) 1.1.2 6.2.2 8.3.8 9.5.1 9.5.1.3 12.6.1 12.6.3 12.6.3.1 12.6.3.2
PCI DSS 4.0.1 SAQ P2PE (source) 9.5.1 9.5.1.3 12.6.1
SPARTA CM0041
SWIFT CSF 2023 7.2
TISAX ISA 6 2.1.4 9.7.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) SAT-03
SCF CORE ESP Level 1 Foundational SAT-03
SCF CORE ESP Level 2 Critical Infrastructure SAT-03
SCF CORE ESP Level 3 Advanced Threats SAT-03
SCF CORE AI Model Deployment SAT-03
US (43)
Framework Mapping Values
US C2M2 2.1 WORKFORCE-2.E.MIL3
US CERT RMM 1.2 GG2.GP5 OTA:SG4.SP1 OTA:SG4.SP3
US CISA CPG 2022 2.I 2.J
US CJIS Security Policy 5.9.3 (source) AT-3
US CMMC 2.0 Level 2 (source) AT.L2-3.2.2
US CMMC 2.0 Level 3 (source) AT.L3-3.2.1E AT.L2-3.2.2
US CMS MARS-E 2.0 AT-3
US DHS CISA TIC 3.0 3.UNI.UATRA
US FCA CRM 609.930(c)(4)
US FDA 21 CFR Part 11 11.10 11.10(i)
US FedRAMP R4 AT-3
US FedRAMP R4 (low) AT-3
US FedRAMP R4 (moderate) AT-3
US FedRAMP R4 (high) AT-3
US FedRAMP R4 (LI-SaaS) AT-3
US FedRAMP R5 (source) AT-3
US FedRAMP R5 (low) (source) AT-3
US FedRAMP R5 (moderate) (source) AT-3
US FedRAMP R5 (high) (source) AT-3
US FedRAMP R5 (LI-SaaS) (source) AT-3
US FFIEC D1.TC.Tr.E.3 D1.R.St.E.3
US FIPPS 2
US GLBA CFR 314 2023 (source) 314.4(e)(1)
US HIPAA Administrative Simplification 2013 (source) 164.308(a)(5)(ii)(C) 164.308(a)(5)(ii)(D) 164.530(b)(1)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.308(a)(5)(ii)(C) 164.308(a)(5)(ii)(D)
US HIPAA HICP Small Practice 1.S.B 4.S.C
US HIPAA HICP Medium Practice 1.M.D
US HIPAA HICP Large Practice 1.M.D 1.L.C
US IRS 1075 2.D.1 2.D.2.1 2.D.2.2 AT-3
US NERC CIP 2024 (source) CIP-004-7 2.2 CIP-004-7 2.3
US NISPOM 2020 8-101 8-103 8-104
US NNPI (unclass) 2.1 2.2 2.3
US NSTC NSPM-33 6.1
US SSA EIESR 8.0 5.10
US - CA CCPA 2025 7100(a) 7123(c)(12) 7123(c)(13)
US - MA 201 CMR 17.00 17.04(8)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.10(a)(2)
US - NY SHIELD Act S5575B 4(2)(b)(ii)(A)(4)
US - OR 646A 622(2)(d)(A)(iv
US - TX DIR Control Standards 2.0 AT-3
US - TX TX-RAMP Level 1 AT-3
US - TX TX-RAMP Level 2 AT-3
US - VT Act 171 of 2018 2447(b)(2)(A) 2447(c)(8)
EMEA (15)
Framework Mapping Values
EMEA EU AI Act 9.5(c)
EMEA EU EBA GL/2019/04 3.2.1(3) 3.4.7(49)
EMEA EU DORA 13.6
EMEA EU NIS2 Annex 8.2.1 8.2.2 8.2.3 8.2.3(a) 8.2.3(c) 8.2.4
EMEA Germany C5 2020 DEV-04
EMEA Israel CDMO 1.0 20.2 25.3
EMEA Qatar PDPPL 11.3
EMEA Saudi Arabia IoT CGIoT-1 2024 1-9-1
EMEA Saudi Arabia ECC-1 2018 1-10-3 1-10-3-1 1-10-3-2 1-10-3-3 1-10-3-4 1-10-4 1-10-4-1 1-10-4-2 1-10-4-3
EMEA Saudi Arabia OTCC-1 2022 1-8-1 1-8-2 1-8-3
EMEA Saudi Arabia SACS-002 TPC-7
EMEA Saudi Arabia SAMA CSF 1.0 3.1.6 3.1.7
EMEA Spain CCN-STIC 825 8.2.3 [MP.PER.3] 8.2.4 [MP.PER.4]
EMEA UK CAF 4.0 B6.b
EMEA UK DEFSTAN 05-138 2321 2602
APAC (6)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1146 ISM-1565 ISM-1740
APAC China Data Security Law 27
APAC India SEBI CSCRF PR.AT.S2
APAC Japan ISMAP 4.5.2 4.5.3 4.5.3.1 7.2.1 7.2.2 7.2.2.19.PB
APAC New Zealand NZISM 3.6 9.1.6.C.01 9.1.6.C.02 9.1.6.C.03
APAC Singapore MAS TRM 2021 3.6.2 3.6.3 6.1.5
Americas (3)
Framework Mapping Values
Americas Canada CSAG 1.7 1.8 1.9
Americas Canada OSFI B-13 3.1.7
Americas Canada ITSP-10-171 03.01.22.A 03.02.01.A.01 03.02.01.A.02 03.02.02.A 03.02.02.A.01 03.02.02.A.02 03.02.02.B 03.06.04.A 03.06.04.A.01 03.06.04.A.02 03.06.04.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to provide role-based cybersecurity and data protection-related training: (1) Before authorizing access to the system or performing assigned duties; (2) When required by system changes; and (3) Annually thereafter.

Level 1 — Performed Informally

Security Awareness & Training (SAT) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Training activities are decentralized.
  • Security awareness and training methods are often generic, without organization-specific content.
  • IT/cybersecurity personnel self-manage their professional certification requirements to support their assigned duties.
  • Personnel management is mainly decentralized, with the responsibility for training users on new technologies and enforcing policies being assigned to users’ supervisors and managers.
Level 2 — Planned & Tracked

Security Awareness & Training (SAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls to address applicable statutory, regulatory and contractual requirements for security training and awareness activities. o Create/govern security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Self-manage their professional certification requirements to support their assigned duties.

  • Training and awareness activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
  • The Human Resources (HR) department works with cybersecurity personnel to facilitate workforce development and awareness to help ensure secure practices are implemented.
  • Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
  • IT/cybersecurity personnel:
Level 3 — Well Defined

Security Awareness & Training (SAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data with regards to security awareness and training. o Defines minimum cybersecurity training (including certifications) for personnel, based on their specific roles. o Creates/governs security and awareness training to meet specific statutory, regulatory and/ or contractual compliance obligations. o Identifies and implements industry-recognized HR practices related to security workforce development and awareness to help ensure secure practices are implemented in personnel management operations. o Documents, retains and monitors individual training activities, including basic security awareness training, ongoing awareness training and specific-system training. o Ensures that every user accessing a system processing, storing or transmitting sensitive/regulated data is formally trained in data handling requirements. o Ensures all employees and contractors receive awareness education and training that is relevant for their job function, including social engineering-related threats.

  • A Governance, Risk & Compliance (GRC) function, or similar function:
  • A steering committee is formally established to provide executive oversight of the cybersecurity and data protection program, including security awareness and training.
  • Security awareness and training methods are role-based (e.g., handling sensitive/regulated data).
  • The Human Resources (HR) department:
Level 4 — Quantitatively Controlled

Security Awareness & Training (SAT) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide role-based cybersecurity and data protection-related training: (1) Before authorizing access to the system or performing assigned duties; (2) When required by system changes; and (3) Annually thereafter.

Assessment Objectives

  1. SAT-03_A01 roles and responsibilities for role-based cybersecurity / data privacy training are defined.
  2. SAT-03_A02 events that require role-based security training content updates are defined.
  3. SAT-03_A03 role-based cybersecurity / data privacy training is provided to organizational personnel before authorizing access to the system or sensitive / regulated data.
  4. SAT-03_A04 role-based security training is provided to organizational personnel before performing assigned duties.
  5. SAT-03_A05 role-based cybersecurity / data privacy training is provided to organizational personnel per an organization-defined frequency after initial training.
  6. SAT-03_A06 role-based cybersecurity / data privacy training is provided to organizational personnel when required by system changes or following organization-defined events.
  7. SAT-03_A07 the frequency at which to provide role-based security training to assigned personnel after initial training is defined.
  8. SAT-03_A08 the frequency at which to update role-based security training content is defined.
  9. SAT-03_A09 role-based security training content is updated per an organization-defined frequency.
  10. SAT-03_A10 role-based security training content is updated following organization-defined events.
  11. SAT-03_A11 lessons learned from internal or external security incidents or breaches are incorporated into role-based training.
  12. SAT-03_A12 events that require role-based security training are defined.
  13. SAT-03_A13 incident response training for system users consistent with assigned roles and responsibilities is provided within an organization-defined time period of assuming an incident response role or responsibility or acquiring system access.
  14. SAT-03_A14 incident response training for system users consistent with assigned roles and responsibilities is provided when required by system changes.
  15. SAT-03_A15 incident response training for system users consistent with assigned roles and responsibilities is provided per an organization-defined frequency thereafter.
  16. SAT-03_A16 role-based security training is provided to organizational personnel before authorizing access to the system or CUI.
  17. SAT-03_A17 role-based security training is provided to organizational personnel <A.03.02.02.ODP[01]: frequency> after initial training.
  18. SAT-03_A18 role-based security training is provided to organizational personnel when required by system changes or following <A.03.02.02.ODP[02]: events>.
  19. SAT-03_A19 role-based security training content is updated <A.03.02.02.ODP[03]: frequency>.
  20. SAT-03_A20 role-based security training content is updated following <A.03.02.02.ODP[04]: events>.
  21. SAT-03_A21 incident response training for system users consistent with assigned roles and responsibilities is provided within <A.03.06.04.ODP[01]: time period> of assuming an incident response role or responsibility or acquiring system access.
  22. SAT-03_A22 incident response training for system users consistent with assigned roles and responsibilities is provided <A.03.06.04.ODP[02]: frequency> thereafter.

Evidence Requirements

E-SAT-05 Role-Based Training

Documented evidence of specialized user training for privileged users, executives, individuals who handle sensitive/regulated data, etc.

Education

Technology Recommendations

Micro/Small

  • KnowB4 (https://knowbe4.com)

Small

  • KnowB4 (https://knowbe4.com)

Medium

  • KnowB4 (https://knowbe4.com)

Large

  • KnowB4 (https://knowbe4.com)

Enterprise

  • KnowB4 (https://knowbe4.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free