NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-13 Security and Privacy Workforce

Establish a security and privacy workforce development and improvement program.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Security and privacy workforce development and improvement programs include defining the knowledge, skills, and abilities needed to perform security and privacy duties and tasks; developing role-based training programs for individuals assigned security and privacy roles and responsibilities; and providing standards and guidelines for measuring and building individual qualifications for incumbents and applicants for security- and privacy-related positions. Such workforce development and improvement programs can also include security and privacy career paths to encourage security and privacy professionals to advance in the field and fill positions with greater responsibility. The programs encourage organizations to fill security- and privacy-related positions with qualified personnel. Security and privacy workforce development and improvement programs are complementary to organizational security awareness and training programs and focus on developing and institutionalizing the core security and privacy capabilities of personnel needed to protect organizational operations, assets, and individuals.

Practitioner Notes

Your security program is only as good as the people running it. This control requires you to build and maintain a workforce with the skills and certifications needed to protect your organization.

Example 1: Create a security workforce plan that identifies the roles you need (system admin, security analyst, compliance officer), the certifications each role requires (Security+, CISSP, CISM), and your plan for filling gaps through hiring, training, or contracting.

Example 2: Budget for annual training and certification renewals. Send your IT staff to SANS courses or use platforms like Cybrary or NICCS for role-based training. Track certifications in a spreadsheet and set renewal reminders so nobody lapses. Document DoD 8140 compliance if working on federal contracts.