NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-16 Developer-provided Training

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: {{ insert: param, sa-16_odp }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.

Practitioner Notes

Require developers to provide training for administrators and users of the systems they build or sell. Without proper training, even secure systems will be operated insecurely.

Example 1: Include training requirements in contracts with system developers and vendors. The vendor should provide administrator training covering security configuration, account management, log review, patch management, and incident response specific to their product.

Example 2: For internally developed systems, have the development team create training materials and conduct knowledge transfer sessions with the operations team before handoff. Cover security architecture, common attack scenarios, hardening procedures, and how to recognize and respond to security events specific to the application.