SA-16

SA-16 DEVELOPER-PROVIDED TRAINING

Overview

Number	Title	Impact	Priority	Subject Area
SA-16	Developer-Provided Training	HIGH	P2	System And Services Acquisition

Instructions
The organization requires the developer of the information system, system component, or information system service to provide Assignment: organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.

Guidance
This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.

Guidance

This control applies to external and internal (in-house) developers. Training of personnel is an essential element to ensure the effectiveness of security controls implemented within organizational information systems. Training options include, for example, classroom-style training, web-based/computer-based training, and hands-on training. Organizations can also request sufficient training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security functions, controls, or mechanisms.

Enhancements