
3.2.2 — Role-Specific Training

Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

People with security-related roles need training beyond general awareness — training specific to what they do. This isn’t the same phishing course everyone takes. This is role-based training that equips people with the skills to perform their specific security duties.

Three things the assessor checks:

  1. Security roles and duties are defined. You’ve documented which roles have security responsibilities and what those responsibilities are. System administrators, security officers, incident responders, backup operators, audit log reviewers — each has defined security duties.

  2. Roles are assigned to specific people. Named individuals hold these roles — not vague team assignments. The assessor wants to see a list of security-related roles with the people assigned to each.

  3. Assigned personnel are trained for their specific duties. The sysadmin who hardens servers has been trained on CIS Benchmarks and your hardening procedures. The incident responder knows the IR plan and has practiced it. The SIEM operator knows how to write queries and investigate alerts. Training records show role-specific content, not just the general awareness course.


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|----------|-----------------------|
| 1 | Are information security-related duties and roles defined? | Documented list of security roles with their specific duties |
| 2 | Are security roles assigned to designated personnel? | Named individuals assigned to each role |
| 3 | Are assigned personnel trained for their specific duties? | Training records showing role-specific content — not just general awareness |

Documents they’ll review: Security awareness and training policy; role-based training matrix; training records for personnel in security roles; list of security-related roles and assigned personnel; training curriculum specific to each role

People they’ll talk to: Personnel in security roles (sysadmins, security staff, incident responders); personnel responsible for training; information security management

Live demos they’ll ask for: “Show me your training matrix — who has which security role and what training have they completed?” “Show me the SIEM operator’s training record.” “Has the incident response team been trained on your IR plan?”


These are the actual questions. Have answers ready.

  • “What security-related roles exist in your organization? Who holds them?”
  • “Show me the training record for your primary system administrator — what role-specific training have they completed?”
  • “How is role-based training different from your general awareness training?”
  • “When new security tools are deployed, do the responsible staff receive training?”
  • “Is role-based training updated when responsibilities change?”

Same training for everyone. The system administrator gets the same generic phishing course as the receptionist. Role-specific training means different content for different roles.

No role definitions. People perform security functions but the roles aren’t documented. The assessor asks “who is your incident responder?” and nobody’s sure. Define roles, assign them, document them.

No training records. The sysadmin learned on the job, attended conferences, read documentation — but none of it is tracked. Training records need to exist — formal courses, vendor certifications, documented internal training sessions.

New tools without training. A SIEM is deployed but the person managing it never received formal training on the product. When new security tools or responsibilities are assigned, training should precede operational use.



| Requirement | Why it matters here |
|-------------|---------------------|
| 3.2.1 — Train Everyone | General awareness for all users; role-specific training here for security staff |
| 3.6.1 — Have a Plan | IR team must be trained on the incident response plan |
| 3.4.2 — Harden Everything | Sysadmins must be trained on the hardening baselines they apply |


Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.


CMMC Practice ID: AT.L2-3.2.2 | SPRS Weight: 5 points | POA&M Eligible: No