Role Based Training (RBT)
Required training at CMS to ensure that federal staff and contractors have the security and privacy knowledge and skills needed for their role
- #cyber-training-support
What is Role Based Training (RBT)?
Role-Based Training (RBT) helps CMS staff and contractors get the right security and privacy training for their assigned roles. This training will have different content depending on each person’s job responsibilities, the specific security requirements of their organization, and the systems to which they have access.
Who needs to take RBT?
Anyone whose role assignment at CMS includes “significant security or privacy responsibilities” (SSR) needs to take role-specific training on a regular basis. These responsibilities include any job task that has the potential to harm the security posture of CMS systems or information. Roles that need to take RBT include:
- Information System Security Officer
- Data Guardian
- System Owner
- Business Owner
- Senior Executive
- Privacy Advisor
- Cyber Risk Advisor
- Contractors who have SSR
You may still need to take RBT even if your role isn’t on the list above. It is required for everyone who has significant security or privacy responsibilities.
How often is RBT required?
If your job requires role-specific training, you will need to take it:
- Within 60 days of when you first get hired (or assigned to the role)
- Annually thereafter
- When information systems have changed in a way that requires you to perform new skills or procedures
The training should be taken before you start accessing sensitive information systems or performing your assigned role that involves significant security or privacy responsibilities.
How to get training
CMS-provided training
CMS is responsible for providing Role Based Training to Federal staff and direct support contractors who have significant security or privacy responsibilities. The RBT provided by CMS is embedded in the required annual Information Systems Security and Privacy Awareness (ISSPA) Training. This training covers the security and privacy policies, procedures, and skills needed for the respective roles and satisfies both the role-based and annual requirements.
Some roles may require additional RBT due to specific security and privacy responsibilities. You may find relevant training for your role in the CMS Computer Based Training/Learning Management System (CMS login required). You can also talk to your supervisor to see what RBT you need.
Other training
Besides the Role-Based Training offered by CMS, everyone who needs RBT may take advantage of other qualified training offered by government or industry. This could include conferences, workshops, seminars, forums, or professional independent reading and research. Learn more in the CMS Cybersecurity and Privacy Training Handbook.
What training is right for my role?
When choosing a training or activity for Role-Based Training, you will need to determine whether it fulfills the RBT requirements for your role.
Training mapped to NICE roles
Increasingly, training offerings are mapped to the NICE framework, created by the National Institute of Standards and Technology (NIST) as a common reference point for talking about cybersecurity work. This framework includes NICE roles, which describe the Knowledge, Skills, and Abilities (KSA) specific to each role in the security and privacy world.
If the training you are considering has listed the NICE Role ID(s) that it is suitable for, you can use those to see if the training can serve as the required RBT for your role.
There are a few ways you can learn more about your NICE Role ID:
- Ask your business operations staff for help
- Use the NICE Cybersecurity Workforce lookup tool
Training not mapped to NICE roles
If you are considering a training or activity that is not mapped to NICE roles, you will need to evaluate it to see if it covers the topics needed for your Role-Based Training. To evaluate the training, you need to:
- Identify the NICE Role ID(s) that you need training for
- Review the Knowledge, Skills, Abilities (KSA) and Tasks associated with the role(s). You can find these in the NICE Cybersecurity Workforce Framework (NIST SP 800-181) or by using the NICE Cybersecurity Workforce lookup tool. (You can also ask your business operations staff for help.)
- Now that you know the specific skills you need to train for, check the training description to see if it covers those topics. Depending on the training or activity, you may be checking a course description or syllabus, seminar overview, conference summary or schedule, or other materials that describe the training.
- Document whether the training you are evaluating is relevant to your needed RBT. You can use a table like the one below to help you map the training topics to the related NICE role ID, KSA, and Tasks.
| Training opportunity | NICE role ID | Knowledge | Skills | Abilities | Tasks |
|---|---|---|---|---|---|
| | | | | | |
Before you choose an external training for your RBT, have your supervisor (or, for contractors, your employer) review and approve it.
Tracking and recording RBT
CMS contractors
Contractors working for CMS are required to track their own Role-Based Training, whether they access it from CMS or elsewhere.
CMS Contracting Officers (COs) and Contracting Officer Reps (CORs) must collect training records showing that all CMS contractors with significant security or privacy responsibilities have completed RBT suitable to their roles:
- Within 60 days of beginning work on the contract
- Annually thereafter
- Upon request as needed
CMS employees
For employees within CMS, supervisors are responsible for making sure that their direct reports complete all required information security training, including RBT, within the mandated time.
Identifying which people need RBT
CMS contractors
When beginning new contract work, the COR or Contract Government task lead needs to identify which contractors will need to take Role-Based Training. Use the following steps:
- Review the definition of “significant security or privacy responsibilities” (SSR) provided in the CMS IS2P2.
- Identify all positions in the contract that include duties with SSR. Each of these will require RBT.
- For each job position, determine what RBT is needed by reviewing the NICE Cybersecurity Workforce Framework (NIST SP 800-181). Choose the NICE role(s) that align with each job position. Each position can have up to three roles, listed in order of importance with the most critical job function first.
- Notify all personnel who have SSR and therefore must take RBT. This notification should include the NICE role assignments for the job position.
- Follow this process whenever new job positions are created, and when there are changes to an existing position that involve significant security or privacy responsibilities.
CMS employees
The instructions for identifying federal employees with significant information security and privacy responsibilities (SSR) and RBT requirements are detailed in data calls conducted by Office of Human Capital (OHC). CMS managers must participate in these calls.
Reference
Related documents and resources
- Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems
- The IS2P2 defines how CMS protects and controls access to its information and systems. It outlines compliance activities and defines roles and responsibilities.
- Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS
- RMH Chapter 2 provides information about the security controls associated with the Awareness & Training (AT) control family
- Available security and privacy training offerings for ISPG staff (CMS login required)