Role-Based Training

Role-Based Training: Required at least every three years--or more frequently as needed to address technology changes or patterns of vulnerabilities in information systems--for individuals with significant IT security responsibilities. This training is in addition to the annual security awareness training.

HHS Guidance on who must take Role-based Training

HHS requires role-based training when responsibilities associated with a given role or position, could, upon exception, have the potential to adversely impact the security posture of one or more HHS systems. For further guidance, please read the HHS CISO Memorandum on Role-Based Training of Personnel with Significant Security Responsibilities.

HHS has a more rigorous expectation for the training of individuals who develop or manage sensitive systems. These staff must receive training based on their specific duties and the technologies they use, and on the ability of the courses to help the individual secure the information and information systems user his or her influence. Read additional guidance at: HHS CIO Memorandum on Training of Individuals Developing and Managing Sensitive Systems.

  • Who takes it? Using HHS guidance (see above) your IC CIO and ISSO compile a list of staff that is considered to have significant IT security responsibilities. ISSOs notify staff when they are due for training. HHS defines three major role categories (executive, manager, and system administrator). If you have more than one role, you'll need to take at least one course that is relevant to each role. If in doubt, check with your ISSO.

  • How often is it required? HHS requires that new staff with this designation take relevant training within their first three months, and thereafter, a minimum of one relevant training every three years. However, individuals who develop or manage sensitive systems require a higher level of technical training and their supervisor should review the HHS guidance.

  • What do you take? You can either take a course in the training site or your can take an external course and provide a self-entered training record. If you previously took one of these courses and are due for training, you can repeat the same course to satisfy the every-three year requirement.

  • Courses in the Training Site: Includes HHS and NASA courses. If you take a course through the NIH security training site, you do not need to record it anywhere else, i.e., you don't need a certificate of completion to prove you took the course.

    • HHS Courses: Depending on your role(s), there is an HHS course that is relevant for it. HHS broadly classifies its three courses as relevant for executives, managers, or IT administrators. The course menu provides some advice on which courses are appropriate for the three roles.

    • NASA Courses: Several NASA courses are included in our training menu. Although they have not been tailored to NIH, the information is generic in nature and provides more depth than the HHS courses. Staff can elect to take one or more of these courses based on relevancy to their roles.

  • External Courses: Users can satisfy their training requirements by taking courses/training external to the courses in the Training Site. These include security certification courses (e.g., CISSP, CEH, CAP, GIAC), attending conferences, workshops, educational vendor presentations, other NIH sponsored trainings. The important point is that the training is relevant to their roles. Training should be rigorous enough to satisfy Inspector General (IG) Auditors review.

  • How is it tracked?

    • HHS and NASA courses are automatically tracked in the Training website.

    • Self-Entered Training Records can be added to the training site: To record training, log into the training site. On the menu page, select the option for Add a Role-Based Training Record. This will authenticate you through NIH Login and take you to the screen for entering your information. Please note the feature for uploading a training certificate. The IG Auditors require some form of formal proof that you took a course. In addition, other options are listed below.

  • If NO Training Certificate is Available: The following are examples of PROOF OF TRAINING that are acceptable to the IG Auditors.
    • Please ENSURE that the documentation you upload DOES NOT include any Personally Identifiable Information (e.g., Social Security Number, if included, has been blacked out).
    • Trainee traveled for the training: Copy of Travel Request, Registration, Agenda/Course outline, email confirming participation, etc.
    • No certificate for online training: Copy the information from the last page of the training into a Word document and include your name and date, along with a statement that the training did not issue a certificate. Ensure that you include the name of the course, the URL of the online site and any other pertinent information.
    • Trainee is taking courses: A copy of the student's transcript. Ensure that all personal information is blacked out (including other course titles and grades, if desired).
    • Trainees can post a certified email from their supervisor that the trainee took the course, including the title, course description, date, length of training, etc.
  • Deadline: June 15; however, ICs may establish earlier deadlines. Individuals beginning work at NIH with this designation must complete appropriate role-based training within three months of their initial start dates.