KSI-CED-RST—Reviewing Role-Specific Training
Formerly KSI-CED-02
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express transport encryption as a continuously monitored and publicly graded control — SSL Labs scans running on schedule, TLS configuration dashboards showing grade trends per endpoint, and certificate rotation tracked automatically. Transport encryption becomes a verifiable, measurable property with external grading.
TLS Configuration Report
SSL Labs or equivalent scan results expressing TLS configuration grade and protocol support — automated and recurring
Encryption in Transit Documentation
How encryption-in-transit is implemented — TLS versions, cipher suites, and certificate management as product features
Network Encryption Architecture
Architecture expressing encryption boundaries for all network communication paths
Programmatic Queries
CLI Commands
# List repository collaborators with their effective role (the original filter used `.[].{...}`, which is not valid jq; the object must be built with `.[] | {...}`)
gh api repos/{owner}/{repo}/collaborators --jq '.[] | {login, role_name, permissions}'
# List teams granted access to the repository and the permission level of each
gh api repos/{owner}/{repo}/teams --jq '.[] | {name, permission}'

20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your high-risk role definition include all relevant categories — privileged administrators, security operations staff, data custodians, and personnel with access to production systems?
- Are role-specific training requirements tailored to each role's actual threat exposure, or is it the same advanced content for all high-risk roles?
- How do you ensure contractors and third-party personnel in high-risk roles receive the same role-specific training as internal staff?
- When a staff member transitions into a high-risk role, what process ensures they complete required training before receiving elevated access?
Automation & Validation:
- What automated controls prevent privileged access from being granted until role-specific training is verified complete?
- How do you measure whether role-specific training reduces security incidents or misconfigurations attributable to trained roles?
- What happens when role-specific training expires — is privileged access automatically suspended until recertification, or only flagged?
- How do you validate that training content for each role addresses the specific tools, threats, and responsibilities relevant to that role?
Inventory & Integration:
- How does your IAM system integrate with your LMS to enforce the linkage between role assignments and training requirements?
- What tools maintain the mapping of high-risk roles to their specific training curricula, and is this mapping version-controlled?
- How do role changes (promotions, lateral moves, departures) automatically trigger training requirement updates?
- Are training requirements for each role documented alongside the role definition in your access management system?
Continuous Evidence & Schedules:
- How frequently is role-specific training required, and what evidence demonstrates every high-risk role holder is current?
- Is role-specific training compliance data available via API or dashboard showing real-time status for every privileged user?
- How do you demonstrate that training effectiveness reviews are conducted on schedule and result in curriculum improvements?
- What evidence shows the list of high-risk roles is reviewed periodically and updated as the organization and threat landscape evolve?
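As an added example (not part of this page or of any FedRAMP tooling), the check below joins the output of the page's `gh api .../collaborators` query with an LMS completion export and reports every holder of a high-risk repository role whose role-specific training is missing or past its recertification window, the kind of evidence the Automation & Validation and Continuous Evidence questions above ask for. The role-to-course mapping, the course name, and both data samples are constructed assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample of what `gh api repos/{owner}/{repo}/collaborators` returns,
# trimmed to the fields the page's --jq filter selects.
COLLABORATORS_JSON = """[
  {"login": "alice", "role_name": "admin",    "permissions": {"admin": true,  "push": true, "pull": true}},
  {"login": "bob",   "role_name": "maintain", "permissions": {"admin": false, "maintain": true, "push": true, "pull": true}},
  {"login": "carol", "role_name": "write",    "permissions": {"admin": false, "push": true, "pull": true}}
]"""

# Constructed sample LMS export: login, course id, completion date (ISO 8601).
LMS_RECORDS = [
    {"login": "alice", "course": "privileged-admin-security", "completed": "2024-01-10"},
    {"login": "bob",   "course": "privileged-admin-security", "completed": "2022-06-01"},
]

# Hypothetical mapping of high-risk repository roles to the required course and
# its recertification period in days; in practice this mapping is version-controlled.
ROLE_TRAINING = {
    "admin":    ("privileged-admin-security", 365),
    "maintain": ("privileged-admin-security", 365),
}

def training_gaps(collaborators_json, lms_records, today_iso):
    """Return [(login, role, course, status)] for every high-risk role holder whose
    role-specific training is missing or older than the recertification period."""
    today = date.fromisoformat(today_iso)
    latest = {}  # (login, course) -> most recent completion date
    for r in lms_records:
        key = (r["login"], r["course"])
        done = date.fromisoformat(r["completed"])
        if key not in latest or done > latest[key]:
            latest[key] = done
    gaps = []
    for c in json.loads(collaborators_json):
        req = ROLE_TRAINING.get(c["role_name"])
        if req is None:
            continue  # not a high-risk role, so no role-specific requirement
        course, period_days = req
        done = latest.get((c["login"], course))
        if done is None:
            gaps.append((c["login"], c["role_name"], course, "missing"))
        elif today - done > timedelta(days=period_days):
            gaps.append((c["login"], c["role_name"], course, "expired"))
    return gaps

if __name__ == "__main__":
    for gap in training_gaps(COLLABORATORS_JSON, LMS_RECORDS, "2024-06-01"):
        print("%s (%s): %s training %s; hold privileged access until recertified" % gap)
```

Feeding the live `gh api` output in place of the constructed JSON and running this on a schedule yields a dated list of privileged users whose access should be suspended pending recertification.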