CMMC Practice AT.2.057
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Bold Coast Security Guidance
For Level 2 compliance, your policy needs to state that all users engaged in security related activities are trained to perform those activities. For Level 3 maturity, you need to have Plan to implement defined, such as assigning a budget category for continuing education, and who is in charge reviewing skill sets and training needs on an annual basis. For Level 4 maturity, you will need to step back and ensure that the training dollars are being used effectively, perhaps has part of the employee annual review, combined with a review of actual dollars spent on training.
DRAFT NIST SP 800-171 R2
Organizations determine the content and frequency of security training based on the assigned duties, roles, and responsibilities of individuals and the security requirements of organizations and the systems to which personnel have authorized access. In addition, organizations provide system developers, enterprise architects, security architects, acquisition/procurement officials, software developers, system developers, systems integrators, system/network administrators, personnel conducting configuration management and auditing activities, personnel performing independent verification and validation, security assessors, and other personnel having access to system-level software, security-related technical training specifically tailored for their assigned duties.
Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Such training can include policies, procedures, tools, and artifacts for the security roles defined. Organizations also provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of organizational information security programs.
NIST SP 800-181 provides guidance on role-based information security training in the workplace. SP 800-161 provides guidance on supply chain risk management.