G.4.1 Role-based training

Control Details

Objective

Provide security training for all personnel involved in software development

Definition

Provide literacy and role-based training on software security and the secure software supply chain. This training should cover the firm's security culture, the secure software development lifecycle, containerization and security orchestration, common security mistakes, technologies such as CI/CD, AI models, and DevSecOps, and recognizing insider threats. Require this training as part of onboarding and periodically thereafter.

Assessment Questions

  1. Describe the training given to employees and to vendors related to software supply chain security.
  2. Describe your process for scheduling and monitoring team member training in secure software architecture, design, development, testing, and software supply chain management.
  3. How do you customize the training specific to team roles, development tools, and languages?

Reference sources

  1. EO 4e(vi)
  2. SSDF PO.2.2
  3. SSDF-AI PO.2.2
  4. BSIMM T1.1 T1.7 T1.8 T2.5 T2.8 T2.9 T3.1 T3.2
  5. 800-161 AT-2 AT-3 SA-16
  6. SAMM G-EG-2-A