2025 Impact Summary is now live (12/16/25)
[RRCoP Question and Use Cases] [View & Download Full Fraizer & Deeter Responses]
In higher education and collaborative research institutions, personnel roles can be highly fluid. Researchers, principal investigators (PIs), graduate students, and central IT staff often share overlapping responsibilities.
To help our member institutions build compliant, efficient training programs, we would appreciate your perspective on the following areas:
In a research environment, many individuals possess elevated privileges (e.g., local administrative rights on lab instruments or specialized high-performance computing clusters) but are not traditional "IT administrators". Furthermore, institutions must clearly delineate where basic compliance awareness ends and role-based training begins.
How strictly do assessors define "assigned information security-related duties" when evaluating non-traditional IT roles, and what is the specific threshold separating general security awareness (Control 3.2.1) from specialized role-based training (Control 3.2.2)?
To what extent will assessors accept a modular curriculum approach—combining foundational training with technical modules based on specific privileges—and can active professional certifications (e.g., CISSP, Security+) be leveraged to satisfy these requirements?
Academic environments often struggle with decentralized learning management systems (LMS) and rapid
student-employee turnover.
What specific forms of administrative and content evidence do assessors expect to see during an audit? Specifically, will decentralized records (e.g., signed lab rosters, spreadsheets) be accepted in lieu of a centralized LMS
Must institutions present granular module materials (slide decks, quizzes) or simply high-level course syllabi?
Institutions should not view 3.2.2 as a general security awareness requirement. That topic is more appropriately covered under 3.2.1. Instead, 3.2.2 focuses on whether personnel receive the training they need to carry out their assigned security responsibilities.
At a high level, the assessment objectives are straightforward:
Security responsibilities are defined.
Security responsibilities are assigned.
Personnel receive training appropriate to those responsibilities.
In a research environment, not everyone has the same responsibilities for protecting CUI. A Principal Investigator, system administrator, graduate researcher, and sponsored research administrator may each play a different role, and the training they receive should reflect those differences.
A role-based training model is usually the clearest and most supportable approach. At a minimum, institutions should consider separate training paths for:
Researchers and research staff handling CUI.
Principal Investigators and research leadership.
IT and security personnel supporting CUI systems and enclaves.
Training should address the responsibilities assigned to each role. For researchers, that may include handling CUI, applying markings, following sharing restrictions, and reporting incidents. For administrative and technical personnel, the training should focus on the controls, procedures, and system responsibilities they are expected to carry out or support.
One common challenge in higher education is the collaborative nature of research. Personnel are often used to broad information sharing, publication, and coordination with outside parties. Because of that, training should clearly explain when research data qualifies as CUI, who is authorized to access it, how it can be shared, what restrictions apply to cloud platforms and collaboration tools, what is required for visiting researchers, and when incidents must be reported.
Organizations may use awareness platforms such as the DoD Cyber Awareness Challenge, KnowBe4, SANS Security Awareness, or university-developed training to support broader awareness efforts. Those tools can be helpful, but by themselves they are not usually enough to demonstrate compliance with 3.2.2 unless they are supplemented with training tied to each person’s assigned responsibilities.
The same point applies to professional certifications such as CISSP, Security+, CISM, or similar credentials. Certifications may show general knowledge, but they do not by themselves demonstrate that personnel have been trained on the organization’s specific policies, procedures, technologies, or CUI handling requirements.
In practice, stronger evidence would typically include:
A documented role-to-responsibility matrix.
Defined training requirements by role.
Role-specific training content.
Training completion records.
Procedures requiring training before access to the CUI environment.
Periodic refresher training.
For a research university, a practical and supportable approach is to establish distinct training paths for CUI users, research leadership, and IT/security personnel, require completion before access is granted to the CUI environment, and retain evidence showing that the training aligns to each person’s assigned security responsibilities.
Ready to Dive Deeper?
If you have more questions, need a consultation or seek tailored guidance, our team is here to help. At Frazier & Deeter, we are committed to providing the support and expertise you need to navigate your unique circumstances. Contact us today to find out how we can assist you in achieving your goals with confidence.
For more information, Contact: Bob Woosley | Frazier & Deeter National Practice Leader | bob.woosley@frazierdeeter.com