Operating units shall establish IT security awareness and training programs to assure that federal and contractor personnel involved in the management, operation, programming, maintenance or use of IT are aware of their security responsibilities and know how to fulfill them.
All new employees will receive an IT security awareness briefing as part of their orientation within 60 days of their appointment and all employees will be provided with refresher awareness material or briefings at least annually.
IT security training above the awareness level shall be provided to personnel who design, implement or maintain systems regarding the types of security and internal control techniques that should be incorporated into system development, operations and maintenance.
Individuals assigned responsibilities for IT security shall be provided with in-depth training regarding security techniques, methodologies for evaluating threats and vulnerabilities that affect specific IT systems and applications and selection and implementation of controls and safeguards.