OPM outlines four steps for IT security training

The Office of Personnel Management today outlined a four-step process for agencies to follow to ensure employees, contractors and others who access federal systems are adequately trained in IT security.

The final rule, effective today, requires agencies to develop an IT security training plan.

The plan should identify employees with significant cybersecurity responsibilities and provide role-specific training as detailed by the National Institute of Standards and Technology guidance. The rule said:

  • All users of agency systems must be exposed to security awareness materials at least annually.

  • Executives must receive training in IT security basics and policy level training in security and planning management.

  • Program managers, functional managers and IT functional and operations personnel must received training in IT security basics, management and implementation level training in security planning and system security management, application lifecycle management, risk management and contingency planning.

  • CIOs, IT security program managers, auditors and other security personnel, such as system and network administrators, must receive training in security basics and broad training in security planning, system and application security management, and system lifecycle, risk and contingency planning management.

Agencies also must provide all new employees training before granting them access to federal systems. Employees must be given refresher training as determined necessary by the agency based on the sensitivity of the information that the worker uses.

Departments also must provide new training whenever there is a significant change in the IT environment or procedures.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.