U.S. government Edit
Security awareness and training in accepted security practices for Federal employees are mandated by the Computer Security Act of 1987 (the "Act") . . . for "all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency." NIST and the U.S. Office of Personnel Management (OPM) were assigned the joint task of developing and issuing guidelines for the computer security training mandated by the Act. NIST issued NIST Special Publication 500-172, Computer Security Training Guidelines, in November 1989. In January 1992, OPM issued a revision to Federal regulations that made the voluntary guidelines in that publication mandatory.
The OPM regulation requires training: (1) for current employees; (2) for new employees within 60 days of hire; (3) whenever there is a significant change in the agency's IT security environment or procedures; and (4) when an employee enters a new position that deals with sensitive information. It also requires periodic refresher training, based on the sensitivity of the information the employee handles.
OMB Circular A-130, Appendix III restates these mandatory training requirements. It also requires that before receiving access to any IT systems or applications, all employees must receive specialized training focusing on their IT security responsibilities and established system rules.
- ↑ 5 C.F.R. Part 930, RIN 3205-AD43 (hereinafter OPM regulation).
- Overview: U.S. government: Practices for Securing Critical Information Assets, at 6.