According to FISMA, an agencywide information security program must include security awareness training for agency personnel, contractors, and other users of information systems that support the agency's operations and assets. This training must cover (1) information security risks associated with users' activities and (2) users' responsibilities in complying with agency policies and procedures designed to reduce these risks. FISMA also includes requirements for training personnel with significant responsibilities for information security.
In addition, OMB requires that personnel be trained before they are granted access to systems or applications. The training is intended to ensure that personnel are aware of the rules of the system or application, their responsibilities, and their expected behavior.