[Code of Federal Regulations]
[Title 5, Volume 2]
[Revised as of January 1, 2008]
From the U.S. Government Printing Office via GPO Access
[CITE: 5CFR930.301]

[Page 604-605]
 
                    TITLE 5--ADMINISTRATIVE PERSONNEL
 
          CHAPTER I--OFFICE OF PERSONNEL MANAGEMENT (CONTINUED)
 
PART 930_PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS (MISCELLANEOUS)--
 
Subpart C_Information Security Responsibilities for Employees who Manage 
                   or Use Federal Information Systems
 
Sec.  930.301  Information systems security awareness training program.

    Authority: 5 U.S.C. 4118; Pub. L. 107-347, 116 Stat. 2899.

    Source: 69 FR 32836, June 14, 2004, unless otherwise noted.

    Each Executive Agency must develop a plan for Federal information 
systems security awareness and training and--
    (a) Identify employees with significant information security 
responsibilities and provide role-specific training in accordance with 
National Institute of Standards and Technology (NIST) standards and 
guidance available on the NIST Web site, 
http://csrc.nist.gov/publications/nistpubs/, as follows:
    (1) All users of Federal information systems must be exposed to 
security awareness materials at least annually. Users of Federal 
information systems include employees, contractors, students, guest 
researchers, visitors, and others who may need access to Federal 
information systems and applications.
    (2) Executives must receive training in information security basics 
and policy level training in security planning and management.
    (3) Program and functional managers must receive training in 
information security basics; management and implementation level 
training in security planning and system/application security 
management; and management and implementation level training in system/
application life cycle management, risk management, and contingency 
planning.
    (4) Chief Information Officers (CIOs), IT security program managers, 
auditors, and other security-oriented personnel (e.g., system and 
network administrators, and system/application security officers) must 
receive training in information security basics and broad training in 
security planning, system and application security management, system/
application life cycle management, risk management, and contingency 
planning.
    (5) IT function management and operations personnel must receive 
training in information security basics; management and implementation 
level training in security planning and system/application security 
management; and management and implementation level training in system/
application life cycle management, risk management, and contingency 
planning.
    (b) Provide the Federal information systems security awareness 
material/exposure outlined in NIST guidance on IT security awareness and 
training to all new employees before allowing them access to the 
systems.
    (c) Provide information systems security refresher training for 
agency employees as frequently as determined necessary by the agency, 
based on the sensitivity of the information that the employees use or 
process.
    (d) Provide training whenever there is a significant change in the 
agency information system environment or procedures or when an employee 
enters a new position that requires additional role-specific training.