
Security awareness & training requirements, by framework

Pick a compliance framework and see exactly what it requires for security awareness and training, in plain English, with the evidence an auditor expects and the SEAT pillar each requirement maps to. A practitioner-maintained reference, not legal advice.

22 frameworks mapped · 61 awareness requirements · 4 SEAT pillars tagged
NIS2 Article 20(1) mandatory

Management Body Approval and Oversight of Cybersecurity Measures

The board or executive leadership must formally approve your cybersecurity program, actively oversee its implementation, and can be held personally liable if the organization fails to comply. This is not a sign-off formality -- it requires demonstrated, ongoing governance.

SEAT pillars: Strategy

Evidence an auditor expects

  • board-approved cybersecurity policy
  • governance meeting minutes showing cybersecurity oversight
  • management body sign-off records with dates
  • documented delegation of cybersecurity responsibilities
  • evidence of regular board-level cybersecurity reporting

Practitioner guidance

This goes beyond any US framework. Board members cannot delegate awareness and walk away. Document every governance touchpoint: approvals, reviews, questions asked, decisions made. If audited, you need a paper trail showing active oversight, not just a signature page.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 20(2) mandatory

Management Body Cybersecurity Training

Board members and executives must personally undergo cybersecurity training. Not optional. Not a delegation. The people approving the budget need to understand what they are approving. Organizations should also offer regular training to all employees.

SEAT pillars: Train, Strategy

Evidence an auditor expects

  • management body training attendance records
  • training curriculum for board/executive level
  • competency assessment for management bodies
  • regular employee training schedule and records
  • evidence of risk identification skill development

Practitioner guidance

Most US frameworks require employee training. NIS2 requires the board itself to be trained. Build a governance-specific training track that covers: how to read cybersecurity risk reports, how to assess whether controls are working, and how security decisions impact service delivery. Track attendance and comprehension.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 21(1) mandatory

Proportionate Risk Management Measures

Your security awareness program must be proportionate to your actual risk profile, organizational size, and the potential impact of incidents. A 200-person manufacturer and a 5,000-person hospital have different risk exposures and need different program designs. One-size-fits-all compliance programs do not satisfy this requirement.

SEAT pillars: Strategy, Assess

Evidence an auditor expects

  • documented risk assessment informing program design
  • program scope justification based on entity size and sector
  • evidence of program scaling with organizational changes
  • risk-proportionate training frequency documentation
  • impact assessment records

Practitioner guidance

This is NIS2 embedding a maturity model requirement into law. The proportionality principle means an auditor can challenge a program as insufficient even if all the boxes are checked, if the program is not scaled to the organization's actual risk. It also means a smaller organization with a well-calibrated program can demonstrate compliance without enterprise-scale spend. SEAT's maturity model directly addresses this by measuring program maturity relative to organizational context.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 21(2)(d) mandatory

Supply Chain Security Awareness

Your security awareness program must extend to how employees interact with and evaluate suppliers and service providers. Staff need to understand supply chain risks, vendor evaluation criteria, and their role in maintaining security across third-party relationships.

SEAT pillars: Strategy, Train, Assess

Evidence an auditor expects

  • supply chain security policy
  • vendor security evaluation criteria
  • employee training on third-party risk
  • supplier cybersecurity practice assessments
  • contractual security requirements documentation
  • supply chain risk awareness materials

Practitioner guidance

The DBIR 2026 shows third-party involvement in breaches jumped 60%, to 48%. NIS2 requires formal supply chain security measures. Your awareness program should train employees on: how to evaluate vendor security claims, what to look for in third-party communications, and when to escalate supply chain concerns. This is a maturity differentiator most programs miss entirely.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 21(2)(f) mandatory

Effectiveness Assessment of Cybersecurity Measures

You must have formal policies and operational procedures to continuously assess whether your cybersecurity controls are actually working. Not whether they exist. Not whether they were funded. Whether they produce measurable results. This is the single most significant departure from US framework requirements.

SEAT pillars: Assess, Strategy

Evidence an auditor expects

  • documented effectiveness assessment policy
  • defined KPIs and metrics for each control
  • regular effectiveness review reports with data
  • trend analysis showing improvement or regression
  • maturity scoring methodology
  • gap analysis documentation
  • continuous monitoring evidence beyond annual reviews

Practitioner guidance

This is the article that changes everything. HIPAA says addressable. PCI says annual review. NIST CSF is voluntary guidance. NIS2 says: mandatory, prove effectiveness, continuously. A SEAT maturity assessment directly satisfies this requirement by providing a structured, evidence-based measurement of program effectiveness across all four pillars. Build your effectiveness assessment policy around maturity progression, not activity completion.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 21(2)(g) mandatory

Basic Cyber Hygiene Practices and Cybersecurity Training

All employees must receive cybersecurity training covering fundamental hygiene practices. This is a baseline requirement -- the floor, not the ceiling. Training must be regular, not annual, and must cover practical behaviors relevant to the organization's actual risk profile.

SEAT pillars: Train, Engage

Evidence an auditor expects

  • documented training program with objectives
  • training delivery records showing regularity
  • curriculum covering cyber hygiene fundamentals
  • role-specific training modules
  • new starter onboarding training records
  • evidence of multiple delivery methods
  • training content update log reflecting current threats

Practitioner guidance

NIS2 says basic cyber hygiene practices AND cybersecurity training -- these are two things, not one. Hygiene practices means documented, enforced operational behaviors (password management, device security, data handling). Training means the educational program that teaches and reinforces those behaviors. Cover both. Update content as threats evolve.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 21(2)(i) mandatory

Human Resources Security and Access Control

Security awareness must be woven into the full employee lifecycle: pre-employment screening, onboarding, role changes, and offboarding. Access control policies must be understood by the people subject to them, not just documented in a policy binder.

SEAT pillars: Strategy, Train

Evidence an auditor expects

  • onboarding security training records
  • role-change retraining documentation
  • offboarding security checklist completion
  • access control policy acknowledgment records
  • asset management awareness training
  • background screening policy documentation

Practitioner guidance

This requirement connects HR processes to security outcomes. Most awareness programs start training after onboarding is complete. NIS2 implies security awareness is part of onboarding, not a follow-up. Build security expectations into the employment lifecycle from day one through departure.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 23(4) mandatory

Incident Reporting Timeline Awareness

Every employee needs to know the reporting clock starts the moment someone becomes aware of a significant incident. 24 hours for early warning, 72 hours for initial assessment, 30 days for the full report. Your awareness program must train staff to recognize and escalate incidents fast enough to meet these deadlines.

SEAT pillars: Train, Engage, Assess

Evidence an auditor expects

  • incident reporting training records
  • documented escalation procedures
  • tabletop exercise records with timeline testing
  • evidence of 24-hour early warning capability
  • incident classification criteria documentation
  • post-incident timeline analysis

Practitioner guidance

US frameworks have reporting requirements, but none imposes a timeline this specific at this level of granularity. The 24-hour early warning is the critical one for awareness programs. If a frontline employee sees something suspicious at 4pm Friday and does not report it until Monday, the organization has already blown the deadline. Train for speed of recognition and escalation, not just recognition itself.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 32(2)(b)(g) mandatory

Security Audit and Evidence of Implementation

Competent authorities can require regular security audits and demand evidence that cybersecurity policies are actually implemented. For awareness programs, this means you need audit-ready evidence of program implementation, not just documentation that the program was designed.

SEAT pillars: Assess, Strategy

Evidence an auditor expects

  • independent audit reports covering awareness program
  • evidence portfolio of program implementation
  • training delivery proof beyond completion certificates
  • behavioral change metrics
  • program effectiveness data ready for regulatory review
  • audit trail of program modifications and rationale

Practitioner guidance

This closes the loop on Article 21(2)(f). The effectiveness mandate says you must assess whether controls work. This article says authorities can audit your evidence of that assessment. Your awareness program needs an evidence portfolio that goes beyond completion rates: behavioral metrics, maturity scores over time, incident correlation data, and documented program evolution in response to findings. SEAT assessment results serve as exactly this kind of structured, audit-ready evidence.

European Parliament and Council of the European Union · 2022/2555

NIS2 Article 32(5)(b) mandatory

Management Body Personal Liability and Enforcement

If an essential entity fails to comply and enforcement measures are ineffective, authorities can temporarily ban executives from holding management positions. This is not theoretical. Germany has already codified individual fines up to 500,000 euros for governance failures under its NIS2 transposition.

SEAT pillars: Strategy

Evidence an auditor expects

  • documented governance accountability chain
  • board-level cybersecurity briefing records
  • evidence of management body active oversight
  • compliance gap remediation tracking
  • audit response documentation with timelines

Practitioner guidance

No US framework attaches personal career consequences to cybersecurity governance failures at this level. SOX has personal certification for financial reporting, but nothing comparable for cybersecurity. This provision means CISOs and security awareness managers have a direct line to board attention: the board's personal exposure depends on being able to demonstrate active oversight of the program. Use this as leverage for executive sponsorship and budget conversations.

European Parliament and Council of the European Union · 2022/2555

HIPAA Security 45 CFR 164.308(a)(5)(i) mandatory

Security Awareness and Training Standard

You must have a documented training program that covers everyone in your organization who touches patient records. This is not a checkbox activity. It should evolve as your security needs change.

SEAT pillars: Strategy, Engage, Assess, Train

Evidence an auditor expects

  • documented program
  • attendance records
  • training curriculum
  • proof of initial and periodic training

Practitioner guidance

This is the foundational requirement. Everything else in the awareness section builds on this. Use it to justify program budget and scope. The word "implement" means ongoing, not one-time.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) · Current (2013 Omnibus; 2025 proposed update pending)

HIPAA Security 45 CFR 164.308(a)(5)(ii)(A) addressable

Security Reminders

You need to remind people periodically about security. This could be monthly emails, posters, newsletters, or pop-ups. Your risk assessment determines frequency. If you decide NOT to do reminders, you must document why.

SEAT pillars: Engage, Train

Evidence an auditor expects

  • reminder archives
  • schedule documentation
  • receipt records
  • risk assessment justification

Practitioner guidance

Addressable does not mean optional. You must implement, implement an equivalent, or document via risk analysis why neither is appropriate. This is low-hanging fruit for demonstrating an active program.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) · Current (2013 Omnibus; 2025 proposed update pending)

HIPAA Security 45 CFR 164.308(a)(5)(ii)(B) addressable

Protection from Malicious Software

Document how you protect against malware, how you detect it, and how people should report suspected incidents. Ensure staff know the reporting process.

SEAT pillars: Strategy, Assess, Train

Evidence an auditor expects

  • written procedures
  • incident logs
  • training records on reporting
  • technical safeguards documentation

Practitioner guidance

This ties your technical controls to your awareness program. Use it to build training content around real threats your org faces. Phishing simulations tie directly here.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) · Current (2013 Omnibus; 2025 proposed update pending)

HIPAA Security 45 CFR 164.308(a)(5)(ii)(C) addressable

Log-in Monitoring

Set up monitoring to catch repeated failed login attempts. Define what counts as a discrepancy worth investigating. Create a process for reporting suspicious login activity.

SEAT pillars: Strategy, Assess, Train

Evidence an auditor expects

  • written procedures
  • system logs
  • alert configurations
  • incident records

Practitioner guidance

Connect this to your training program by teaching staff what suspicious activity looks like on their accounts and how to report it. It bridges IT security and awareness.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) · Current (2013 Omnibus; 2025 proposed update pending)

HIPAA Security 45 CFR 164.308(a)(5)(ii)(D) addressable

Password Management

Write a password policy covering strength, change frequency, and no sharing. Enforce technically where possible. Train people on why passwords matter.

SEAT pillars: Strategy, Assess, Train

Evidence an auditor expects

  • written password policy
  • system controls
  • training records

Practitioner guidance

Password training is often the most tangible thing you can point to in an audit. Make sure your policy matches what your systems actually enforce.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) · Current (2013 Omnibus; 2025 proposed update pending)

NISPOM 32 CFR 117.12(a) mandatory

Initial Security Briefing

Every cleared employee must receive a security briefing before they get any access to classified info. This must happen before access, not after.

SEAT pillars: Engage, Train

Evidence an auditor expects

  • documented briefing records
  • training logs with dates
  • pre-access verification

Practitioner guidance

Build this into your onboarding process as a hard gate. No briefing, no access. Document the date and content for every individual.

Defense Counterintelligence and Security Agency (DCSA) · 32 CFR Part 117 (February 2023)

NISPOM 32 CFR 117.12(b) mandatory

Annual Refresher Training

Annual refresher for everyone with a clearance. Cover the same topics as the initial briefing plus any regulatory changes from the past year.

SEAT pillars: Train, Strategy

Evidence an auditor expects

  • annual training documentation
  • attendance logs
  • updated policy materials

Practitioner guidance

Schedule this well in advance and track completion religiously. Non-completion has real consequences in this environment.

Defense Counterintelligence and Security Agency (DCSA) · 32 CFR Part 117 (February 2023)

NISPOM 32 CFR 117.12(c) mandatory

Cybersecurity Training for System Users

Everyone using classified systems needs cybersecurity training aligned with the Cognizant Security Agency guidance.

SEAT pillars: Train, Assess

Evidence an auditor expects

  • IT security training records
  • system access logs showing training prerequisite

Practitioner guidance

Tie system access to training completion. Use your LMS to enforce this as a prerequisite for classified system access.

Defense Counterintelligence and Security Agency (DCSA) · 32 CFR Part 117 (February 2023)

NISPOM 32 CFR 117.12(e) mandatory

Threat and Insider Threat Awareness in Initial Briefing

The initial briefing must cover both external threats and insider threat indicators. These are not optional add-ons.

SEAT pillars: Engage, Train

Evidence an auditor expects

  • training curriculum showing threat and insider threat modules
  • completion certificates

Practitioner guidance

Do not treat insider threat as a separate program from your initial briefing. Integrate it from day one so it becomes part of the security culture.

Defense Counterintelligence and Security Agency (DCSA) · 32 CFR Part 117 (February 2023)

NISPOM 32 CFR 117.12(g) mandatory

Annual Insider Threat Awareness Training

Everyone with a clearance gets insider threat training annually. New employees get it before access. Content must cover detection, recruitment methods, behavioral red flags, and how to report.

SEAT pillars: Engage, Train, Assess

Evidence an auditor expects

  • annual training completion records
  • certification forms
  • training syllabus
  • assessment scores

Practitioner guidance

The four content areas (detection, recruitment methods, behavioral indicators, CI reporting) give you a clear curriculum outline. Build your content around these four pillars.

Defense Counterintelligence and Security Agency (DCSA) · 32 CFR Part 117 (February 2023)

PCI DSS 12.6.1 mandatory

Formal Security Awareness Program

Every organization must have a written security awareness program covering all staff. It must explain policies, procedures, and each person's responsibility for protecting payment card data.

SEAT pillars: Train, Engage, Assess

Evidence an auditor expects

  • documented formal program
  • program objectives and scope
  • personnel coverage records

Practitioner guidance

This is your program charter for PCI. It must be formal and documented, not ad hoc. Auditors will ask to see it as a standalone artifact.

PCI Security Standards Council · 4.0.1

PCI DSS 12.6.2 mandatory

Annual Program Review

You must review your awareness program annually and update it when new security threats emerge. Keep records of these reviews.

SEAT pillars: Assess, Train

Evidence an auditor expects

  • annual review documentation with dates
  • evidence of program updates
  • threat assessment records

Practitioner guidance

Schedule this review and make it a formal event. Document what changed and why. This is often missed in audits because teams update content but do not document the review itself.

PCI Security Standards Council · 4.0.1

PCI DSS 12.6.3 mandatory

Personnel Training Requirements

All staff must complete training when hired and again each year. Use multiple communication methods. Every employee must sign an acknowledgment each year confirming they have read and understood the policies.

SEAT pillars: Train, Engage

Evidence an auditor expects

  • training records with dates per employee
  • signed annual acknowledgments
  • evidence of multiple delivery methods

Practitioner guidance

The multiple methods requirement is key. You cannot rely on a single annual video. Mix in newsletters, posters, simulations, lunch-and-learns. The signed acknowledgment is a hard requirement.

PCI Security Standards Council · 4.0.1

PCI DSS 12.6.3.1 mandatory

Threat-Specific Training Content

Training must cover specific threats: phishing attacks, social engineering, and other relevant vulnerabilities tailored to your organization.

SEAT pillars: Train, Assess

Evidence an auditor expects

  • training curriculum with threat-specific modules
  • phishing simulation results
  • delivery records

Practitioner guidance

This is where phishing simulations become compliance evidence, not just a nice-to-have. Document simulation results and tie them back to this requirement.

PCI Security Standards Council · 4.0.1

PCI DSS 12.6.3.2 mandatory

Acceptable Use Training

Training must explain which technologies employees can use, how to use them safely, and what is not allowed.

SEAT pillars: Train

Evidence an auditor expects

  • training materials covering acceptable use
  • acceptable use policy documentation

Practitioner guidance

Connect this to your acceptable use policy. Staff should know what devices, apps, and behaviors are permitted and which are not.

PCI Security Standards Council · 4.0.1

FedRAMP AT-1 mandatory

Awareness and Training Policy and Procedures

Write a policy that says what training is required, who does it, and what it covers. Assign clear ownership. Review it periodically.

SEAT pillars: Strategy

Evidence an auditor expects

  • written policy documents
  • role assignments
  • distribution records
  • review schedule

Practitioner guidance

AT-1 is your program foundation document. Without it, nothing else in the AT family is compliant. Treat it as your program charter.

National Institute of Standards and Technology (NIST) / FedRAMP Program · NIST SP 800-53 Rev 5

FedRAMP AT-2 mandatory

Security and Privacy Literacy Training

Everyone gets basic security training when they start and periodically afterward. Update training when incidents happen or the threat landscape changes.

SEAT pillars: Train, Engage

Evidence an auditor expects

  • training curriculum
  • attendance records
  • completion certificates
  • incident-driven updates

Practitioner guidance

The incident-driven update requirement means your training should visibly evolve. After a security incident, update your content and document the change.

National Institute of Standards and Technology (NIST) / FedRAMP Program · NIST SP 800-53 Rev 5

FedRAMP AT-3 mandatory

Role-Based Security and Privacy Training

People get job-specific training based on their role before they get access. A system admin gets different training than an end user.

SEAT pillars: Train, Strategy

Evidence an auditor expects

  • role-based training curricula
  • prerequisites documentation
  • job task analysis
  • completion records

Practitioner guidance

The "before granting access" requirement means this is a hard gate. Build it into your access provisioning workflow.

National Institute of Standards and Technology (NIST) / FedRAMP Program · NIST SP 800-53 Rev 5

FedRAMP AT-4 mandatory

Training Records

Keep records of all training activities: who attended, what was covered, how long, and any test results.

SEAT pillars: Assess

Evidence an auditor expects

  • attendance records
  • content documentation
  • duration tracking
  • assessment scores

Practitioner guidance

AT-4 is often where programs fail audits. Automate record-keeping through your LMS. Manual tracking breaks down at scale.

National Institute of Standards and Technology (NIST) / FedRAMP Program · NIST SP 800-53 Rev 5

CMMC AT.L2-3.2.1 mandatory

Role-Based Risk Awareness

All personnel must understand the risks tied to their specific job and the security rules they need to follow. Assessment checks actual awareness, not just attendance.

SEAT pillars: Engage, Assess

Evidence an auditor expects

  • risk awareness training documentation
  • training attendance records
  • user understanding assessments

Practitioner guidance

CMMC assessors will interview people to verify they actually understand this. Training completion alone is not sufficient. Build knowledge checks into your program.

Defense Counterintelligence and Security Agency (DCSA) / DoD · 2.0

CMMC AT.L2-3.2.2 mandatory

Role-Based Training

Train people in the actual security tasks they are responsible for. Use the NIST NICE framework to map job functions to required knowledge and skills.

SEAT pillars: Train, Strategy

Evidence an auditor expects

  • role-specific training curricula
  • job task analysis
  • NICE framework mapping
  • completion records

Practitioner guidance

The NICE framework reference gives you a structured way to build role-based training. Map your roles to NICE categories and use that to define training requirements.

Defense Counterintelligence and Security Agency (DCSA) / DoD · 2.0

CMMC AT.L2-3.2.3 mandatory

Insider Threat Awareness

Teach everyone to spot and report insider threats. Assessment will check through interviews, documentation, and possibly testing.

SEAT pillars: Engage, Assess

Evidence an auditor expects

  • insider threat training materials
  • testing evidence
  • incident reporting procedures
  • interview readiness

Practitioner guidance

This overlaps with NISPOM insider threat requirements. If you are already doing 32 CFR 117.12(g), make sure your content also satisfies this CMMC practice.

Defense Counterintelligence and Security Agency (DCSA) / DoD · 2.0

DORA Article 13 mandatory

ICT Security Awareness and Resilience Training

All EU financial entities must provide mandatory ICT security and operational resilience training. Everyone from interns to executives must take it, with the complexity of the content matched to their role.

SEAT pillars: Train, Engage, Strategy

Evidence an auditor expects

  • documented ICT awareness program
  • resilience training modules
  • role-specific curricula
  • senior management attendance records

Practitioner guidance

DORA is notable for explicitly requiring board-level training. Use this to justify executive security briefings. The role-appropriate complexity requirement means you need tiered content.

European Union · Regulation (EU) 2022/2554

DORA Article 13(6) mandatory

Third-Party Provider Training

When third-party vendors are critical to your IT operations, you must include them in your security training. The contract must specify this.

SEAT pillars: Engage, Train

Evidence an auditor expects

  • contractual training provisions
  • third-party attendance records

Practitioner guidance

Review your vendor contracts against this. Any critical IT vendor should have a training participation clause. This is a procurement conversation, not just a security one.

European Union · Regulation (EU) 2022/2554

DORA Article 30(2)(i) mandatory

Contractual Training Requirements for Third Parties

Your contracts with critical IT vendors must spell out how they will participate in your security training program.

SEAT pillars: Strategy, Engage

Evidence an auditor expects

  • contracts with training clauses
  • participation requirements documentation
  • vendor assessment of criticality

Practitioner guidance

This turns vendor training from best practice into a contractual obligation. Build standard language for your procurement templates.

European Union · Regulation (EU) 2022/2554

GLBA 16 CFR 314.4(d) mandatory

Security Personnel Training

All security staff must receive training on current security risks. You must verify they keep their knowledge updated on evolving threats and defenses.

SEAT pillars: Train, Assess, Engage

Evidence an auditor expects

  • security staff training records
  • threat briefing documentation
  • certification/continuing education records

Practitioner guidance

This requirement specifically targets your security team, not just general staff. Use it to justify conference attendance, certifications, and dedicated threat briefing time.

Federal Trade Commission (FTC) · 2023 (major revision)

GLBA 16 CFR 314.4(d) QI mandatory

Qualified Individual Reporting

You need a designated person (often CISO or equivalent) who reports yearly to leadership on security program health and any incidents. This person must have authority to enforce safeguards.

SEAT pillars: Strategy, Assess

Evidence an auditor expects

  • annual written report to board
  • documented remediation of gaps
  • evidence of QI authority

Practitioner guidance

The Qualified Individual requirement creates a direct line between your training program and executive oversight. Use the annual report to surface training metrics and gaps.

Federal Trade Commission (FTC) · 2023 (major revision)

GLBA 16 CFR 314.4(g) mandatory

General Staff Training

All employees need training on how to spot security problems and what to do when they find them. Training is delivered at onboarding and refreshed yearly.

SEAT pillars: Train, Engage

Evidence an auditor expects

  • annual training completion records
  • onboarding checklists
  • curriculum covering phishing, passwords, data handling, incident reporting

Practitioner guidance

For higher education, this means your financial aid office is in scope. Make sure financial aid staff receive GLBA-specific training, not just general IT security awareness.

Federal Trade Commission (FTC) · 2023 (major revision)

NIST 800-171 3.2.1 mandatory

CUI Awareness Training

All personnel accessing CUI must understand the risks tied to their specific activities and the security rules they need to follow. Annual training is the minimum.

SEAT pillars: Train, Engage

Evidence an auditor expects

  • annual awareness training records
  • curriculum covering CUI handling and risk awareness
  • role-specific content

Practitioner guidance

For universities, this only kicks in if you have a signed federal contract for CUI. Common triggers are DoD research grants, NIH clinical trial data, and NSF research awards.

National Institute of Standards and Technology (NIST) · Revision 3 (December 2024)

NIST 800-171 3.2.2 mandatory

Role-Based CUI Training

Train people in the actual security tasks they are responsible for based on their role. A researcher gets different training than an IT admin.

SEAT pillars: Train, Assess

Evidence an auditor expects

  • role-based training completion records
  • documented training plans per position type
  • competency verification

Practitioner guidance

Map your university roles to training requirements. Research faculty, lab managers, IT admins, and data handlers all need different content.

National Institute of Standards and Technology (NIST) · Revision 3 (December 2024)

NIST 800-171 3.2.3 mandatory

Insider Threat Program

Build an insider threat program that trains people to spot suspicious activity and report it. Cover what happens when someone violates the rules.

Assess · Engage
Evidence & practitioner guidance

Evidence an auditor expects

  • insider threat program documentation
  • training records
  • reported violations and investigation outcomes

Practitioner guidance

Insider threat in a university context requires careful messaging. Frame it around protecting research integrity and federal data rather than surveillance language.

National Institute of Standards and Technology (NIST) · Revision 3 (December 2024)

COPPA 16 CFR 312 + FTC Guidance mandatory

Staff Training on COPPA Compliance

If you are an ed-tech company handling data from kids under 13, you must train staff on COPPA rules and document it. Schools themselves are not directly regulated, but their vendors are.

Train · Engage
Evidence & practitioner guidance

Evidence an auditor expects

  • staff training records
  • documented policies for data collection
  • parental consent procedures
  • staff sign-off

Practitioner guidance

This applies to ed-tech vendors, not schools directly. But if you are advising schools on vendor selection, COPPA training documentation is a vendor evaluation criterion.

Federal Trade Commission (FTC) · 3.0 (Final Rule amendments effective June 2025)

COPPA 16 CFR 312.4(d) mandatory

Data Protection Training

Ed-tech staff need training on protecting children's data, including phishing and social engineering that targets that data.

Train · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • employee data protection training records
  • security awareness program documentation
  • incident response procedures

Practitioner guidance

The 2025 COPPA rule update expanded operator obligations. Make sure vendor training covers the broader scope of protected data.

Federal Trade Commission (FTC) · 3.0 (Final Rule amendments effective June 2025)

DODM 5200.01 Vol 3 Enc 5 Sec 7 (Derivative) mandatory

Derivative Classifier Training

People who apply classified markings to existing documents need training every two years focused on not overclassifying. Skip it and their authority suspends.

Train · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • biennial training completion documentation
  • classification task testing
  • authorization documents

Practitioner guidance

The emphasis on over-classification avoidance is a content requirement, not just a frequency requirement. Make sure your training material specifically addresses this.

Under Secretary of Defense for Intelligence · Vol 1-3 (February 2012 with updates)

DODM 5200.01 Vol 3 Enc 5 Sec 7 (OCA) mandatory

Original Classification Authority Training

Original classifiers need training every calendar year or they lose their classification authority until they complete it.

Train · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • annual training completion certificates
  • signed certification of receipt
  • suspension notices if applicable

Practitioner guidance

The suspension mechanism is the enforcement tool. Track OCA training separately from general awareness and set up automated reminders well before year-end.

Under Secretary of Defense for Intelligence · Vol 1-3 (February 2012 with updates)

E.O. 13526 Section 3.2(a) mandatory

OCA Annual Training

OCAs need training before they classify anything and then every calendar year after. Miss it and classification authority suspends until completed.

Train · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • annual training completion certificates
  • training roster records
  • pre-classification verification

Practitioner guidance

This is the legal foundation for OCA training. DODM 5200.01 implements it. If you track compliance against the EO directly, you cover both.

President of the United States · December 29, 2009

E.O. 13526 Section 3.2(b) mandatory

Derivative Classifier Biennial Training

Derivative classifiers need training every two years. The emphasis on over-classification avoidance is explicit in the executive order.

Train · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • biennial training completion records
  • classification task testing results

Practitioner guidance

The EO and DODM requirements align. Track them together to avoid duplicate compliance work.

President of the United States · December 29, 2009

FERPA 2025 ED Guidance recommended

Annual FERPA Staff Training

Annual training for anyone touching student records on what is protected and when you can share it without parent consent. The 2025 guidance makes this an explicit compliance priority.

Train · Engage
Evidence & practitioner guidance

Evidence an auditor expects

  • annual training completion records
  • curriculum covering consent requirements and disclosure rules
  • staff sign-off

Practitioner guidance

While technically recommended, the 2025 guidance with an April 30 certification deadline is pushing this toward mandatory in practice. Treat it as required.

U.S. Department of Education, Student Privacy Policy Office · 20 U.S.C. Section 1232g; 34 CFR Part 99

FERPA 34 CFR 99.31 + 99.37 mandatory

Reasonable Methods for Record Access Control

You need policies defining who can access student records and why. Staff must understand their role-based access boundaries. Training is the primary mechanism for demonstrating reasonable methods.

Engage · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • written policies on legitimate educational interest
  • access control procedures
  • staff attestation

Practitioner guidance

FERPA does not prescribe a training format, but in practice "reasonable methods" means documented training. Per the 2025 ED guidance, this is increasingly interpreted as requiring annual training.

U.S. Department of Education, Student Privacy Policy Office · 20 U.S.C. Section 1232g; 34 CFR Part 99

FFIEC Management Role mandatory

Management Commitment to Security Culture

Managers must visibly support security training and follow policies themselves. Employees will not take it seriously if leaders do not.

Strategy · Engage
Evidence & practitioner guidance

Evidence an auditor expects

  • management participation records
  • management enforcement documentation
  • tone-from-the-top evidence

Practitioner guidance

Use this to get leadership buy-in. FFIEC examiners specifically look at whether management walks the talk. Document executive participation in training.

Federal Financial Institutions Examination Council (FFIEC) · October 2022 (Cybersecurity Resource Guide revision)

FFIEC Supervisory Guidance mandatory

Mandatory Security Awareness Training

All employees need training on recognizing phishing, using passwords safely, secure communication, and how to report problems. Training should match specific job functions.

Train · Engage · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • role-specific training curricula
  • training attendance records
  • phishing simulation results
  • employee interviews

Practitioner guidance

FFIEC examiners will test effectiveness, not just completion. They interview staff and run simulations. Your program needs to produce behavior change, not just checkmarks.

Federal Financial Institutions Examination Council (FFIEC) · October 2022 (Cybersecurity Resource Guide revision)

HIPAA Privacy 45 CFR 164.530(b)(1) mandatory

Privacy Training Standard

Train every person in your organization on privacy and security policies relevant to their specific job. This is separate from Security Rule training.

Strategy · Engage · Assess · Train
Evidence & practitioner guidance

Evidence an auditor expects

  • training attendance with dates
  • role-specific curriculum
  • completion certificates
  • 6-year retention

Practitioner guidance

HIPAA does not mandate annual training, but regulators expect periodic refreshers. The 6-year retention requirement for documentation is critical. Most orgs default to annual as best practice.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) · Current (2013 Omnibus)

HIPAA Privacy 45 CFR 164.530(b)(2)(A-C) mandatory

Privacy Training Timing

New hires get trained before they touch PHI (typically 30-90 days). When policies change, retrain the affected people within a reasonable timeframe.

Train
Evidence & practitioner guidance

Evidence an auditor expects

  • new hire training logs
  • policy change logs with retraining documentation
  • onboarding checklists

Practitioner guidance

Build training triggers into your onboarding and change management processes. Automate where possible. The key word is reasonable, so define and document what that means for your org.

U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) · Current (2013 Omnibus)

SOX Section 302 mandatory

Corporate Responsibility for Financial Reports

Executives must certify that financial reports are accurate and controls work. This requires that people responsible for financial systems understand their roles.

Strategy · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • control documentation
  • evidence of personnel understanding
  • audit committee disclosures

Practitioner guidance

SOX does not directly require security awareness training, but auditors will interview personnel to confirm they understand their IT control responsibilities. Use this to position training as a SOX support mechanism.

U.S. Congress / Securities and Exchange Commission (SEC) · 2002

SOX Section 404 mandatory

Management Assessment of Internal Controls

Companies must prove their financial controls work. This requires documented procedures and personnel who understand them.

Strategy · Assess · Train
Evidence & practitioner guidance

Evidence an auditor expects

  • control documentation
  • personnel training records
  • segregation of duties documentation
  • control testing results

Practitioner guidance

When auditors test Section 404 controls, they test whether people know what to do. Training documentation becomes evidence of control effectiveness.

U.S. Congress / Securities and Exchange Commission (SEC) · 2002

DODM 5205.07 Vol 1 SETA mandatory

SAP Security Education and Training

SAP organizations need enhanced training beyond standard classified handling. Your security director manages a dedicated SAP training program with PSO approval. HVSACO procedures must be in the annual refresher.

Strategy · Train · Engage
Evidence & practitioner guidance

Evidence an auditor expects

  • written SAP security training program
  • PSO approval documentation
  • annual refresher records with HVSACO module
  • SETA program documentation

Practitioner guidance

SAP training is the most specialized tier. Build it as a layer on top of your standard classified and SCI training rather than a standalone program.

Under Secretary of Defense for Intelligence · Vol 1-4

HITECH Act (2009) mandatory

Extended BA Obligations and Breach Notification Training

Since HITECH, business associates must train like covered entities. OCR can fine you for training gaps even if no breach happened. Make sure training covers breach notification procedures.

Strategy · Train
Evidence & practitioner guidance

Evidence an auditor expects

  • BA agreements with training provisions
  • breach notification training curriculum
  • attendance records
  • attestation forms

Practitioner guidance

Use HITECH as leverage when talking to vendors about their training programs. If your BA cannot demonstrate they train their workforce, that is your risk too.

U.S. Congress / HHS OCR · 2009 (with ongoing enforcement updates)

ICD 700 Security Training mandatory

National Intelligence Protection Training

IC personnel need training that aligns with their access level on how to identify, mark, and protect classified national intelligence.

Train · Engage
Evidence & practitioner guidance

Evidence an auditor expects

  • training completion records
  • IC standard training curricula
  • clearance eligibility records

Practitioner guidance

Use the IC-standardized training templates. Building custom content where standards exist wastes effort and creates compliance risk.

Office of the Director of National Intelligence (ODNI) · June 7, 2012

ICD 703 SCI Training mandatory

SCI Handling and Classification Training

If someone works with SCI, they need additional specialized training on handling procedures beyond standard classified training.

Train · Assess
Evidence & practitioner guidance

Evidence an auditor expects

  • SCI-specific training documentation
  • compartment briefing records
  • handling procedure acknowledgments

Practitioner guidance

SCI training is additive to standard classified training. Make sure your training architecture layers properly rather than treating them as separate programs.

Office of the Director of National Intelligence (ODNI) · Current

NY Ed Law 2-d + Part 121 mandatory

Annual Privacy and Security Training

Everyone with PII access gets trained annually. Contractors get trained before they touch anything. The state Chief Privacy Officer can mandate retraining after violations.

Train · Engage
Evidence & practitioner guidance

Evidence an auditor expects

  • annual training completion records for all staff
  • pre-access contractor training verification
  • curriculum on confidentiality and breach notification

Practitioner guidance

New York is stricter than most states. If your institution operates in NY, this is not optional. The enforcement mechanism of mandatory retraining after violations makes documentation critical.

New York State Education Department · 2024

SOPIPA CA Ed Code 49073.1 recommended

Vendor Security Assessment and Staff Training

California requires vendor contracts to specify security measures and schools to verify compliance. Staff training on student data privacy is emerging as a standard practice.

Engage · Assess · Train
Evidence & practitioner guidance

Evidence an auditor expects

  • vendor security assessment documentation
  • contract security requirements
  • annual staff training records on student data privacy

Practitioner guidance

SOPIPA is a vendor management requirement with training implications. Use it to build vendor evaluation criteria that include training documentation as a selection factor.

California State Legislature / California Attorney General · California Education Code Section 49073.1 (SB 1177 2024 amendments)

What counts as a security awareness requirement

Almost every major compliance framework expects organizations to train their workforce on security, but they say so in very different ways. Some name an explicit annual training mandate. Some bury it inside an access-control or human-resources clause. Some, like HIPAA, mark it "addressable," which is widely misread as optional. This tool pulls those obligations out of 22 frameworks and states them plainly so you can see what actually applies to your program.

Frameworks covered include NIS2, HIPAA Security, NISPOM, PCI DSS, FedRAMP, CMMC, DORA, GLBA, NIST 800-171, COPPA, DODM 5200.01, E.O. 13526, FERPA, FFIEC, HIPAA Privacy, SOX, DODM 5205.07, HITECH, ICD 700, ICD 703, NY Ed Law 2-d, SOPIPA.

Mandatory, addressable, recommended

"Mandatory" means implement it. "Addressable" is a HIPAA-specific term that means you implement it, implement an equivalent, or document through risk analysis why neither fits. It is not a pass. "Recommended" requirements are increasingly enforced in practice, so most mature programs treat them as required.

The shift from activity to effectiveness

The most important change in recent frameworks is the move from "did you train people" to "can you prove the training works." NIS2 Article 21(2)(f) requires continuous effectiveness assessment. FFIEC examiners interview staff and run their own simulations. CMMC assessors verify understanding, not attendance. Completion rates no longer satisfy these obligations on their own, which is the entire reason a maturity measurement layer exists.

How SEAT maps to these requirements

Every requirement here is tagged to the SEAT pillars it supports: Strategy, Engage, Assess, and Train. A SEAT maturity assessment produces structured, dated, audit-ready evidence across all four pillars, which is exactly the kind of proof that effectiveness and audit clauses ask for. SEAT is vendor-neutral, so it works alongside whatever training or simulation tools you already run.

Frequently asked questions

Which compliance frameworks require security awareness training?

Most major frameworks do, either explicitly or through implementation guidance. This tool maps the awareness and training obligations in 22 frameworks including PCI DSS 4.0, HIPAA Security, NIS2, DORA, CMMC 2.0, GLBA, FFIEC, NIST 800-171, FedRAMP, and SOX. Requirements range from a formal written program and role-based training to board-level training and continuous effectiveness measurement.

What is the difference between mandatory, addressable, and recommended requirements?

Mandatory requirements must be implemented. Addressable (a HIPAA term) means you must implement it, implement an equivalent, or document via risk analysis why neither is appropriate. It does not mean optional. Recommended requirements are strongly expected in practice and increasingly treated as required by regulators.

Does training completion prove compliance?

Increasingly, no. Frameworks like FFIEC, CMMC, and especially NIS2 require evidence that controls actually work, not just that training was completed. NIS2 Article 21(2)(f) mandates continuous effectiveness assessment. That shift from activity to maturity is exactly what a SEAT assessment measures.

How does the SEAT framework map to compliance requirements?

Every requirement here is tagged to the SEAT pillars it satisfies: Strategy, Engage, Assess, and Train. A SEAT maturity assessment produces structured, audit-ready evidence across all four pillars, which directly supports effectiveness and audit obligations under frameworks like NIS2 and FFIEC.

Is this compliance advice?

No. This is a free reference tool that summarizes publicly available regulatory requirements in plain language, with links to primary sources. It is maintained by a practitioner, not a law firm. Verify obligations against the official regulation and your own counsel.

See where your program actually stands

Knowing the requirement is step one. The free SEAT assessment measures your program's maturity against it and shows where investment reduces the most risk. No account needed, 10-15 minutes.

Take the free SEAT assessment