There are many states in which cybersecurity awareness training is mandated for state employees when they first start working for the state or when they reach a certain paygrade. In these states, training is usually developed and provided by the state's Chief Technical Officer or a team working on the CTO's behalf.
For private organizations, cybersecurity awareness training is usually optional unless the organization operates in a regulated industry which mandates cybersecurity awareness training or is a contractor to a federal agency – in which case the organization may be required to comply with various training requirements depending on the federal agency.
This article looks at some of the laws that mandate cybersecurity awareness training in regulated industries, some of the Rules that affect contractors to federal agencies, and the EU's General Data Protection Regulation, which potentially mandates cybersecurity awareness training for every large organization that collects, maintains, or processes personal data relating to EU subjects.
The Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires all financial institutions under the jurisdiction of the Federal Trade Commission to implement safeguards to protect consumer information. One of the required safeguards is an information security program (16 CFR §314.4), and one of the standards relating to the information security program requires organizations to:
“Implement policies and procedures to ensure that personnel are able to enact your information security program by:
(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by a risk assessment;
(2) Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program;
(3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and
(4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures.”
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act applies to most health plans, health care clearinghouses, healthcare providers, and organizations that provide a service for “Covered Entities” that involves the creation, receipt, storage, or transmission of “Protected Health Information” (individually identifiable health information and any identifiers maintained in the same record set).
Without exception, all Covered Entities and their “Business Associates” are required by 45 CFR §164.308 to “implement a security awareness and training program for all members of the workforce (including management)”. Although not specifying the frequency of training, the inclusion of the word “program” implies the cybersecurity awareness training should be ongoing.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard applies to all organizations that accept credit card payments. Throughout the Standard there are multiple references to data security that organizations need to take into account; however, in the context of mandated cybersecurity awareness training, §12.6 is the most relevant inasmuch as it states:
“Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.”
Again, the inclusion of “program” implies that, rather than being a one-off event, cybersecurity awareness training should be ongoing. It should also be repeated whenever there is a change to policies and procedures or when a risk assessment identifies a need for refresher training. As with GLBA training and HIPAA training, it is also a requirement that PCI DSS training is documented.
FISMA, FedRAMP, DFARS, and CMMC
Every organization that supplies goods or services to a federal agency is required to implement a cybersecurity awareness training program. However, the content of the training can depend on which agency the goods or services are being supplied to. For example, the requirements for providing services to the Department of Defense are more stringent than those of the Small Business Administration.
It is also the case that the training requirements are frequently changing to respond to evolving threats and advances in cybersecurity defenses. Therefore, organizations required to comply with mandated cybersecurity awareness training in order to supply federal agencies should review the pages relevant to the services and agencies they are supplying:
- FISMA: https://www.nist.gov/risk-management
- FedRAMP: https://www.fedramp.gov/training/
- DFARS: https://www.acquisition.gov/Training
- CMMC: https://niccs.cisa.gov/education-training/catalog/learning-tree-international-inc/understanding-dod-cmmc-requirements
The General Data Protection Regulation (GDPR)
Although a European regulation, GDPR applies to most large organizations anywhere in the world that collect, maintain, and/or process personal information relating to EU citizens. Importantly, the EU citizen does not have to be in the EU at the time data is collected, maintained, and/or processed for the personal data to be covered by the regulation.
There are many training requirements within the Regulation, but their applicability can vary depending on the nature of an organization's operations and can be limited to only personnel with access to personal data rather than the entire workforce. However, organizations transferring data between the US and EU may also need to comply with the Privacy Shield requirements.
How to Comply with Mandated Cybersecurity Awareness Training
Although they are different laws and regulations, many mandated training requirements share similar components. For example, organizations subject to any of the above will need to train workforces on password security, email security, and mobile device security. However, while many off-the-shelf training programs include these components as standard, it is important to implement a program that is relevant to your organization's operations or that can be customized to be relevant to your organization's workforce.
This is why organizations should evaluate the SafeTitan security awareness training and phishing simulation platform. SafeTitan gives organizations the opportunity to tailor a comprehensive library of training material to their unique requirements, conduct awareness tests and quizzes, and assess the impact of cybersecurity awareness training via an intuitive dashboard with a full reporting suite. To find out more, contact SafeTitan to request a demo of the platform in action.