Security Compliance Training Requirements by Framework

Why Compliance Frameworks Require Security Training

Nearly every major security and privacy compliance framework mandates security awareness training. Regulators recognize that technology alone cannot protect sensitive data—human behavior is often the weakest link in organizational security.

Security awareness training requirements exist across industries, from financial services and healthcare to government contracting and retail. Understanding which frameworks apply to your organization and their specific requirements is essential for maintaining compliance and avoiding penalties.

This guide breaks down the security awareness training requirements for major compliance frameworks, helping you understand what's required and how to build a training program that satisfies multiple regulatory obligations simultaneously.

GLBA Security Awareness Training Requirements

The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions including banks, credit unions, insurance companies, investment firms, and many organizations that handle consumer financial information.

Who Must Comply

  • Banks and credit unions
  • Securities firms and investment advisors
  • Insurance companies
  • Mortgage lenders and brokers
  • Tax preparers and financial advisors
  • Higher education institutions (updated 2023)

Specific Training Requirements

The FTC Safeguards Rule (updated 2023) requires:

  • Initial and ongoing training: All personnel must receive security awareness training upon hire and regularly thereafter
  • Risk-appropriate content: Training must address identified risks to customer information
  • Documentation: Organizations must maintain records of training completion
  • Qualified personnel: Designate qualified individual(s) responsible for the information security program

CMMC Training Requirements

The Cybersecurity Maturity Model Certification (CMMC) applies to defense contractors and organizations handling Controlled Unclassified Information (CUI) for the Department of Defense.

Requirements by Level

CMMC Level 1 (Foundational)

  • Basic security awareness for all users
  • Recognition of security risks associated with user activities

CMMC Level 2 (Advanced)

  • Comprehensive awareness training program
  • Training on recognizing and reporting insider threats
  • Social engineering and phishing awareness
  • Role-based training for personnel with security responsibilities
  • Annual refresher training requirement

CMMC Level 3 (Expert)

Includes all Level 2 requirements plus enhanced training and practical exercises.

HIPAA Security Awareness Training

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and business associates to implement security awareness training for all workforce members.

Who Must Comply

  • Healthcare providers (hospitals, clinics, physicians)
  • Health plans and insurers
  • Healthcare clearinghouses
  • Business associates (vendors handling PHI)

Required Training Elements

HIPAA Security Rule §164.308(a)(5) requires:

  • Security reminders: Periodic updates about security policies and threats
  • Protection from malicious software: Training on virus and malware prevention
  • Login monitoring: Awareness of procedures for monitoring login attempts
  • Password management: Policies and procedures for creating and safeguarding passwords

Best Practices for HIPAA Training

  • Train all workforce members within 30 days of hire
  • Provide annual refresher training
  • Document all training with dates and attendees
  • Include role-specific training for those with elevated access

PCI-DSS Security Awareness Requirements

The Payment Card Industry Data Security Standard (PCI-DSS) applies to any organization that stores, processes, or transmits cardholder data.

Requirement 12.6: Security Awareness Training

PCI-DSS v4.0 requires organizations to:

  • 12.6.1: Implement a formal security awareness program
  • 12.6.2: Train personnel upon hire and at least annually thereafter
  • 12.6.3: Personnel must acknowledge they have read and understood security policies
  • 12.6.3.1: Training must include awareness of threats including phishing and social engineering
  • 12.6.3.2: Training must cover acceptable use of end-user technologies

NIST Framework Training Requirements

The National Institute of Standards and Technology provides cybersecurity frameworks widely adopted across industries and often required for government contractors.

NIST Cybersecurity Framework (CSF)

The Protect function includes:

  • PR.AT-1: All users are informed and trained
  • PR.AT-2: Privileged users understand roles and responsibilities
  • PR.AT-3: Third parties understand roles and responsibilities
  • PR.AT-4: Senior executives understand roles and responsibilities
  • PR.AT-5: Physical and cybersecurity personnel are trained

NIST 800-53 (Federal Systems)

Control family AT (Awareness and Training) requires:

  • AT-2: Literacy training and awareness for all users
  • AT-2(2): Insider threat awareness
  • AT-2(3): Social engineering and mining awareness
  • AT-3: Role-based training for personnel with security responsibilities
  • AT-4: Training records documentation

State-Specific Requirements

Several states have enacted their own cybersecurity training requirements:

Texas HB 3834

Requires state and local government employees to complete annual cybersecurity awareness training covering:

  • Phishing and social engineering
  • Password security
  • Safe browsing practices
  • Incident reporting

New York DFS (23 NYCRR 500)

Financial services companies regulated by NY DFS must:

  • Provide regular cybersecurity awareness training
  • Update training to reflect current risks
  • Maintain records of training for examination

Building a Training Program That Meets Multiple Frameworks

Organizations subject to multiple compliance requirements can build a unified training program that satisfies all applicable frameworks:

Core Training Elements

A comprehensive program should include:

  • Onboarding training: All new employees within 30 days of hire
  • Annual refresher training: Required by most frameworks
  • Phishing simulations: Regular testing with immediate feedback
  • Role-based training: Additional content for privileged users
  • Incident reporting procedures: Clear process for reporting suspicious activity

Documentation Requirements

Maintain records including:

  • Training completion dates for all personnel
  • Training content and materials used
  • Assessment scores and phishing simulation results
  • Policy acknowledgment signatures
  • Program review and update history

Key Takeaway

Security awareness training is not optional—it's mandated across virtually every major compliance framework. By implementing a comprehensive training program with proper documentation, organizations can satisfy multiple regulatory requirements while building a security-conscious culture that protects against real-world threats.

Disclaimer: This guide provides general information about compliance requirements. Consult with legal and compliance professionals for guidance specific to your organization. Requirements may change as regulations are updated.

Ready to strengthen your security posture?

Get in touch to learn how INFIMA can help protect your organization with automated security awareness training and phishing simulations.