How often do all cybersecurity workforce personnel take the cybersecurity fundamental training?

National Cyber Security Awareness Month

To support the warfighter in a highly effective and professional manner, the Army must ensure that appropriate levels of Cybersecurity awareness, training, education, certification and workforce management are provided to the Cybersecurity workforce and Information System users that commensurate with their respective responsibilities.

The Army Training and Certification Tracking System, ATCTS, provides managers at all levels a capability to report and manage their Cybersecurity Workforce and General User population training and certification requirements. The Cybersecurity workforce consists of personnel with Information System privilege access (admin or root) and/or working IA functions in technical, management, Computer Network Defense Service Provider and Architect and Engineer positions. Cybersecurity functions are described in DOD 8570.01-M and AR 25-2. The training, certification, and workforce management requirements of DOD 8570.01-M apply to all members of the DOD IA workforce including military, civilians, local nationals, non-appropriated fund personnel and contractors. The requirements apply whether the duties are performed full-time, part-time, or as an embedded duty.

Required training

• All users must complete Cybersecurity Awareness training before receiving network access and annually thereafter.
• All Cybersecurity personnel must be fully trained and certified prior to being deployed to a combat environment.
• All Cybersecurity personnel performing Cybersecurity functions must obtain/maintain a certification corresponding to the highest level function(s) required by their positions.
• All IT services contracts must state that contractor personnel must obtain the appropriate baseline and computing environment certifications.
• All personnel that have privileged access to an information system (including as a local administrator or an OU administrator) must be appointed, trained, and certified as IA Technical l-lll.
• All Cybersecurity personnel must have current appointment orders designating their Cybersecurity category and level and, for IAT I-III personnel, annotating their functions, responsibilities, and scope.

All Cybersecurity personnel performing functions designated as IA Management I-III must complete the following within six months of appointment: Cyber Security (CS) Fundamentals (formerly IA Fundamentals) (https://cs.signal.army.mil);

Baseline certification dependent on the IAM level (CTRs must be certified before performing Cybersecurity duties); Army e-Learning program (i.e. Skillport) course work (as required)

All Cybersecurity personnel performing functions designated as IA Technical I-III must complete the following within six months of appointment: Cyber Security (CS) Fundamentals (formerly IA Fundamentals) course (https://cs.signal.army.mil);

Baseline certification dependent on the IAT level (CTRs must be baseline certified before performing Cybersecurity duties); Appropriate computing environment certification or certification of training. IAT-III personnel must attain a commercial certification instead of a certificate of training; Army e-Learning program (i.e. Skillport) course work (as required); On-the-job training skill practical evaluation, must be validated by the individuals supervisor or manager.

All Cybersecurity personnel performing functions designated as IA System Architect and Engineer I-III must complete the following within six months of appointment: Cyber Security (CS) Fundamentals (formerly IA Fundamentals) (https://cs.signal.army.mil); Baseline certification dependent on the IAT level (CTRs must be certified before performing Cybersecurity duties); If also performing IAT functions, IASAEs must attain appropriate computing environment certification or certification of training. IASAEs performing IAT-III functions must attain a commercial certification instead of a certificate of training; Army e-Learning program (i.e. Skillport) course work (as required).

All Cybersecurity personnel performing functions designated as Computer Network Defense Service Providers (CND-SP) must complete the following within six months of appointment: Cyber Security (CS) Fundamentals (formerly IA Fundamentals) (https://cs.signal.army.mil); Baseline certification dependent on the CND-SP category and level (CTRs must be certified before performing Cybersecurity duties); CND-SP personnel must attain appropriate computing environment certification or certification of training. CND-SP personnel performing level III functions must attain a commercial certification instead of a certificate of training; Army e-Learning program (i.e. Skillport) course work (as required).

Individuals in Cybersecurity positions not meeting qualification requirements must be reassigned to other duties, consistent with applicable law. Until certification is attained, individuals in Cybersecurity positions not meeting qualification requirements may perform those duties under the direct supervision of an appropriately certified individual unless the qualification requirement has been waived due to severe operational or personnel constraints.

CECOM Cyber Security Division