Annual CAC Training – Security Awareness Requirements

CAC Security Training: What You Need to Know Annually

CAC security training has gotten complicated with all the compliance requirements flying around these days. As someone who managed training compliance for over 2,000 CAC users across multiple commands, I learned everything there is to know about what’s actually required versus what people think is required. Today, I will share it all with you.

Annual training is a checkbox, but it’s a checkbox that keeps networks secure, and that’s what makes it endearing to us compliance types. Skip it and you lose access. It’s that simple.

The Mandatory Training Requirement

DoD Directive 8570 (now rolled into DoD 8140) requires Cyber Awareness Challenge completion annually for everyone with CAC-enabled network access. No exceptions.

The training must be completed within 12 months of your last completion. Some organizations enforce stricter timelines — quarterly refreshers or completion within the fiscal year. Check your organization’s specific policy because being technically compliant with DoD but out of compliance locally still loses you access.

If you don’t complete training, expect:

  • Network access suspension
  • CAC certificate revocation
  • An awkward conversation with your manager
  • Notes in your performance evaluation

Where to Complete Training

Probably should have led with this section, honestly.

DoD Cyber Exchange: cyber.mil hosts the annual Cyber Awareness Challenge. This is the most widely accepted training across DoD. When in doubt, complete it here.

Your Organization’s LMS: Many organizations host approved training on their learning management systems — ATRRS, Navy e-Learning, Air Force’s MyLearning, etc. These sometimes include organization-specific content alongside standard DoD training.

Contract Training Platforms: Contractors might use KnowBe4 or SANS training. Verify with your security manager that your organization’s training actually meets DoD requirements before assuming it counts. I’ve seen contractors lose access because their corporate training didn’t satisfy DoD requirements.

What the Training Covers

The Cyber Awareness Challenge covers foundational security topics:

Social Engineering: Recognizing phishing emails, pretexting attempts, and manipulation tactics. The scenarios are actually useful — pay attention to them.

Physical Security: Tailgating prevention, clean desk policy, protecting sensitive materials, securing workspaces. Your CAC is a physical security asset, not just a digital one.

Password and PIN Management: Creating strong credentials, protecting them from shoulder surfers, reporting compromises immediately.

Removable Media: Why that USB drive in the parking lot stays in the parking lot. This section has prevented actual compromises.

Mobile Device Security: Protecting phones and tablets that connect to DoD systems or contain work information.

Reporting Requirements: When and how to report security incidents, suspicious contacts, and potential insider threats.

Getting Through Training Efficiently

The Cyber Awareness Challenge takes 1-2 hours depending on your pace. Tips for getting through it:

Block dedicated time: Trying to complete training between meetings leads to rushing and missing content. Schedule an uninterrupted block.

Actually take notes: Even if you’ve done this training five years running, threats evolve. New scenarios contain relevant information.

Don’t skip around: Modules require viewing all content before knowledge checks unlock. Skipping around just wastes time.

First attempt scores matter: Some organizations track first-attempt scores for compliance records. Pay attention.

Documenting Completion

After completing training, get your certificate. This is your proof of compliance:

Save the PDF: Download and save the certificate somewhere accessible. You will need it for audits or access requests.

Mark your calendar: Note when you need to complete training again next year. Don’t wait until access suspension reminds you.

Verify it registered: Some systems report completion automatically. Others require you to submit certificates manually. Know your organization’s process.

Beyond the Checkbox

Annual training provides baseline knowledge, but security is daily practice:

Verify before trusting: That email from “IT support” asking for credentials? Call them using a known number before responding. Every time.

Report anomalies: Something seems off about that email, phone call, or visitor? Report it. False alarms beat missed threats.

Protect your CAC: Your CAC is your digital identity. Don’t leave it in readers. Don’t loan it. Don’t let it out of your sight.

Stay current: Threats evolve faster than annual training updates. Read security bulletins. Pay attention to reported incidents.

Special Training Requirements

Some roles require training beyond basic Cyber Awareness:

Privileged Access: System administrators and database managers with elevated access have additional requirements.

Security Clearances: Cleared personnel may have counterintelligence and insider threat training requirements.

Specific Systems: Access to certain DoD systems requires system-specific training. Your access manager will tell you what’s needed.

Training for Contractors

Contractors with CAC access have the same training requirements as government employees. Your contracting organization should provide access to appropriate platforms.

If you’re new to a contract and haven’t completed DoD cyber training before, prioritize this. Some organizations won’t provision network accounts until training certificates are on file. I’ve seen people sit at empty desks for weeks waiting for training verification.

Making Training Stick

Don’t treat annual training as once-and-forget:

Review during the year: Skim the content occasionally. Threats you learned about in January may be relevant to an email you receive in November.

Discuss with colleagues: Security awareness improves when teams discuss threats openly. Share when you recognize phishing attempts or suspicious activity.

Apply lessons: Training scenarios are based on real incidents. When you encounter similar situations, apply what you learned.

Annual security training ensures everyone maintaining CAC access understands baseline requirements. Take it seriously, complete it on time, and apply the knowledge daily.

Mike Thompson

Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
