Annual CAC Training – Security Awareness Requirements

CAC Security Training: What You Need to Know Annually

That annual Cyber Awareness Challenge isn’t just a checkbox—it’s a condition of maintaining your CAC access. DoD mandates security awareness training for everyone with CAC-enabled network access. This guide covers what’s required, how to complete it, and why it matters beyond compliance.

The Mandatory Training Requirement

DoD Directive 8570 (now incorporated into DoD 8140) establishes information assurance training requirements. For basic CAC users, this means completing the Cyber Awareness Challenge (or equivalent approved training) annually.

The training must be completed within 12 months of your last completion. Some organizations enforce stricter timelines—quarterly refreshers or completion within the fiscal year. Know your organization’s specific policy.

Failure to complete training can result in:

  • Suspension of network access
  • CAC certificate revocation
  • Manager notification and counseling
  • Impact on performance evaluations

Where to Complete Training

DoD Cyber Exchange: The primary source is cyber.mil, which hosts the annual Cyber Awareness Challenge. This is the most widely accepted training across DoD.

Your Organization’s LMS: Many organizations host approved training on their learning management systems (ATRRS, Navy e-Learning, Air Force’s MyLearning, etc.). These may offer organization-specific content alongside standard DoD training.

Contract Training Platforms: Contractors may use platforms like KnowBe4 or SANS security training. Verify with your security manager that your organization’s training meets DoD requirements before assuming it counts.

Training Content Overview

The Cyber Awareness Challenge covers foundational security topics:

Social Engineering: Recognizing phishing emails, pretexting attempts, and other manipulation tactics. Real-world scenarios help you identify threats in your inbox.

Physical Security: Tailgating prevention, clean desk policy, protecting sensitive materials, and securing workspaces. Your CAC is a physical security asset.

Password and PIN Management: Creating strong credentials, protecting them from observation, and reporting compromises.

Removable Media: Risks of USB drives, external hard drives, and other removable media. Why that USB drive in the parking lot stays in the parking lot.

Mobile Device Security: Protecting smartphones and tablets that may connect to DoD systems or contain work-related information.

Reporting Requirements: When and how to report security incidents, suspicious contacts, and potential insider threats.

Completing Training Efficiently

The Cyber Awareness Challenge takes 1-2 hours depending on your pace and whether you’ve seen similar content before. Tips for efficient completion:

Block dedicated time: Trying to complete training between meetings leads to rushing and poor retention. Schedule an uninterrupted block.

Take notes: Even if you’ve taken the training before, security threats evolve. New scenarios and updates contain relevant information.

Don’t skip sections: Many training modules require viewing all content before knowledge checks unlock. Skipping around wastes time.

First attempt counts: Some organizations track first-attempt scores. Paying attention yields better results than clicking through.

Documenting Completion

After completing training, obtain your completion certificate. This is your proof of compliance:

Save the certificate: Download and save the PDF certificate. Store it somewhere accessible—you may need it for audits or access requests.

Note the completion date: Mark your calendar for next year’s required completion date. Don’t wait until you lose access.

Verify registration: Some training systems report completion to your organization automatically. Others require you to submit certificates manually. Know your process.

Beyond the Checkbox: Practical Security

Annual training provides baseline knowledge, but security is a daily practice. Apply these principles continuously:

Verify before trusting: That email from “IT support” asking for credentials? Call them using known contact information before responding.

Report anomalies: Something seems off about that email, phone call, or visitor? Report it. False alarms are better than missed threats.

Protect your CAC: Training emphasizes this, but it bears repeating: your CAC is your digital identity. Protect it like cash.

Stay current: Security threats evolve faster than annual training updates. Read security bulletins from your organization. Pay attention to reported incidents.

Special Training Requirements

Some roles require additional training beyond basic Cyber Awareness:

Privileged Access: System administrators, database managers, and others with elevated access have additional training requirements.

Security Clearances: Personnel with security clearances may have counterintelligence and insider threat training requirements.

Specific Systems: Access to certain DoD systems requires system-specific training. Your access manager will specify these requirements.

Training for Contractors

Contractors with CAC access have the same training requirements as government employees. Your contracting organization should provide access to appropriate training platforms.

If you’re new to a contract and haven’t completed DoD cyber training previously, prioritize this. Some organizations won’t provision network accounts until training certificates are on file.

Refresher Best Practices

Don’t treat annual training as a once-and-forget exercise:

Review during the year: Skim the training content occasionally. Threats you learned about in January may be relevant to an email you receive in November.

Discuss with colleagues: Security awareness improves when teams discuss threats openly. Share (appropriately) when you recognize phishing attempts or suspicious activity.

Apply lessons: Training scenarios are based on real incidents. When you encounter similar situations, apply what you learned.

Annual security training ensures everyone maintaining CAC access understands baseline security requirements. Take it seriously, complete it on time, and apply the knowledge daily. Your organization’s security—and your own—depends on it.

Mike Thompson


Mike Thompson is a former DoD IT specialist with 15 years of experience supporting military networks and CAC authentication systems. He holds CompTIA Security+ and CISSP certifications and now helps service members and government employees solve their CAC reader and certificate problems.
