The U.S. military and its extensive network of contractors make up one of the most critical infrastructures in the country. Any threat to Department of Defense (DoD) information, systems, or resources can put national security at risk, both at home and abroad.
To reduce these risks, the DoD requires strict security standards across its workforce and contractor base. DoD information assurance awareness training is a foundational requirement designed to ensure personnel understand how to protect sensitive DoD information from cyber threats, misuse, and human error. This article explains what the training involves, who must complete it, and why it matters.
Basics of DoD Information Assurance Awareness Training
Earning and maintaining preferred contractor status with the Department of Defense can unlock significant long-term opportunities. To qualify, organizations must comply with strict cybersecurity requirements designed to protect DoD information, including frameworks such as NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC).
These frameworks translate Defense Federal Acquisition Regulation Supplement (DFARS) requirements into actionable security controls, including mandatory DoD information assurance awareness training. The goal is to ensure contractors and third parties handle DoD information at a security level consistent with DoD expectations.
This guide explains everything you need to know about DoD training, including:
- What DoD information assurance awareness training includes and who must complete it
- Awareness and assurance training requirements under NIST SP 800-171
- Additional information assurance practices required by the CMMC framework
By the end of this guide, you’ll understand your organization’s awareness training responsibilities, the DoD’s expectations for safeguarding information, and the resources available to help you get started.
What Is DoD Information Assurance Awareness Training?
DoD Information Assurance Awareness Training consists of baseline and role-specific training programs required for U.S. military personnel to help safeguard DoD information and systems. These requirements are formally defined in DoD Directive 8570.01-M, Information Assurance Workforce Improvement Program, originally issued in 2005 and most recently updated in 2015.
Training content for military personnel is primarily developed or guided by the Defense Information Systems Agency (DISA), ensuring consistent cybersecurity awareness standards across the Department of Defense.
While the core objectives remain consistent, information assurance awareness training is tailored by military branch and, in some cases, by individual units. These variations reflect differences in operational environments, personnel roles, and cybersecurity risk profiles.
The importance of this training has grown alongside rising cyber threats. A 2013 U.S. Army Stand-To directive linked Information Assurance (IA) and cybersecurity awareness training directly to the increasing frequency and sophistication of cybercrime. The directive emphasized the need to train all service members on threats to information that directly or indirectly support national defense operations.
Who Needs DoD Information Assurance Awareness Training?
DoD Directive 8570.01-M requires Information Assurance (IA) awareness training for military personnel who have access to information systems (IS) that handle DoD information. These information systems connect to, process, store, or otherwise interact with covered defense information, as defined by the Defense Federal Acquisition Regulation Supplement (DFARS).
Under DFARS, covered defense information primarily includes Controlled Unclassified Information (CUI), such as:
- Controlled Technical Information (CTI) related to defense programs, including nuclear and weapons systems
- Technical data tied to critical infrastructure, including natural and cultural resources
- NATO-restricted information governed by the North Atlantic Treaty Organization (NATO)
- International Agreement Information, including treaties and bilateral agreements
- Legal, law enforcement, and immigration records relevant to defense operations
While IA training is most closely monitored for managerial, administrative, and IT personnel, some level of DoD information assurance awareness training is required for nearly all military members. This broad requirement reflects the reality that most personnel may come into contact with sensitive DoD information during their duties.
The same requirement extends to DoD contractors, particularly those who access, process, or store CUI or other forms of DoD information on behalf of the Department of Defense.
Who Else Is Impacted by DoD Stakeholders’ Assurance Awareness?
While internal military personnel are the primary audience for DoD information assurance awareness training, the DoD also requires similar training and awareness for contractors entrusted with sensitive information.
Organizations working with the DoD as contractors are part of the Defense Industrial Base (DIB) sector, which the Cybersecurity and Infrastructure Security Agency (CISA) estimates includes over 100,000 companies and subcontractors worldwide. The DIB spans nearly every industry involved in research, development, design, manufacturing, and distribution of critical military supplies, products, and services. In short, it forms the operational backbone of the DoD.
Every individual involved in the DIB, including employees, managers, and stakeholders, is impacted by DoD information assurance awareness training. This impact is often realized through mandatory training requirements designed to align contractor practices with the same security and awareness standards required of military personnel.
Relevant NIST SP 800-171 Awareness Assurance Requirements
To qualify for DoD preferred contractor status, organizations must comply with NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This framework adapts baseline security requirements and best practices from other guides, such as the NIST Cybersecurity Framework (CSF), to meet the specific needs of DoD contractors.
NIST SP 800-171 contains 110 cybersecurity requirements organized into 14 Requirement Families, each addressing a specific cybersecurity domain. One of these families focuses specifically on Information Assurance Awareness for DoD personnel and contractors. This family contains three distinct requirements, all designed to ensure that individuals understand how to handle and protect DoD information effectively.
NIST SP 800-171 Awareness and Training Requirement Family
Within NIST SP 800-171, three requirements specifically address information assurance awareness, grouped under the “Awareness and Training” Requirement Family. Two are classified as Basic, and one is Derived. These requirements and their suggested implementations are:
- 3.2.1 (Basic) – Ensure all managerial and administrative staff, as well as users with privileged access, are aware of risks associated with their roles and responsibilities.
Implementation suggestions: Formal training sessions, distribution of informational literature, logon screen messages, and email or communication-based assessments.
- 3.2.2 (Basic) – Ensure all personnel, particularly those identified above, are prepared to fulfill responsibilities related to security awareness.
Implementation suggestions: Dynamic training modules, role-play exercises, and workshops informed by real-world threat intelligence.
- 3.2.3 (Derived) – Ensure personnel can identify, report, and mitigate insider threats, risks, and vulnerabilities.
Implementation suggestions: Targeted communications and strategies tailored to insider threats specific to individual roles.
Implementing these Awareness and Training Requirements is critical for a successful NIST SP 800-171 assessment, demonstrating high confidence in your organization’s ability to protect DoD information. While compliance with these requirements is necessary for DoD contract eligibility, achieving preferred contractor status requires additional steps.
This is where RSI Security can help. Our expert team provides end-to-end NIST SP 800-171 advisory services, helping organizations implement all requirements efficiently and securely.
Relevant CMMC Awareness Assurance Domains and Practices
Another critical requirement for future DoD preferred contractor status is compliance with the Cybersecurity Maturity Model Certification (CMMC), which is currently in the early rollout phase. The DoD’s Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S) created CMMC by combining NIST frameworks and other standards into a single, unified certification model.
Based on NIST SP 800-171, CMMC organizes cybersecurity requirements into 17 Domains containing 43 Capabilities. These Capabilities are implemented through 171 distinct Practices, which are analogous to NIST SP 800-171 Requirements. Additionally, Process Maturity goals measure how well these Practices are institutionalized across an organization.
CMMC differs from NIST SP 800-171 by introducing five distinct Maturity Levels, allowing Practices to be gradually adopted. Each level has specific objectives and a corresponding Process Maturity goal:
- Maturity Level 1: Protects Federal Contract Information (FCI) with 15 Practices focused on basic cyber hygiene. Process Maturity: Performed.
- Maturity Level 2: Prepares organizations for CUI protection (Level 3) with 55 Practices emphasizing intermediate cyber hygiene. Process Maturity: Documented.
- Maturity Level 3: Ensures full FCI and CUI protection with 58 Practices representing good cyber hygiene. Process Maturity: Managed.
- Maturity Level 4: Focuses on Advanced Persistent Threat (APT) protection with 25 proactive Practices. Process Maturity: Reviewed.
- Maturity Level 5: Finalizes all safeguards for FCI, CUI, and APT with 17 advanced/progressive Practices. Process Maturity: Optimizing.
CMMC controls related to DoD information awareness assurance training are primarily distributed across two Domains, with Practices spanning Maturity Levels 2, 3, and 4. These Practices ensure that personnel and contractors develop the knowledge, skills, and processes necessary to protect DoD information effectively.
CMMC Awareness and Training Capabilities and Practices
Within the CMMC “Awareness and Training” Domain, there are two primary Capabilities:
- Conduct Security Awareness Activities
- Conduct Training
These Capabilities are realized through five specific Practices across Maturity Levels 2, 3, and 4.
Maturity Level 2 Practices
- AT.2.056 – Ensure all administrators and users with privileged access to sensitive DoD information are aware of relevant risks and responsibilities.
- AT.2.057 – Implement measures to confirm all administrators and users uphold information security responsibilities as established in training activities.
Process Maturity goal: Documented
Maturity Level 3 Practice
- AT.3.058 – Provide targeted training modules or other awareness-building practices to establish organization-wide understanding of insider threats and responsibilities for mitigating vulnerabilities.
Process Maturity goal: Managed
Maturity Level 4 Practices
- AT.4.059 – Conduct training modules and awareness-building activities focused on Advanced Persistent Threats (APTs), including social engineering and sophisticated breaches. Training content must be updated at least annually.
- AT.4.060 – Implement dynamic, interactive training sessions addressing current threats and recent attacks identified in peer or local organizations.
Process Maturity goal: Reviewed
Implementing these Awareness and Training Practices according to the Process Maturity goals at each level is critical for achieving DoD information assurance and maintaining compliance with CMMC requirements. Proper execution ensures personnel and contractors are prepared to protect sensitive DoD information effectively.
CMMC Situational Awareness Capabilities and Practices
Beyond the baseline Awareness and Training controls, the CMMC framework includes a Situational Awareness Domain, which focuses on a company’s ability to understand and respond to its specific threat environment.
Capability: Implement Threat Monitoring
This Capability is achieved through three Situational Awareness Practices, starting at Maturity Level 3:
Maturity Level 3 Practice
- SA.3.169 – Receive, confirm, analyze, process, and distribute security information relevant to the company from local and national sources.
Process Maturity goal: Managed
Maturity Level 4 Practices
- SA.4.171 – Establish and maintain a cyber threat hunting capability to proactively identify and mitigate risks or vulnerabilities.
- SA.4.173 – Design, implement, and maintain resources to compile and share indicators of compromise with all relevant stakeholders.
Process Maturity goal: Documented
Implementing these Situational Awareness Practices, alongside the Awareness and Training Practices described above, is critical for achieving DoD information assurance thresholds and CMMC compliance. Proper execution ensures personnel and contractors can detect, respond to, and mitigate threats effectively.
To support organizations in building CMMC-compliant cybersecurity architectures and successfully completing assessments, RSI Security offers comprehensive CMMC advisory services tailored to awareness and situational readiness.
DoD Awareness Assurance, Training, and Compliance
At RSI Security, we understand that compliance is critical for DoD contractors, but we also know that compliance is just the starting point for effective cybersecurity. Our expert team has provided managed IT and security services to organizations across industries for over a decade, helping protect the Defense Industrial Base (DIB) and other critical infrastructures.
As highlighted above, DoD information assurance awareness training is essential to ensure consistent and effective cybersecurity awareness across all DoD personnel and stakeholders. Similar training requirements apply to companies seeking or maintaining DoD preferred contractor status. Both NIST SP 800-171 and CMMC frameworks include controls that guide these training protocols.
To ensure your organization meets DoD information assurance standards and builds a compliant, resilient cybersecurity framework, contact RSI Security today for expert guidance and advisory services.