Best answer
AR 25-2 includes this requirement. It applies only to the Army, although it is mostly in line with other DoD IA documents.

The responsibility for ensuring IA training actually falls to the IAM.

According to DoDI 8500.2 Paragraph 5.9.6, the IAM is responsible to:

5.9.6. Ensure that all IAOs and privileged users receive the necessary technical and IA training, education, and certification to carry out their IA duties.

According to DoDI 8500.2 Paragraph 5.10.1, the IAO is responsible to:

5.10.1. Ensure that all users have the requisite security clearances and supervisory need-to-know authorization, and are aware of their IA responsibilities before being granted access to the DoD information system.

Note that according to DoDI 8500.2 Enclosure 2, the IAO is described thus:

E2.1.28. IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer).

Also:

DoDD 8500.01E

4.22. All personnel authorized access to DoD information systems shall be adequately trained in accordance with DoD and Component policies and requirements and certified as required in order to perform the tasks associated with their IA responsibilities.

DoDI 8500.2

PRTN-1 Information Assurance Training

A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities.

Outside the Army, DoDI 8500.2 states that the IAM has this responsibility, but the Army has obviously delegated this to the IASO, who answers, in turn, to the IAM.

The IASO is responsible to prepare or supervise the preparation of system-specific and annual IA awareness training. They are also responsible to track the status of users for compliance with policies and procedures for training. If a user has not received the required training, the IASO is responsible to see that the user is denied authorization to use the information system (e.g. by denying initial account creation or disabling their accounts) until they receive the requisite training. They are free to use any tool or method to track the training, but they should at least be keeping track of each user by name, clearance, systems they are assigned to access, training required for the assigned systems, training completed, dates training is completed, and required training not yet completed. Obviously, in the case of training that must be repeated on a regular basis such as annual IA awareness, the IASO should be keeping track of when each user is due to repeat their training and reminding them that training is due, along with reminding them of the consequences of not completing the training (i.e. loss of privileges to access the systems). This can be especially tricky when the non-compliant individual is high ranking such as a flag officer - in which case it sucks to be the IASO.

AR 25-2 (Army Regulation 25-2) paragraph 3-2 f. (4) requires IASOs to

"Ensure users receive initial and annual IA awareness training."
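The answer above lists what an IASO should at least be tracking per user (name, clearance, assigned systems, training required for those systems, completion dates, and what is due or overdue) and says access should be denied until required training is complete. The following is an added example, not code from the answer or from any Army or DoD tool, of a minimal tracker that applies those rules. The system names, course names, users, dates, the 365-day repeat period and the 30-day reminder window are all constructed assumptions for illustration.

```python
"""Minimal IA training-compliance tracker (added example, not an official tool).

Keeps the per-user records the answer above describes and decides, for a
given date, who needs a reminder and whose access should be disabled
because required training is missing or overdue.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Training each system requires (constructed values). A period of None
# means one-time initial training; an integer means "repeat every N days".
SYSTEM_TRAINING = {
    "SIPR-WS": {"IA Awareness": 365, "SIPR Rules of Behavior": None},
    "NIPR-WS": {"IA Awareness": 365},
}
REMINDER_WINDOW_DAYS = 30  # assumption: remind this many days before the due date


@dataclass
class UserRecord:
    name: str
    clearance: str
    systems: list                                  # systems the user is assigned to access
    completed: dict = field(default_factory=dict)  # course -> most recent completion date


def required_training(user):
    """Union of the training required by the user's assigned systems.
    Where systems disagree on the repeat period, keep the shortest one."""
    req = {}
    for system in user.systems:
        for course, period in SYSTEM_TRAINING[system].items():
            if course not in req:
                req[course] = period
            elif period is not None and (req[course] is None or period < req[course]):
                req[course] = period
    return req


def course_status(user, course, period, today):
    """Return (status, due_date) where status is one of
    'missing', 'current', 'due_soon' or 'overdue'."""
    done = user.completed.get(course)
    if done is None:
        return "missing", None            # never completed: required before access
    if period is None:
        return "current", None            # one-time training, already done
    due = done + timedelta(days=period)
    if today > due:
        return "overdue", due
    if today >= due - timedelta(days=REMINDER_WINDOW_DAYS):
        return "due_soon", due
    return "current", due


def evaluate(user, today):
    """Return (access_allowed, reminders, gaps) for one user.
    Any missing or overdue required course means access is not allowed."""
    reminders, gaps = [], []
    for course, period in required_training(user).items():
        status, due = course_status(user, course, period, today)
        if status in ("missing", "overdue"):
            gaps.append((course, status, due))
        elif status == "due_soon":
            reminders.append((course, due))
    return (not gaps), reminders, gaps


def compliance_report(users, today):
    """Per-user decision: 'allowed' or 'disable', plus reminders and gaps."""
    report = {}
    for user in users:
        allowed, reminders, gaps = evaluate(user, today)
        report[user.name] = {
            "clearance": user.clearance,
            "access": "allowed" if allowed else "disable",
            "reminders": reminders,
            "gaps": gaps,
        }
    return report


# Constructed sample roster; names, clearances and dates are made up.
SAMPLE_USERS = [
    UserRecord("A. Jones", "SECRET", ["SIPR-WS", "NIPR-WS"],
               {"IA Awareness": date(2023, 5, 1), "SIPR Rules of Behavior": date(2022, 1, 10)}),
    UserRecord("B. Smith", "SECRET", ["NIPR-WS"], {"IA Awareness": date(2022, 9, 15)}),
    UserRecord("C. Lee", "SECRET", ["SIPR-WS"], {"IA Awareness": date(2023, 6, 1)}),
]
TODAY = date(2024, 4, 15)  # constructed reference date

if __name__ == "__main__":
    for name, row in compliance_report(SAMPLE_USERS, TODAY).items():
        print(f"{name:10} {row['access']:8} reminders={row['reminders']} gaps={row['gaps']}")
```

On the constructed roster, Jones is current on the one-time Rules of Behavior course and within the reminder window for annual IA Awareness, so access stays allowed and a reminder is generated; Smith's annual training lapsed, and Lee never completed a one-time course required by an assigned system, so both are flagged for account disablement until the gap is closed. The decision is driven by the union of training required across a user's assigned systems, which is the lookup the answer says the IASO must maintain.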

Related answers

8510.01M, signed in 2000, was written to go with DITSCAP (DoDI 5200.40, signed in 1997), which has since been superseded by DIACAP (DoDI 8510.01, signed in 2007).

Ultimately, responsibility for ensuring the training rests with the IAM, but the IAM can, and often does, delegate the responsibility to the IAO.

C3.4.4 requires preparation of the Environment and Threat Description, which, in turn requires:

C3.4.4.2.1.8. Training. Identify the training for individuals associated with the system's operation and determine if the training is appropriate to their level and area of responsibility. This training should provide information about the security policy governing the information being processed as well as potential threats and the nature of the appropriate countermeasures.

C3.4.7 requires identifying C&A Organizations and the Resources Required, which includes:

C3.4.7.2.3. Resources and Training Requirements. Describe the training requirements, types of training, who is responsible for preparing and conducting the training, what equipment is required, and what training devices must be developed to conduct the training, if training is required. Funding for the training must be identified.

C5.1.2 discusses certifying, among other things, "security education, training, and awareness requirements".

C5.2.4.3 requires: The program manager, user representative, and ISSO should ensure that the proper security operating procedures, configuration guidance, and training is delivered with the system. Note that the term ISSO has since been replaced by IASO in current IA terminology.

C5.3.9.2 requires: "that security Rules of Behavior, a Security Awareness and Training Program, and an Incident Response Program are in place and are current."

Appendix 2, the "MINIMAL SECURITY ACTIVITY CHECKLIST" includes the questions:

Table AP2.T11.

10.(h) Do the ISSO duties include the following:

Implementing or overseeing the implementation of the Security and Training and Awareness Program?

Table AP2.T12.

3.(o) Do employees receive periodic training in the following areas:

(1) Power shut down and start up procedures?

(2) Operation of emergency power?

(3) Operation of fire detection and alarm systems?

(4) Operation of fire suppression equipment?

(5) Building evacuation procedures?

If you examine DoDI 8500.2, you will find requirements dealing with training including:

5.9 Each IA Manager, in addition to satisfying all responsibilities of an Authorized User, shall: (5.9.2) Ensure that all IAOs and privileged users receive the necessary technical and IA training, education, and certification to carry out their IA duties.

E3.3.7. Requires that:

All DoD employees and IT users shall maintain a degree of understanding of IA policies and doctrine commensurate with their responsibilities. They shall be capable of appropriately responding to and reporting suspicious activities and conditions, and they shall know how to protect the information and IT they access. To achieve this understanding, all DoD employees and IT users shall receive both initial and periodic refresher IA training. Required versus actual IA awareness training shall be a management review item.

E3.4.6. Information Assurance Managers (IAMs) are responsible for establishing, implementing and maintaining the DoD information system IA program, and for documenting the IA program through the DoD IA C&A process. The program shall include procedures for:

E3.4.6.6. Tracking compliance with the IA Controls applicable to the DoD information system and reporting IA management review items, such as C&A status, compliance with personnel security requirements, compliance with training and education requirements, and compliance with CTOs, IAVAs, and other directed solutions.

Within the controls of 8500.2, you will find the following controls:

VIIR-1 Incident Response Planning

An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least annually.

VIIR-2 Incident Response Planning

An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least every 6 months.

PETN-1 Environmental Control Training

Employees receive initial and periodic training in the operation of environmental controls.

PRTN-1 Information Assurance Training

A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related plans such as incident response, configuration management and COOP or disaster recovery.

Templates for validation of the controls by system validators include the following instructions:

For PRRB-1:

1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.

2. The rules shall include the consequences of inconsistent behavior or non-compliance.

3. Signed acknowledgement of the rules shall be a condition of access.

4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.

For PRTN-1:

1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.

2. The rules shall include the consequences of inconsistent behavior or non-compliance.

3. Signed acknowledgment of the rules shall be a condition of access.

4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.
