AR 25-2 includes this requirement. It applies only to the Army although is is mostly in line with other DoD IA documents.
The responsibilty for ensuring IA training actually falls to the IAM.
According to DoDI 8500.2 Paragraph 5.9.6, the IAM is responsible to:
5.9.6. Ensure that all IAOs and privileged users receive the necessary
technical and IA training, education, and certification to carry out their IA duties.
According to DoDI 8500.2 Paragraph 5.10.1, the IAO is responsible to:
5.10.1. Ensure that all users have the requisite security clearances and supervisory need-to-know authorization, and are aware of their IA responsibilities before being granted access to the DoD information system.
Note that according to DoDI 8500.2 Enclosure 2, the IAO is describe thus:
E2.1.28. IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer).
Also:
DoDD 8500.01E
4.22. All personnel authorized access to DoD information systems shall be adequately
trained in accordance with DoD and Component policies and requirements and certified as required in order to perform the tasks associated with their IA responsibilities.
DoDI 8500.2
PRTN-1 Information Assurance Training
A program is implemented to ensure that upon arrival and periodically thereafter, all
personnel receive training and familiarization to perform their assigned IA
responsibilitieS.
Outside the Army, DoDI 8500.2 states that the IAM has this responsibility, but the Army has obviously delegated this to the IASO, who answers, in turn, to the IAM.
The IASO is responsible to prepare or supervise the preparation of system specific and annual IA awareness training. They are also responsible to track the status of users for compliance with policies and procedures for training. If a user has not received the required training, the IASO is responsible to see that the user is denied authorization to use the information system (e.g. by denying initial account creation or disabling their accounts) until they receive the requisite training. They are free to use any tool or method to track the training but they should be at least keeping track of each user by name, clearance, systems they are assigned to access, training required for the assigned systems, training completed, dates training is completed, and required training not yet completed. Obviously in the case of training that must be repeated on a regular basis such as annual IA awareness, the IASO should be keeping track of when each user is due to repeat their training and reminding them that training is due along with reminding them of the consequences of not completing the training (i.e. loss of privileges to access the systems). This can be especially tricky when the non-compliant individual is high ranking such as a flag officer - in which case it sucks to be the IASO.
AR 25-2 (Army Regulation 25-2) paragraph 3-2 f. (4) requires IASOs to
"Ensure users receive initial and annual IA awareness training."
Outside the Army, DoDI 8500.2 states that the IAM has this responsibility, but the Army has obviously delegated this to the IASO, who answers, in turn, to the IAM.