What document requires that IASO ensure personnel receive system-specific and annual IA awareness training?

Answer 1

AR 25-2 includes this requirement. It applies only to the Army although is is mostly in line with other DoD IA documents.

The responsibilty for ensuring IA training actually falls to the IAM.

According to DoDI 8500.2 Paragraph 5.9.6, the IAM is responsible to:

5.9.6. Ensure that all IAOs and privileged users receive the necessary

technical and IA training, education, and certification to carry out their IA duties.

According to DoDI 8500.2 Paragraph 5.10.1, the IAO is responsible to:

5.10.1. Ensure that all users have the requisite security clearances and supervisory need-to-know authorization, and are aware of their IA responsibilities before being granted access to the DoD information system.

Note that according to DoDI 8500.2 Enclosure 2, the IAO is describe thus:

E2.1.28. IA Officer (IAO). An individual responsible to the IAM for ensuring that the appropriate operational IA posture is maintained for a DoD information system or organization. While the term IAO is favored within the Department of Defense, it may be used interchangeably with other IA titles (e.g., Information Systems Security Officer, Information Systems Security Custodian, Network Security Officer, or Terminal Area Security Officer).

Also:

DoDD 8500.01E

4.22. All personnel authorized access to DoD information systems shall be adequately

trained in accordance with DoD and Component policies and requirements and certified as required in order to perform the tasks associated with their IA responsibilities.

DoDI 8500.2

PRTN-1 Information Assurance Training

A program is implemented to ensure that upon arrival and periodically thereafter, all

personnel receive training and familiarization to perform their assigned IA

responsibilitieS.

Outside the Army, DoDI 8500.2 states that the IAM has this responsibility, but the Army has obviously delegated this to the IASO, who answers, in turn, to the IAM.

The IASO is responsible to prepare or supervise the preparation of system specific and annual IA awareness training. They are also responsible to track the status of users for compliance with policies and procedures for training. If a user has not received the required training, the IASO is responsible to see that the user is denied authorization to use the information system (e.g. by denying initial account creation or disabling their accounts) until they receive the requisite training. They are free to use any tool or method to track the training but they should be at least keeping track of each user by name, clearance, systems they are assigned to access, training required for the assigned systems, training completed, dates training is completed, and required training not yet completed. Obviously in the case of training that must be repeated on a regular basis such as annual IA awareness, the IASO should be keeping track of when each user is due to repeat their training and reminding them that training is due along with reminding them of the consequences of not completing the training (i.e. loss of privileges to access the systems). This can be especially tricky when the non-compliant individual is high ranking such as a flag officer - in which case it sucks to be the IASO.
AR 25-2 (Army Regulation 25-2) paragraph 3-2 f. (4) requires IASOs to

"Ensure users receive initial and annual IA awareness training."

Outside the Army, DoDI 8500.2 states that the IAM has this responsibility, but the Army has obviously delegated this to the IASO, who answers, in turn, to the IAM.

Answer 2

The document that mandates an Information Assurance Security Officer (IASO) to ensure personnel receive system-specific and annual Information Assurance (IA) awareness training is the DoD 8570.01-M, also known as the Department of Defense Directive 8570.01, Information Assurance Workforce Improvement Program. This directive outlines the requirements for training, certification, and management of all government employees, including contractors and military personnel, who have access to DoD information systems, ensuring they are aware of the IA policies and procedures necessary to safeguard information systems and data.

Answer 3

It doesn't necessarily ensure that they get the training, but it does make the IASO and IAM responsible to see that they do.