All users of federal information systems must receive security awareness training before accessing IT resources. This ensures that users understand their responsibilities to protect the data and information systems they use. The term "all users" is inclusive of employees, contractors, students, guest researchers, visitors and others who need access to federal IT resources. OPM also requires that individuals with significant IT responsibilities receive training appropriate for their roles and responsibilities.

Information Security Training and Awareness

Contract staff with access to NIH computer systems must meet a number of computer security training requirements. Initially, contractors must complete the NIH Computer Security Awareness Training at prior to beginning work on a contract. Following that, there are requirements for annual computer security awareness refresher courses that must be completed on a schedule announced by NIH each year. Contract personnel designated by the government as having “significant IT security responsibilities” will also be required to take security training related to their role.

Training requirements are as follows:

Consult the HHS CISO Memorandum on Role-Based Training (RBT) of Personnel with Significant Security Responsibilities, which provides guidance on what roles should be included. This document lists mandatory roles; for others, however, it also gives you the latitude to make local decisions about whether a person’s security responsibilities are significant enough to warrant this designation. It’s always helpful to review the list with your CIO.

Below are some courses provided on the NIH Security Training Portal that can be used to fulfill Role-Based Training requirements.

Trainings for System Owners and Project Managers

Trainings for System Developers and Software Engineers

Trainings for General Users