The Army's chief information officer has reduced the requirement for the Cyber Awareness Challenge from annually to once every five years. (Department of Defense)
The Army has relaxed requirements for its cybersecurity awareness and information privacy training from an annual recertification to once every five years, according to a memo from the Army’s chief information officer.
The change took effect Feb. 27, according to the memo from Leonel Garciga posted on his official LinkedIn account that day.
“The Army is making a change that gives Soldiers and civilians more time to focus on their core missions,” said an announcement on the Army Chief Information Officer LinkedIn account.
The memorandum was published on the Army Publishing Directorate website, with similar announcements posted on social media platforms Facebook and X.
“The update supports broader efforts across the Department of War to reduce mandatory training requirements and restore mission focus,” the LinkedIn post states.
Cybersecurity training originated with the Federal Information Security Modernization Act of 2014. The act required federal agencies to implement security programs and provide training to inform users of the risks associated with their activities and their responsibility to comply with preventative measures.
The change to five-year training was also publicized in a March 27 post on the Army Chief Information Officer’s account on X.
Garciga’s office did not respond to requests for comment by email April 21.
Defense Secretary Pete Hegseth in a memo Sept. 30 called on each military branch to “relax the mandatory frequency for cybersecurity training.”
The memo also called for reduced frequency of Privacy Act training that refreshes the user’s familiarity with how to identify and safeguard personally identifiable information.
An Army veteran and cyber specialist, who requested anonymity because he fears reprisal for publicly criticizing the new policy, said the previous training already saved time for vigilant users by giving them the option to test out.
“The worst part about the mandate is that it still requires the civilian workforce to take the training annually,” he wrote April 27 in an electronic message to Stars and Stripes. “The decades of hype about ongoing ‘cyber warfare’ seem to be being pushed aside in favor of ‘convenience.’ Hardly a good look for a ‘department of war.’ ”
The comment sections across X, Facebook and LinkedIn were divided.
A cybersecurity subject matter expert on LinkedIn asked, “What are we saving by forcing the workforce to go through the same exact training every year?”
A senior data operations warrant officer suggested the training be required when the users change duty locations.
“A typical rotation is about every 3-4 years,” the user wrote. “In my experience, people get complacent and comfortable and mistakes start happening.”
Cybersecurity training for every Defense Department employee, the Cyber Awareness Challenge, was overhauled in 2019 when computer-generated characters like Jeff, the narrator, and Tina, a misguided coworker, were replaced with actors or removed altogether.
The characters grew so familiar that they inspired internet memes and Halloween costumes among department personnel.
The annual training usually required about an hour, but test-takers could skip some sections by demonstrating their knowledge in a pre-test.