Pentagon eyes 3-year cyber training requirement, overriding new Army policy

“The shift to a three-year training cycle perfectly balances the Department’s security imperatives with our commitment to restoring warfighter readiness,” said Aaron Bishop, chief information security officer for the Pentagon.
Members of the 71st Theater Information Operations Group with the Texas Army National Guard participate in training during exercise Cyber Shield 2025 in Virginia Beach, Virginia, June 3, 2025. (U.S. Army photo by Staff Sgt. Jasmine McCarthy)

The Pentagon plans to require service members to complete cybersecurity training once every three years, DefenseScoop has learned, a move that will scrap an annual mandate and is set to upend the Army’s recent shift to a five-year requirement. 

In a Sep. 30 memo, Defense Secretary Pete Hegseth directed the military to “restore mission focus” by reducing, consolidating or eliminating a slew of mandatory courses, such as cybersecurity training, that he said were distracting from the military’s core job of fighting wars.

Hegseth did not specify by how much the services should “relax the mandatory frequency” of cybersecurity training, and by February, the Army issued its own directive that required soldiers to take the course once every five years instead of annually, DefenseScoop reported.

But more than a month after the service’s directive, the Pentagon is moving to require troops to conduct cybersecurity training once every three years, according to a recent memo reviewed by the publication and a senior defense official, which would effectively overrule the Army’s move.

“Our warfighters need to focus on the mission, not administrative overhead,” Aaron Bishop, chief information security officer for the Pentagon, told DefenseScoop in a statement. “The shift to a three-year training cycle perfectly balances the Department’s security imperatives with our commitment to restoring warfighter readiness.”

It was unclear why the Army and Defense Department are signaling different frequencies for the training and what stage the Pentagon’s implementation of the three-year training cycle is in.

When asked, neither Bishop nor an Army spokesperson directly answered questions about whether the two entities coordinated the cybersecurity training reduction given the conflicting cycles. Neither directly confirmed if the Army would adopt the three-year cycle, despite the shift from the higher office of the Pentagon.

“The [Department of War Chief Information Officer] sets the standard for cyber training frequency, but the Military Departments own the execution,” Bishop said in response to the coordination question. “While we establish the baseline to restore mission focus, the Army manages its own coordination and implementation timeline.”

He referred DefenseScoop to the Army when asked if the service will adjust to a three-year cycle.

“The Army’s approach to cybersecurity and privacy training frequency is governed by current policy and remains responsive to higher-level guidance,” said Maj. Sean Minton, a spokesperson for the Army, in response to questions from the publication.

He pointed to a line in the February memorandum announcing the Army’s five-year requirement that said the service will “adjust the training frequency as needed based on updates” from the Defense Department or revisions to its policy.

“Accordingly, the Army will align its training requirements with updated [Office of the Secretary of War] guidance as those policies are finalized and issued,” Minton added. He referred back to the statement when asked again whether the service will adopt the three-year cycle.

At the center of these changes is the Cyber Awareness Challenge, a mandatory course service members have been taking annually for years, often to jokes over its check-the-box nature and iconic virtual avatars that tested troops on topics such as phishing scams and ID protection.

The course is intended to teach troops basic online hygiene and track the military’s compliance with cybersecurity, but officials have questioned its efficacy in the face of rapidly changing cyber threats. Some analysts said reducing the frequency of such training at a time when those threats are at a crescendo and placing the responsibility on busy commanders to prepare their formations against them is risky.

The Pentagon memo reviewed by DefenseScoop said civilian personnel and contractors will continue to complete cybersecurity training annually.

DefenseScoop reported that the Army had reduced the frequency of mandatory cybersecurity training to once every five years, according to a late February memorandum that was “effective immediately until rescinded,” getting rid of the annual requirement and making individual commanders responsible for preparing their formations against cyber risks.

The service’s chief information officer at the time, Leonel Garciga, told DefenseScoop that the change was meant to give commanders more flexibility for tailoring their cyber training against unique risks and that the Army “found no relational improvement difference in cybersecurity outcomes between the annual training and other less burdensome forms of awareness.”

While the reduction cycles differed, Bishop said commanders will be responsible for addressing cyber risks.

“We are moving away from a one-size-fits-all approach,” Bishop said. “Commanders across the Department are empowered—and responsible—for managing their own cybersecurity risks. By working closely with their component CISOs, they will tailor cyber awareness and training to their specific mission needs, ensuring our forces remain both secure and mission-ready.”
