Contractor Employees – Required IT Security Training



Requirements for Training

The Federal Information Security Modernization Act of 2014 requires you to complete both security awareness training and specialized IT security training (also known as role-based security training) prior to beginning work for the IRS and annually thereafter.

  • IRS Policy, Internal Revenue Manual (IRM) 10.8.1 and 10.8.2 also cover this requirement.
  • Policy & Procedure 24.1 and 39.1(H) provide contract clause information for this training.

Contact your IRS Contracting Officer’s Representative for more details on these policies.

Security Awareness Training (SAT):

This training is also referred to as mandatory awareness briefings.

You will be required to take one or more of the five (5) awareness briefings below, prior to being granted access to IRS facilities, systems and/or SBU data. All certification must be completed and submitted after receiving approval for access from the IRS. The Contracting Officer’s Representative has further information concerning these accesses and awareness briefings. The five (5) SAT components are:

  • Information Systems Security (ISS) – systems access
  • Facilities Management and Security Services (FMSS) – Physical Security
  • Privacy, Information Protection and Disclosure
  • Unauthorized Access (UNAX) Briefing
  • Inadvertent Sensitive Information Access

These briefings are available on the IR Web for contractors with IRS LAN access or via text version for contractors without IRS LAN access.

Completion of awareness training must be reported by sending Form 14616, Contractor Security Awareness Training Certification, and Form 11370, UNAX, to the COR of record for upload into applicable systems.

Additional information is available in Policy & Procedures 24.1 or you may contact your Contracting Officer’s Representative for more details on these briefings.

Specialized IT Security (SITS) Training

This training is also referred to as role-based security training.

If you perform tasks or services such as system administration, network administration, database administration or programming/development, or fill one of the other specialized IT security roles listed in the table below, or if your work is 50% or more related to FISMA work, you are required to complete security training pertinent to the role.

The table below contains the specialized IT security roles requiring training, along with the hours of training required annually.

Specialized Information Technology Roles, and Hours of Training Required for Each Role Per IRM 10.8.1 and IRM 10.8.2

| Specialized IT Roles | Hours of Training |
|---|---|
| Computer Audit Specialist | 8 |
| Database Administrator (DBA) | 8 |
| Enterprise Architect | 8 |
| Functional Workstation Specialist | 8 |
| Information System Security Engineer | 8 |
| Live Data Functional Coordinator (LDFC) | 8 |
| Management/Program Analyst | 4 |
| Network Administrator (NA) | 8 |
| Physical Security Analyst | 8 |
| Physical Security Specialist | 4 |
| Program Developer/Programmer | 8 |
| Security Specialist (SecSpec) | 8 |
| System Administrator (SA) | 8 |
| System Designer | 8 |
| Systems Operations Staff | 8 |
| Technical Support Staff (Desktop) | 8 |
| Telecommunications Specialist | 8 |
| User Administrator (UA) | 8 |
| Web Developer | 8 |

IRM 10.8.2 contains a full description of each role. Note that you may not perform the full range of duties listed for each role. However, if any of the tasks listed for a role are performed, then the training is required.

If you perform tasks in multiple roles, then the role carrying the greater number of hours of required training prevails. You must complete training outside the IRS. SITS training is not available via the IRS systems or links.

Completion of SITS training must be reported by sending the certificate received from the provider upon completion of the course or workshop. The certificate must be sent to the COR of record for upload into applicable systems and CSM via fax at 855-816-9806 or as an e-mail attachment to:

NOTE: This reporting method will be changing at the beginning of the next FISMA cycle on July 1, 2016.