Security awareness training requirements by compliance framework

Security awareness training requirements vary by compliance framework. This is the complete map: HIPAA, PCI DSS, SOC 2, ISO 27001, GLBA, CMMC, NIST CSF, NYDFS, cyber insurance, and state safe harbor laws, including the specific topics each framework requires.

Most security awareness training conversations focus on whether the training happened. Auditors care about that, but they care just as much about what the training actually covered. A program that ran annually but skipped phishing and social engineering will fail a PCI DSS audit, a SOC 2 review, and a cyber insurance renewal, even if every employee completed every module on time.

The frameworks themselves are specific. HIPAA names four content domains. PCI DSS v4.0 made phishing and acceptable-use modules mandatory in 2025, and CMMC Level 2 requires insider threat awareness on top of general security awareness. ISO 27001:2022 split awareness from malware protection into two separate Annex A controls. None of this is well-documented in one place.

This post is the reference for security awareness training requirements across every major compliance framework. The matrix below maps training topics to specific regulatory citations across ten frameworks. If you operate a security awareness training program, whether for your own team or, if you're an MSP, for your clients, this is the curriculum requirements list.

The master matrix

Training topics across rows. Frameworks across columns. Each cell shows the regulatory citation. If a cell is blank, that framework does not explicitly require that topic, though related controls may apply.

| Training Topic | HIPAA | SOC 2 | PCI DSS v4.0 | ISO 27001:2022 | GLBA / Safeguards Rule | CMMC 2.0 | NIST CSF 2.0 | NYDFS Part 500 | Cyber Insurance | Safe Harbor (state laws) |
|---|---|---|---|---|---|---|---|---|---|---|
| Security Awareness Fundamentals | §164.308(a)(5)(i) | CC1.4 / CC2.2 | §12.6.1 | A.6.3 | 16 CFR §314.4(f) | AT.L2-3.2.1 | PR.AT-01 | §500.14(a)(3) | Underwriting requirement | Written program required |
| Phishing & Social Engineering | §164.308(a)(5)(ii)(A) | CC6.1 / CC2.2 | §12.6.3.1 | A.6.3 / A.8.7 | 16 CFR §314.4(f)(1) | AT.L2-3.2.1 | PR.AT-01 / DE.CM-08 | §500.14(a)(3) | Phishing simulation required | CIS Controls v8 Control 14.2 |
| Malware Prevention & Detection | §164.308(a)(5)(ii)(B) | CC6.8 | §12.6.3 / §5.4.1 | A.8.7 | 16 CFR §314.4(c)(3) | AT.L2-3.2.1 | PR.AT-01 / DE.CM-09 | §500.14(a)(3) | Underwriting requirement | NIST CSF PR.AT-1 / CIS Control 14 |
| Login Monitoring & Access Controls | §164.308(a)(5)(ii)(C) | CC6.1 / CC6.2 | §12.6.3 / §8.3.6 | A.8.5 / A.8.2 | 16 CFR §314.4(c)(3) | AT.L2-3.2.2 | PR.AA-01 / PR.AT-01 | §500.14(a)(3) | (related to MFA controls) | (CIS Control 5/6) |
| Password Security & Management | §164.308(a)(5)(ii)(D) | CC6.1 | §12.6.3 / §8.3.6 | A.8.5 | 16 CFR §314.4(c)(3) | AT.L2-3.2.1 | PR.AA-02 | §500.14(a)(3) | MFA documentation | CIS Controls v8 Control 5 |
| Sensitive Data Handling | §164.530(b)(1) | CC6.1 / A1.2 | §12.6.1 / §3.1 | A.5.12 / A.5.13 | 16 CFR §314.4(a) / §6801(b) | AT.L2-3.2.1 / AT.L2-3.2.2 | PR.DS-01 / PR.AT-01 | §500.14(a)(3) | Underwriting requirement | Administrative safeguard |
| Incident Reporting Procedures | §164.308(a)(6) | CC7.3 / CC7.4 | §12.6.3 / §12.10.1 | A.6.8 | 16 CFR §314.4(h) | AT.L2-3.2.1 | RS.CO-02 / PR.AT-01 | §500.14(a)(3) | Underwriting requirement | NIST CSF RS.CO-1 / CIS Control 17 |
| Mobile Device & Remote Work Security | §164.310(b) | CC6.6 / CC6.7 | §12.6.3 / §1.3.3 | A.6.7 / A.8.1 | 16 CFR §314.4(c)(5) | AT.L2-3.2.2 | PR.AA-05 / PR.AT-01 | §500.14(a)(3) | Underwriting requirement | CIS Controls v8 Control 4, 13 |
| Insider Threat Awareness | (covered under §164.308 broadly) | - | - | - | - | AT.L2-3.2.3 (Level 2) | - | - | - | - |
| BEC & Invoice Fraud Awareness | - | - | - | - | 16 CFR §314.4(f)(1) | - | - | - | Funds transfer fraud question | - |
| Physical Security Awareness | - | - | §12.6.3 / §9.1 | A.7.1 / A.7.2 | - | - | - | - | - | - |
| Change Management Awareness | - | CC8.1 | - | - | - | - | - | - | - | - |
| Governance & Security Culture | - | - | - | - | - | - | GV.RR-02 / GV.RR-04 (new in 2.0) | Board oversight required | Board reporting | - |
| PHI / Privacy Rule Training | §164.530(b)(1) | - | - | - | - | - | - | - | - | - |

Cells marked with a citation are explicit. Cells marked with a dash mean the framework does not address that topic directly. Cells with descriptive text show a requirement that does not have a single regulatory citation (such as cyber insurance underwriting questions).

Topic-by-topic explainer

Security awareness fundamentals

The baseline. Every framework in the matrix requires it. Personnel must understand basic cybersecurity concepts, the organization's security policies, and their role in the security program.

What's covered: what cybersecurity is, why it matters to the organization, what the workforce is expected to do and not do, who to contact when something goes wrong. Treat this as the foundational module that every employee takes on hire and refreshes annually.

Phishing and social engineering

The single most-required topic across all ten frameworks. PCI DSS v4.0 made phishing training explicitly mandatory under §12.6.3.1 in March 2025. Cyber insurance carriers at mid-market and above now require active phishing simulation programs, not just awareness training.

What's covered: how to recognize phishing emails, common social engineering pretexts (urgency, authority, fear), business email compromise (BEC), voice phishing (vishing), SMS phishing (smishing), and how to report a suspected phishing attempt. Required by HIPAA, SOC 2, PCI DSS, ISO 27001, GLBA, CMMC, NIST CSF, NYDFS, and every cyber insurance underwriter.

Malware prevention and detection

Required by every framework that addresses cybersecurity directly. ISO 27001:2022 split this from general awareness into its own Annex A control (A.8.7).

What's covered: how malware spreads, what to do if a user suspects their device is infected, how to handle suspicious attachments and downloads, the role of endpoint protection software, and how to report a suspected infection.

Login monitoring and access controls

This is the topic where role-based training matters most. CMMC AT.L2-3.2.2 calls out that personnel with significant security responsibilities require role-based training beyond general awareness.

What's covered: what authentication is, why MFA matters, how to recognize unauthorized access attempts on personal accounts, when to escalate suspicious account activity, and the principle of least privilege as it applies to the user's daily workflow.

Password security and management

Foundational across nearly every framework. NIST CSF 2.0 strengthened this with PR.AA-02, which names authentication management as a workforce training topic.

What's covered: password creation rules (length, complexity), reuse policies, password manager usage, MFA enrollment and recovery, and what to do if a password is suspected to be compromised. Not just policy. The workforce needs to be trained on the behaviors that follow from the policy.

Sensitive data handling

Universal across data-protection frameworks. The specifics vary by data type. HIPAA requires PHI handling, PCI DSS requires cardholder data handling, GLBA requires customer financial information handling.

What's covered: what counts as sensitive data in this organization, how to classify data, how to handle data in different storage and transmission contexts (cloud, email, physical media), what's prohibited (storing PHI on personal devices, emailing cardholder numbers, etc.), and what to do if sensitive data is exposed accidentally.

Incident reporting procedures

All ten frameworks require this. The training is less about technical detection and more about behavior: when to escalate, who to contact, and what information to capture.

What's covered: what counts as a security incident, the organization's reporting channels (typically a security email, a phone hotline, or a chat alias), the importance of reporting promptly even when uncertain, and the principle that there is no penalty for reporting in good faith.

Mobile device and remote work security

Remote work pushed this from a niche topic to a baseline. Every cyber insurance underwriter asks about remote access policies. PCI DSS §12.6.3 explicitly requires training on remote access.

What's covered: secure use of personal devices for work, VPN usage, public WiFi risks, physical device security (lock screens, theft prevention), and how to handle work-related data on a personal device.

Insider threat awareness

Required by CMMC at Level 2 (AT.L2-3.2.3) for organizations handling Controlled Unclassified Information. Not explicitly required by other frameworks, but increasingly addressed in modern programs.

What's covered: behavioral indicators of insider threat (changes in work patterns, attempts to access data outside the user's role, requests for credentials), the principle that reporting is not betrayal but protection, and the organization's reporting channels for insider threat concerns.

BEC and invoice fraud awareness

Required by GLBA §314.4(f)(1) (training on social engineering), and called out as a top underwriting question by cyber insurance carriers because BEC is the most common claim type.

What's covered: how BEC schemes work, the typical pretexts (executive impersonation, vendor impersonation, payroll fraud), the importance of out-of-band verification for any payment or wire instruction change, and the organization's escalation procedure for suspicious payment requests.

Physical security awareness

Required by PCI DSS §9.1 (physical access to cardholder data) and ISO 27001 A.7.1 (physical security perimeters). Less universally required than the cybersecurity topics but still a real audit area.

What's covered: tailgating prevention, clean desk policies, visitor management, secure handling of physical media (printed PHI, hardware containing cardholder data), and the workforce's role in physical access challenges.

Change management awareness

Required by SOC 2 CC8.1. The training audience is narrower: typically engineering, operations, and IT staff who participate in production change management.

What's covered: the organization's change management process, why changes need approval and documentation, the security implications of unauthorized changes, and the role of every team member in maintaining the integrity of the production environment.

Governance and security culture

New as an explicit training topic in NIST CSF 2.0 (GV.RR-02 and GV.RR-04), released February 2024. Also addressed by NYDFS Part 500 board oversight requirements and increasingly by cyber insurance carriers asking about board-level reporting.

What's covered: how cybersecurity decisions get made in the organization, who has accountability for what, how the workforce contributes to a positive security culture, and the role of leadership in modeling secure behavior.

Framework-specific notes

A few quirks worth highlighting that don't fit neatly in the matrix.

HIPAA: HITECH §13412 and the willful neglect determination

Documented security awareness training contributes to the "reasonable diligence" standard under the HITECH Act §13412. OCR's penalty tier structure considers willful neglect as the most severe category, and ongoing documented training is one of the factors OCR weighs when determining whether a covered entity exercised reasonable diligence. A program that runs continuously and produces audit-ready evidence reduces exposure to the highest penalty tiers if a breach is later investigated. Most organizations are aware of HIPAA's training requirements but not aware that the documentation itself is a meaningful penalty-reduction factor.

PCI DSS §12.6.2: written employee acknowledgment

PCI DSS is the only major framework that requires a written sign-off from each employee confirming they have read and understood the security policies. This creates a documentation requirement (per-employee acknowledgment) that other frameworks do not. For organizations subject to multiple frameworks, the PCI DSS acknowledgment requirement is typically the binding constraint, and the documentation that satisfies it tends to satisfy the others.

CMMC AT.L2-3.2.3: insider threat at Level 2

The insider threat awareness training requirement applies at CMMC Level 2 (AT.L2-3.2.3), not just at Level 3. Any contractor handling Controlled Unclassified Information must include insider threat content as a distinct training topic. AT.L2-3.2.1 covers general security awareness and AT.L2-3.2.2 covers role-based training, and AT.L2-3.2.3 sits alongside both as a separate, named requirement. CMMC contractors who built their training program assuming insider threat applied only at Level 3 should review their curriculum.

NIST CSF 2.0: the new Govern function

The Govern function is new in NIST CSF 2.0, released February 2024. GV.RR-02 requires roles, responsibilities, and authorities to be "established, communicated, understood, and enforced," and GV.RR-04 requires cybersecurity to be included in human resources practices. Together these make documented role-and-responsibility communication an explicit training topic. Organizations using NIST CSF as their baseline framework should review whether their current curriculum addresses both subcategories.

Texas SB 2610: tiered safe harbor effective September 2025

Texas's Cybersecurity Safe Harbor law (signed June 2025, effective September 1, 2025) uses employee count to determine which framework applies:

  • Under 20 employees: basic awareness training

  • 20 to 99 employees: CIS Controls Implementation Group 1

  • 100 to 249 employees: a full framework like NIST CSF, NIST 800-171, ISO 27001, or FedRAMP

Organizations with 250 or more employees do not qualify for safe harbor protection at all. Organizations already in compliance with HIPAA, GLBA, or PCI DSS qualify under those frameworks. Texas is the most prescriptive of the state safe harbor laws, and the model other states are likely to follow.

2023 FTC Safeguards Rule (GLBA) scope expansion

The 2023 amendments brought tax preparers, auto dealers, mortgage brokers, accounting firms, and CPA firms under GLBA for the first time. Many of these organizations are encountering security awareness training documentation requirements for the first time as a result. For these newly covered entities, the immediate priority is establishing a documented security awareness training program that addresses the 16 CFR §314.4(f)(1) social engineering training requirement.

Cyber insurance underwriting since the 2021 to 2023 market shift

Underwriting tightened across 2021 to 2023. Annual training is now the floor, not the ceiling. Most carriers at mid-market and above require active phishing simulation programs and content covering current threat vectors (BEC, AI phishing, smishing). Expect this to be on every cyber insurance renewal questionnaire.

How Kinds maps to these requirements

Kinds's workshop library covers every cybersecurity topic in the matrix above. Each workshop carries compliance-framework metadata at the workshop level. The Phishing and Social Engineering workshop, for example, is tagged with HIPAA §164.308(a)(5)(ii)(A), PCI DSS §12.6.3.1, GLBA §314.4(f)(1), ISO 27001 A.6.3 / A.8.7, CMMC AT.L2-3.2.1, NIST CSF PR.AT-01 / DE.CM-08, SOC 2 CC6.1 / CC2.2, and the relevant cyber insurance underwriting questions. When a Kinds admin generates a compliance PDF report scoped to HIPAA, the report shows which workshops covered which §164.308 sub-requirements. No manual mapping. No spreadsheet reconciliation.

Frequently asked questions

Does HIPAA require security awareness training?

Yes. HIPAA Security Rule §164.308(a)(5)(i) requires covered entities and business associates to implement a security awareness and training program for all workforce members, including management. The rule names four implementation specifications that the training must address: security reminders, malicious software protection, log-in monitoring, and password management.

What are the HIPAA training requirements for new hires?

HIPAA does not specify a fixed deadline for new-hire training, but training must occur "within a reasonable period" of hire and before the employee accesses Protected Health Information. Most organizations train new hires during onboarding, before access to systems containing PHI is granted. Documentation of the initial training date is required for audit response.

Is PCI DSS security awareness training required to be completed annually?

Yes. PCI DSS §12.6.1 requires security awareness training upon hire and at least annually thereafter. PCI DSS v4.0 (mandatory March 2025) added explicit requirements for phishing and social engineering training under §12.6.3.1 and §12.6.3.2. Each employee must also provide a written acknowledgment that they have read and understood the security policies, per §12.6.2.

What does SOC 2 require for security awareness training?

SOC 2's Trust Services Criteria address training under CC1.4 (the entity demonstrates a commitment to attract, develop, and retain competent individuals) and CC2.2 (the entity internally communicates information to support the functioning of internal control). Auditors expect documented evidence of awareness training programs, completion records, and acknowledgment of policies. Type II audits assess whether the training operated effectively across the audit period.

What CMMC level requires insider threat awareness training?

Insider threat awareness training is required at CMMC Level 2 (AT.L2-3.2.3), not Level 3. Any contractor handling Controlled Unclassified Information must include insider threat content as a distinct training topic alongside general security awareness (AT.L2-3.2.1) and role-based training (AT.L2-3.2.2).

Does cyber insurance require phishing simulation?

Most cyber insurance carriers at mid-market and above now require active phishing simulation programs, not just static awareness training. This shift accelerated during the 2021 to 2023 market hardening. Cyber insurance renewal questionnaires typically ask about both annual security awareness training and ongoing phishing simulation as separate underwriting questions.

What security awareness training is required by state law?

Several states have passed cybersecurity safe harbor laws that incentivize documented training: Ohio (2018), Utah (2021), Connecticut (2021), Iowa (2023), and Texas SB 2610 (effective September 2025). Texas is the most prescriptive and uses employee count to determine which framework applies. Additional states have proposed legislation.

What's the difference between security awareness training and role-based training?

Security awareness training is the baseline content every employee receives, covering general topics like phishing, password security, and incident reporting. Role-based training is tailored to specific job functions, covering topics relevant to that role's security responsibilities (such as developers receiving secure coding training or finance staff receiving BEC training). Most major frameworks require both. CMMC explicitly separates them into AT.L2-3.2.1 and AT.L2-3.2.2.

This post describes general patterns in security awareness training requirements across major compliance frameworks. It is not legal or compliance advice. Confirm specific obligations with your compliance advisor, assessor, broker, or relevant regulator. Citations reflect framework versions current as of April 2026. Review the original framework documentation for the most current requirements.

Always automated.
Nothing to manage.

Leave Training & Simulated Phishing to us.

© 2026 Kinds Security Inc. All rights reserved.