Pentagon eases rules on frequent cybersecurity training needs

Training rules relaxed

The Pentagon recently issued a memo directing senior leadership to relax the mandatory frequency of certain cybersecurity training requirements. This change comes from Defense Secretary Pete Hegseth.

The goal is to reduce training that isn’t directly tied to mission-critical or warfighting duties. Multiple training topics will see less frequent enforcement or be consolidated.

The new policy is part of a larger effort to streamline administrative burdens. Some view it as freeing up time for other priorities.

Pentagon issues new directive

On September 30, 2025, Secretary Pete Hegseth sent a directive to military departments and field activity directors to modify training mandates. The memo directs the Pentagon’s Chief Information Officer to lead coordination on these changes.

Training topics like Cybersecurity, Controlled Unclassified Information (CUI), and records management are specifically targeted. Some topics may be eliminated or reduced in frequency. Others will be delivered more flexibly. Implementing agencies are asked to act expeditiously.

Memo from Secretary Hegseth

Hegseth’s memo emphasizes that training should support the core mission of the Department, “fighting and winning our Nation’s wars.” Training not directly tied to warfighting may be reduced, consolidated, or eliminated.

“Mandatory Department training will be directly linked to warfighting or otherwise be consolidated, reduced in frequency, or eliminated,” the memo states.

It also wants roles to be considered: training should align with what individuals actually do. The directive reflects a shift in priorities toward mission readiness over administrative training volume.

Reducing cybersecurity training frequency

Cybersecurity training, which had previously been required regularly, will now be required less frequently in many cases. In particular, “Cybersecurity Awareness” and other recurring training may be spaced out or reduced.

This is meant to reduce the cumulative time service members spend on training. The intent is not to eliminate all training but to make it more efficient.

Some classes may be merged or combined with other topics. The expectation is that quality stays high, even if frequency drops. Experts warn, though, that reducing frequency could increase risk.

Training tied to warfighting

The memo makes it clear that only training directly beneficial to warfighting or operational readiness will remain mandatory in many cases. Non-warfighting topics may see reduced frequency or be made optional.

This suggests personnel in combat or high-readiness roles are more likely to retain stricter training obligations, while those in support or lower-risk roles may see reductions or relief in certain mandates.

The policy aims to ensure the training burden doesn’t detract from operational capacities. It aligns training priorities with mission impact. Some training topics may be judged less essential under this new framework.

Controlled Unclassified Information training relaxed

The Pentagon is easing the mandatory frequency of Controlled Unclassified Information (CUI) training, which many personnel must take to handle or process this type of information. Under the new directive, CUI training won’t be required as often.

The goal is to maintain compliance but reduce redundancy. People who rarely work with CUI may get fewer refreshers. The shift aims to focus more frequent training where it matters most. Oversight will likely continue, though perhaps less rigorously.

Removing Privacy Act training

The memo directs that Privacy Act training be removed from the Common Military Training (CMT) list, unless individual roles explicitly require it. This means individuals won’t need to take it on the Former timeline unless their role explicitly requires it.

The idea is that some privacy training is redundant or less relevant for many roles. This removal helps lighten the training load. Some concerned parties believe that privacy awareness may degrade as a result. However, for high-risk roles, privacy training may still be retained.

Eliminating refresher trainings soon

Refresher training on topics like ‘Combating Trafficking in Persons’ may be phased out once appropriate legislation or policy changes are in place. Instead of fixed-interval recurrences, such content might be delivered as needed or incorporated into larger, integrated training modules.

The plan also calls for consolidating topics to avoid repetition. Eliminating standard refresher obligations could save time for personnel. Some believe this streamlining helps efficiency. Critics warn it might lead to knowledge gaps if not carefully monitored.

Consolidated Common Military Training topics

The memo directs that Common Military Training (CMT) topics should be consolidated where appropriate. Instead of many small trainings spread across time, overlapping or less critical topics may be merged.

This aims to reduce redundancy and training fatigue among service members. Consolidation could also streamline administration and tracking.

The goal is to deliver training in a more streamlined, coherent way. It may also free up time for deeper, more mission-relevant training. However, maintaining clarity in what’s required will be essential.

Flexible delivery of training

The Pentagon is pushing for flexibility in how training is delivered. That could mean online modules, role-based content, or automated systems rather than all in-person or standard classroom sessions. Automation of information management systems may eliminate some training requirements.

For many roles, only targeted training will be required. The idea is to lessen disruption while still preserving essential skills and knowledge. This flexibility could help reach people in remote or operational roles more effectively.

Role-specific training emphasized

Rather than a one-size-fits-all approach, training requirements will more sharply depend on what each service member’s role actually demands. Those in cyber, intelligence, or roles handling sensitive information will likely still have stricter, more frequent requirements.

Others may only need baseline cybersecurity hygiene or occasional refreshers. This role-tailoring is intended to make training more relevant and reduce wasted effort. It can also reduce frustration when people feel training is irrelevant to their daily tasks.

Automating information management tasks

Part of the new policy is automating tasks where possible to reduce the manual training burden. For example, information management systems could handle certain compliance tracking and audits automatically.

Automated notifications, self-assessment tools, or systems embedded in workflows may replace some generic training. This could help maintain accountability with less overhead. It’s also seen as a cost-saver. But automation must be implemented carefully to avoid gaps or failures.

Core mission over admin burden

Secretary Hegseth has framed these changes as part of a push to focus more on warfighting readiness and less on administrative burdens.

The memo states that training not directly advancing the combat mission should be consolidated, reduced in frequency, or potentially removed.

Critics say some administrative trainings play key roles (like spotting phishing) and may not always seem “mission-critical” but still matter. The debate is about where to draw the line.

Expert concerns about risks

Experts have expressed concern that scaling back training could weaken cybersecurity posture. Nations like China, Russia, and North Korea are increasingly using cyber threats, which often exploit human error.

Reducing training frequency or eliminating refresher courses may leave personnel less prepared. Some believe that baseline training and awareness are still essential for all service members.

Without updated training, threats like phishing or supply chain attacks could become more likely. There’s a risk if the changes aren’t balanced with effective oversight.

Implementation timeline and scope

The directive is to be implemented “expeditiously,” according to the memo. However, specifics about how quickly changes will roll out vary by department. It’s unclear how soon some training topics will see reductions or eliminations.

Commanders are expected to coordinate with the CIO’s office. Some training (like CUI, Privacy Act, and CMT) will change sooner than others. The scope includes active duty, field activity, and other DoD agencies. Tracking the implementation will be important to see the real effects.

Does your business have the right tools to stop cyberattacks? Explore 19 cybersecurity tools every business should have.

What this means moving forward

hese changes might reframe cybersecurity training for military personnel, from a recurring administrative burden to a mission-aligned obligation. For some, this could mean more time for other duties. For cybersecurity professionals, it raises concerns about readiness and risk exposure.

There may be calls for new baseline standards or external oversight. Contractors and allied partners will be watching closely. The policy could set a precedent for other agencies or nations. Only time will tell if the change improves efficiency without compromising security.

Will startups rethink AI ambitions after this warning? Explore why OpenAI’s chairman says training your own AI could burn your capital.

Do you think cutting back on frequent cybersecurity training weakens national security or lets the military focus better on core missions? Share your thoughts.

Read More From This Brand:

• The Pentagon just inked a $200M AI deal with OpenAI
• Microsoft confirms it will no longer involve Chinese engineers in Pentagon projects
• Microsoft faces scrutiny over alleged Chinese engineers handling DOD systems

Don’t forget to follow us for more exclusive content right here on MSN.

If you like this story, you’ll LOVE our Free email newsletter. Join today and be the first to receive stories like these.

This slideshow was made with AI assistance and human editing.