How often must employees complete the specified training to maintain access authorization?

To maintain access authorization as per the NERC Critical Infrastructure Protection (CIP) v7 standards, employees are required to complete specified training at least once every 15 calendar months. This frequency is established to ensure that personnel remain up-to-date with the latest security practices, regulatory requirements, and changes in the operational environment that may affect critical infrastructure security.

The rationale behind this timeframe encourages regular reinforcement of knowledge and awareness, which is essential in the dynamic field of cybersecurity and critical infrastructure protection. Regular training helps mitigate risks associated with employee performance that may evolve over time, ensuring that staff is well-prepared to respond to ongoing challenges and threats.

The other options do not align with the standards, as they either suggest too infrequent training (like biennial training) or imply that training is only an initial requirement during onboarding, which would not provide the necessary ongoing education essential for maintaining effective access control related to critical infrastructure.