In December of 2020, HUD published new guidance for security training entitled TRACS External Users Access and Security Training Requirements.
Of note, HUD clarifies that TRACS coordinators and users who have not already completed the Cyber Awareness Challenge within the last year must complete the Cyber Awareness Challenge within 30 days of signing the TRACS ROB.
See Page 3. “Current user(s) or coordinator(s) must complete Security Awareness Training annually. If the Cyber Awareness Challenge has not been completed within the last 12 months, it must be completed within 30 days of accepting the TRACS ROB.”
We have heard from many owner/agents that MOR Reviewers have been issuing MOR findings when the Cyber Awareness Challenge was completed more than 30 days from the date the TRACS ROB was generated and signed even if the Cyber Awareness Challenge was completed within the last year.
HUD's guidance makes it clear that the requirement is to complete the required Security Training either 1) within 12 months before accepting the TRACS ROB or, if the Security Training was not completed in the twelve months before accepting the TRACS ROB, then 2) within 30 days of accepting the TRACS ROB.
The Rules for the EIV Rules of Behavior (ROB) are not the same as the rules for the TRACS Rules of Behavior. For EIV, there are three ways to complete the EIV Rules of Behavior.
EIV Coordinators, EIV Users and people with access to tenant files that contain EIV reports must complete the required Security Training (Cyber Awareness Challenge) annually.