Federal contractors have to deliver employee training in eight regulated areas: EEO and affirmative action under EO 11246, Section 503 disability accommodation, VEVRAA veteran outreach, ethics under FAR Subpart 3.10, anti-trafficking under FAR 52.222-50, cybersecurity under CMMC and NIST 800-171, sexual harassment, and whistleblower-protection awareness. Each one carries its own delivery format, recordkeeping rule, and audit trigger.
Skipping one — even by accident — can knock you off the next solicitation list and pull existing contracts into a DOL or DOJ review. Not fun.
Who Counts as a Government Contractor for Training Purposes?
The trigger is usually $10,000. That’s the floor for “contractor” status under most clauses. Above that, the rules layer on by dollar value. Affirmative action plans? Required at $50,000 if you also have 50+ employees. The big FAR ethics-program clause? Attaches at $6.5 million. Anti-trafficking certifications? $550,000 if any of the work is overseas. CMMC? Anyone in the Defense Industrial Base touching Controlled Unclassified Information, no matter how far down the sub chain.
If you sell to the government — prime, sub, or sub-sub — and you’re at any of those numbers, all of this is on you. Winning government contracts is one thing. Keeping them clean is the part that quietly eats HR’s calendar. And the lift is unfamiliar even to teams that crank out OSHA and HR work all day, which is why picking the right contractor training tools early matters.
What Equal Employment and Affirmative Action Training Is Required?
Executive Order 11246 — the OFCCP’s bread and butter — bars discrimination based on race, color, religion, sex, sexual orientation, gender identity, or national origin. It also obligates contractors to take “affirmative action” to recruit and advance protected groups. Section 503 covers people with disabilities. VEVRAA covers protected veterans. Different statutes, similar enforcement playbook.
The training piece is straightforward. Anyone who hires, fires, promotes, or sets pay needs documented training on the AAP and on equal-employment obligations. That means managers, supervisors, recruiters, and HR business partners. Most contractors run it annually. We’ve seen smaller shops try semi-annual; auditors don’t care, as long as the records exist. Coggno’s Diversity Made Simple for Government course was built for federal contractor supervisors and ticks the EO 11246 disclosure boxes.
The OFCCP audit pattern in 2024 and 2025 has shifted. Inspectors now ask for documentation first — not just whether training happened, but whether you can produce dated, signed completion records for every supervisor. We’ve watched two contractors lose contract eligibility because attendance sheets were undated. One was a multi-decade incumbent. Documentation is the whole game now.
What About Sexual Harassment Prevention?
Federal contractor status doesn’t itself create harassment-training law. But almost every contractor has employees in at least one state — New York, California, Connecticut, Illinois, Maine, Delaware, Washington — that does. Stack Title VII enforcement and EEOC guidance on top, and the practical answer is: every federal contractor delivers harassment training, and the smart ones do it nationally for consistency rather than juggling different versions per state.
Most teams cover this with the Sexual Harassment in the Workplace National course. It was updated in 2025 to fold in the EEOC enforcement guidance from April 2024. State add-ons exist for jurisdictions with extra runtime or content rules. Skip the training and an EEOC investigator will hold it against you in any settlement calculation. Federal contractors get watched harder than non-contractors, full stop.
What FAR-Driven Ethics and Code-of-Conduct Training Is Mandatory?
FAR Subpart 3.10. The threshold is $6.5 million and a contract that runs more than 120 days. If you’re past that line, you need a written code of business ethics, an internal-controls system to detect violations, and ongoing employee training. Smaller? You still have to behave ethically. You just don’t have to run the formal program.
What does the training have to cover? Anti-bribery. Gifts and gratuities. Time-and-billing accuracy. Conflicts of interest. The duty to disclose certain violations to the contracting officer or Inspector General. Annual cadence is normal, with a documented quiz and a signed acknowledgment.
Here’s where it gets tricky: if you’ve been treating ethics training like a generic HR module, the federal version is more demanding. Our piece on business ethics covers the conceptual framing, but for FAR purposes your supervisors also need a refresher on the False Claims Act and on FAR 52.203-13’s mandatory disclosure rule for credible evidence of fraud or violations. That last bit catches people off guard.
What Cybersecurity Training Do Federal Contractors Have to Provide?
Two regimes. NIST SP 800-171, baked into DFARS 252.204-7012, has been law for Defense contractors handling CUI since 2017. CMMC operationalized that into a formal assessment program, and CMMC 2.0 went live under DFARS rule 2024-22905. Solicitations are phasing it in through 2026 and 2027.
What’s required from a training standpoint? Role-based security training. Insider threat awareness. Phishing recognition. Secure handling of CUI. Incident reporting procedures. The frequency isn’t fixed by rule, but practically? Annual training plus quarterly phishing simulations is the going pattern. Coggno’s Data Privacy and Cybersecurity course handles the broad-population module. The implementation guide in CMMC compliance tools for Level 2 is the single best plain-English explainer we’ve published on what assessors actually want to see.
One quiet tip nobody tells you upfront: DCSA wants contractors to retain training rosters and phishing-simulation results for at least three years and produce them on request during an assessment. We’ve watched contractors pass every technical control and then fail the documentation review. It’s avoidable. Painful, but avoidable. The case for executive buy-in is well-made in why cybersecurity compliance training matters for businesses.
What Workplace Violence and Anti-Trafficking Training Applies?
FAR 52.222-50 — the anti-trafficking clause — kicks in when contract work is overseas, or when it’s stateside but involves foreign nationals on H-1B, H-2B, or similar programs. The training piece: brief employees on the prohibition, plus the contractor’s reporting and protection mechanisms. Onboarding plus annual refresh is the pattern.
Workplace violence isn’t a federal-contract clause on its own. But contractors with healthcare, security-services, or facilities components run into state-level rules — California’s SB 553 is the loud one — and OSHA’s general-duty enforcement. The Workplace Violence Prevention course is the standard pick when you need to satisfy both the OSHA expectation and a state mandate from one module. Our deeper guide on workplace violence prevention training covers the policy elements that have to sit alongside the e-learning. The course alone isn’t enough — you need a written program too.
What’s the OSHA and Safety Training Layer?
If your contract involves construction, manufacturing, or any field work, OSHA training sits on top of all of the above. The FAR doesn’t impose OSHA training. The OSH Act does. But federal contracting officers will absolutely check that you’ve delivered it. OSHA 10 General Industry and OSHA 30 for supervisors are the typical baseline, with construction-specific equivalents on the construction side.
Real example. A $4M engineering subcontractor on a Navy facility in Norfolk got hit with a stop-work order in 2024 because the prime couldn’t produce OSHA 10 records for two of the sub’s electricians. Eight days down. $43,000 in delay costs. The records existed — they just weren’t centralized in a way that the prime could pull on demand. That’s the lesson. Records aren’t a paperwork chore. They are the contract.
Get Your Team Trained — Without the Paperwork Headache
If you’re a federal contractor trying to assemble training across all of these mandates from scratch, three Coggno courses cover most of the bulk:
Diversity Made Simple for Government — built specifically for OFCCP and EO 11246 supervisor obligations.
Data Privacy and Cybersecurity — the broad-population module that pairs with role-based CUI training for CMMC.
Workplace Violence Prevention — covers state and federal expectations together.
Browse the full catalog at coggno.com or schedule a federal-contractor-specific walkthrough at coggno.com/book-a-demo.
Frequently Asked Questions About Government Contractor Compliance Training
How often do federal contractors have to deliver compliance training?
Annually, for most clauses. Some training is one-time at hire — anti-trafficking acknowledgments, in some setups. Some is annual: ethics, harassment, CUI awareness. Some is event-driven, after a policy update or an incident, or whenever the OFCCP asks for an AAP refresh. Build the calendar around the strictest clause that touches you, and don’t try to be clever about cadence.
Is one course enough to satisfy multiple federal contractor obligations?
Sometimes. A solid harassment course can satisfy a state mandate and serve as evidence of an EEO good-faith effort. A cybersecurity awareness course can satisfy general DFARS NIST 800-171 awareness expectations. But discrete clauses — anti-trafficking, ethics, AAP-specific supervisor training — usually need their own dedicated module. Don’t bundle everything into one generic “compliance” course unless your legal team explicitly signs off. Most won’t.
What records do federal contractors have to keep, and for how long?
OFCCP wants AAPs and supporting training records retained for at least two years if you have under 150 employees, and longer for bigger shops. DCSA and CMMC assessors want at least three years of cybersecurity training records. FAR ethics records typically run for the contract duration plus three years. Safe baseline: three years, exportable to PDF, with the contractor name, learner name, course title, vendor, and completion date all on one page.
Do small federal contractors and subcontractors really need all of this?
Mostly. At scaled-down thresholds, but yes. A second-tier sub on a Defense contract still has to follow CMMC requirements proportional to the data it touches. A small contractor under the $6.5M FAR ethics threshold doesn’t need a formal program but is still bound by anti-bribery and false-claims rules. The smaller the shop, the more important it is to use a streamlined external training source rather than build everything in-house. The cost math just doesn’t work otherwise.
What happens if an employee fails to complete required training?
Depends on the clause and the contracting officer. For ethics training, an unfinished module is usually a fixable internal-controls finding. For affirmative action and EEO training, missing records are an OFCCP audit deficiency that can trigger a conciliation agreement. For CMMC, missing role-based security training is a finding that can drop your maturity level. None of these get you terminated on the spot. But each one creates an audit paper trail that follows you to the next solicitation.
How do I prove training was delivered if my contracting officer asks?
Dated, learner-signed completion certificates with course title, vendor, and date. An exportable LMS roster. A written training plan that ties each module to the specific clause it satisfies. Auditors don’t want a stack of PDFs — they want the through-line. Our piece on compliance training audit trail documentation walks through what a clean audit binder actually looks like.
