How are you making sure that "personnel are adequately trained to carry out their assigned information security related duties, roles, and responsibilities"?
I've gone through 800-181 NICE Framework and the Workforce Framework for Cybersecurity (NICE Framework) | NICCS, along with the DoD's DoD 8140 spreadsheet. And we're not mature enough to follow these. We got a lot of people just winging it and only 2 or 3 out of 20 that are actually qualified by the DoD 8140 standard.
Also, the OSC has not allocated funds to train current staff or outsource any security-related duties to a service provider.