This publication provides guidance for federal agencies and organizations to develop and manage a lifecycle approach to building a cybersecurity and privacy learning program (hereafter referred to as CPLP). The approach is intended to address the needs of large and small organizations as well as those building an entirely new program. The information leverages broadly accepted standards, regulations, legislation, and best practices. The recommendations are customizable and may be implemented as part of an organization-wide process that manages awareness, training, and education programs for a diverse set of employee audiences. The guidance also includes suggested metrics and evaluation methods in order that the program be regularly improved and updated as needs will evolve.