Red
Bike Publishing authors are continuously searching for topics of interest for
the facility security officer (FSO). Many articles have been free flow while
more have reflected how to employ the Self-Inspection
Handbook for NISP Contractors. We are
about to introduce a new limited series of articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).
Many
of the changes are simply administrative such crossed out references no longer
used, updated table of contents, or renumbered paragraphs. This series of
articles will filter and prioritize topics to be address. Topics that have
already been covered in previous articles and simple administrative changes are
filtered out and not addressed. Only major changes not otherwise written about in
previous articles will be added.
This
leads us to today’s article; changes to the Initial Security Briefings and
Refresher Training. Pasted below is the actual verbiage in its original format
and edits, taken from the Summary of Changes.
Paragraph 3-106 3-107. Initial Security Briefings.
Prior to being granted
access to classified information, an employee shall receive an initial security
briefing that
includes the following:
a. A threat awareness security briefing, including insider
threat awareness in accordance with paragraph 3-103b of this Manual.
b.
A defensive security counterintelligence awareness briefing.
c.
An
overview of the security classification
system.
d. Employee reporting obligations and requirements, including
insider threat.
e. Initial and annual refresher cybersecurity awareness training for all authorized IS users (see chapter 8, paragraph 8-101c, of this Manual).
f.
Security procedures and duties applicable
to the employee's job.
3-107 Summary:
This section is
now moved to paragraph 3-107 and changes the names of briefings and adds new
briefing and training requirements. The FSO should be prepared to conduct a gap
analysis of current practices as compared to what is now required. Once analyzed, the FSO should develop a plan
to update policies, training, memorandums, and practices to ensure compliance.
3-107 Specifics
3-107a. The threat
awareness briefing is now called the threat awareness security briefing. The
name change is noted with the additional of insider threat awareness. This information is covered in an
earlier article that you can read here. All corporate references to threat
awareness briefings should be updated to reflect the change and insider threat awareness should be developed and incorporated
into the training or provided as stand-alone training.
3-107b. The
defensive security briefing is now called the counterintelligence awareness
briefing. The name has changed, but no new training requirement is detailed
other than the administrative name change.
3-107c. No change
3-107d. This sub
paragraph adds insider threat reporting requirement as addressed in the earlier
article. Insider threat reporting is
required for the insider threat program and as a sub element to insider threat awareness.
3-107e. This is a
new sub paragraph that requires initial and annual refresher cybersecurity
awareness training for all authorized IS users (whether or not classified
systems). According to 8-101c, the cybersecurity awareness requirement is:
…all
IS authorized users will receive training on the security risks associated with
their user activities and responsibilities under the NISP. The contractor will
determine the appropriate content of the security training taking into
consideration, assigned roles and responsibilities, specific security
requirements, and the ISs to which personnel are authorized access.
The contractor can design and determine the
content. The content should include the topics of protecting access to the IS,
protecting the content of the IS, recognizing attempts to gain unauthorized
access to the IS, phishing, hacking, and other known adversary methods,
countermeasures to protect the IS, and etc.
Many
training resources address the following IS user responsibilities as described
in NISPOM Paragraph 8-103c:
Employee users with access to IS should
be trained to comply with the following requirements:
(1) Comply with the ISs security program
requirements as part of their responsibilities for the protection of ISs and
classified information.
(2) Be accountable for their actions on
an IS.
(3) Not share any authentication
mechanisms (including passwords) issued for the control of their access to an
IS.
(4) Protect authentication mechanisms at
the highest classification level and most restrictive classification category
of information to which the mechanisms permit access.
(5) Be subject to monitoring of their
activity on any classified network and the results of such monitoring could be
used against them in a criminal, security, or administrative proceeding.
Additionally, there are many resources available
for those who do not have the means to develop their own cyber security
training. The DoD has an excellent training site available for CAC and non CAC
users at https://ia.signal.army.mil/login.asp.
3-107f.
is formerly sub paragraph e and there are no new requirements.
Paragraph 3-107
3-108. Refresher
Training. The contractor
shall provide all cleared employees with some form of security education and
training at least annually. Refresher training shall reinforce the information
provided during the initial security briefing and shall keep cleared employees
informed of appropriate changes in security regulations. See
paragraph 8-103c of chapter 8 of this Manual for the requirement for IS
security refresher training. Training
methods may include group briefings, interactive videos, dissemination of
instructional materials, or other media and methods. Contractors shall maintain
records about the programs offered and employee participation in them. This
requirement may be satisfied by use of distribution lists,
facility/department-wide newsletters, or other means acceptable to the FSO.
3-108
Summary: This paragraph is renumbered to 3-108 and adds the IS Security
Refresher Training requirement to the refresher training.
3-108
Specifics: A quick look at the manual reveals 8-103c does not describe IS
Security Refresher training, but it does address user responsibilities. We feel
that paragraph 3-107e describes to initial training and should be sufficient
for refresher training. The refresher training can also consist of topics found
in 8-103c to ensure coverage of employee responsibilities while using IS. The
same resources cited earlier can be used for the cybersecurity refresher
training.
Application
As written
earlier, the FSO should perform a gap analysis of current practices vs.
required practices. Once analyzed, the FSO should develop a plan to update
policies, training, memorandums, practices and reference materials to ensure
compliance.
Administrative
Changes: This analysis should involve not only processes and procedures, but
also referencing materials. For example, if training reflects a Refresher
training requirement as Paragraph 3-107 and it is now 3-108, the reference
material should be updated. Though this article does not address the
administrative changes and paragraph realignments, the FSO should updated
policies, procedures, instructions, training, and etc that makes specific
references to the NISPOM. Where the references now differ (i.e. paragraph 3-107
is now 3-108) the referring materiel should be updated to reflect the changes.
New requirements:
Where new training, policies or procedures are required, the FSO should ensure
these are integrated into current practices. If processes and procedures are no
longer required, they should be removed.
FSOs who need assistance
can visit www.redbikepublishing.com for books such as the NISPOM and ITAR.
We also have Initial Security Briefings,
Refresher Training, Insider Threat training and more that they can purchase,
download and present to cleared employees. The presenter can read notes word
for word or edit the notes to provide a tailored briefing appropriate for their
organization.