Friday, September 30, 2016
NISPOM Summary Of Changes-Training
Red Bike Publishing authors are continuously searching for topics of interest to the facility security officer (FSO). Many articles have been free-form, while more have reflected how to employ the Self-Inspection Handbook for NISP Contractors. We are about to introduce a new limited series of articles reviewing the latest SUMMARY OF CHANGES TO DoDM 5220.22, “National Industrial Security Program Operating Manual” (NISPOM).
Many of the changes are simply administrative, such as crossed-out references no longer used, an updated table of contents, or renumbered paragraphs. This series of articles will filter and prioritize the topics to be addressed. Topics that have already been covered in previous articles and simple administrative changes are filtered out and not addressed. Only major changes not otherwise written about in previous articles will be added.
This leads us to today’s article: changes to the Initial Security Briefings and Refresher Training. Pasted below is the actual verbiage in its original format and edits, taken from the Summary of Changes.
3-106 3-107. Initial Security Briefings.
Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following:
a. A threat awareness security briefing, including insider threat awareness in accordance with paragraph 3-103b of this Manual.
b. A defensive security counterintelligence awareness briefing.
c. An overview of the security classification system.
d. Employee reporting obligations and requirements, including insider threat.
e. Initial and annual refresher cybersecurity awareness training for all authorized IS users (see chapter 8, paragraph 8-101c, of this Manual).
f. Security procedures and duties applicable to the employee's job.
This section is now moved to paragraph 3-107; it changes the names of briefings and adds new briefing and training requirements. The FSO should be prepared to conduct a gap analysis of current practices as compared to what is now required. Once the analysis is complete, the FSO should develop a plan to update policies, training, memorandums, and practices to ensure compliance.
3-107a. The threat awareness briefing is now called the threat awareness security briefing. The name change comes with the addition of insider threat awareness. This information is covered in an earlier article that you can read here. All corporate references to threat awareness briefings should be updated to reflect the change, and insider threat awareness should be developed and incorporated into the training or provided as stand-alone training.
3-107b. The defensive security briefing is now called the counterintelligence awareness briefing. The name has changed, but no new training requirement is detailed; this is an administrative name change only.
3-107c. No change
3-107d. This subparagraph adds the insider threat reporting requirement addressed in the earlier article. Insider threat reporting is required for the insider threat program and is a sub-element of insider threat awareness.
3-107e. This is a new subparagraph that requires initial and annual refresher cybersecurity awareness training for all authorized IS users (whether or not they use classified systems). According to 8-101c, the cybersecurity awareness requirement is:
…all IS authorized users will receive training on the security risks associated with their user activities and responsibilities under the NISP. The contractor will determine the appropriate content of the security training taking into consideration, assigned roles and responsibilities, specific security requirements, and the ISs to which personnel are authorized access.
The contractor can design and determine the content. The content should include protecting access to the IS, protecting the content of the IS, recognizing attempts to gain unauthorized access to the IS (phishing, hacking, and other known adversary methods), countermeasures to protect the IS, etc.
Many training resources address the following IS user responsibilities as described in NISPOM Paragraph 8-103c:
Employee users with access to IS should be trained to comply with the following requirements:
(1) Comply with the ISs security program requirements as part of their responsibilities for the protection of ISs and classified information.
(2) Be accountable for their actions on an IS.
(3) Not share any authentication mechanisms (including passwords) issued for the control of their access to an IS.
(4) Protect authentication mechanisms at the highest classification level and most restrictive classification category of information to which the mechanisms permit access.
(5) Be subject to monitoring of their activity on any classified network and the results of such monitoring could be used against them in a criminal, security, or administrative proceeding.
Additionally, there are many resources available for those who do not have the means to develop their own cybersecurity training. The DoD has an excellent training site available for CAC and non-CAC users at https://ia.signal.army.mil/login.asp.
3-107f. This is formerly subparagraph e; there are no new requirements.
Paragraph 3-107 3-108. Refresher Training. The contractor shall provide all cleared employees with some form of security education and training at least annually. Refresher training shall reinforce the information provided during the initial security briefing and shall keep cleared employees informed of appropriate changes in security regulations. See paragraph 8-103c of chapter 8 of this Manual for the requirement for IS security refresher training. Training methods may include group briefings, interactive videos, dissemination of instructional materials, or other media and methods. Contractors shall maintain records about the programs offered and employee participation in them. This requirement may be satisfied by use of distribution lists, facility/department-wide newsletters, or other means acceptable to the FSO.
3-108 Summary: This paragraph is renumbered to 3-108 and adds the IS Security Refresher Training requirement to the refresher training.
3-108 Specifics: A quick look at the manual reveals that 8-103c does not describe IS security refresher training, but it does address user responsibilities. We feel that paragraph 3-107e describes initial training and should be sufficient for refresher training. The refresher training can also consist of topics found in 8-103c to ensure coverage of employee responsibilities while using an IS. The same resources cited earlier can be used for the cybersecurity refresher training.
As written earlier, the FSO should perform a gap analysis of current practices vs. required practices. Once the analysis is complete, the FSO should develop a plan to update policies, training, memorandums, practices, and reference materials to ensure compliance.
Administrative Changes: This analysis should involve not only processes and procedures, but also reference materials. For example, if training cites the refresher training requirement as Paragraph 3-107 and it is now 3-108, the reference material should be updated. Though this article does not address the administrative changes and paragraph realignments, the FSO should update policies, procedures, instructions, training, etc. that make specific references to the NISPOM. Where the references now differ (i.e. paragraph 3-107 is now 3-108), the referring material should be updated to reflect the changes.
New requirements: Where new training, policies, or procedures are required, the FSO should ensure these are integrated into current practices. If processes and procedures are no longer required, they should be removed.
FSOs who need assistance can visit www.redbikepublishing.com for books such as the NISPOM and ITAR. We also have Initial Security Briefings, Refresher Training, Insider Threat training and more that they can purchase, download and present to cleared employees. The presenter can read notes word for word or edit the notes to provide a tailored briefing appropriate for their organization.