Monday, September 21, 2020

Conducting Effective Security Training

Some security training and briefings are very discouraging for the workforce. Many times, the training is the exact same video or presentation used year after year. This podcast and article discuss ways to improve training by making it applicable based on skill level. In other words, someone who has been working on classified contracts for five years or more already understands the three levels of classified information, so why not move on?

So, if you go to my website, you might find training and tests that do ask those types of questions. That’s because many of my books and training products are specifically for security managers and include certification study guides. It’s appropriate for me to ask administrative types of questions. It’s unfair to provide that type of training to the workforce.

This topic is specifically about how to make your security training more effective for your workforce. There are two types of training that I want to clarify: required training for security professionals and required training for the workforce. These training topics should be separate and distinguished. For example, an engineer performing on classified work may not need to know security form numbers. They may need to only understand that at the end of the day, they need to use the End of Day Checklist, so why quiz them on the form number (SF 701)?

So here are three problems I see with the current security training trend:
1. Lack of training resources
Security managers are tasked with training a workforce, but without the ready resources to do so. Security managers often perform this task as an extra duty without time or resources to accomplish it. They are human resources, contracts managers, engineers, CEOs, and others, filling the position to be compliant with security clearance requirements.

What is concrete is that there are various training topics required for cleared defense contractor employees. They include:

This is a huge responsibility. 

This training is easy in the beginning stages with the first two training topics. They are the high-level training and onboarding enough to get cleared employees “authorized” and prepared for the work. This is normally presented by the FSO for newly cleared employees and covers the basics of protecting classified information, what it is and how it’s classified, how to recognize it, how to report violations, and other fundamentals.

New employees who are already experienced working on classified contracts elsewhere do not need the SF 312 briefing, but may need Initial Security Awareness training to orient them to security policies and procedures in their new work location.

2. One Size Fits All
There are many resources that busy security managers can draw upon to solve the problem of training the workforce. There are downloadable training topics available from vendors and government websites. The problem is, the training never grows up or ever requires growth from members of the cleared workforce.

Year after year, we present the same presentation or video regardless of skill level. A person who has been working for 5 years or more as a cleared employee knows the three classification levels (TOP SECRET, SECRET, CONFIDENTIAL). Yet we keep feeding them baby food and insulting their intelligence with quizzes asking them the three levels while trying to trick them with a nonexistent fourth (UNCLASSIFIED).

3. Making a nation of Security Professionals
The very resources we use to present to our cleared force come from websites targeted at security professionals. For example, the Defense Counterintelligence and Security Agency trains security professionals, and its courses are designed for that purpose. Many times, because of problem statements 1 and 2, we are forced to use these canned presentations. Here the workforce is tested on their knowledge of security forms, how to conduct security investigations, and how to challenge classification. In fact, they need to understand better that a cover sheet exists, how to recognize and report a violation, and who to talk to if something is over or under classified. The workforce does not usually take care of security administrative functions such as ordering security forms (security does), they don’t conduct investigations (security does), and they don’t contact the GCA, DCSA, ISOO, etc. (security does), so why force them to learn the intimate details?

The solution

There are a few simple ways for a security manager to improve the security training without incurring a huge resource burden.

1. Begin with the Contract Security Classification Specification or DD Form 254. 

This DD Form 254 provides direct information to complete your training so that you can perform well. Keep in mind that if you will be working on multiple contracts, you should understand the contents for each contract. The security manager may create training requirements based on the contract. The DD Form 254 addresses every security requirement for each classified contract and can be used as a roadmap for security training. In fact, almost each section is a training topic in and of itself. 

2. Incorporate workforce peers, supervisors and program managers. 

While the security manager will provide the training reflecting the National Industrial Professional Operating Manual (NISPOM), the workforce will provide more work-specific training tailored for the classified contract.

Training will reflect how to write classified documents, assemble subsystems, collect raw data from sensors, or other specific work required by your contract. They will also teach how to correctly mark, assemble, store and protect the classified work products.

The FSO and supervisors should attempt to structure security training by experience level. The training does not necessarily need to be conducted as a presentation or assembly or in a canned computer setting. The security manager and employee supervisor can work together to develop training topics that can be validated in day-to-day work activities.

Learn more about security training at

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".