National Industrial Security - training requirement

For U.S. Defense Contractors, the National Industrial Security Program Operating Manual (NISPOM) is the bible of process, procedure and how things are accomplished for every contractor.  Additionally, every cleared employee must be provided security training.  And you the contractor or the contractor’s security representative are responsible for its creation and presentation.  Your cleared personnel are also individually responsible, as noted in Security – Who is Responsible?” each employee is both responsible and accountable for the security of their customer’s data and their own company’s data.  U.S. defense contractors have a bit of assistance in the preparation of their training in the form of  the U.S. NISPOM Chapter 1-205. Security Training and Briefings manual which states, “Contractors are responsible for advising all cleared employees, including those outside the United States, of their individual responsibility for safeguarding classified information. In this regard, contractors shall provide security training as appropriate, according to Chapter 3, to cleared employees by initial briefings, refresher briefings, and debriefings.”  In NISPOM Chapter 3-100 through 3-108  the Department of Defense goes on to discuss the specifics of the Security Training and Briefings requirement – Chapter 3 contains all the information necessary to ensure your training program meets the NISPOM Training Requirement.  Let’s discuss some of the content for an effective NISPOM training program.

Prevendra - NISPOM - Security Training

NISPOM Chapter 3

What do you have in your training deck?  The answer best be appropriate content, and lots of it.  It’s not enough anymore to buy a training kit and roll it to you population, you must adjust your training content to accomplish the goals and objectives of the Cognizant Security Agency (CSA) and your company.

Threat awareness briefing? How do you design your Threat Assessment briefing? Can your colleagues answer the questions of a CSA auditor in an appropriate manner? Perhaps more appropriately, should a hostile individual approach your colleagues who have been through your training recognize the threat if it appeared before their eyes, or in front of their person either via their network connection or in person and respond appropriately?  How do you test for comprehension?

Defensive security briefing? What is the company’s defense?  How does it align with the CSA? Will your defensive security brief prepare you for all encounters which may occur involving a person or entity with deleterious designs on your company and CSA.  And don’t forget the counterintelligence component. Regardless of your overall security budget and posture, there is no reason why an individual can’t be fully prepared with a defensive security brief, and access to ongoing dynamic education.

Classification system (Government and Company)?  Pay attention to your customer’s data classification system, and if the NISPOM applies, ensure all personnel know how and where classified information is to be stored, transported and created.  Furthermore, every company should have their own data classification system, the more complex, the less it will be used, so do keep it simple.  Many companies have been able to survive with three – Public, Company Private and Company Restricted.

Reporting Obligations and Requirements? Every individual with a security clearance is obliged to adhere to a series of reporting requirements.  These include the basic travel and fraternization with foreign nationals for US cleared personnel, all the way to the highly sophisticated nuances of a Special Access Program.

Security Procedures and Duties applicable to the employee’s job?  Does your training take into account the subtle nuances between internal locations and if dealing with multiple CSA’s to ensure the Standard Operating Procedure (SOP) is correct and applicable to all jobs, all positions and all locations?

What is your cadence?  The NISPOM requires you to have an annual security education and training program for every cleared employee.  Is once a year sufficient?  Do you refresh your content?  What is your content?  Lectures?  Video-on-Demand? Interactive self-paced training?  At Prevendra, we advocate ongoing and continuous training and refreshing, with an annual comprehensive review.  Once and done, may make you compliant with the NISPOM, but your employees won’t have the same retention as an ongoing comprehensive training regime.

All the above constitutes the bare-bones training regime to satisfy the NISPOM training requirement, with a bit of creativity and investment, a comprehensive ongoing training program can be created, which ensures your cleared employees are always be exposed to new training materials.

Here is a training film from the US Government archives, circa 1963: Cold War Espionage

At Prevendra, knowledge is shared, secrets are protected. 

——————————————

Loose Lips Can Cost Lives – Photo credit: Creative Commons License James Vaughan via Compfight