Insider Threat Training Requirement for US Gov't Contractors (Deadline May 31, 2017)
SANS just alerted that US federal contractors that wish to maintain their clearances must have completed an insider threat training course by June 1, 2017. The requirement is described in the National Industrial Security Program Operating Manual (NISPOM) Change 2. The course is the second step of a new compliance requirement. The first part took effect late last year and required contractors to implement changes to protect their systems from insider threats.
The June 1 deadline focuses on individual training: all third-party vendor employees who hold a security clearance have until that day to complete their training course. The courses teach workers how to recognize types of suspicious activity, identify information likely to be targeted by cyberespionage attacks, and identify foreign collection attempts targeting U.S. critical technologies.
Specifically, the DoD Instruction 5220.22, "National Industrial Security Program" NISP Operating Manual (PDF), which was updated May 18, 2016, lists:
e. Initial and annual refresher cybersecurity awareness training for all authorized IS users (see chapter 8, paragraph 8-101c, of this Manual). Here is a short excerpt from the NISP Operating Manual:
"8-101. ISs Security Program. The contractor will maintain an ISs security program that incorporates a risk-based set of management, operational and technical controls, consistent with guidelines established by the CSA. The ISs security program must include, at a minimum, the following elements:
a. Policies and procedures that reduce information security risks to an acceptable level and address information security throughout the IS life cycle.
b. Plans for providing adequate information security for data resident in the IS or on the networks, facilities, or groups of ISs, as appropriate.
c. In addition to the training requirements outlined in paragraphs 3-107 and 3-108 of chapter 3 of this Manual, all IS authorized users will receive training on the security risks associated with their user activities and responsibilities under the NISP.
The contractor will determine the appropriate content of the security training taking into consideration assigned roles and responsibilities, specific security requirements, and the ISs to which personnel are authorized access."
If you have not stepped employees through their initial or annual cybersecurity refresher training, you need to do this ASAP. The 45-minute KnowBe4 Kevin Mitnick Security Awareness Training module qualifies for this training:
This is a high quality, 45-minute web-based interactive training using common traps, live demonstration videos, short tests and the new scenario-based Danger Zone exercise. Kevin Mitnick Security Awareness Training specializes in making sure employees understand the mechanisms of spam, phishing, spear phishing, malware, ransomware and social engineering, and are able to apply this knowledge in their day-to-day job. The training is split into 4 modules that an employee can do over time. This module is available in SIX additional language versions: French - European, French - Canadian, German, Polish, Spanish, and British English.
You Can be Up And Running In An Hour
If you need to immediately train employees to maintain their clearances, KnowBe4 can help. You can be up & running in an hour, all users uploaded and a training invitation emailed to them.
I strongly suggest you get a quote for our new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the GRU or the Chinese cyber army will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.
Let's stay safe out there.
Founder and CEO, KnowBe4, Inc