Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor

An XCCDF Rule

Description

<VulnDiscussion>Failure to provide security training to ALL employees results in a weak security program and could lead to the loss or compromise of classified or sensitive information. REFERENCES: DoD 5220.22-M (NISPOM), February 2006, Incorporating Change 2, May 18, 2016 Chapter 1, para 1-206 and Chapter 3. NIST Special Publication 800-53 (SP 800-53) Controls: AT-1, AT-2, AT-3 and AT-4 DoD Manual 5200.01, Volume 1, 24 February 2012, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification Encl 2, para 7.c., 7.d., 7.g., 9.f.; Encl 3, para 5.f.; Encl 4 para 10.c.; Encl 5, para 3.b. CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), 9 February 2011 Encl A, para 11; Encl B, para 4.h., 4.i., 6.m.; Encl C para 5., 7.f., 21.h.(2), 27e.(8)(d) and 31.b. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information Enclosure 5</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-245872r822940_rule
Severity: Medium
Updated: 9 months ago

1. Ensure initial and recurring (annual minimum) information security training is provided to each employee. 

2. Ensure the following training topics are covered at a MINIMUM:   

a. Classified Handling (physical (storage) security, transportation/transmission & marking of documents, equipment and media)
b. Communications Securityc. Computer (AKA: cybersecurity) Security requirements
d. Counter-intelligence briefings
e. Penalties for engaging in espionage activities
f. Courier briefing (if applicable)
g. Reporting of derogatory information
h. Reporting of Security Incidents
i. Security of Laptop computers when traveling
j. Special access programs, NATO, COSMIC TS, etc. (as applicable)
k. Use of personal computers for conducting official business                                     
l. Concerns identified during Component self-inspections
m. Procedures to be followed when using classified removable data storage media.
n. Procedures to be followed if an individual believes an unauthorized disclosure of classified data has occurred on an information system or network (typically called a "data spill").           
o. Ensure 100% of initial training and termination briefings are accomplished and at least 95% of employees have annual training. While 100% annual training is the goal, things like extended employee TDY or leave make this difficult to achieve.

All training accomplished must be documented. Anything less will be a finding.

Security Training - Information Security (INFOSEC) for ALL Employees; Military, Government Civilian and Contractor

Description

Remediation - Manual Procedure