Training Requirement for the Computer Security Act
OFFICE OF PERSONNEL MANAGEMENT
5 CFR Part 930
RIN 3205-AD43
AGENCY: Office of Personnel Management
ACTION: Final regulation
SUMMARY: This regulation implements Public Law 100-235, the Computer
Security Act of 1987, which requires training for all employees
responsible for the management and use of Federal computer systems
that process sensitive information. Under the regulation agencies
will be responsible for identifying the employees to be trained
and providing appropriate training.
EFFECTIVE DATE: January 3, 1992.
FOR FURTHER INFORMATION CONTACT: Ms. Constance Guitian, (202)
632-9769.
SUPPLEMENTARY INFORMATION
On June 12, 1991, the Office of Personnel Management published
proposed rules on this subject (56 FR 26942). Four comments were
received. The Department of Education suggested that the regulations
apply to all computer information systems. The regulation cannot
exceed the scope of the law, which gives as its purpose (section
2(b)(4)) "to require mandatory periodic training for all persons
involved in management, use, or operation of Federal computer
systems that contain sensitive information." The law limits
training to only those systems which contain sensitive information.
A Naval Supply Center wanted the initial training for new employees
to be given within the first 180 days of appointment rather than
the first 60. In the testimony for this law, it was pointed out
that the vast majority of security breaches are caused by employee
negligence. The law states (section 5(b)) that required training
should start within 60 days of the issuance of regulations. The
same should apply to any new employees. Furthermore, the current
interim regulations have the same requirement because it is a
sound management practice to train employees early in computer
security to establish good security habits.
A Marine Corps installation informed us of their concurrence with
the regulation. A Naval Weapons Center asked where they can find
training materials. OPM has prepared some generic computer security
awareness training packages that are available from the National
Audiovisual Center. Attn: Customer Service Staff, 8700 Edgeworth
Drive, Capitol Heights, MD 20743-3701, (301) 763-1891. There
is a videocassette, a one-day course, a desk guide, an executive
briefing, and an independent study course. The National Institute
of Standards and Technology's "Computer Security Training
Guidelines," NIST Special Publication 500-172, is available
from the Superintendent of Documents, U.S. Government Printing
Office, Washington, DC 20402-9325. The GPO publication number
is 003-003-029575-1. Requests must be accompanied by a check
or money order for $2.50. It can also be ordered by phone with
a VISA or Mastercard and the telephone number is 202-783-3228.
E.O. 12291, Federal Regulation
I have determined that this is not a major rule as defined under
section 1(b) of E.O. 12291, Federal Regulation.
Regulatory Flexibility Act
I certify that this regulation will not have a significant economic
impact on a substantial number of small entities, including small
businesses, small organizational units, and small governmental
jurisdictions, because it will affect only Federal employees.
Constance Berry Newman
Director, Office of Personnel Management.
Accordingly, the Office of Personnel Management is revising 5
CFR part 930, subpart C, to read as follows:
PART 930 - PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS (MISCELLANEOUS)
Subpart C - Employees Responsible for the Management or Use
of Federal Computer Systems
Sec.
930.301 Definitions
930.302 Training requirement
930.303 Initial training
930.304 Continuing training
930.305 Refresher training
Subpart C-Employees Responsible for the Management or Use of Federal
Computer Systems
Authority: 40 U.S.C. 759 notes.
Section 930.301 Definitions.
(a) The amount and type of training different groups of employees
will receive will be distinguished by the following knowledge
levels identified in the Computer Security Training Guidelines
developed by the National Institute of Standards and Technology:
Awareness level training creates the sensitivity to the threats
and vulnerabilities and the recognition of the need to protect
data, information, and the means of processing them;
Policy level training provides the ability to understand computer
security principles so that executives can make informed policy
decisions about their computer and information security programs;
Implementation level training provides the ability to recognize
and assess the threats and vulnerabilities to automated information
resources so that the responsible managers can set security requirements
which implement agency security policies; and
Performance level training provides the employees with the
skill to design, execute, or evaluate agency computer security
procedures and practices. The objective of this training is that
employees will be able to apply security concepts while performing
the tasks that relate to their particular positions. It may require
education in basic principles and training in state-of-the-art
applications.
(b) Training audiences are groups of employees with similar training
needs. Consistent with the Computer Security Training Guidelines,
they are defined as follows:
Executives are those senior managers who are responsible for
setting agency computer security policy, assigning responsibility
for implementing the policy, determining acceptable levels of
risk, and providing the resources and support for the computer
security program.
Program and Functional Managers are those managers and supervisors
who have a program or functional responsibility (not in the area
of computer security) within the agency. They have primary responsibility
for the security of their data. This means that they designate
the sensitivity and criticality of data and processes, assess
the risks to those data, and identify security requirements to
the supporting data processing organization, physical facilities
personnel, and users of their data. Functional managers are responsible
for assuring the adequacy of all contingency plans relating to
the safety and continuing availability of their data.
Information Resources Managers (IRM), Security, and Audit
Personnel are all involved with the daily management of the agency's
information resources, including the accuracy, availability, and
safety of these resources. Each agency assigns responsibility
somewhat differently, but as a group these persons issue procedures,
guidelines, and standards to implement the agency's policy for
information security, and to monitor its effectiveness and efficiency.
They provide technical assistance to users, functional managers,
and to the data processing organization in such areas as risk
assessment and available security products and technologies.
They review and evaluate the functional and program groups' performance
in information security.
Automated Data Processing (ADP) Management Operations and
Programming Staff are all involved with the daily management and
operations of the automated data processing services. They provide
for the protection of the data in their custody and identify to
the data owners what those security measures are. The group includes
such diverse positions as computer operators, schedulers, tape
librarians, data base administrators, and systems and applications
programmers. They provide the technical expertise for implementing
security-related controls within the automated environment. They
have primary responsibility for all aspects of contingency planning.
End Users are any employees who have access to an agency computer
system that processes sensitive information. This is the largest
and most heterogeneous group of employees. It consists of everyone
from the executive who has a personal computer with sensitive
information to data entry clerks.
(c) The training guidelines developed by the National Institute
of Standards and Technology identify five subject areas. They
are:
Computer security basics is the introduction to the basic
concepts behind computer security practices and the importance
of the need to protect the information from vulnerabilities to
known threats;
Security planning and management is concerned with risk analysis,
the determination of security requirements, security training,
and internal agency organization to carry out the computer security
function;
Computer security policies and procedures looks at Governmentwide
and agency-specific security practices in the areas of physical,
personnel, software, communications, data, and administrative security;
Contingency planning covers the concepts of all aspects of
contingency planning, including emergency response plans, backup
plans and recovery plans. It identifies the roles and responsibilities
of all the players involved; and
Systems life cycle management discusses how security is addressed
during each phase of a system's life cycle (e.g., system design,
development, test and evaluation, implementation and maintenance).
It addresses procurement, certification, and accreditation.
(d) The statute defines the term "sensitive information"
as any information, the loss, misuse, or unauthorized access to
or modification of which could adversely affect the national interest
or the conduct of Federal programs, or the privacy to which individuals
are entitled under section 552a of title 5, United States Code
(the Privacy Act), but which has not been specifically authorized
under criteria established by an Executive order or an Act of
Congress to be kept secret in the interest of national defense
or foreign policy.
Section 930.302 Training requirement
The head of each agency shall identify employees responsible for
the management or use of computer systems that process sensitive
information and provide the following training (consult "Computer
Security Training Guidelines," NIST Special Publication 500-172,
for more detailed information) to each of these groups:
(a) Executives shall receive awareness training in computer
security basics, computer security policy and procedures, contingency
planning, and systems life cycle management; and policy level training
in security planning and management.
(b) Program and functional managers shall receive awareness
training in computer security basics; implementation level training
in security planning and management and computer security policy
and procedures; and performance level training in contingency
planning and systems life cycle management.
(c) IRM, security, and audit personnel shall receive awareness
training in computer security basics; and performance level training
in security planning and management, computer security policies
and procedures, contingency planning, and systems life cycle management.
(d) ADP management and operations personnel shall receive
awareness training in computer security basics; and performance
level training in security planning and management, computer security
policies and procedures, contingency planning, and systems life
cycle management.
(e) End users shall receive awareness training in computer
security basics, security planning and management, and systems
life cycle management; and performance level training in computer
security policies and procedures, and contingency planning.
Section 930.303 Initial training
The head of each agency shall provide the training outlined in
930.302 of this subpart to all such new employees within 60 days
of their appointment.
Section 930.304 Continuing training
The head of each agency shall provide training whenever there
is a significant change in the agency information security environment
or procedures or when an employee enters a new position which
deals with sensitive information.
Section 930.305 Refresher training
Computer security refresher training shall be given as frequently
as determined necessary by the agency based on the sensitivity
of the information that the employee uses or processes.