Training Requirement for the Computer Security Act
OFFICE OF PERSONNEL MANAGEMENT
5 CFR Part 930
AGENCY: Office of Personnel Management
ACTION: Final regulation
SUMMARY: This regulation implements Public Law 100-235, the Computer
Security Act of 1987, which requires training for all employees
responsible for the management and use of Federal computer systems
that process sensitive information. Under the regulation agencies
will be responsible for identifying the employees to be trained
and providing appropriate training.
EFFECTIVE DATE: January 3, 1992.
FOR FURTHER INFORMATION CONTACT: Ms. Constance Guitian, (202)
On June 12, 1991, the Office of Personnel Management published
proposed rules on this subject (56 FR 26942). Four comments were
received. The Department of Education suggested that the regulations
apply to all computer information systems. The regulation cannot
exceed the scope of the law which gives as its purpose (section
2(b)(4) "to require mandatory periodic training for all persons
involved in management, use, or operation of Federal computer
systems that contain sensitive information." The law limits
training to only those systems which contain sensitive information.
A Naval Supply Center wanted the initial training for new employees
to be given within the first 180 days of appointment rather than
the first 60. In the testimony for this law, it was pointed out
that the vast majority of security breaches are caused by employee
negligence . The law states (section 5(b)) that required training
should start within 60 days of the issuance of regulations. The
same should apply to any new employees. Furthermore, the current
interim regulations have the same requirement because it is a
sound management practice to training employees early in computer
security to establish good security habits.
A Marine Corps installation informed us of their concurrence with
the regulation. A Naval Weapons Center asked where they can find
training materials. OPM has prepared some generic computer security
awareness training packages that are available from the National
Audiovisual Center. Attn: Customer Service Staff, 8700 Edgeworth
Drive, Capitol Heights, MD 20743-3701, (301) 763-1891. There
is a videocassette, a one-day course a desk guide, an executive
briefing, and an independent study course. The National Institutes
of Standards and Technology's "Computer Security Training
Guidelines" NIST Special Publication 500-172is available
from the Superintendent of Documents, U.S. Government Printing
Office, Washington, DC 20402-9325. The GPO publication number
is 003-003-029575-1. Requests must be accompanied by a check
or money order for $2.50. It can also be ordered by phone with
a VISA or Mastercard and the telephone number is 202-783-3228.
E.O. 12291, Federal Regulation
I have determined that this is not a major rule as defined under
section 1(b) of E.O. 12291, Federal Regulation.
Regulatory Flexibility Act
I certify that this regulation will not have a significant economic
impact on a substantial number of small entities, including small
businesses, small organizational units, and small governmental
jurisdictions, because it will affect only Federal employees.
|Constance Berry Newman
|Director, Office of Personnel Management.
Accordingly, the Office of Personnel Management is revising 5
CFR part 930, subpart C. to read as follows:
PROGRAMS FOR SPECIFIC POSITIONS
PART 930 - PROGRAMS FOR SPECIFIC POSITIONSAND EXAMINATIONS (MISCELLANEOUS)
|Subpart C-Employees Responsible for the Management or Use
of Federal Computer Systems Sec.
|930.302 Training requirement
|930.303 Initial training
|930.304 Continuing training
|930.305 Refresher training.
Subpart C-Employees Responsible for the Management or Use of Federal
Authority: 40 U.S.C. 759 notes.
Section 930.301 Definitions.
|(a) The amount and type of training different groups of employees
will receive will be distinguished by the following knowledge
levels identified in the Computer Security Training Guidelines
developed by the National Institute of Standards and Technology:
|Awareness level training creates the sensitivity to the threats
and vulnerabilities and the recognition of the need to protect
data, information, and the means of processing them;
|Policy level training provides the ability to understand computer
security principles so that executives can make informed policy
decisions about their computer and information security programs;
|Implementation level training provides the ability to recognize
and assess the threats and vulnerabilities to automated information
resources so that the responsible managers can set security requirements
which implement agency security policies; and
|Performance level training provides the employees with the
skill to design, execute, or evaluate agency computer security
procedures and practices. The objective of this training is that
employees will be able to apply security concepts while performing
the tasks that relate to their particular positions. It may require
education in basic principles and training in state-of-the-art
|Training audiences are groups of employees with similar training
needs. Consistent with the Computer Security Training Guidelines,
they are defined as follows:
|Executives are those senior managers who are responsible for
setting agency computer security policy, assigning responsibility
for implementing the policy, determining acceptable levels of
risk, and providing the resources and support for the computer
|Program and Functional Managers are those managers and supervisors
who have a program or functional responsibility (not in the area
of computer security) within the agency. They have primary responsibility
for the security of their data. This means that they designate
the sensitivity and criticality of data and processes, assess
the risks to those data, and identify security requirements to
the supporting data processing organization, physical facilities
personnel, and users of their data. Functional managers are responsible
for assuring the adequacy of all contingency plans relating to
the safety and continuing availability of their data.
|Information Resources Managers (IRM), Security, and Audit
Personnelare all involved with the daily management of the agency's
information resources, including the accuracy, availability, and
safety of these resources. Each agency assigns responsibility
somewhat differently, but as a group these persons issue procedures,
guidelines, and standards to implement the agency's policy for
information security, and to monitor its effectiveness and efficiency.
They provide technical assistance to users, functional managers,
and to the data processing organization in such areas as risk
assessment and available security products and technologies.
They review and evaluate the functional and program groups' performance
in information security.
|Automated Data Processing (ADP) Management Operations and
Programming Staff are all involved with the daily management and
operations of the automated data processing services. They provide
for the protection of the data in their custody and identify to
the data owners what those security measures are. The group includes
such diverse positions as computer operators, schedulers, tape
librarians, data base administrators, and systems and applications
programmers. They provide the technical expertise for implementing
security-related controls within the automated environment. They
have primary responsibility for all aspects of contingency planning.
|End Users are any employees who have access to an agency computer
system that processes sensitive information. This is the largest
and most heterogenous group of employees. It consists of everyone
from the executive who has a personal computer with sensitive
information to data entry clerks.
|(c) The training guidelines developed by the National Institute
of Standards and Technology identify five subject areas. they
|Computer security basics is the introduction to the basic
concepts behind computer security practices and the importance
of the need to protect the information from vulnerabilities to
|Security planning and management is concerned with risk analysis,
the determination of security requirements, security training,
and internal agency organization to carry out the computer security
|Computer security policies and procedures looks at Governmentwide
and agency-specific security practices in the areas of physical,
personnel software, communications, data, and administrative security;
|Contingency planning covers the concepts of all aspects of
contingency planning, including emergency response plans, backup
plans and recovery plans. It identifies the roles and responsibilities
of all the players involved; and
|Systems life cycle management discusses how security is addressed
during each phase of a system's life cycle (e.g. system design,
development, test and evaluation, implementation and maintenance).
It addresses procurement, certification, and accreditation.
|(d) The statute defines the term "sensitive information"
as any information, the loss, misuse, or unauthorized access to
or modification of which could adversely affect the national interest
or the conduct of Federal programs, or the privacy to which individuals
are entitled under section 552a of title 5. United States Code
(the Privacy Act), but which has not been specifically authorized
under criteria established by an Executive order or an Act of
Congress to be kept secret in the interest of national defense
or foreign policy.
Section 930.302 Training requirement
The head of each agency shall identify employees responsible for
the management or use of computer systems that process sensitive
information and provide the following training (consult "Computer
Security Training Guidelines." NIST Special Publication 500-172
for more detailed information) to each of these groups:
|(a) Executives shall receive awareness training in computer
security basics, computer security policy and procedures, contingency
planning, and systems life cycle management and policy level training
in security planning and management.
|(b) Program and functional managers shall receive awareness
training in computer security basics; implementation level training
in security planning and management and computer security policy
and procedures; and performance level training in contingency
planning and systems life cycle management.
|(c) IRM, security, and audit personnel shall receive awareness
training in computer security basics; and performance level training
in security planning and management computer security policies
and procedures, contingency planning, and systems life cycle management.
|(d) ADP management and operations personnel shall receive
awareness training in computer security basics; and performance
level training in security planning and management, computer security
policies and procedures; contingency planning, and systems life
|(e) End users shall receive awareness training in computer
security basics; security planning and management; and systems
life cycle management; and performance level training in computer
security policies and procedures, and contingency planning.
Section 930.303 Initial training
The head of each agency shall provide the training outlined in
930.302 of this subpart to all such new employees within 60 days
of their appointment.
Section 930.304 Continuing training
The head of each agency shall provide training whenever there
is a significant change in the agency information securityenvironment
or procedures or when an employee enters a new position which
deals with sensitive information.
Section 930.305 Refresher training
Computer security refresher training shall be given as frequently
as determined necessary by the agency based on the sensitivity
of the information that the employee uses or processes.