Office of the Chief Information Security Officer

IT Security Procedural Guide:

Security Awareness and Role Based

Training Program

CIO-IT Security-05-29

Revision 5

October 25, 2016


CIO-IT Security-05-29 Security Awareness and Role Based Training Program

U.S. General Services Administration

VERSION HISTORY/CHANGE RECORDS

(Columns: Change Number; Person Posting Change; Change; Reason for Change; Page Number of Change)

Revision 4 – November 11, 2015

Change 1 – Graham/Sitcharing
Change: Changes throughout the document to correspond with revisions made to CIO-IT-Security-06-30 and CIO P2100.1.
Reason for change: Updated to reflect correlation of the CIO-IT Security Guide and CIO P2100.1.
Page number of change: Throughout

Change 2 – Heard/Mott/Searcy/Sitcharing
Change: Inclusion of OCISO program common controls and privacy information.
Reason for change: To ensure consistency with current agency policies and guidelines/800-53 Rev4.
Page number of change: Throughout

Revision 5 – October 20, 2016

Change 1 – Pierce/Wilson/Desai
Change: Updated the guide’s formatting and structure, updated the guide name, updated the role based training section, updated the role based course mapping section, and modified the annual training hours requirements.
Reason for change: Updated guide to better reflect current Federal and GSA requirements.
Page number of change: Multiple


Approval

IT Security Procedural Guide: Security Awareness and Role Based Training Program, CIO-IT Security-05-29, Revision 5 is hereby approved for distribution.


Kurt Garbars

GSA Chief Information Security Officer

Signed by: KURT GARBARS

Contact: GSA Office of the Chief Information Security Officer (OCISO), Policy and Compliance Division, at [email protected].


Table of Contents

1 Introduction .... 1
1.1 Purpose .... 1
1.2 Scope .... 1
1.3 Policy .... 1
1.4 References .... 3
2 Roles and Responsibilities .... 3
2.1 GSA Chief Information Officer (CIO) .... 4
2.2 GSA Administrator .... 4
2.3 GSA Chief Information Security Officer (CISO) .... 4
2.4 GSA Senior Agency Official for Privacy (SAOP) .... 4
2.5 Office of CISO Division Directors .... 4
2.6 Information Systems Security Manager (ISSM) .... 5
2.7 Information Systems Security Officer (ISSO) .... 5
2.8 System Owners .... 5
2.9 Data Owners .... 5
2.10 Contracting Officers (CO)/Contracting Officer’s Representative (COR) .... 5
2.11 Authorized Users of IT Resources .... 6
2.12 Supervisors .... 6
3 User Training .... 6
3.1 New User Training .... 6
3.1.1 Agency Personnel .... 6
3.2 Annual Security Awareness Training .... 7
3.2.1 Annual Security Awareness Training Notification .... 7
3.2.2 Agency Employees and Contractor/Vendor Personnel with GSA Accounts .... 7
3.2.3 Contractor/Vendor Personnel without GSA Accounts .... 8
3.3 New User and Annual Security Awareness Training Tracking .... 8
4 Accessing New User & Annual Training (via OLU) .... 9
4.1 Disabled Accounts Due to Non-Compliant Training .... 9
5 Role Based Security Training .... 9
5.1 Individuals with Significant Security Responsibilities .... 10
5.1.1 Executives .... 10
5.1.2 Information Systems Security Managers (ISSM), Information Systems Security Officers (ISSO) and Regional Information System Security Officers (RISSO) .... 10
5.1.3 Privileged Account User / Short Name Accounts (SNA) .... 10
5.2 Monthly Information Security Town Hall Training .... 10
5.3 Role Based Course Map (IT Security Courses on GSA OLU) .... 12
6 NIST Controls .... 14
6.1 AT-1: Security Awareness and Training Policy and Procedures .... 14
6.2 AT-2: Security Awareness Training .... 15
6.3 AT-3: Role Based Security Training .... 15
6.4 AT-4: Security Training Records .... 16


APPENDIX A: ACRONYMS .................................................................................................... 17

APPENDIX B: GLOSSARY OF TERMS ...................................................................................... 18


1 Introduction

1.1 Purpose

This procedural guide describes the Security Awareness and Role Based Training requirements for all General Services Administration (GSA) employees and contractor employees with significant security responsibilities as set forth in Federal Information Security Modernization Act (FISMA) of 2014, and Office of Personnel Management (OPM) 5 CFR Part 930, Subpart C. In addition, it describes the IT security training requirements for all GSA employees and contractors, as identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.

1.2 Scope

This document applies to all GSA employees and contractors and all other users of GSA information and information systems that support the security operations and assets of GSA.

1.3 Policy

Chapter 4 of the GSA Information Technology (IT) Security Policy, CIO 2100.1, CHGE 1, states:

h. Security and privacy awareness, training, and education.

(1) A security and privacy awareness, training and education program must be established by the OCISO to ensure all GSA, other agency, and contractor support staff involved in the management, design, development, operation, and use of IT systems are aware of their responsibilities for safeguarding GSA systems and information.

(2) All GSA employees and contractors (internal and external*) must provide verification that Security Awareness Training and Privacy Training approved by GSA has been completed within 30 days of notification to complete the training and annually thereafter.

(3) All GSA employees and contractors (internal and external*), who have significant information security responsibilities as defined by OPM 5 CFR Part 930 and GSA IT security training policy, must complete specialized IT security training as defined in the policy.

(4) Failure to comply with annual awareness and specialized IT security training requirements will result in termination of access to GSA information systems. Authorizing Officials can terminate system accounts.

(5) Privacy 201 training is for managers, supervisors and employees that receive privacy data in the course of conducting GSA business. All employees and contractors shall complete “IT Security Awareness and Privacy 101 Training,” “Privacy Training 201,” and the “Sharing in a Collaborative Environment” training before being provided access to any PII, as defined in OMB Memorandum M-07-16 and M-10-23.


* An external contractor is defined as someone who has access to GSA information but doesn't have a GSA e-mail account.

i. Incident response capability.

(2) All authorized IT users must be trained annually to promptly report suspected vulnerabilities, security violations, and security incidents to their IT Service Desk. Refer to GSA-CIO-IT Security 01-02 for additional details.

t. Separation of Duties (FIPS 199 Moderate and High Impact Systems Only).

(13) Conduct annual reviews of staff training records to ensure annual Privacy Act, Security Training, and application specific training was completed for all users. The records shall be forwarded to application ISSO/System Owners as part of the annual recertification efforts.

w. Personally Identifiable Information (PII).

(10) Comply with security and privacy awareness training requirements for employees and contractors (internal and external). All employees and contractors shall complete “IT Security Awareness and Privacy 101 Training,” “Privacy Training 201,” and the “Sharing in a Collaborative Environment” training before being provided access to any PII, as defined in OMB Memorandum M-07-16 and M-10-23.

The GSA CIO 2100.3C, Mandatory Information Technology (IT) Security Training Requirement for Agency and Contractor Employees with Significant Security Responsibilities states:

5. Policy. Individuals who hold a position defined within any of the OPM roles described below are required to fulfill all the training requirements identified for that role within sixty (60)-days from the time they are given the role and annually thereafter.

a. Executives, who are Authorizing Officials (AOs) as determined by GSA, must receive training in information security basics or policy level training in security planning and management or emerging technologies. AOs are the GSA executives that accept risk for IT systems. Executives may also complete other security training in support of the S/SO functions they support. Completion is defined as at least one (1)-hour of training annually by either completing one course from GSA Online University (OLU) or by completing the training provided by the Chief Information Security Officer (CISO) on emerging threats and/or security best practices as directed in the IT Security Procedural Guide, CIO-IT Security 05-29: IT Security Awareness and Role Based Training Program.

b. IT Security and other security-oriented personnel must receive training in information security basics and broad training in security planning, or system/application security management, or system/application life cycle management, or risk management, and/or contingency planning. GSA has determined these roles to be the Information Systems Security Managers (ISSMs), Information Systems Security Officers (ISSOs), and Regional ISSOs (RISSOs) as defined in the IT Security Point of Contact (POC) list. ISSMs, ISSOs and RISSOs must complete at least three (3)-hours of training annually by either completing CISO approved courses from OLU and/or CISO provided in-person or remote training as documented in the IT Security Procedural Guide, CIO-IT Security 05-29: IT Security Awareness and Role Based Training Program.

c. IT Functional Management and Operations Personnel must receive training in information security basics; management and implementation level training in security planning or system/application security management; or management and implementation level training in system/application life cycle management, or risk management, and/or contingency planning. GSA has determined these roles to be Privileged Users with Short Name Accounts (SNA). A Privileged User is a GSA employee, contractor, and other affiliates with privileged access that are able to modify systems or view highly confidential information. These personnel must satisfy their training requirement by completing the annual OLU Privileged Account Training.

1.4 References

• Office of Personnel Management (OPM) 5 CFR Part 930, Subpart C
• Federal Information Security Modernization Act (FISMA) of 2014
• NIST SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
• GSA IT Security Policy, CIO 2100.1
• Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems
• OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
• OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
• GSA IT Security Procedural Guide: Incident Response (IR), CIO-IT Security 01-02
• GSA CIO 2100.3C, Mandatory Information Technology (IT) Security Training Requirement for Agency and Contractor Employees with Significant Security Responsibilities
• Public Law 100-235, the Computer Security Act of 1987
• GSA Order ADM 2400.1A, Insider Threat Program
• GSA IT Security Procedural Guide: Managing Enterprise Risk, Security Assessment and Authorization, Planning, and Risk Assessment (CA, PL, & RA), CIO-IT Security-06-30
• Privacy Act of 1974 (5 USC § 552a)

2 Roles and Responsibilities

The roles and responsibilities provided in this section have been extracted or summarized from GSA CIO 2100.1 or Federal policies and guidance. Throughout this guide additional specific processes and procedures for implementing the GSA security training and awareness program are described.


2.1 GSA Chief Information Officer (CIO)

Security Awareness and Role Based Training responsibilities of the GSA CIO consist of the following:

Ensuring the agency effectively implements and maintains information security policies and guidelines.

Establishing reporting requirements within GSA to assess GSA’s IT security posture, verifying compliance with Federal requirements and approved policies, and identifying agency-wide IT security needs.

Overseeing personnel with significant responsibilities for information security and ensuring that the personnel are adequately trained.

2.2 GSA Administrator

Security Awareness and Role Based Training responsibilities of the GSA Administrator consist of the following:

Ensuring that the agency has trained personnel to support compliance with information security policies, processes, standards, and guidelines.

2.3 GSA Chief Information Security Officer (CISO)

Security Awareness and Role Based Training responsibilities of the GSA CISO consist of the following:

Directing the planning and implementation of the GSA IT Security Awareness and Privacy Training Program to ensure agency personnel, including contractors, receive appropriate security and privacy awareness training including “Sharing Information in a Collaborative Environment” training.

Ensuring that the ISSMs and ISSOs receive applicable security and privacy awareness training to carry out their duties.

2.4 GSA Senior Agency Official for Privacy (SAOP)

Security Awareness and Role Based Training responsibilities of the GSA SAOP consist of the following:

Directing the planning and implementation of the GSA Privacy Program to ensure agency personnel, including contractors, receive appropriate privacy awareness training to include IT Security and Privacy Awareness annual training, Privacy 201 training and Sharing Information in a Collaborative Environment training.

2.5 Office of CISO Division Directors

Security Awareness and Role Based Training responsibilities of OCISO Division Directors consist of the following:

Ensuring GSA security and privacy awareness training requirements for individuals under their responsibility are complied with.


2.6 Information Systems Security Manager (ISSM)

Security Awareness and Role Based Training responsibilities of ISSMs consist of the following:

Reviewing and coordinating reporting of Security Advisory Alerts (SAA), compliance reviews, security and privacy awareness training, incident reports, contingency plan testing, and other IT security program elements.

Complying with GSA security and privacy awareness training requirements for individuals with significant security responsibilities.

2.7 Information Systems Security Officer (ISSO)

Per CIO 2100.1, Regional ISSOs (RISSOs) have the same responsibilities as designated ISSOs. Security Awareness and Role Based Training responsibilities of ISSOs consist of the following:

Complying with GSA security and privacy awareness training requirements for individuals with significant security responsibilities.

2.8 System Owners

Security Awareness and Role Based Training responsibilities of System Owners consist of the following:

Ensuring that system users and support personnel receive the requisite security and privacy awareness training (e.g., instruction in rules of behavior) and assisting in the identification, implementation, and assessment of the common security controls.

Complying with GSA security and privacy awareness training requirements for individuals with significant security responsibilities.

Working with Data Owners, with assistance from the ISSO, to ensure system access is restricted to authorized users that have completed required background investigations, are familiar with internal security practices, and have completed requisite security and privacy awareness training programs, such as the annual IT Security & Privacy Act training curriculum.

2.9 Data Owners

Security Awareness and Role Based Training responsibilities of Data Owners consist of the following:

Working with the System Owner, with assistance from the ISSO, to ensure system access is restricted to authorized users that have completed required background investigations, are familiar with internal security practices, and have completed requisite security and privacy awareness training programs, such as the annual IT Security & Privacy Act and Sharing Information in a Collaborative Environment training curriculum.

2.10 Contracting Officers (CO)/Contracting Officer’s Representative (COR)

Security Awareness and Role Based Training responsibilities of the CO/COR consist of the following:


Ensuring that all personnel with responsibilities in the agency’s procurement process are properly trained in information security.

2.11 Authorized Users of IT Resources

Security Awareness and Role Based Training responsibilities of Authorized Users consist of the following:

Complying with security and privacy awareness training, education, and awareness sessions commensurate with their duties.

2.12 Supervisors

Security Awareness and Role Based Training responsibilities of supervisors consist of the following:

Conducting annual reviews of staff training records to ensure annual IT Security Awareness, Privacy Act, Security Training, and application specific training was completed for all users. The records shall be forwarded to application ISSO/System Owners as part of the annual recertification efforts.

3 User Training

3.1 New User Training

3.1.1 Agency Personnel

All new GSA employees and contractors being granted access to GSA information and information systems must receive and sign the GSA Rules of Behavior prior to being granted access. Within 30 days of access being granted, all new GSA employees and contractors must provide verification that the required new user training has been completed. This training will consist of the following:

Current Fiscal Year (FY) IT Security Awareness and Privacy 101 Training which includes the Rules of Behavior

The information contained within the training describes the expectations for use of GSA IT resources. A number of security, privacy and Controlled Unclassified Information (CUI) topics are covered to help users become aware of concepts to properly and securely handle GSA information and information systems. This training also facilitates a means to garner signatures for compliance with the GSA IT Rules of Behavior.

All new employees and contractors/vendor personnel with a Short Name Account (SNA) MUST also complete the following training:

Privileged Account Training.

Program Managers (PM) must ensure training is completed as soon as the associated accounts and proper equipment are issued to the individual. All contractor/vendor personnel (internal and external) must provide verification through their PM to the Office of the Chief Information Security Officer (OCISO) that GSA approved awareness training has been completed within 30 days of start of employment and annually thereafter.


Note: New user training is hosted in GSA’s Online University (OLU) for those with a GSA email account. Thus, it cannot be completed until the individual has been granted GSA network access and an OLU account, which takes approximately three (3) weeks to establish. Supervisors (for employees) and PM (for contractors) must ensure training is completed, as soon as the associated accounts and proper equipment are issued to the individual. An email acknowledging access will be sent to the employee via the Active Directory Team.

3.1.1.1 Contractor/Vendor Personnel without GSA Accounts

All contractor/vendor personnel without a GSA account are expected to receive security awareness training from their employer prior to being granted access to GSA systems. Contractors/vendors with no GSA email account may have the paper version of the training administered via the PM and/or Information System Security Manager (ISSM) for the system on which they provide support. With approval by the Office of the Chief Information Security Officer, contractors/vendors may supplement the GSA FY IT Security Awareness and Privacy 101 Training with their own security awareness training. The PM and/or ISSM is responsible for coordinating with the Privacy Office and providing the training scores and date completed to the Privacy Office for each individual within 30 days from receipt of the training material.

3.2 Annual Security Awareness Training

The Security Awareness Training Program is designed to focus attention on security and to establish recognition of security issues. Awareness presentations are intended to enable individuals to recognize IT security concerns and respond accordingly. Annual security awareness training is mandatory for all GSA employees and GSA contractor personnel, per Public Law 100-235, the Computer Security Act of 1987. To fulfill this requirement, all GSA employees and contractors/vendors will complete the following training:

Current FY IT Security Awareness and Privacy 101 Training.

3.2.1 Annual Security Awareness Training Notification

In support of training requirements, on an annual basis, an Office of the Chief Information Security Officer (OCISO) representative will send an email detailing the annual training requirements to all GSA employees and contractors/vendors. This email will contain the following details:

Course Name (IT Security Awareness and Privacy 101 Training, etc.)

Course Hyperlink (GSA’s OLU)

Deadline for Course Completion

3.2.2 Agency Employees and Contractor/Vendor Personnel with GSA Accounts

Upon receipt of the Annual Awareness Training request, all GSA employees and contractors/vendors (internal and external) with a GSA account will have 30 days to provide verification that the required training is completed. Personnel who fail to complete the training during the required timeframe will have their GSA E-Mail account and other GSA systems access disabled.


Note: Contractors/vendors may opt to supplement the required annual GSA security awareness training with their own security awareness training topics.

3.2.3 Contractor/Vendor Personnel without GSA Accounts

All contractor/vendor personnel who do not have a GSA account but require access to GSA information systems and/or data will receive annual security awareness training based upon their GSA role and responsibilities. This training may take the form of GSA paper based training, GSA provided security briefings/training, outside vendor training and/or equivalent employer provided training. Each project office will track the training that the contractor/vendor personnel under their purview receive. On an annual basis, each project office will provide OCISO with a list of these individuals and the training they have received along with the date completed. OCISO will transfer this data to the OCISO training tracker and provide a copy to the OLU Administrator.

If upon a review it is determined that adequate training has not been completed, OCISO will coordinate with the Chief Information Officer (CIO) and CISO for approval to deny GSA system and data access to the applicable contractor/vendor. Once this approval is granted, the applicable PM, ISSM, ISSO and/or RISSO will be notified to perform the steps necessary to ensure the system and data denial is performed.

3.3 New User and Annual Security Awareness Training Tracking

The OCISO will monitor the completion of new user training and annual training via GSA OLU. On a monthly basis, a report on non-compliant new users will be provided to the GSA Information Security Policy and Compliance Division (ISP) Point of Contact (POC) responsible for account deactivations, who enforces the deactivations and disseminates the report to the applicable ISSMs, ISSOs and RISSOs. If training is not completed within the specified follow-up time, the GSA network account is disabled.

For existing employee and/or contractor/vendor accounts, deactivation occurs upon approval of the CISO.

If training is not confirmed as completed during the regularly allotted training timeframe, follow-up notifications are sent to the user via the Communications Team and then through the RISSO for a period of up to 60 days. If there is no response, OCISO makes a request to the Chief Information Officer (CIO) and CISO for approval to disable the GSA network account immediately. Once approval is granted to disable GSA network access, each system Authorizing Official (AO) will ensure/approve the disabling of all application level accounts that the employee and/or contractor/vendor may have. The applicable system administrator will perform the disabling of accounts. ISSOs and PMs will follow-up as needed.

Note: GSA’s OLU tracks course completions and allows an individual to print a completion certificate for verification at any time once the course has been successfully completed. An OLU Administrator provides monthly reports for verification of compliance and/or non-compliance with training hosted in that program.


4 Accessing New User & Annual Training (via OLU)

Following are instructions on accessing the IT Security Awareness and Privacy 101 Training:

Log on to https://gsaolu.gsa.gov.

The training is listed under the pull-down menu labeled "Make a selection for GSA Contractor Mandatory Training" on the home page (make your selection, then click "Go"), or it can be found through the course catalog on the left navigation bar.

If you have forgotten your OLU password or need assistance logging in, you can receive assistance in one (1) of three (3) ways:

Click the “Need help logging in to OLU? Click here for assistance” text directly above the login box, or

Click the “Live Support" link in the upper right corner of the login page; there is information on using OLU under the "FAQ" section next to the "Live Support” link, or lastly,

Click the “Forgot password?” text directly below the login box.

Passwords can only be established or reset by the OLU Administrator or the OLU helpdesk. The GSA email account is the user ID.

Note: GSA IT Security courses are available at Online University 24x7. Course completion is indicated by obtaining a passing score on the tests presented within the course and receiving an electronic completion certificate.

4.1 Disabled Accounts Due to Non-Compliant Training

OLU can only be accessed by users with an active GSA email account. If GSA network access is disabled for failure to meet training requirements, the account owner loses the ability to complete training using OLU. In that case it is imperative that the individual work with the RISSO to complete training. A list of RISSOs may be found on the GSA Enterprise Architecture (EA) Integration via the GSA EA Analytics and Reporting (GEAR) site. Confirmation of completion must be provided to the OCISO ISSO Support Division (IST) for approval of re-activation; re-activation depends on the individual providing documentation of training completion.

5 Role Based Security Training

The OPM requires that each agency identify employees with significant information security responsibilities and provide role-specific training in accordance with NIST standards and guidance. GSA’s role-specific training provides workplace related security knowledge and skills. It supports competency development and helps personnel understand and learn how to better perform their specific security role. OCISO is responsible for the management and coordination of role-based security training within GSA. As such, OCISO develops and updates training materials (e.g., computer based training (CBT), slides) for role-based security training periodically. Personnel with security roles and responsibilities must be trained prior to performing their duties and annually thereafter. These personnel may also receive specialized training, as deemed necessary by significant system changes. The following sections outline GSA’s role based responsibilities and their associated annual training requirements.

5.1 Individuals with Significant Security Responsibilities

5.1.1 Executives

GSA has determined that the Executive role includes all AOs, i.e., the executives who accept risk for the GSA IT systems under their purview. AOs identified on the FISMA inventory/POCs list located on the security webpage must receive training in information security basics and policy-level training in security planning and management, or in emerging technologies and emerging threats. Executives may also complete other security training in support of the S/SO functions they support.

5.1.2 Information Systems Security Managers (ISSM), Information Systems Security Officers (ISSO) and Regional Information System Security Officers (RISSO)

ISSMs, ISSOs, and RISSOs must receive training in information security basics and broad training in security planning, system and application security management, system/application life cycle management, risk management, emerging technologies, and contingency planning. Periodically, at least every three years, OCISO ISP reviews and updates, as necessary, the topics covered in the security training provided to users with role-based security responsibilities to ensure training is relevant and topical. Individuals holding these designations are identified on the FISMA inventory/POC list. Three (3) hours of training must be completed annually. This may be accomplished by:

• Completing OCISO-approved courses in GSA’s OLU;
• Participating in OCISO provided in-person or remote training (typically during monthly GSA Security Meetings);
• Completing OCISO-approved vendor-based security training relating to a specific security certification or an emerging security topic.

5.1.3 Privileged Account User / Short Name Accounts (SNA)

All employees and contractors/vendors whose job is to perform information system roles and responsibilities using access rights above what is granted to a normal user must do so with a Privileged User Account, also known as an SNA. SNA users must be vetted through the Service Center request for SNA process. The Privileged User Account Rules of Behavior must be signed in the process of receiving the fob and activating the account. Privileged users must take the “Privileged User Account Training” prior to their account being created and annually thereafter to maintain their access, and must agree to abide by the associated standards. This training will also be provided when system changes indicate additional training is necessary. Once the mandatory training and required paperwork are completed, the account will be created and an email acknowledging access will be sent to the employee via the Active Directory Team.

5.2 Monthly Information Security Town Hall Training

During the monthly Information Security Town Hall meeting, the ISP staff provides specialized role awareness training. This training portion of the monthly meeting is open to GSA employees and contractors who have the responsibility to manage, operate, or authorize operations for a GSA information system. The topics are selected based on emerging technologies, interdepartmental process improvements, input from team member surveys, and documentation changes that impact the group.

Tracking is done by the GSA Meeting Space application based on individual login as well as manually by an in-person attendance sheet supplied and maintained by ISP.


5.3 Role Based Course Map (IT Security Courses on GSA OLU)

The following table maps the GSA IT Security roles identified in the IT Security Policy to courses that satisfy the training requirements within OLU. Other options for training, where applicable, are identified in Section 5.1, Individuals with Significant Security Responsibilities.

Table 5-1: Role Course Map

GSA Role: Authorizing Officials (AO)

Online University IT Security Course: The Information Technology Industry Overview: Version 4
This course is designed to help learners understand key concepts, terminology, issues, and challenges associated with the information technology industry, and strategies employed to meet some of those challenges. It will identify the main sectors of the information technology industry and its business drivers, and review the key aspects of the industry business model, its competitive environment and the current trends in the industry. Finally this course outlines some key challenges that this industry is facing and presents common strategies that the industry stakeholders are adopting to overcome its challenges. This course was updated in 2015.
Duration = 1 hour

GSA Role: ISSMs/ISSOs/RISSOs

Online University IT Security Course: CompTIA Server+ 2009: IT Environment
This course covers the documentation, policies, and procedures that are the most necessary to server architecture. It provides a description of what each one is and how to go about creating the various elements. Along with good documentation, a well planned design of server space is key to a well managed network. The proper physical environment for optimal operation along with the physical security measures that should be put in place are also described in this course. The course maps to CompTIA's Server+ exam, SK0-003, and covers the following exam objectives: 4.1 Write, utilize, and maintain documentation, diagrams, and procedures; 4.2 Given a scenario, explain the purpose of industry best practices; 4.3 Determine an appropriate physical environment for the server location; 4.4 Implement and configure different methods of server access; 4.5 Given a scenario, classify physical security measures for a server location.
Duration = 1.5 hours

Online University IT Security Course: Identity, Presence, and Privacy
This course ensures you are familiar with identity and access management (IAM) and the common industry protocols used to extend identity to the cloud. It covers the concept of federation between different CSPs and businesses, the need for proper identity and access control management, and it also explores the use of a Cloud Identity as a Service (IDaaS) offering. The course also discusses the importance of understanding the presence and privacy factors when conducting business in the cloud and how it is crucial to understand the CSP's responsibility to not only provide security but also a proper level of privacy.
Duration = 1.5 hours

GSA Role: SNA (and others who work with PII)

Note: The listed courses are mandatory for the SNA role.

Online University IT Security Course: Privileged Account Training
This training is designed for all GSA employees and contractors who have short name accounts and use computers and information systems in the performance of their official duties.
Duration = 0.5 hours

Online University IT Security Course: Privacy Training 201
Privacy Training 201 provides information on how to properly access, handle, and store Personally Identifiable Information (PII). It is directed to individuals who work with PII as part of their work duties and it is a requirement for those who need to access PII.
Duration = 0.5 hours

Note: Personnel holding two roles, e.g., AO and ISSM, must satisfy the annual training requirement for both roles.


6 NIST Controls

The GSA-defined parameter settings included in the control requirements are offset by brackets in the control text. As stated in Section 1.2, Scope, the requirements in this guide apply to GSA Federal Employees and contractors and all other users of GSA information and information systems that support the security, operations and assets of GSA. Unless otherwise specified, each control/control enhancement applies to FIPS 199 Low, Moderate, and High impact systems.

AT-1, Security Awareness and Training Policy and Procedures, has been identified as a Common Control for all GSA/internally operated systems by GSA. The AT-2 to AT-4 controls are either provided as a Common Control by a General Support System, a system specific control by the system, or as a Hybrid Control with shared responsibilities for control implementation.

6.1 AT-1: Security Awareness and Training Policy and Procedures

Control: The organization:

a. Develops, documents, and disseminates to [Information System Security Manager, Information System Security Officer, System Owners (e.g., System Program Managers, System Project Managers), Acquisitions/Contracting Officers, Custodians]:

1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and

b. Reviews and updates the current:

1. Security awareness and training policy [biennially]; and
2. Security awareness and training procedures [biennially].

GSA Implementation Guidance: AT-1, Security Awareness and Training Policy and Procedures, is a common control provided by GSA OCISO/ISP for all GSA/internally operated systems and a hybrid control for all vendor/contractor operated systems. Security Awareness and Training Policy is included in CIO 2100.1, Chapter 4, Policy on Operational Controls, as indicated in Section 1.3, Policy. The policy states, "A security awareness, training and education program must be established by the OCIO to ensure all GSA, other agency, and contractor support staff involved in the management, design, development, operation, and use of IT systems are aware of their responsibilities for safeguarding GSA systems and information."

GSA OCISO ISP has also defined agency-wide security awareness training and awareness procedures in this procedural guide, CIO-IT Security-05-29. Both this guide and CIO 2100.1 are reviewed/updated biennially.

Additional Contractor System Considerations: Contractors/Vendors may defer to the GSA policy and guide or implement their own security awareness and training policies and procedures. Contractors/vendors who implement their own security awareness and training policy and procedures will need approval from the AO and concurrence from the CISO.

6.2 AT-2: Security Awareness Training

Control: The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

a. As part of initial training for new users;
b. When required by information system changes; and
c. [Annually] thereafter.

Control Enhancements:

(2) SECURITY AWARENESS | INSIDER THREAT The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.

GSA Implementation Guidance: Enhancement AT-2(2) is only applicable at the FIPS 199 Moderate and High levels.

AT-2, Security Awareness Training, is a common control provided by the GSA OCISO for all GSA/internally operated systems and a hybrid control for all vendor/contractor operated systems. All GSA Federal employees and contractors with a GSA account are provided training by the GSA OCISO. The ISP division is responsible for the management and coordination of security related training for GSA. For new users entering GSA, employee or contractor, ISP ensures new users take the required training as soon as they receive network access, using GSA OLU and the Comprehensive Human Resources Integrated System (CHRIS). ISP utilizes OLU to provide training to all GSA users. ISP develops and updates training materials for security awareness training on an annual basis, and users are required to complete annual training after the update is complete. If significant changes occur requiring additional training, ISP coordinates the development and tracking of that training.

Per enhancement AT-2(2), GSA Order ADM 2400.1A, Insider Threat Program, describes GSA’s roles, responsibilities, and policy regarding its insider threat program (ITP). ITP personnel, under the Associate Administrator for Mission Assurance, are responsible for ensuring insider threat information and training is provided at a minimum annually. ITP training is included in the annual refresher training required by the main control, AT-2.

Additional Contractor System Considerations: Contractors/vendors with GSA email accounts are required to receive training via OLU. Individuals without a GSA email account receive training using hardcopy materials. GSA’s mandatory training may be supplemented by the contractors/vendors. Ensuring the required training is accomplished is administered and tracked by the program office utilizing the contractor/vendor.

6.3 AT-3: Role Based Security Training

Control: The organization provides role-based security training to personnel with assigned security roles and responsibilities:

a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. [Every three years] thereafter.

GSA Implementation Guidance: AT-3, Role-Based Security Training, is a common control provided by OCISO/ISP for all GSA/internally operated systems and a hybrid control for all vendor/contractor operated systems. ISP is responsible for the management and coordination of role-based security training for GSA. ISP develops and updates training materials (e.g., CBTs, slides) for role-based security training periodically as the need arises (e.g., a system change requires new training). In the event ISP employs vendors to provide role-based training, ISP will coordinate with the vendor on the type of training that is required. Users with security roles and responsibilities are trained prior to performing their duties and every three years thereafter. Section 5, Role Based Security Training, provides details on role-based security training. When appropriate, System Owners must provide system specific role-based security training for roles within their information system.

Additional Contractor System Considerations: System Owners are required to provide system specific role based training to users of the information system. Contractors/Vendors may supplement GSA mandatory role based training with additional role based training for their employees or personnel with security roles and responsibilities. Ensuring the required training is accomplished is administered and tracked by the program office utilizing the contractor/vendor.

6.4 AT-4: Security Training Records

Control: The organization:

a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and

b. Retains individual training records for [three years].

GSA Implementation Guidance: AT-4, Security Training Records, is a common control provided by OCISO/ISP for all GSA/internally operated systems and a hybrid control for all vendor/contractor operated systems. ISP is responsible for the management and retention of security awareness and role based security training records. If the security training is provided using GSA OLU, then OLU provides reports to ISP on the completion status of training for individuals requiring the security training. If OLU is not used, a tracking spreadsheet is used to track completion status. If ISP employs a vendor for training, ISP coordinates with the vendor to determine a method of tracking the completion status of individuals assigned to take specific training. ISP retains training records of individuals, either via OLU or in an electronic record, for at least three years.

System owners are required to maintain training records for any system specific role based training provided to users of the information system.

Additional Contractor System Considerations: Contractors/vendors are required to track and retain the completion of security training that is provided to their employees.


APPENDIX A: ACRONYMS

Acronym Definition

AO Authorizing Official

CBT Computer Based Training

CHRIS Comprehensive Human Resources Integrated System

CIO Chief Information Officer

CISO Chief Information Security Officer

CO Contracting Officer

COR Contracting Officer’s Representative

CUI Controlled Unclassified Information

FIPS Federal Information Processing Standards

FISMA Federal Information Security Modernization Act

FY Fiscal Year

GSA General Services Administration

IAM identity and access management

IDaaS Identity as a Service

IR Incident Response

ISP Information Security Policy and Compliance Division

ISSM Information Systems Security Manager

ISSO Information Systems Security Officer

IST ISSO Support Division

IT Information Technology

ITP Insider Threat Program

NIST National Institute of Standards and Technology

OCISO Office of the Chief Information Security Officer

OLU Online University

OMB Office of Management and Budget

OPM Office of Personnel Management

PII Personally Identifiable Information

PM Program Manager

POC Point of Contact

RISSO Regional Information System Security Officer

SAOP Senior Agency Official for Privacy

SNA Short Name Accounts

SP Special Publication


APPENDIX B: GLOSSARY OF TERMS

Term Definition

Authorizing Official A senior (federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

Availability Ensuring timely and reliable access to and use of information.

Awareness (Information Security)

Activities which seek to focus an individual’s attention on an (information security) issue or set of issues.

Computer Based Training

Any course of instruction whose primary means of delivery is a computer. It may be delivered via a software product installed on a single computer, through a corporate or educational intranet, or over the Internet as Web-based training.

Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Controlled Unclassified Information

Category of unclassified information established by a Presidential memorandum dated May 9, 2008. CUI replaces categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU) and Law Enforcement Sensitive (LES).

Identity and Access Management

Security discipline that "enables the right individuals to access the right resources at the right times and for the right reasons."

Identity as a Service Authentication infrastructure that is built, hosted and managed by a third-party service provider. Can be thought of as single sign-on (SSO) for the cloud.

Information An instance of an information type

Information Security The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Security Policy

Aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.

Information System A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.


Information Technology

Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the executive agency. For purposes of the preceding sentence, equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which: (i) requires the use of such equipment; or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term information technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.

Integrity Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

Internal Network A network where: (i) the establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or (ii) cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (at least with regard to confidentiality and integrity). An internal network is typically organization-owned, yet may be organization-controlled while not being organization-owned.

Management Controls Management controls include policy, IT security program management, risk management and life-cycle security.

Operational Controls Operational controls include personnel and user issues, contingency planning, incident handling, awareness and training, computer support and operations, and physical and environmental security issues.

Organization A federal agency or, as appropriate, any of its operational elements.

Personally Identifiable Information

Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).

Physical Access Control System

An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.

Privacy Act of 1974 (5 USC § 552a) The Privacy Act, as amended, affords individuals the right to privacy of records that are maintained in systems of records by Federal agencies.

Privacy Act Statement A disclosure statement required by Section (e)(3) of the Privacy Act of 1974, as amended, to appear on documents used by organizations to collect personally identifiable information from individuals to be maintained in a Privacy Act System of Records (SORN).

Program Manager Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

Record The recordings of evidence of activities performed or results achieved (e.g., forms, reports, test results) which serve as the basis for verifying that the organization and the information system are performing as intended. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

Role Based Security Training

Security training focused on teaching skills/competencies related to a person’s specific IT role and responsibilities.

User Individual, or (system) process acting on behalf of an individual, authorized to access an information system.

Security Advisory Alert Alerts designed to provide timely information about current security issues and vulnerabilities.

Short Name Account Privileged user account which can be used to perform information system roles and responsibilities using access rights above what is granted to a normal user.

Technical Control Technical controls include identification and authentication, logical access controls and audit trails, and cryptography.

Threat Any circumstance or event with the potential to adversely impact Agency operations (including mission, functions, image, or reputation), Agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Training (Information Security)

Training strives to produce relevant and needed (information) security skills and competencies.

Vulnerability Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited.