§ 117.12 - Security training and briefings.

(a) General. Contractors will provide all cleared employees with security training and briefings commensurate with their involvement with classified information.

(b) Training materials. Contractors may obtain security, threat awareness, and other education and training information and material from their CSA or other sources.

(c) Government provided briefings. The CSA is responsible for providing initial security briefings to the FSO and for ensuring other briefings required for special categories of information are provided to the FSO.

(d) FSO training. Contractors will ensure the FSO and others performing security duties complete training considered appropriate by the CSA. Training requirements will be based on the contractor's involvement with classified information. Training may include an FSO orientation course, and for FSOs at contractor locations with a classified information safeguarding capability, an FSO program management course. Contractor FSOs will complete training within six months of appointment to the position of FSO. When determined by the applicable CSA, contractor FSOs must complete an FSO program management course within six months of the CSA approval to store classified information at the contractor.

(e) Initial security briefings. Prior to being granted access to classified information, contractors will provide employees with an initial security briefing that includes:

(1) Threat awareness, including insider threat awareness in accordance with paragraph (g) in this section.

(2) Counterintelligence (CI) awareness.

(3) Overview of the information security classification system.

(4) Reporting obligations and requirements, including insider threat.

(5) Cybersecurity training for all authorized information system users in accordance with CSA-provided guidance pursuant to § 117.18(a)(1) and (a)(2).

(6) Security procedures and duties applicable to the employee's position requirements (e.g. marking and safeguarding of classified information) and criminal, civil, or administrative consequences that may result from the unauthorized disclosure of classified information, even though the individual has not yet signed an NDA.

(f) CUI training. While outside the requirements of the NISPOM, when a classified contract includes provisions for CUI training, contractors will comply with those contract requirements.

(g) Insider threat training. The designated ITPSO will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees complete training consistent with applicable CSA provided guidance.

(1) The contractor will provide training to insider threat program personnel, including the contractor's designated ITPSO, on:

(i) CI and security fundamentals.

(ii) Procedures for conducting insider threat response actions.

(iii) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information.

(iv) Applicable legal, civil liberties, and privacy policies and requirements applicable to insider threat programs.

(2) The contractor will provide insider threat awareness training to all cleared employees on an annual basis. Depending upon CSA specific guidance, a CSA may instead conduct such training. The contractor must provide all newly cleared employees with insider threat awareness training before granting access to classified information. Training will address current and potential threats in the work and personal environment and will include at a minimum:

(i) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.

(ii) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems.

(iii) Indicators of insider threat behavior and procedures to report such behavior.

(iv) CI and security reporting requirements, as applicable.

(3) The contractor will establish procedures to validate all cleared employees who have completed the initial and annual insider threat training.

(h) Derivative classification—(1) Initial training. The contractor will ensure all employees authorized to make derivative classification decisions are trained in the proper application of the derivative classification principles, in accordance with CSA direction. Employees are not authorized to conduct derivative classification until they receive such training.

(2) Refresher training. In addition to the initial training, contractors will ensure all employees who conduct derivative classification receive training at least once every two years. Contractors will suspend an employee's derivative classification authority for any employee who does not receive such training at least once every two years. Training will emphasize the avoidance of over-classification and address:

(i) Classification levels.

(ii) Duration of classification.

(iii) Identification and markings.

(iv) Classification prohibitions and limitations.

(v) Sanctions and classification challenges.

(vi) Security classification guides.

(vii) Information sharing.

(3) Record of training. Contractors will retain records of the date of the most recent training (initial or refresher) and type of training provided to employees.

(i) Information systems security. All information system authorized users will receive training on the security risks associated with their user activities and responsibilities under the NISP. The contractor will determine the appropriate content of the training, taking into consideration assigned roles and responsibilities, specific security requirements, and the information system to which personnel are authorized access.

(j) Temporary help suppliers. A cleared temporary help supplier, or other contractor who employs cleared individuals solely for dispatch elsewhere, will be responsible for ensuring that required briefings (both initial and refresher training) are provided to their cleared personnel. The temporary help supplier or the using contractor may conduct these briefings.

(k) Refresher training. The contractor will provide all cleared employees with security education and training every 12 months. Refresher training will reinforce the information provided during the initial security briefing and will keep cleared employees informed of changes in security regulations and should also address issues or concerns identified during contractor self-reviews. Training methods may include group briefings, interactive videos, dissemination of instructional materials, or other media and methods. Contractors will maintain records about the programs offered and employee participation in them.

(l) Debriefings. Contractors will debrief cleared employees and annotate the debriefing in the appropriate contractor records when access to classified information is no longer needed; at the time of termination of employment (discharge, resignation, or retirement); when an employee's eligibility for access to classified information is terminated, suspended, or revoked; and upon termination of the entity eligibility determination.