
opm_plcy.txt
Posted Aug 17, 1999

Federal Requirements - Computer Security Training Policy, February 1992

tags | paper
SHA-256 | c9b8d444927fe53dc77ff4e139b35c6c097daac14088d57757dbd39973238e9f


OFFICE OF PERSONNEL MANAGEMENT
5 CFR Part 930
RIN 3205-AD43



Training Requirement for the Computer Security Act


AGENCY: Office of Personnel Management

ACTION: Final regulation

SUMMARY: This regulation implements Public Law 100-235, the
Computer Security Act of 1987, which requires training for all
employees responsible for the management and use of Federal
computer systems that process sensitive information. Under the
regulation agencies will be responsible for identifying the
employees to be trained and providing appropriate training.

EFFECTIVE DATE: January 3, 1992.

FOR FURTHER INFORMATION CONTACT: Ms. Constance Guitian, (202) 632-9769.

SUPPLEMENTARY INFORMATION:

On June 12, 1991, the Office of Personnel Management published
proposed rules on this subject (56 FR 26942). Four comments were
received. The Department of Education suggested that the
regulations apply to all computer information systems. The
regulation cannot exceed the scope of the law, which gives as its
purpose (section 2(b)(4)) "to require mandatory periodic training
for all persons involved in management, use, or operation of
Federal computer systems that contain sensitive information." The
law limits training to only those systems which contain sensitive
information.

A Naval Supply Center wanted the initial training for new employees
to be given within the first 180 days of appointment rather than
the first 60. In the testimony for this law, it was pointed out
that the vast majority of security breaches are caused by employee
negligence. The law states (section 5(b)) that required training
should start within 60 days of the issuance of regulations. The
same should apply to any new employees. Furthermore, the current
interim regulations have the same requirement because it is a sound
management practice to train employees early in computer
security to establish good security habits.


A Marine Corps installation informed us of their concurrence with
the regulation. A Naval Weapons Center asked where they can find
training materials. OPM has prepared some generic computer
security awareness training packages that are available from the
National Audiovisual Center. Attn: Customer Service Staff, 8700
Edgeworth Drive, Capitol Heights, MD 20743-3701, (301) 763-1891.
There is a videocassette, a one-day course, a desk guide, an
executive briefing, and an independent study course. The National
Institute of Standards and Technology's "Computer Security
Training Guidelines" NIST Special Publication 500-172 is available
from the Superintendent of Documents, U.S. Government Printing
Office, Washington, DC 20402-9325. The GPO publication number is
003-003-029575-1. Requests must be accompanied by a check or money
order for $2.50. It can also be ordered by phone with a VISA or
Mastercard and the telephone number is 202-783-3228.

E.O. 12291, Federal Regulation

I have determined that this is not a major rule as defined under
section 1(b) of E.O. 12291, Federal Regulation.

Regulatory Flexibility Act

I certify that this regulation will not have a significant economic
impact on a substantial number of small entities, including small
businesses, small organizational units, and small governmental
jurisdictions, because it will affect only Federal employees.

Constance Berry Newman
Director, Office of Personnel Management.

Accordingly, the Office of Personnel Management is revising 5 CFR
part 930, subpart C, to read as follows:

PART 930 - PROGRAMS FOR SPECIFIC POSITIONS AND EXAMINATIONS
(MISCELLANEOUS)

Subpart C-Employees Responsible for the Management or Use of
Federal Computer Systems

Sec.
930.301 Definitions
930.302 Training requirement
930.303 Initial training
930.304 Continuing training
930.305 Refresher training.

Subpart C-Employees Responsible for the Management or Use of
Federal Computer Systems

Authority: 40 U.S.C. 759 notes.


Section 930.301 Definitions.

(a) The amount and type of training different groups of employees
will receive will be distinguished by the following knowledge
levels identified in the Computer Security Training Guidelines
developed by the National Institute of Standards and Technology:

(1) Awareness level training creates the sensitivity to
the threats and vulnerabilities and the recognition of
the need to protect data, information, and the means of
processing them;

(2) Policy level training provides the ability to
understand computer security principles so that
executives can make informed policy decisions about their
computer and information security programs;

(3) Implementation level training provides the ability
to recognize and assess the threats and vulnerabilities
to automated information resources so that the
responsible managers can set security requirements which
implement agency security policies; and

(4) Performance level training provides the employees
with the skill to design, execute, or evaluate agency
computer security procedures and practices. The
objective of this training is that employees will be able
to apply security concepts while performing the tasks
that relate to their particular positions. It may
require education in basic principles and training in
state-of-the-art applications.

(b) Training audiences are groups of employees with similar
training needs. Consistent with the Computer Security Training
Guidelines, they are defined as follows:

(1) Executives are those senior managers who are
responsible for setting agency computer security policy,
assigning responsibility for implementing the policy,
determining acceptable levels of risk, and providing the
resources and support for the computer security program.

(2) Program and Functional Managers are those managers
and supervisors who have a program or functional
responsibility (not in the area of computer security)
within the agency. They have primary responsibility for
the security of their data. This means that they
designate the sensitivity and criticality of data and
processes, assess the risks to those data, and identify
security requirements to the supporting data processing
organization, physical facilities personnel, and users
of their data. Functional managers are responsible for
assuring the adequacy of all contingency plans relating
to the safety and continuing availability of their data.

(3) Information Resources Managers (IRM), Security, and
Audit Personnel are all involved with the daily
management of the agency's information resources,
including the accuracy, availability, and safety of these
resources. Each agency assigns responsibility somewhat
differently, but as a group these persons issue
procedures, guidelines, and standards to implement the
agency's policy for information security, and to monitor
its effectiveness and efficiency. They provide technical
assistance to users, functional managers, and to the data
processing organization in such areas as risk assessment
and available security products and technologies. They
review and evaluate the functional and program groups'
performance in information security.

(4) Automated Data Processing (ADP) Management Operations
and Programming Staff are all involved with the daily
management and operations of the automated data
processing services. They provide for the protection of
the data in their custody and identify to the data owners
what those security measures are. The group includes
such diverse positions as computer operators, schedulers,
tape librarians, data base administrators, and systems
and applications programmers. They provide the technical
expertise for implementing security-related controls
within the automated environment. They have primary
responsibility for all aspects of contingency planning.

(5) End Users are any employees who have access to an
agency computer system that processes sensitive
information. This is the largest and most heterogeneous
group of employees. It consists of everyone from the
executive who has a personal computer with sensitive
information to data entry clerks.

(c) The training guidelines developed by the National Institute of
Standards and Technology identify five subject areas. They are:

(1) Computer security basics is the introduction to the
basic concepts behind computer security practices and
the importance of the need to protect the information
from vulnerabilities to known threats;

(2) Security planning and management is concerned with
risk analysis, the determination of security
requirements, security training, and internal agency
organization to carry out the computer security function;

(3) Computer security policies and procedures looks at
Governmentwide and agency-specific security practices in
the areas of physical, personnel, software,
communications, data, and administrative security;

(4) Contingency planning covers the concepts of all
aspects of contingency planning, including emergency
response plans, backup plans and recovery plans. It
identifies the roles and responsibilities of all the
players involved; and

(5) Systems life cycle management discusses how security
is addressed during each phase of a system's life cycle
(e.g. system design, development, test and evaluation,
implementation and maintenance). It addresses
procurement, certification, and accreditation.

(d) The statute defines the term "sensitive information" as any
information, the loss, misuse, or unauthorized access to or
modification of which could adversely affect the national interest
or the conduct of Federal programs, or the privacy to which
individuals are entitled under section 552a of title 5, United
States Code (the Privacy Act), but which has not been specifically
authorized under criteria established by an Executive order or an
Act of Congress to be kept secret in the interest of national
defense or foreign policy.


Section 930.302 Training requirement

The head of each agency shall identify employees responsible for
the management or use of computer systems that process sensitive
information and provide the following training (consult "Computer
Security Training Guidelines." NIST Special Publication 500-172
for more detailed information) to each of these groups:

(a) Executives shall receive awareness training in
computer security basics, computer security policy and
procedures, contingency planning, and systems life cycle
management and policy level training in security planning
and management.

(b) Program and functional managers shall receive
awareness training in computer security basics;
implementation level training in security planning and
management and computer security policy and procedures;
and performance level training in contingency planning
and systems life cycle management.

(c) IRM, security, and audit personnel shall receive
awareness training in computer security basics; and
performance level training in security planning and
management, computer security policies and procedures,
contingency planning, and systems life cycle management.

(d) ADP management and operations personnel shall receive
awareness training in computer security basics; and
performance level training in security planning and
management, computer security policies and procedures;
contingency planning, and systems life cycle management.

(e) End users shall receive awareness training in
computer security basics; security planning and
management; and systems life cycle management; and
performance level training in computer security policies
and procedures, and contingency planning.


Section 930.303 Initial training

The head of each agency shall provide the training outlined in
930.302 of this subpart to all such new employees within 60 days
of their appointment.


Section 930.304 Continuing training

The head of each agency shall provide training whenever there is
a significant change in the agency information security environment
or procedures or when an employee enters a new position which deals
with sensitive information.


Section 930.305 Refresher training

Computer security refresher training shall be given as frequently
as determined necessary by the agency based on the sensitivity of
the information that the employee uses or processes.


************************* END OF TEXT *********************
