FISMA Training

The Federal Information Security Management Act of 2002 was intended to provide a security framework for US government agencies to use in securing their respective networks and information.  Unfortunately, many agencies and government contractors have found some of the guidelines to be vague, leaving room for each organization to interpret what security measures are needed and how to implement them correctly.  This ambiguity can be seen in the security training mandated by the National Institute of Standards and Technology (NIST) Special Publication 800-16.  The NIST Training Model emphasizes a role-based security training program that revolves around a standard core of knowledge that every user of an organization should know.

Fortunately, the National Initiative for Cybersecurity Education (NICE) has developed some basic content to assist course developers in the creation of common user training that should satisfy FISMA training requirements.  Unfortunately, this content is not formatted into curricula, forcing IT security personnel to develop their own courses around these principles.

This project will create a set of standard open source learning modules that can be modified easily and quickly to suit most user environments.  To ensure FISMA compliance, each module's subject has been selected from the topics identified in NIST SP 800-50 (para 4.1.1).  To ensure adaptability to any Learning Management System, each module will be SCORM compliant with minimal theming to allow for easier organizational branding.  The intent is that these modules will provide course developers with a best practice foundation for the development and completion of their own organizational training.  Each module will include:

1. Background - Topical background information in sufficient detail to satisfy both user and administrator training requirements (text-based documents from recognized information security best practices).  This content will serve as a doctrinal basis for each module.

2. Training - User-focused slide presentation outlining basic topical principles (slides will not use themes or branding, allowing for organizational branding/customization).  This content will not possess the same level of detail as the background information, but will include relevant illustrations and examples intended to teach security fundamentals to basic users.

3. Assessment - Learning assessment for each module, including meaningful and measurable forms of assessment that specifically support the learning objectives outlined in each module.

4. Awareness - Topical security awareness content intended to reinforce the concepts and principles taught in each module.  Most of this content will be in the form of educational posters and flyers.  There is already a great deal of content available from existing public awareness campaigns that may be incorporated in order to support learning objectives.

The modules that have been identified for this project have been selected based on their general applicability to most computing environments.  These initial modules may be used by almost any organization to establish a foundation of user information security education or to strengthen/supplement an existing education program.  These modules will include:

1. Password Management - A brief background on how/why password management is critical to a secure computing environment, with an overview of password best practices and 2-tier authentication.

2. Email Scams / Anti-phishing - An overview of many of the current email-borne attacks, the purpose of those attacks, and user tips on identifying and avoiding email attacks.

3. Portable Device Security - An overview of some of the portable devices that are prevalent and some of the threats they can present.  These devices include smartphones, tablets, and USB storage devices.