NISPOM Training Compliance: What to track (and how to stay ahead)
What training is required for cleared employees?
Under NISPOM (32 CFR Part 117), cleared employees typically require initial briefings before access, annual refresher training, annual insider threat awareness training, and other training based on role and contract requirements.
| Training type | Frequency | Notes |
|---|---|---|
| Initial security briefing | Before access granted | Threat awareness, safeguarding procedures, reporting expectations |
| Security refresher training | Annual (every 12 months) | Reinforces initial briefing and covers changes |
| Insider threat awareness | Annual (every 12 months) | Indicators, reporting procedures, methodologies |
| Derivative classification | Every 2 years | For employees with derivative classification authority |
| Cybersecurity awareness | Annual | For authorized information system users |
| Counterintelligence awareness | As required | Often contract-specific (e.g., CIAR requirements) |
What training records must FSOs maintain?
FSOs should maintain records documenting:
- Date of most recent training for each employee
- Type of training provided
- Employee participation/completion confirmation
- Certificate or acknowledgment documentation
These records are commonly reviewed during DCSA security reviews.
How far in advance should I track training expirations?
Best practice is to start reminders 30–60 days before expiration so you have time to schedule, deliver, and document training before the due date — especially with travel, PTO, or distributed teams.
What happens if training lapses?
For most training, remediate gaps as quickly as possible. For derivative classification training specifically, NISPOM requires suspending an employee’s derivative classification authority if they do not receive training at least once every two years. Training gaps can also become findings during DCSA reviews.
Does FCL Simple provide training content?
FCL Simple tracks training completion and certificates — it doesn’t deliver training content directly. Training is commonly sourced from:
- CDSE (Center for Development of Security Excellence)
- Commercial training providers
- Internal briefings delivered by your security team
If you’re building your program from scratch, start with the FCL guide and DD254 basics.