13 FAM 300
Agency Mandated training
13 FAM 301
13 FAM 301.1
Mandatory security training for all department employees
(Office of Origin: FSI)
13 FAM 301.1-1 CYBER SECURITY AWARENESS TRAINING (PS800)
(Civil Service and Foreign Service Employees)
a. In order to meet the requirements of the Federal Information Security Modernization Act of 2014 (44 U.S.C. 3551), all Department computer users are required to complete and pass the annual online Cyber Security Awareness course (PS800) before the 1-year anniversary of their last cyber security awareness test. Any user that fails to meet this requirement may have their OpenNet Plus access revoked, pending completion of the course and exam.
b. It is primarily each employee’s responsibility to ensure he or she completes any mandatory cyber security awareness training requirement identified in this subchapter.
c. Individuals can enroll for cyber security awareness training online through the Foreign Service Institute (FSI) OpenNet Web site.
13 FAM 301.1-2 COUNTERINTELLIGENCE AND INSIDER THREAT TRAINING (EX250/EX251)
a. In order to meet the requirements of Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, dated October 7, 2011, executive branch departments and agencies must establish an Insider Threat Program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure. The Bureau of Diplomatic Security (DS) is responsible for the Department’s Insider Threat Program. A key tenet, and a minimum standard, of a successful insider threat program is robust employee training and awareness. The Department’s policy can be found in 12 FAM 513.
b. Annual online training, as described in 12 FAM 513.5, is required for all Department employees, contractors, and persons who fall under chief-of-mission (COM) authority, regardless of agency, who have an OpenNet account. It is each employee’s responsibility to ensure he or she completes the mandatory counterintelligence and insider threat awareness training annually.
c. To deliver this mandatory training, DS developed two online 1-hour courses, Annual Counterintelligence and Insider Threat Awareness Training for Cleared Americans (EX250) and Annual Counterintelligence Awareness Training for Uncleared Americans and LE Staff (EX251) through the Foreign Service Institute (FSI). DS also offers in-person oral briefings for employees without computer access or for those who may have language barriers. Domestically, these briefings are conducted by the Counterintelligence Division (DS/ICI/CI), and overseas, by the regional security office.
d. DS/ICI/CI is responsible for administering and monitoring compliance via data from FSI’s Student Training Management System (STMS) for direct-hire employees (FS, GS, and locally employed staff), the iPost database for contractors, and sign-in sheets from in-person briefings.
13 FAM 301.1-3 MANDATORY TRAINING FOR CLASSIFIERS and users OF NATIONAL SECURITY INFORMATION (PK400)
(All State Employees)
a. To meet the requirements of the Reducing Over-Classification Act of 2010 (Public Law 111-258) and Executive Order 13526, Classified National Security Information, all Department of State employees and contractors with a security clearance must complete training in proper classification, declassification, marking, and handling of classified national security information (see 5 FAM 480). The prescribed Foreign Service Institute (FSI) course is PK400, Mandatory Training for Classifiers and Users of National Security Information. This course is an augmented replacement of PK323, Classified and Sensitive But Unclassified Information: Identifying and Marking.
b. This training is mandatory on an annual basis for employees and contractors with a security clearance. Those employees and contractors with a security clearance who fail to complete the training on an annual basis will lose access to OpenNet.
c. Bureaus and posts are responsible for:
(1) Ensuring covered employees and contractors complete the prescribed training prior to classifying information; and
(2) Suspending classification authority for covered employees or contractors who fail to complete the training, and reporting those names to A/GIS/IPS annually with a description of how the classification authority was suspended.
d. Department employees and contractors are responsible for reviewing and updating their security clearance information (see link below), monitoring their training to ensure timely completion on an annual basis and should provide a certificate of completion upon request.
e. Users may access an online training dashboard to manage and track this and other training required for OpenNet access.
13 FAM 301.1-4 RECORDS MANAGEMENT (PK217)
Statutory requirements of the Federal Records Act and mandates by the U.S. National Archives and Records Administration (NARA) Bulletin 2017-01 require all State Department employees (Civil Service, Foreign Service, Locally Employed Staff), contractors (PSC and Third Party), and other agency personnel with OpenNet access to complete Records Management for Everyone (PK217) once each calendar year.
(1) This training is mandatory on an annual basis for all Department personnel with OpenNet access. Those employees who fail to complete the training on an annual basis will lose access to OpenNet.
(2) Bureaus and posts are responsible for ensuring covered personnel complete the prescribed training.
(3) All Department personnel are responsible for monitoring their training to ensure timely completion on an annual basis and should provide a certificate of completion upon request.
(4) Users may access an online training dashboard to manage and track this and other training required for OpenNet access.
13 FAM 301.1-5 PROTECTING PERSONALLY IDENTIFIABLE INFORMATION (PII) TRAINING (PA318)
a. In order to meet the requirements of The Privacy Act of 1974, as amended (5 U.S.C. 552a), Office of Management and Budget (OMB) Circular A-130 "Managing Information as a Strategic Resource" and OMB Directive M-17-12 "Preparing for and Responding to a Breach of Personally Identifiable Information", all OpenNet users must enroll in and satisfactorily complete the mandatory distance learning course PA318, Protecting Personally Identifiable Information (PII) ever two years.
b. Per 5 FAM 469.2 b(2), supervisors are responsible for protecting PII by ensuring their workforce members complete Protecting Personally Identifiable Information, PA318, every two years. It is each OpenNet user's responsibility to ensure timely completion of this mandatory training requirement.
c. Individuals can enroll for PA318 training online through the FSI OpenNet website.
d. The Department’s Privacy Office (A/GIS/PRV) oversees implementation of the Department’s policies regarding protecting PII and will provide guidance if bureaus have questions about this mandatory training requirement or the course content. See 5 FAM 460 for guidance on Department policy and procedures regarding PII.