But many are still unclear if they have to take it.
A recent rollout of new operations security training for all Defense Department personnel has been met with confusion, with many individuals unsure if they need to take it and one module already withdrawn from the training website for updates.
In a July 20 memo, Secretary of Defense Mark Esper announced new OPSEC training requirements for all Defense personnel, including service members, civilians and contractors working on site. The updated training requirements followed Senate testimony where Esper told lawmakers he’d launched an investigation into a recent unauthorized disclosure of information to the New York Times.
The training, which is publicly available through the department’s Center for the Development of Security Excellence (CDSE), consists of four web modules and a video message from Esper. The memo directs employees to watch the video and complete the four modules within 60 days.
But many security officers say they’re unclear which contractors are required to take the training, particularly with many now working remotely who may previously have worked at Defense facilities.
Another problem involved the first module, “OPSEC Awareness for Military Members, DoD Employees and Contractors.” Because the training is publicly available, critics quickly homed in on a section that seems to refer to members of the press as “adversaries.” While Defense officials initially doubled down on the language when asked for comment, Esper later directed the term “adversaries” be changed to “unauthorized recipients.” The training module has since been removed from the CDSE website, and as of August 4, remained unavailable for completion.
The aggressive timeline, particularly with one module still unavailable, has also been criticized. And while many agree more OPSEC training is generally a good idea, the deadline for completion may work against the goal.
“The Secretary intimates that there have been a number of issues of unauthorized disclosures and people sharing information to others—colleagues—without a need to know, which is always a problem and worthy of calling out anytime,” noted Christopher Burgess, a security consultant and 30-year CIA veteran. “To ram these four training courses down every civilian and military personnel within the next 60 days will in essence create a situation where folks are being asked to get their boxes checked on their ‘accountability card’ and not based on the intent of retaining the knowledge.”
OPSEC Training for Who?
Uncertainty over who is considered an “on-site contractor,” particularly in pandemic working environments where contractors who may typically be on site are now temporarily working remotely, has contributed to the confusion. Facility Security Officers with contract companies are largely reporting that they’ve received no notification about the training from their government security representatives, but have been told the management of the training will trickle down from Cognizant Security Officers (CSO) with the government, and only be required for individuals currently working at government facilities.
The training itself is not new, but consists of training modules that have been around since 2010. But while some modules were required for certain personnel, the July 20 memo expands the requirement to all DoD personnel. If you’re a Defense civilian or service member, your CSO should be providing accountability for those training requirements. It’s worth noting that personnel will need to save a copy of the certificate of completion, because completion is not tracked by the CDSE website.
Government personnel are already required to undertake significant amounts of training. According to the 2018 Training Industry Report by Training Magazine, government and military organizations spend more per learner—$1,433—than other organizations. The same survey found that large employers (which includes the federal government) averaged 49.3 hours of training per year. That’s more than one week every year spent just in required training.