Carnegie Mellon University

The following Cybersecurity regulations, rules and contracts require at least the basic security training provided by Security 101.  Additional, topic-specific training may be required.

HEOA

The Higher Education Opportunity Act (HEOA) requires that students are made aware of federal copyright laws and of the institutional policies and sanctions related to violations of copyright law.


GLBA

Compliance with the Gramm-Leach-Bliley Act (GLBA) is required through our Title IV Program Participation Agreement with the Department of Education to administer student financial aid. This requirement applies to all users (staff and faculty) of S3 and PowerFAIDS.

“(e) Implement policies and procedures to ensure that personnel are able to enact your information security program by:

(1) Providing your personnel with security awareness training that is updated as necessary to reflect risks identified by the risk assessment;”


NSPM-33

National Security Presidential Memorandum 33 (NSPM-33) requires that all US Government-supported research and development comply with research security standards (among other requirements). This requirement applies to all individuals (faculty, students, and staff) who work on any research that is funded in whole or in part by the US government (including subcontracts).


“Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.” (section 6)


NIST 800-171/CMMC

National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171) describes the controls that must be in place to protect Controlled Unclassified Information (CUI). Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense program that requires third-party certification of compliance with NIST SP 800-171. Carnegie Mellon University is subject to CMMC and NIST SP 800-171 through contracts and subcontracts from the Department of Defense. The specific training requirements (3.2.1, 3.2.2, 3.2.3) apply to all individuals (faculty, staff, students) who work on any Department of Defense contracts or subcontracts.


“3.2.1 Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.

3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.”

In addition to the explicit training requirements (3.2.1, 3.2.2, 3.2.3), there is a requirement that all employees of a defense contractor (of which we are one) understand what CUI is and how to report it if it is seen outside of protected environments (3.1.3).

“3.1.3 Control the flow of CUI in accordance with approved authorizations.”



Research Contracts/Data Use Agreements

Many of the contracts and data use agreements that researchers must accept to get access to sponsored data require cybersecurity awareness training, which our Security 101 training course generally satisfies. Any individual (faculty, staff, students) with access to such data is required to take cybersecurity awareness training. This language is very common in contracts with private companies and in agreements involving sensitive data from public entities.


PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS; you must agree to the License Agreement for access to the PCI-DSS source documents) requires that all individuals involved in handling credit cards, or who can affect the security of cardholder data, receive training on how to properly meet their responsibilities under the PCI-DSS.

“12.6.1 A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.”

“12.6.3 Personnel receive security awareness training as follows:

  • Upon hire and at least once every 12 months.
  • Multiple methods of communication are used.
  • Personnel acknowledge at least once every 12 months that they have read and understood the information security policy and procedures.”

Upcoming regulations that may also affect cybersecurity training requirements

The Department of Education has stated its intention to require that all Federal student aid information be subject to NIST SP 800-171, which includes the training requirement described above.