The NISPOM Rule (32 CFR Part 117) requires every cleared defense contractor under DCSA oversight to deliver recurring security training, run an Insider Threat Program, and document it all for the DCSA Security Review & Rating. CyberICS provides 300+ ready-to-run ICS/OT and insider-threat tabletop scenarios, AI-generated After Action Reports, and audit-ready completion records — turning a recurring compliance obligation into demonstrable readiness across the cleared Defense Industrial Base.
The NISPOM Rule binds roughly 12,500+ cleared facilities under DCSA's National Industrial Security Program oversight. Every cleared contractor — and the named officials who run its security program — carry recurring training, insider-threat, and self-inspection duties that DCSA verifies during the Security Review & Rating.
Any entity granted a facility clearance to access, generate, or store classified information must implement the NISPOM program and submit to DCSA's routine Security Reviews. Covered Defense Contractors carry additional cyber-incident reporting duties on covered systems.
NISPOM assigns personal responsibility to specific officials. Each must complete role-based training (§117.12) and can present exercise and training records during the DCSA Security Review to demonstrate an active, mature program.
§117.12(k) requires security education and training for every cleared employee every 12 months, with participation records retained for DCSA. The regulation explicitly allows "interactive videos … or other media and methods." A standing CyberICS exercise program turns that annual requirement into a repeatable, evidence-generating cycle — in your team's working language.
NISPOM names specific training, insider-threat, and reporting duties. Tabletop exercises directly satisfy the insider-threat response, annual-refresher, and incident-reporting requirements, and generate evidence for several more.
| Section | Obligation | Requirement Summary | CyberICS Capability | Coverage |
|---|---|---|---|---|
| §117.12(g)(1)(ii) | Insider threat response training | ITP personnel (incl. the ITPSO) must be trained on "procedures for conducting insider threat response actions" | The Insider-Threat TTX pack rehearses detection, escalation, and response actions end-to-end; the AI AAR documents the response workflow taken and gaps surfaced | Core |
| §117.12(g)(2)–(3) | Annual insider-threat awareness | Insider-threat awareness training for all cleared employees annually; contractor must validate completion | Awareness scenarios + per-participant completion tracking provide the validated annual record DCSA expects | Core |
| §117.12(k) | Annual refresher training | Security education & training every 12 months for all cleared employees; maintain participation records; "interactive videos … or other media and methods" permitted | A standing exercise program is the refresher system-of-record — recurring sessions, participation logs, and AARs retained as evidence | Core |
| §117.8(f) | CDC cyber-incident reports | Covered Defense Contractors must rapidly report cyber incidents on covered systems to the designated DoD CSO | The DIB cyber-incident-reporting drill rehearses the who / what / timeline of the DoD CSO report under realistic pressure | Core |
| §117.12(e) | Initial security briefing | Before access: threat awareness, CI awareness, cybersecurity training, and reporting obligations | Onboarding scenario set and AI briefings reinforce threat/CI awareness, cybersecurity, and reporting duties for newly cleared staff | Supporting |
| §117.7(d) | Insider Threat Program | Establish & maintain an ITP consistent with E.O. 13587 and the National Insider Threat Policy minimum standards | The ITP exercise pack plus program-maturity gap analysis exercises the ITP's detection, integration, and response functions | Supporting |
| §117.7(h) | Self-inspection | Annual self-inspection (incl. the ITP); formal report; SMO certifies in writing and briefs KMP | The DCSA Security Review Evidence Pack assembles exercise, training, and drill records into the self-inspection file | Supporting |
| §117.12(i) | Information-system user training | All authorized IS users trained on the security risks of their activities and responsibilities | Role-based scenarios reinforce IS-user responsibilities; completion is logged per user as evidence | Supporting |
| §117.18 | Information system security (incl. embedded/OT) | IS security controls under ISSM/ISSO oversight; "embedded systems" that control a function are information systems in scope | OT/ICS and embedded-system scenarios exercise incident response on the control systems inside cleared manufacturing facilities | Partial |
Three core capabilities work together to deliver, document, and evidence your §117.12 training and §117.7(d) insider-threat obligations.
Live Session mode runs real-time, multi-participant exercises. Every step, response, and host action is timestamped — producing the auditable training and insider-threat response record NISPOM requires you to retain.
Immediately after each exercise, CyberICS generates a structured AAR documenting the response actions taken, gaps, and NISPOM section references — the artifact an ITPSO or FSO files as proof the drill happened and what it found.
The Compliance Dashboard assembles a NISPOM evidence package — training completion, insider-threat drill records, incident-reporting rehearsals, and a self-inspection summary — so an FSO walks into the DCSA Security Review with the file already built.
Six high-fidelity scenarios built for cleared contractors — insider threat, CDC cyber-incident reporting, and OT/embedded-system response — ready to run with AI facilitator briefing included.
A cleared engineer with authorized access begins staging and exfiltrating export-controlled program data. Exercises ITP detection, multi-disciplinary integration, and the response actions an ITPSO must execute.
Intrusion is detected on a covered contractor information system holding CUI. The team must scope impact and execute the cyber-incident report to the designated DoD CSO under time pressure.
A cleared shipyard's production OT / embedded control systems are manipulated, threatening both safety and a classified delivery schedule. Tests ISSM-led IS incident response across the IT/OT boundary.
A trusted lower-tier cleared supplier is breached, creating a pivot toward your classified program. Exercises supply-chain incident coordination, reporting, and insider-threat overlap.
A cleared employee is targeted for recruitment by a foreign intelligence entity. Exercises CI awareness, indicator recognition, and the reporting pathways NISPOM training must instill.
A facility-wide security incident escalates to FSO, ITPSO, ISSM, and the SMO. A leadership-level annual refresher that simultaneously produces self-inspection and management-briefing evidence.
Plus 300+ additional ICS/OT and enterprise scenarios spanning the sectors the cleared DIB operates in. Browse the full library →
Every CyberICS exercise generates four categories of evidence supporting NISPOM training, insider-threat, and self-inspection demonstration during a DCSA Security Review & Rating.
Per-employee participation and completion roster for every 12-month training cycle — the retained record §117.12(k) requires.
AAR + validated completion list documenting an insider-threat response exercise and the actions the ITP team executed.
Timestamped log of a DoD CSO reporting drill — who decided what, and how fast — demonstrating §117.8(f) readiness for covered contractors.
Consolidated PDF bundling training, insider-threat, and incident records into the self-inspection file, with an SMO certification page.
CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.
Start with a free 14-day trial — no credit card required. Or speak with our DIB team about a standing NISPOM training & insider-threat exercise program that pairs with your CMMC 2.0 effort.
Also explore: CMMC 2.0 Toolkit · NIST SP 800-82 Toolkit · CISA CTEP Toolkit