🛡️ NISPOM / DCSA Toolkit

Meet NISPOM §117.12 Training & Insider Threat Obligations with
Ready-to-Run Tabletop Exercises

The NISPOM Rule (32 CFR Part 117) requires every cleared defense contractor under DCSA oversight to deliver recurring security training, run an Insider Threat Program, and document it all for the DCSA Security Review & Rating. CyberICS provides 300+ ready-to-run ICS/OT and insider-threat tabletop scenarios, AI-generated After Action Reports, and audit-ready completion records — turning a recurring compliance obligation into demonstrable readiness across the cleared Defense Industrial Base.

§117.12(g) — Insider threat response training
§117.12(k) — Annual refresher (every 12 months)
§117.8(f) — CDC cyber-incident reporting
§117.7(h) — Self-inspection evidence
Pairs with CMMC 2.0 & DFARS 7012
Start Free — 14-Day Trial 🛡️ See the CMMC 2.0 Toolkit → Talk to Our DIB Compliance Team
Compliance & Handling Note: CyberICS exercise scenarios and evidence artifacts support NISPOM (32 CFR Part 117) security education, insider threat, and self-inspection obligations as part of a structured readiness program. They are not a determination of NISP compliance — that rests with your Cognizant Security Agency (DCSA) and qualified counsel. The platform handles only unclassified training and exercise content and completion records. Classified information must never be entered into, processed by, or stored on any commercial SaaS, including this platform.
Who NISPOM Applies To

Cleared Contractors & Their Key Management Personnel

The NISPOM Rule binds roughly 12,500+ cleared facilities under DCSA's National Industrial Security Program oversight. Every cleared contractor — and the named officials who run its security program — carry recurring training, insider-threat, and self-inspection duties that DCSA verifies during the Security Review & Rating.

Cleared Defense Contractors (CDCs)

Under DCSA NISP Oversight

Any entity granted a facility clearance to access, generate, or store classified information must implement the NISPOM program and submit to DCSA's routine Security Reviews. Covered Defense Contractors carry additional cyber-incident reporting duties on covered systems.

  • Defense manufacturing & shipbuilding (classified IT + OT/embedded systems)
  • Aerospace, missile & munitions producers
  • C4ISR, electronics & systems integrators
  • R&D labs, FFRDCs & university affiliated research centers
  • IT/cloud, logistics & professional-services subcontractors
Tabletop exercises directly evidence §117.12(g) insider-threat response training, §117.12(k) annual refresher, and §117.8(f) cyber-incident reporting readiness.
Key Management Personnel (KMP)

Named, Accountable Security Roles

NISPOM assigns personal responsibility to specific officials. Each must complete role-based training (§117.12) and can present exercise and training records during the DCSA Security Review to demonstrate an active, mature program.

  • FSO — Facility Security Officer: overall program, security education
  • ITPSO — Insider Threat Program Senior Official: ITP & response actions
  • ISSM / ISSO — Information System Security Manager/Officer (§117.18)
  • SMO — Senior Management Official: annual self-inspection certification
  • All cleared employees — annual refresher & insider-threat awareness
§117.7(h): the SMO must annually certify in writing that a self-inspection occurred and KMP were briefed on results — the exercise evidence pack supplies that file.
🔄

A Recurring, Audited Obligation — Not a One-Time Checkbox

§117.12(k) requires security education and training for every cleared employee every 12 months, with participation records retained for DCSA. The regulation explicitly allows "interactive videos … or other media and methods." A standing CyberICS exercise program turns that annual requirement into a repeatable, evidence-generating cycle — in your team's working language.

🇬🇧 English 🇫🇷 Français 🇵🇹 Português 🇪🇸 Español 🇩🇪 Deutsch 🇮🇹 Italiano
32 CFR Part 117 Mapping

NISPOM Obligations → CyberICS Capability

NISPOM names specific training, insider-threat, and reporting duties. Tabletop exercises directly satisfy the insider-threat response, annual-refresher, and incident-reporting requirements, and generate evidence for several more.

32 CFR Part 117 Requirements Reference

Coverage: Core = exercise directly satisfies the obligation  |  Supporting = exercise validates / documents  |  Partial = scenario content covers the risk domain

Section Obligation Requirement Summary CyberICS Capability Coverage
§117.12(g)(1)(ii) Insider threat response training ITP personnel (incl. the ITPSO) must be trained on "procedures for conducting insider threat response actions" The Insider-Threat TTX pack rehearses detection, escalation, and response actions end-to-end; the AI AAR documents the response workflow taken and gaps surfaced Core
§117.12(g)(2)–(3) Annual insider-threat awareness Insider-threat awareness training for all cleared employees annually; contractor must validate completion Awareness scenarios + per-participant completion tracking provide the validated annual record DCSA expects Core
§117.12(k) Annual refresher training Security education & training every 12 months for all cleared employees; maintain participation records; "interactive videos … or other media and methods" permitted A standing exercise program is the refresher system-of-record — recurring sessions, participation logs, and AARs retained as evidence Core
§117.8(f) CDC cyber-incident reports Covered Defense Contractors must rapidly report cyber incidents on covered systems to the designated DoD CSO The DIB cyber-incident-reporting drill rehearses the who / what / timeline of the DoD CSO report under realistic pressure Core
§117.12(e) Initial security briefing Before access: threat awareness, CI awareness, cybersecurity training, and reporting obligations Onboarding scenario set and AI briefings reinforce threat/CI awareness, cybersecurity, and reporting duties for newly cleared staff Supporting
§117.7(d) Insider Threat Program Establish & maintain an ITP consistent with E.O. 13587 and the National Insider Threat Policy minimum standards The ITP exercise pack plus program-maturity gap analysis exercises the ITP's detection, integration, and response functions Supporting
§117.7(h) Self-inspection Annual self-inspection (incl. the ITP); formal report; SMO certifies in writing and briefs KMP The DCSA Security Review Evidence Pack assembles exercise, training, and drill records into the self-inspection file Supporting
§117.12(i) Information-system user training All authorized IS users trained on the security risks of their activities and responsibilities Role-based scenarios reinforce IS-user responsibilities; completion is logged per user as evidence Supporting
§117.18 Information system security (incl. embedded/OT) IS security controls under ISSM/ISSO oversight; "embedded systems" that control a function are information systems in scope OT/ICS and embedded-system scenarios exercise incident response on the control systems inside cleared manufacturing facilities Partial
Platform Capabilities

How CyberICS Supports Your NISPOM Program

Three core capabilities work together to deliver, document, and evidence your §117.12 training and §117.7(d) insider-threat obligations.

🎲
§117.12(g) · (k)

Structured Exercise Execution

Live Session mode runs real-time, multi-participant exercises. Every step, response, and host action is timestamped — producing the auditable training and insider-threat response record NISPOM requires you to retain.

  • Per-employee participation & completion record
  • Step-by-step response walkthrough log
  • Session date, scope, and duration metadata
  • Validated completion list for §117.12(g)(3)
📋
§117.12(g) · §117.8(f)

AI-Generated After Action Report

Immediately after each exercise, CyberICS generates a structured AAR documenting the response actions taken, gaps, and NISPOM section references — the artifact an ITPSO or FSO files as proof the drill happened and what it found.

  • Insider-threat response action sequence
  • NISPOM §117 section references per gap
  • Corrective-action recommendations
  • Multilingual output (EN/FR/PT/ES/DE/IT)
📄
§117.7(h) Self-inspection

DCSA Security Review Evidence Pack

The Compliance Dashboard assembles a NISPOM evidence package — training completion, insider-threat drill records, incident-reporting rehearsals, and a self-inspection summary — so an FSO walks into the DCSA Security Review with the file already built.

  • Annual refresher completion roster
  • Insider-threat & incident drill records
  • Gap & remediation timeline
  • SMO self-inspection certification page
Scenario Library

NISPOM-Relevant Scenarios for the Cleared Defense Industrial Base

Six high-fidelity scenarios built for cleared contractors — insider threat, CDC cyber-incident reporting, and OT/embedded-system response — ready to run with AI facilitator briefing included.

Insider Threat · CDC
§117.7(d) · 117.12(g)
Trusted Insider Exfiltration of Classified Program Data

A cleared engineer with authorized access begins staging and exfiltrating export-controlled program data. Exercises ITP detection, multi-disciplinary integration, and the response actions an ITPSO must execute.

§117.7(d) §117.12(g) E.O. 13587
Cyber Incident · CDC
§117.8(f)
Covered System Compromise → DoD CSO Report

Intrusion is detected on a covered contractor information system holding CUI. The team must scope impact and execute the cyber-incident report to the designated DoD CSO under time pressure.

§117.8(f) DFARS 7012 CMMC 2.0
Defense Manufacturing · OT
§117.18
Embedded Control-System Attack at a Cleared Plant

A cleared shipyard's production OT / embedded control systems are manipulated, threatening both safety and a classified delivery schedule. Tests ISSM-led IS incident response across the IT/OT boundary.

§117.18 IEC 62443 §117.8(f)
Supply Chain · Subcontractor
§117.8 · 117.7(d)
Compromised Cleared Subcontractor

A trusted lower-tier cleared supplier is breached, creating a pivot toward your classified program. Exercises supply-chain incident coordination, reporting, and insider-threat overlap.

Supply Chain §117.8(f) §117.7(d)
Foreign Targeting / CI
§117.12(g)(2)
Foreign Recruitment of a Cleared Insider

A cleared employee is targeted for recruitment by a foreign intelligence entity. Exercises CI awareness, indicator recognition, and the reporting pathways NISPOM training must instill.

§117.12(g)(2) CI Awareness FOCI
Leadership / KMP
§117.12(k) Refresher
Annual KMP Security Crisis Exercise

A facility-wide security incident escalates to FSO, ITPSO, ISSM, and the SMO. A leadership-level annual refresher that simultaneously produces self-inspection and management-briefing evidence.

§117.12(k) §117.7(h) Governance

Plus 300+ additional ICS/OT and enterprise scenarios spanning the sectors the cleared DIB operates in. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation for the DCSA Security Review

Every CyberICS exercise generates four categories of evidence supporting NISPOM training, insider-threat, and self-inspection demonstration during a DCSA Security Review & Rating.

📋
Annual Refresher Completion Record

Per-employee participation and completion roster for every 12-month training cycle — the retained record §117.12(k) requires.

§117.12(k)
🕵️
Insider-Threat Drill Record

AAR + validated completion list documenting an insider-threat response exercise and the actions the ITP team executed.

§117.12(g)(1)–(3)
📧
Cyber-Incident Report Rehearsal

Timestamped log of a DoD CSO reporting drill — who decided what, and how fast — demonstrating §117.8(f) readiness for covered contractors.

§117.8(f)
📁
DCSA Security Review Evidence Pack

Consolidated PDF bundling training, insider-threat, and incident records into the self-inspection file, with an SMO certification page.

§117.7(h)

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Make Your Next DCSA Security Review the Easy One?

Start with a free 14-day trial — no credit card required. Or speak with our DIB team about a standing NISPOM training & insider-threat exercise program that pairs with your CMMC 2.0 effort.

Also explore: CMMC 2.0 Toolkit  ·  NIST SP 800-82 Toolkit  ·  CISA CTEP Toolkit