Creating an Insider Threat Program – Adjusting to NISPOM Change 2 | By: Christopher Burgess / Jun 13, 2016

Change 2 to the NISPOM requires all contractors to set up a formal insider threat program. Counterespionage capabilities will now be the norm within cleared contractor workforces.

“Trust but verify.” It’s an old Russian proverb, “Доверяй, но проверяй,” used often by President Ronald Reagan in the late 1980s during his discussions with Soviet General Secretary Mikhail Gorbachev on US-USSR relations.

This proverb is also applicable when discussing the trustworthiness of a fellow employee, as insider threat programs are created across the cleared contracting community.

On May 18, 2016, the Department of Defense (DOD) issued Change 2 to DOD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM).” The change “requires contractors to establish and maintain an insider threat program.”

Insider threat detection is counterespionage – finding those within your organization who have broken trust.

For the many entities that already have robust counterintelligence and counterespionage programs, this change may require an adjustment in the manner in which information is reported to the Cognizant Security Agency (CSA).

It may require adjustments to the content of the counterintelligence training regime, and it may also require internal adjustments to give the program access to a broader range of information. The Defense Security Service (DSS), in ISL 2016-02, notes that size does matter: DSS will consider the size and complexity of the cleared facility in assessing its implementation of an insider threat program to comply with NISPOM Change 2.

What does a cleared contractor need to do?

Appoint, from within the contracting organization, an “Insider Threat Program Senior Official” (ITPSO).

Ensure the contracting organization has the capability to gather, store and analyze relevant insider threat information, and evolve processes and procedures so the ITPSO has broad access to it.

This includes access to human resources, security, information assurance, legal and similar functions. Smaller entities may find this easier to implement than larger entities, as larger entities tend to silo information. The ITPSO will require cross-entity access.

Report relevant information covered by the “13 personnel security adjudicative guidelines that may be indicative of a potential or actual insider threat.”

Ensure DSS is aware, “through self-certification, that a written program plan is implemented and current.” DSS wishes to ensure that the ITPSO is not simply a figurehead trotted out during each DSS inspection, and so ISL 2016-02 articulates the role of the ITPSO with a bit of granularity:

The ITPSO must be a US citizen employee and a senior official of the company.

The ITPSO must hold a personnel clearance in connection with the Facility Clearance (FCL) and is the individual responsible for the company’s insider threat program.

The need for the individual to be a senior official is explained, as the individual must have the “authority to provide management, accountability and oversight to effectively implement and manage the requirements of the NISPOM related to insider threat.”

The Facility Security Officer (FSO), if senior within the company, may serve as the ITPSO; if not, the FSO will be an integral member of the implementation program.

Larger organizations may appoint a single ITPSO for the corporate-wide program.

Contractors must certify to DSS annually that an insider threat self-inspection has been conducted, and the self-inspection reports must be available to DSS.

Contractor entities must have a system and process in place to identify patterns of negligence or carelessness in handling classified materials.

Insider threat training must be provided to employees whose duties place them within the insider threat program management. The insider-threat training courses offered by the DSS Center for Development of Security Excellence (CDSE) satisfy this requirement.

All cleared employees are required to receive training on insider threats. Currently cleared employees must receive the training within 12 months; new employees must receive it before being granted access to classified information. This training must be documented, and annual refresher training must be implemented.

Contractors must implement the DSS-provided information system security controls on classified information systems in order to detect activity indicative of insider threat behavior.

This is an excerpt of the full article.
