On May 18, 2016, the Defense Security Service (DSS) issued a much anticipated Change 2 to DoD-5220.22-M, known as the National Industrial Security Program Operating Manual (NISPOM). Change 2 requires all contractors that hold facility security clearances to adopt and maintain an "Insider Threat" program that conforms to certain standards, including those outlined in Executive Order 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.
Among other things, the contractor’s insider threat program must do the following:
- Develop a capability to gather threat information commensurate with the contractor’s size and operations, to include gathering, integrating, and reporting relevant and credible information covered by any of the 13 personnel security adjudicative guidelines indicative of a potential or actual insider threat.
- Formally appoint a senior company official as the insider threat program senior official (ITPSO).
- Conduct and document annual self-inspections.
- Report information indicative of a potential or actual insider threat that is covered by any of the 13 personnel security adjudicative guidelines.
- Develop a system or process to identify patterns of negligence or carelessness in handing classified information.
- Implement protection measures to monitor user activity on classified information systems in order to detect activity indicative of insider threat behavior.
- Provide insider threat program management and awareness training to cleared employees.
Cleared contractors must have this written program plan in place to begin implementing insider threat requirements of Change 2 no later than November 30, 2016.