On May 18, 2016, the Department of Defense published “Change 2” to the National Industrial Security Program Operating Manual (NISPOM) that requires contractors to establish and maintain a program to detect, deter and mitigate insider threats by November 30, 2016. Although cleared contractors are already obligated to protect classified information to which they have access, these changes to the NISPOM impose new requirements for contractors to implement programs that the US Government hopes will provide some ability to predict the future, i.e., a “risk” of or “potential” insider threat before one occurs. According to the Change 2 amendments to the NISPOM and an accompanying Industrial Security Letter (ISL), the program must:
- gather, integrate, and report relevant and credible information indicative of a potential or actual insider threat from cleared contractor personnel;
- detect insiders who pose a risk to classified information; and
- mitigate the risk of an insider threat.
Among other things, the insider threat program will require the contractor to (1) establish a new “key” personnel position (the Insider Threat Program Senior Official); (2) implement some means to centrally collect certain data about cleared personnel (“gather” and “integrate”) and define what that data might be; (3) develop some trigger for reviewing the data and making reports of potential “insider threats;” (4) conduct training on the insider threat program; and (5) consider making changes to corporate governance and internal policies to implement this program, such as establishing a new corporate position and changes to internal policies on sharing employee information across departments or monitoring employee activity.
Although the changes to the NISPOM are narrowly focused on classified contracts, cleared government contractors may wish to consider implementing the “insider threat program” as part of an overall effort to meet the requirements of new cybersecurity rules at FAR 52.204-21, which addresses the safeguarding of “covered contractor information systems,” and DFARS 252.204-7012, which addresses safeguarding and reporting breaches of “covered defense information.” Some of the elements necessary to “safeguard” covered contractor or defense information could be used as part of a cleared contractor’s insider threat program.
This advisory provides a high-level overview of the new requirements for this program under the NISPOM as further explained in the ISL.
Insider Threat Minimum Standards for Contractors
NISPOM section 1-202 requires the contractor to establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat. DSS’s Industrial Security Letter takes the NISPOM one step further, providing that the “program must gather, integrate, and report relevant and credible information covered by any of the 13 personnel security adjudicative guidelines,” which DSS contends “is indicative of a potential or actual insider threat.” Those “adjudicative guidelines,” listed here, address areas such as allegiance to the United States, sexual behavior, personal conduct, alcohol and drug consumption, and other outside activities.
Although the term “insider threat” may initially be associated with bad actors intent on espionage, the NISPOM broadly defines it to include malicious cleared actors as well as innocent, “unwitting” cleared personnel who may “do harm to the national security of the United States”:
“the likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency’s obligations to protect classified national security information.”
An “insider” also is not limited to employees. The amended NISPOM defines insider as “cleared contractor personnel” and, therefore, could include subcontractors or other cleared individuals over whom the contractor has some control. Therefore, in considering and implementing these new changes, cleared contractors will need to recognize these broad definitions and the broad scope of potentially relevant factors, but also develop a program that is clearly defined in scope as well as feasible and consistent with the work being performed by the contractor. DSS has indicated that it will consider the size and complexity of a contractor’s work when assessing programs.
According to DSS’s Industrial Security Letter, programs are to include the following elements:
- 1-202a. A plan endorsed by the insider threat program senior official (ITPSO) describing:
  - Capability to gather relevant insider threat information across the contractor facility (e.g., human resources, security, information assurance, legal), commensurate with the organization’s size and operations.
  - Procedures to: access, share, compile, identify, collaborate among the cleared contractor’s functional elements (including those listed above), and report relevant information covered by the 13 personnel security adjudicative guidelines that may be indicative of a potential or actual insider threat; deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risk of an insider threat.
  - Any corporate-wide program plans that address requirements for all cleared facilities within the corporate family and address effective implementation at each cleared entity within the business structure.
  Contractors will be required to self-certify to DSS that a written program plan is implemented and current.
- 1-202b. Formal appointment by the contractor of an ITPSO who is a US citizen employee and a senior official of the company, and a key management employee for the facility clearance (FCL):
  - The ITPSO will be cleared in connection with the FCL and is responsible for establishing and executing the contractor’s insider threat program.
  - The ITPSO must serve in a position with the authority to provide management, accountability, and oversight to effectively implement and manage the program.
  - The facility security officer (FSO) may also serve as the ITPSO. (If the ITPSO is not the FSO, the FSO will need to be an integral member of the team implementing the insider threat program.)
- 1-202c. Appointment of an ITPSO for the corporate family:
  - A corporate family may choose to establish a corporate-wide insider threat program with one senior official responsible for the program.
  - Each cleared legal entity in the corporate family using the corporate-wide ITPSO must separately appoint that person as the ITPSO for that cleared legal entity in e-FCL.
  - If the corporate family chooses to have the corporate-wide ITPSO also serve as the senior official for cleared divisions or branches within a multiple-facility organization, the ITPSO will provide DSS a list of facilities by Commercial and Government Entity (CAGE) code for which the ITPSO serves as the senior official.
  - When a corporate family appoints a single ITPSO, that individual must be able to effectively manage the insider threat requirements for each entity for which they are appointed, or maintain a record of the individuals at each cleared facility who are trained to support implementation of insider threat program requirements.
- 1-207b. Contractors must conduct “self-inspection” reviews:
  - A senior management official at the cleared facility will certify annually to DSS in writing that a self-inspection has been completed as required by NISPOM ¶ 1-207b, and the contractor must maintain “self-inspection reports” and make them available to DSS during the next security vulnerability assessment.
- 1-300. Reporting requirements:
  - Contractors must report relevant and credible information coming to their attention regarding cleared employees. Such reporting includes information indicative of a potential or actual insider threat that is covered by any of the 13 personnel security adjudicative guidelines, or when that information constitutes adverse information, in accordance with NISPOM 1-302a.
  - Training and information on the adjudicative guidelines is available from the DSS Center for Development of Security Excellence (CDSE).
- 1-304. Individual culpability reports: Contractors must have a system or process to identify patterns of negligence or carelessness in handling classified information to ensure reporting under NISPOM 1-304c, even for incidents that do not initially warrant a culpability or individual incident report.
- 3-103. Insider threat training:
  - 3-103.a. Management of the program. Training on insider threat program management is required for all personnel assigned duties related to insider threat program management. Contractors must provide internal training for insider threat program personnel that includes, at a minimum, the topics outlined in NISPOM 3-103a (which may include existing training). CSA-designated training that meets the minimum topics outlined in NISPOM 3-103 is available through the CDSE catalog under Insider Threat here.
  - After November 30, 2016, this training will be required within 30 days of being assigned to insider threat program management.
  - 3-103.b. Employee awareness: Training on insider threat awareness is required for all cleared employees before being granted access to classified information and annually thereafter (see 3-108 regarding “refresher training”). Contractors must provide internal training programs that include, at a minimum, the topics outlined in NISPOM 3-103b (which may include existing training).
  - 3-103b. Insider threat awareness training: All cleared employees who are not currently in access must complete insider threat awareness training prior to being granted access. Cleared employees already in access must complete insider threat awareness training within 12 months of the issuance date of NISPOM Change 2, no later than May 31, 2017.
  - 3-103c. Training records management: Contractors must create and maintain records of all employee insider threat awareness initial and refresher training, and those records must be available for review during DSS security vulnerability assessments.
- 8-100d. User activity monitoring on classified information systems:
  - Contractors must implement the DSS-provided information system security controls on classified information systems in order to detect activity indicative of insider threat behavior. These controls are based on Federal requirements and standards (Federal Information Security Management Act, National Institute of Standards and Technology, and Committee on National Security Systems).
  - Additional guidance for information systems under DSS industrial security cognizance has been incorporated into the DSS Office of the Designated Approving Authority (ODAA) Process Manual for the Certification and Accreditation of Classified Systems under the NISPOM, known as the ODAA Process Manual. The ODAA Process Manual is available here.
- 8-200. Overview. The term “authorizing official” has replaced the term “designated approving authority” in the NISPOM. The DSS ODAA serves as the authorizing official to render an operational authorization decision for contractors based on the results of security assessment activities and the implementation of the set of security controls provided by DSS.