NISPOM Change 2: Start By Focusing on These 4 Requirements [UPDATED]

By Greg Cullison


In a previous post we discussed a new update to the National Industrial Security Policy Operating Manual or NISPOM. Officially released on May 18, 2016, Conforming Change 2 requires that all classified government contractors create and maintain their own Insider Threat Program.

This is the second in a series of articles covering NISPOM Conforming Change 2.
Learn more about the new policy and how you can prepare your organization for compliance on our CONFORMING CHANGE 2 RESOURCE CENTER page.

As was widely anticipated, Conforming Change 2 states that government contractors must conform to the same standards as the U.S. Government, based on two documents: Executive Order 13587 and the National Insider Threat Policy (NITP).

Section 1-202 of the NISPOM covers the Insider Threat program.

As you consider building out your company's Insider Threat program, we suggest you focus on these four areas that form the core of the new requirements:

Requirement 1 - Insider Threat Program Manager

It should be no surprise that the government is taking a top-down approach to mandating the management of an Insider Threat problem with Conforming Change 2. You need solid leadership to run your program effectively, so this is not just a requirement but an excellent practice.

Specifically, the NISPOM change requires you to designate a cleared U.S. citizen who is a senior company official to enforce the operation of your Insider Threat program. A single responsible person with accountability for the program’s success must be chosen by name and empowered to run it, along with taking on a spiffy new title: Insider Threat Program Senior Officer (ITPSO). You are allowed to have your company's Facility Security Officer (FSO) also serve as the ITPSO, because, hey -- who doesn't love wearing several hats? But if the FSO and ITPSO are in fact separate people, the FSO needs to be an integral member of your company's Insider Threat program.

If your company has several facilities, you are permitted to set up one corporate-wide program.

Requirement 2 - Data Availability to the Insider Threat Program

Your program must have the means to "gather, integrate, and report relevant and available information indicative of a potential or actual insider threat."

This will require a centralized place where the information is consolidated. In its own policy documents, the U.S. Government refers to this as the "Hub". The Hub is the place where multiple data streams come together for analysis. Conforming Change 2 requirements are vague on how this information must flow into the Insider Threat program, indicating that the Hub can be assembled in a way that is suited to your organization. This could look like a virtual program office, or a dedicated Security Operations Center. The main factor to consider is that information must be freed from its various stovepipes within the functional areas of your company and collected in a central, shared location in order to be useful for identifying patterns leading to the mitigation of Insider Threats.

While not specifically directed in Change 2, we strongly urge you to establish a cross-cutting Insider Threat Working Group (headed by the ITPSO), so your company can better track potential threats based on information from across the enterprise, rather than leaving the data in silos where it loses the potential for matching up with other critical pieces of information.

Requirement 3 - Insider Threat Training

An informed workforce is better able to spot Insider Threat activity early and avoid unintentional data leaks. The training as outlined in Conforming Change 2 must contain specific and targeted information, delivered to two separate audiences:

Employees who are responsible for managing or supporting operations of your Insider Threat program need to be trained on:

  • Counterintelligence and security fundamentals, including applicable legal issues.
  • Procedures for conducting insider threat response actions.
  • Applicable laws and regulations regarding gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information.
  • Applicable legal, civil liberties, and privacy policies.

All employees who hold a security clearance must participate in training about:

  • The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the Insider Threat program designee.
  • Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems.
  • Indicators of insider threat behavior, and procedures to report such behavior.
  • Counterintelligence and security reporting requirements, as applicable.

Generally, the training should be given before employees are granted a clearance, and then annual refresher training is required for all clearance holders. As for the exact contents of the training, Change 2 only dictates that DSS must consider the training to be "appropriate".

True, the U.S. Government may allow you to check the compliance box just by showing that you plan to present an annual training slide deck. But consider whether this "one and done" requirement will be enough for your employees to maintain a defensive mindset and avoid slipping back into bad habits. It pays to make the effort to create a culture of security awareness.

Requirement 4 - Monitor User Behavior on Classified Networks

In many cases, the classified networks will be operated by the government, so this responsibility will devolve to the government itself. If your company maintains classified networks, you need to be able to monitor user activity in such a way that you can "detect activity indicative of insider threat behavior." Your information security plan will be under the watchful eye of the Information Systems Security Manager (ISSM) that the government requires you to designate as part of compliance with myriad other Federal information security regulations.

Of course, compliance is important, but...

If you want to truly protect your proprietary information from internal bad actors -- regardless of whether it forms part of the government supply chain -- you will need to go beyond the minimum standards and conduct a true threat vs. risk assessment for your own operations. 

If creating an Insider Threat Program under Conforming Change 2 will require you to conduct organizational process redesign, our Insider Threat Guide can help you take the necessary steps in the right direction to both be compliant and protect your employees and assets.
