NISPOM Conforming Change 2 is a new U.S. government regulation released on May 18, 2016 that mandates Insider Threat programs for cleared contractors. Here we answer some of the basic questions you may have about the program.
This is the first in a series of articles covering NISPOM Conforming Change 2.
Learn more about the policy changes and how you can prepare your organization for compliance on our Conforming Change 2 Resource Center page.
What is NISPOM?
NISPOM is the National Industrial Security Program Operating Manual. It represents the "rules of the road" for U.S. government contractors who handle classified information. The compliance requirements fall under the Defense Security Service (DSS) of the U.S. Department of Defense (DOD). DSS acts as the industrial security manager for 31 federal agencies, so even if you do not hold a DOD contract, you may still be subject to NISPOM rules if you are a cleared contractor for one of those agencies. If you have, or aspire to have, a classified U.S. Government contract, your Facility Security Clearance (FCL) will be governed by the rules of the NISPOM.
What is Conforming Change 2?
Conforming Change 2 went into effect on May 18, 2016. It mandates that all cleared contractors have in place an insider threat program that adheres to certain standards. The program must be consistent with the requirements outlined in Executive Order 13587 and in the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. In effect, the government is taking the template it created for its own agencies' programs and applying it to the cleared contractor community.
Why is this important?
From pencils to aircraft carriers, the government depends on what is broadly called the Defense Industrial Base to make the products that run the machinery of government. Private companies also supply large numbers of contract personnel to fill government staffing shortfalls. The government recognizes that when adequate security is not in place, your vulnerabilities become its vulnerabilities. Remember, Edward Snowden was a contractor, not a government employee, and he had access to extremely sensitive information.
Who will be affected?
All cleared contracting companies subject to NISPOM will be required to have an Insider Threat program.
What are the rules I must follow?
In addition to standing NISPOM requirements, Conforming Change 2 also requires cleared contractors to:
- Be able to gather, integrate and analyze information on potential or actual Insider Threats
- Designate a key person in charge of the Insider Threat program
- Maintain records relative to Insider Threat information
- Conduct self-inspections of the Insider Threat program
- Report Insider Threat incidents
- Conduct Insider Threat training that includes adversary capabilities, counterintelligence concepts, means to respond to Insider Threat incidents, and legal and privacy issues, among other areas.
Your company will be measured against the requirements of Conforming Change 2 during its DSS audit, known as a Security Vulnerability Assessment (SVA).
Is compliance with Conforming Change 2 enough?
No. As with the predecessor documents, EO 13587 and the Minimum Standards noted above, the government deliberately set a low bar when rolling out its initial rules, so compliance should be treated as a floor rather than a finished program. According to the National Insider Threat Task Force, your company should consider these three questions when you begin to build an Insider Threat program:
- What are your most important assets (your "crown jewels")?
- Who are your "insiders"? Do these include only employees, or also contractors and suppliers? Note that the government definition centers on "cleared contractor personnel" and is agnostic about whether they are your own employees.
- What is the right organizational culture for your company to protect those assets most effectively?