On May 18, 2016, the DOD published Change 2 to DoD 5220.22-M, "National Industrial Security Operating Manual (NISPOM)," which requires contractors to establish and maintain an insider threat program to detect, deter, and mitigate insider threats. The intent of this blog post is to describe the summary of changes required by Change 2 and the impact it will have on contracting organizations.
The Defense Security Service (DSS) has done a great job of providing policy and guidance documents, resource documents, training material, and toolkits to assist in meeting the requirements to build an insider threat program. I suggest you visit the Industry Insider Threat Information and Resources page on the DSS website.
With the implementation of this change, contracting organizations will need to build an insider threat program to (as taken from the Insider Threat Industrial Security Letter) "gather, integrate, and report relevant and credible information covered by any of the 13 personnel security adjudicative guidelines that is indicative of a potential or actual insider threat to deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risk of an insider threat."
NISPOM Appendix C defines a "contractor" as "any industrial, educational, commercial, or other entity that has been granted a facility security clearance (FCL) by a Cognizant Security Agency (CSA)." If you are an entity that fits this description, you are affected by these requirements.
The adjudicative guidelines are described in Title 32, National Defense, Code of Federal Regulations, and include
CONTRACTORS MUST HAVE A WRITTEN PLAN IN PLACE TO BEGIN IMPLEMENTING INSIDER THREAT REQUIREMENTS NO LATER THAN NOVEMBER 30, 2016.
Contractors must establish and maintain a program that is consistent with Executive Order 13587: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information and the National Insider Threat Policy (Minimum Standards for Executive Branch Insider Threat Programs).
According to Executive Order 13587, "This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals."
It is essential that organizations work with general/legal counsel, making them part of the insider threat program team to ensure the insider threat program protects the civil liberties, civil rights, and privacy protections of its employees.
As I suggested earlier, please refer to NISPOM Change 2 for the requirements for the program and the Insider Threat Industrial Security Letter (ISL). Here is a summary of the new requirements that contractors must meet that I've pulled from these referenced documents:
The Insider Threat Center at Carnegie Mellon University's Software Engineering Institute, a Federally Funded Research and Development Center (FFRDC), has been researching insider threats for over a decade. We have published over 100 reports, including best practices for the mitigation of insider threats, which are publicly available on our website.
As an FFRDC, we are able to work with many different organizations, including the DoD, U.S. federal government, law enforcement, industry, and academia, to transfer our knowledge, including how insider incidents evolve over time, how to recognize potential insider threat risk indicators, and how to build and evaluate an effective insider threat program (ITP).
We also perform insider threat vulnerability assessments, deliver insider threat training, which includes an Insider Threat Program Manager Certificate Program, and conduct customized insider threat research.
If we can help you as you work toward meeting the new requirements of NISPOM Change 2 or Executive Order 13587, or if you are anywhere along the path of building an insider threat program, please contact us.
Visit the SEI Digital Library for other publications by Randy.