Responding to New Federal Requirements for Contractors
On May 18, 2016, the DOD published Change 2 to DoD 5220.22-M, "National Industrial Security Operating Manual (NISPOM)," which requires contractors to establish and maintain an insider threat program to detect, deter, and mitigate insider threats. The intent of this blog post is to describe the summary of changes required by Change 2 and the impact it will have on contracting organizations.
The Defense Security Service (DSS) has done a great job of providing policy and guidance documents, resource documents, training material, and toolkits to assist in meeting the requirements to build an insider threat program. I suggest you visit the Industry Insider Threat Information and Resources page on the DSS website.
With the implementation of this change, contracting organizations will need to build an insider threat program to (as taken from the Insider Threat Industrial Security Letter) "gather, integrate, and report relevant and credible information covered by any of the 13 personnel security adjudicative guidelines that is indicative of a potential or actual insider threat to deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risk of an insider threat."
NISPOM Appendix C defines a "contractor" as "any industrial, educational, commercial, or other entity that has been granted a facility security clearance (FCL) by a Cognizant Security Agency (CSA)." If you are an entity that fits this description, you are affected by these requirements.
The adjudicative guidelines are described in Title 32, National Defense, Code of Federal Regulations, and include
- allegiance to the United States
- foreign influence
- foreign preference
- sexual behavior
- personal conduct
- financial considerations
- alcohol consumption
- drug involvement
- emotional, mental, and personality disorders
- criminal conduct
- security violations
- outside activities
- misuse of information technology systems
CONTRACTORS MUST HAVE A WRITTEN PLAN IN PLACE TO BEGIN IMPLEMENTING INSIDER THREAT REQUIREMENTS NO LATER THAN NOVEMBER 30, 2016.
Contractors must establish and maintain a program that is consistent with Executive Order 13587: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information and the National Insider Threat Policy (Minimum Standards for Executive Standards for Executive Branch Insider Threat Programs).
According to Executive Order 13587, "This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals."
It is essential that organizations work with general/legal counsel, making them part of the insider threat program team to ensure the insider threat program protects the civil liberties, civil rights, and privacy protections of its employees.
As I suggested earlier, please refer to NISPOM Change 2 for the requirements for the program and the Insider Threat Industrial Security Letter (ISL). Here is a summary of the new requirements that contractors must meet that I've pulled from these referenced documents:
- Assign an insider threat program (ITP) senior official.
- Establish and maintain an ITP to gather, integrate, and report information (from HR, Security, Information Assurance, Legal, counterintelligence) about a potential or actual insider threat.
- Establish procedures to access, share, identify, and collaborate across the contractor organization to report information related to the 13 personnel security adjudicative guidelines. (Contractors are required to report relevant and credible information regarding potential and actual insider threats.)
- Ensure that insider threat programs address all cleared facility locations owned and operated by the contractor.
- Perform yearly self-inspections and certify with DSS.
- Allow independent assessments of their ITP.
- Develop a system or process to identify and report patterns of negligence and carelessness in handling classified information.
- Ensure that insider threat training is provided to all members of the contractor's ITP team and that new ITP team members complete the training within 30 days of joining the program team.
- Require insider threat awareness training for all employees before they are granted access to classified information and refresh their training yearly afterwards. To confirm training is complete, the contractor must have in place a training records management system.
- Implement the DSS-provided information security controls on classified information systems to detect insider threat behavior.
- Establish an oversight mechanism to ensure the proper handling and use of information collected through the ITP.
- Establish procedures and processes for insider threat response actions.
- Develop a process to document each insider inquiry, investigation, and remediation.
The Insider Threat Center at Carnegie Mellon University's Software Engineering Institute, a Federally Funded Research and Development Center (FFRDC), has been researching insider threats for over a decade. We have published over 100 reports, including best practices for the mitigation of insider threats, which are publicly available on our website.
As an FFRDC, we are able to work with many different organizations, including the DoD, U.S. federal government, law enforcement, industry, and academia to transfer our knowledge, including how insider incidents evolve over time, how to recognize potential insider threat risk indicators, and how to build and evaluate an effective ITP.
We also perform insider threat vulnerability assessments, deliver insider threat training, which includes an Insider Threat Program Manager Certificate Program, and conduct customized insider threat research.
If we can help you as you work toward meeting the new requirements of NISPOM Change 2 or Executive Order 1357, or if you are anywhere along the path of building an insider threat program, please contact us.