search menu icon-carat-right cmu-wordmark

SEI Helps Government Contractors Ramp Up to Meet New NISPOM Mandate


Change 2 Insider Threat Rules to Go Into Effect November 30, 2016

July 5, 2016—In May 2016, the Department of Defense (DoD) released Change 2 to the National Industrial Security Program Operating Manual (NISPOM). This change, which comes in the wake of a number of high-profile insider incidents involving government contractors, requires cleared federal government contractors to establish an insider threat program in their organizations. The clock is already ticking on this requirement: Change 2 stipulates that contractors must have a written plan in place to begin implementing the new insider threat requirements no later than November 30, 2016.

The SEI will be conducting a free webinar on the impact of Change 2: “How to Build an Effective Insider Threat Program to Comply with the New NISPOM Mandate.” This webinar will take place Thursday, July 7, from 10:30 a.m. to 11:30 a.m. EDT.

Writing in a recent Insider Threat Blog post, the SEI’s Randy Trzeciak, technical manager of the CERT Division’s Enterprise Threat and Vulnerability Management Team and the CERT Insider Threat Center, noted “The Defense Security Service (DSS) has done a great job of providing policy and guidance documents, resource document, training material, and toolkits to assist in meeting the requirements to build an insider threat program.” DSS has made these resources available on its Industry Insider Threat Information Resources Page.

In addition, Trzeciak stresses, “It is essential for organizations to work with their general/legal counsel, making them part of the insider threat program team to ensure the insider threat program protects civil liberties, civil rights, and the privacy of their employees.”

“Our years of research, modeling, and analysis in this area have provided a foundation on which we’ve developed socio-technical best practices to help organizations deter, detect, and respond to insider threats,” said Trzeciak.

Organizations seeking to come up to speed on cybersecurity and physical security issues involving insider threat, and to develop insider threat programs that comply with Change 2 of the NISPOM (DoD 5220.22-M), are encouraged to review the ways in which the SEI can support their efforts. Interested organizations can take advantage of a number of SEI classes on detecting and responding to insider threat, including Building an Insider Threat Program. The SEI also offers a certificate program for Insider Threat Program Managers, Insider Threat Program Evaluation services, and an Insider Threat Program Development Workshop.

For more information about SEI tools and resources available to support organizations working to meet the new NISPOM mandate, visit