Creating an Insider Threat Program – Adjusting to NISPOM Change 2

Defense Contractors

“Trust but verify.” It’s an old Russian proverb, “Доверяй, но проверяй,” used often by President Ronald Reagan in the late 1980s during his discussions with Russian General Secretary Mikhail Gorbachev on US-USSR relations. This proverb is also applicable when discussing the trustworthiness of a fellow employee, as insider threat programs are created across the cleared contracting community.

On May 18 the Department of Defense (DOD) issued Change 2 to DOD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM).” The change “requires contractors to establish and maintain an insider threat program.” Insider threat detection is counterespionage – finding those within your organization who have broken trust. For the many entities with robust counterintelligence and counterespionage programs, this change may require an adjustment in the manner in which information is reported to the Cognizant Security Agency (CSA). It may require adjustments in the content of the counterintelligence training regime, and may also require internal adjustments to grant access to broader amounts of information. The Defense Security Service (DSS) in its ISL 2016-02 notes that size does matter, and DSS will consider the size and complexity of the cleared facility in assessing its implementation of an insider threat program to comply with NISPOM Change 2.

What does a cleared contractor need to do?

  1. Appoint from within the contracting organization the “Insider Threat Program Senior Official” (ITPSO).
  2. Ensure the contracting organization has the capability to gather, store and analyze relevant insider threat information. Evolve processes and procedures to ensure the ITPSO has broad access to this information (human resources, security, information assurance, legal, etc.). Smaller entities may find this easier to implement than larger entities, as larger entities tend to silo information. The ITPSO will require cross-entity access.
  3. Report relevant information covered by the “13 personnel security adjudicative guidelines that may be indicative of a potential or actual insider threat.”
  4. Ensure DSS is aware, “through self-certification, that a written program plan is implemented and current.” DSS wishes to ensure that the ITPSO is not simply a figurehead who is trotted out during each DSS inspection, and thus articulates with a bit of granularity the role of the ITPSO in its ISL 2016-02.
    • ITPSO will be a US citizen employee and a senior official of the company.
    • ITPSO will hold a clearance associated with the Facility Clearance (FCL) and is the responsible individual with respect to the company’s insider threat program.
    • The need for the individual to be a senior official is explained, as the individual must have the “authority to provide management, accountability and oversight to effectively implement and manage the requirements of the NISPOM related to insider threat.”
    • The FSO (Facility Security Officer), if senior within the company, may be the ITPSO; if not, the FSO will be an integral member of the implementation program.
    • Larger organizations may appoint a single ITPSO for the corporate-wide program.
  5. Annual insider threat self-inspections will be certified as having been conducted to DSS. These self-inspection reports will be available to DSS.
  6. Contractor entities must have a system and process in place to identify patterns of negligence or carelessness in handling classified materials.
  7. Insider threat training must be provided to employees whose duties place them within the insider threat program management. The DSS CDSE insider-threat training courses satisfy this requirement.
  8. All cleared employees are required to receive training on insider threats. Current employees must receive the training within 12 months; new employees must receive it prior to accessing classified materials. This training must be documented and annual refresher training implemented.
  9. Information systems must implement DSS-provided information system security controls on classified information systems in order to detect activity indicative of insider threat behavior.

Implementation and counterintelligence reality

As noted above, implementation of the insider threat program may be less cumbersome for smaller entities than for larger entities, as adjusting the ITPSO’s access to required information may require fewer hurdles to be cleared. The training program for those who have been given the role of deterring, detecting and mitigating the insider threat is important, and is more than just a coupon-punch exercise. Furthermore, those within the insider threat program must heighten their own vigilance, cyber hygiene, and care in their personal affairs, as they are very attractive targets for any hostile foreign intelligence officer.

The ITPSO and their team are charged with verifying the trustworthiness of their colleagues. They have been issued a hammer by DSS with this NISPOM change. They will be called upon to exercise great patience and understanding as they implement their insider threat program. With this hammer in hand, one must take to heart Maslow’s 1962 admonition in his book “Toward a Psychology of Being”: “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

The team will be accessing and compiling information which will give a complete picture of the actions of each of their individual colleagues. They will also be compiling and collating information across the company’s internal boundaries, information which may previously have been kept separate to protect against accidental or nefarious disclosure.

The insider threat program is a necessary program, designed to protect the classified information handled by the company and their employees/contractors.


Background on the creation of the NISPOM Change 2

On October 7, 2011, President Barack Obama issued Executive Order 13587 (Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information), putting the onus on all entities which handled classified information to establish an insider threat detection and prevention program. The executive order went on to direct that the Insider Threat Task Force “develop a Government-wide program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise or unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.” The Insider Threat Task Force’s work “shall include development of policies, objectives, and priorities for establishing and integrating security, counterintelligence, user audits and monitoring, and other safeguarding capabilities within agencies.”

NISPOM Change 2 is the natural progression in the DOD’s adherence to Executive Order 13587.


NISPOM DOD 5220.22-M – National Industrial Security Program Operating Manual – February 2006, incorporating Change 2, May 18, 2016: PDF of Manual

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).