The government recently issued long-awaited amendments to the National Industrial Security Program Operating Manual (“NISPOM”). The amendments, known as Conforming Change 2, are targeted at combating insider threats and impose several new requirements warranting immediate action by contractors holding facility clearances.
There are four key elements to Change 2: (1) a mandated Insider Threat Program (“ITP”); (2) new cyber incident reporting requirements; (3) newly defined NISPOM components; and (4) an updated standard for foreign-owned or controlled companies seeking access to proscribed information. We summarize these changes and provide implementation suggestions below.
I. Insider Threat – Mandated Insider Threat Program
Change 2 requires cleared contractors to have a written Insider Threat Program plan no later than November 30, 2016. The ITP must detect, deter, and mitigate insider threats consistent with the ITP requirements currently imposed on executive branch agencies (as set forth in Executive Order 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs).
Change 2 requires contractors to implement the program so that it gathers, integrates, and reports relevant and credible information (that is, information covered by the government’s personnel security adjudicative guidelines and indicative of a potential or actual insider threat) in order to: deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risk of an insider threat.
We highlight the key components of the ITP under Change 2 (and DSS’s corresponding Industrial Security Letter regarding Change 2).
A. Designation of Insider Threat Program Senior Official (NISPOM 1-202)
Change 2 requires the ITP to be led by an “Insider Threat Program Senior Official” (“ITPSO”). Contractors must designate an individual to hold this position (and he or she must be a U.S. citizen employee and senior company official). The ITPSO can be the same individual who serves as the Facility Security Officer (“FSO”). In any event, the FSO must serve as an integral member of ITP implementation. Change 2 also permits corporate families to appoint a corporate-wide ITPSO.
B. Conducting Insider Threat Training (NISPOM 3-103)
Change 2 mandates ITP training that requires: (1) training of personnel charged with implementing the ITP and (2) training of cleared personnel company-wide.
ITP Personnel Training. The level of training required for ITP managers is more rigorous than other cleared personnel, and requires awareness of legal issues surrounding counterintelligence and security fundamentals, the specific laws and regulations applicable to records and data gathering, as well as other legal, civil liberties, and privacy issues. After November 30, 2016, new ITP personnel must complete training within 30 days of being assigned ITP duties.
Cleared Personnel Training. Beyond the ITP personnel, all other cleared employees must receive insider threat training prior to gaining access to classified information, and annually thereafter. This training must address current and potential threats in the work and personal environment, and is to cover detecting and reporting, adversary methodologies, indicators of threats, as well as reporting requirements. Training of cleared employees who already have access to classified information must be completed no later than May 31, 2017.
C. Self-Inspection of Contractor Insider Threat Program (NISPOM 1-207b)
Change 2 requires contractors to conduct formal self-inspections of the ITP. Completion of the self-inspection must be certified to DSS annually and contractors are required to make inspection reports available to DSS during their security vulnerability assessments. Change 2 further provides that the self-inspections must be executed with the support of company management.
In conducting self-inspections of the ITP, contractors should look to the 2016 Self-Inspection Handbook for NISP Contractors published by DSS. The Handbook provides guidance on implementing insider threat program requirements and includes detailed inspection checklists organized by NISPOM requirement.
D. Insider Threat Reporting Requirements (NISPOM 1-300)
Change 2 also broadens the NISPOM’s reporting requirements to specifically include insider threats posed by cleared employees. Now, contractors must report relevant and credible information coming to their attention regarding cleared employees, including adverse information (defined below) or information indicative of a potential or actual insider threat that falls under any of the government’s 13 “personnel security adjudicative guidelines” set forth at 32 C.F.R. Part 147.
II. Cybersecurity – New Cyber Incident Requirements
Change 2 adds NISPOM requirements related to the reporting of “cyber incidents” on classified networks for Cleared Department of Defense Contractors (“CDCs”). The NISPOM now defines “cyber incidents” as “actions taken through the use of computer networks that result in an actual or potentially adverse effect on an [Information System] or the information residing therein.”
These amendments are consistent with other recent regulations applicable to cleared contractors such as Section 1632 of the 2015 NDAA and the recent FAR and DFARS provisions imposing cybersecurity compliance requirements on contractors.
A. Cyber Incident Reporting (NISPOM 1-401)
Change 2 requires CDCs to report cyber incidents on a “classified covered information system” to the Department of Defense (“DOD”) and include information relating to the methods used, samples of any malicious software used, along with a summary of potentially compromised information. The NISPOM now defines such systems as those owned or operated by the CDC that process, store, or transmit information created by or for the DOD.
B. DOD Access to Equipment and Information (NISPOM 1-402)
Under Conforming Change 2, DOD personnel may also obtain access to equipment or information of cleared defense contractors that DOD determines is “necessary to conduct forensic analysis” beyond the analysis of a cyber incident conducted by the contractor.
III. Key Terms to Know – Newly Defined NISPOM Components
Conforming Change 2 also added and modified several important definitions within the NISPOM. The most notable are:
- Adverse Information. Any information that adversely reflects on the integrity or character of a cleared employee, that suggests that his or her ability to safeguard classified information may be impaired, or that his or her access to classified information clearly may not be in the interest of national security, or that the individual constitutes an insider threat.
- Cybersecurity. Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.
- Insider. Cleared contractor personnel with authorized access to any government or contractor resource, including personnel, facilities, information, equipment, networks, and systems.
- Insider Threat. The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency’s obligations to protect classified national security information.
IV. National Interest Determinations – Updated Standard under Conforming Change 2
Finally, Change 2 updates the standard by which the government will issue a National Interest Determination (“NID”) to conform with Directive-Type Memorandum (DTM) 09-019 issued by the Under Secretary of Defense (Intelligence).
Under NISPOM 2-303c(2), a Government Contracting Activity is to determine whether the release of “proscribed information” to a foreign-owned or controlled contractor operating under a Special Security Agreement “is consistent with the national security interests of the United States.”
Such “proscribed information” includes: Top Secret information; COMSEC information or material, excluding controlled cryptographic items when unkeyed or utilized with unclassified keys; Restricted Data (“RD”) as defined at 42 U.S.C. § 2014(y); Special Access Program (“SAP”) information; and Sensitive Compartmented Information (“SCI”).
V. Implementation Suggestions
We include below three suggestions for contractors to consider as part of their Change 2 implementation efforts:
- Establish an Insider Threat Program Committee. Companies should consider establishing a formal Insider Threat Program Committee chaired by the FSO/Insider Threat Program Senior Official, with representatives from Legal, HR, IT, and senior executive management. Setting regular meetings with these key stakeholders during the implementation period will help ensure needed feedback is timely received and incorporated in compliance efforts.
- Coordinate IT/Cybersecurity Compliance with the Insider Threat Program. Given the parallels between Change 2 and recent regulatory developments imposing cybersecurity compliance requirements, the ITP Committee should pay particular attention to the overlap between the technology/reporting requirements of Change 2 and broader company-wide cybersecurity and IT practices.
- Cast a Wide Net for Resources. DSS maintains a wealth of public information regarding Change 2 implementation, with additional information available through industry organizations like the National Classification Management Society. Contractors should leverage these resources, and reach out to their DSS representatives as needed, during Change 2 implementation.
Some of these resources include:
- The summary of all of the Conforming Change 2 amendments released by the government.
- DSS Industrial Security Letter (2016-02) providing implementation guidance specific to the Change 2 Insider Threat Program.
- The DSS Self-Inspection Handbook for NISP Contractors, which includes guidance on implementing insider threat program requirements as well as detailed self-inspection resources.
Continue to follow the Government Contracts Navigator as we cover emerging issues with the Change 2 rollout and how contractors can best navigate this and other important regulatory developments.