The NISPOM Regulation Guides Federal Security Clearance Actions


All businesses that deal with classified information must follow government rules that flow from the NISPOM (National Industrial Security Program Operating Manual). The NISPOM establishes the standard procedures and requirements for all government contractors with regard to classified information. Individual agencies add their own requirements on top of it, but the NISPOM provides the foundation that all must follow.

On May 18, 2016, the Under Secretary of Defense for Intelligence issued NISPOM Change 2. NISPOM Change 2 requires cleared contractors to establish and implement insider threat programs. As part of the NISPOM Change 2 requirements, cleared contractors are required to appoint an Insider Threat Program Senior Official (ITPSO) and develop and certify their written insider threat program plans.

Contractors must report on these steps as they are done.

Regarding insider threat plans, the Defense Security Service (DSS) has provided helpful information on how to get started with a program, including templates that firms can use as a starting point for the plan. The template is only a starting point, though, and needs to be tailored to each firm's unique situation. The sample template is hosted on the site of DSS's Center for Development of Security Excellence. Download a copy here.

As for the ITPSO, this must be a U.S. citizen employee who is a senior official and cleared in connection with the FCL. A corporate family may choose to establish a corporate-wide insider threat program with a single ITPSO. The requirement is to separately designate that person as the ITPSO at each legal entity within the corporation. A corporate ITPSO must be on the KMP list for each facility to which he or she is appointed, but does not need to be an employee of each legal entity within the corporate family, only an employee of the corporation.

Designating an ITPSO and building a plan is just the beginning of a functioning insider threat program. The program must be effective: it must support prevention of the insider threat and, if prevention fails, mitigate the resulting risk to the greatest extent possible.

The cost of standing up and running an insider threat program in accordance with the NISPOM is an allowable cost under Federal Acquisition Regulation (FAR)/Cost Accounting Standards (CAS).

Crucial Point has helped clients stand up NISPOM compliant insider threat programs and has assisted many clients in compliance reviews and would be glad to tell you more or answer any questions you may have. Contact us today for a free consultation and we will provide more information.
