All businesses that deal with classified information must follow government rules that flow from the NISPOM (National Industrial Security Program Operating Manual). The NISPOM establishes the standard procedures and requirements for all government contractors with regard to classified information. Individual agencies add their own requirements, but the NISPOM provides the foundation that all must follow.
On May 18, 2016, the Under Secretary of Defense for Intelligence issued NISPOM Change 2. NISPOM Change 2 requires cleared contractors to establish and implement insider threat programs. As part of the NISPOM Change 2 requirements, cleared contractors are required to appoint an Insider Threat Program Senior Official (ITPSO) and develop and certify their written insider threat program plans.
Contractors must report on these steps as they are done.
Regarding insider threat plans, the Defense Security Service (DSS) has provided helpful information on how to get started with a program, including templates that firms can use as a starting point for the plan. The template they provide needs to be tailored to each firm’s unique situation. The template sample is hosted on the site of DSS’s Center for Development of Security Excellence. Download a copy here.
As for the ITPSO, this must be a U.S. citizen employee who is a senior official and cleared in connection with the FCL. A corporate family may choose to establish a corporate-wide insider threat program with a single ITPSO. The requirement is to separately designate that person as the ITPSO at each legal entity within the corporation. A Corporate ITPSO must be on the KMP list for each facility to which he/she is appointed, but does not need to be an employee of each legal entity within a corporate family, only an employee of the corporation.
Designating an ITPSO and building a plan is just the beginning of a functioning insider threat program. The program must be effective: it must support preventing the insider threat and, if prevention fails, mitigate risks to the greatest extent possible.
The cost of standing up and running an insider threat program in accordance with the NISPOM is an allowable cost under Federal Acquisition Regulation (FAR)/Cost Accounting Standards (CAS).
Crucial Point has helped clients stand up NISPOM-compliant insider threat programs and has assisted many clients in compliance reviews. We would be glad to tell you more or answer any questions you may have. Contact us today for a free consultation and we will provide more information.