In the wake of the fallout from former contractor Edward Snowden’s leaks of highly confidential information, the government recently implemented new requirements for private businesses hoping to obtain federal contracts. These requirements, known as Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM), include a series of measures aimed at establishing an Insider Threat Program (ITP) based on frequent self-inspection and training.
Companies today are feeling increasingly vulnerable to the threat that negligent or malicious insiders may pose to their information security. According to a recent article in the New York Times, the tech firm Haystax found in a survey that 74% of organizations feel vulnerable to insider threats and only 42% feel they have the proper oversight to prevent an insider attack. These threats are compounded by the increasing use of third-party contractors, who are often given access to important company information without being subjected to the same degree of control as internal employees. The new amendments to NISPOM are meant to ensure that individuals employed directly by the federal government, as well as those who are temporarily contracted for government work, know how to identify an internal threat in their organization and understand the consequences associated with breaching security.
According to a report by the Philadelphia-based law firm Blank Rome LLP, NISPOM Change 2 specifies training for general company personnel who will handle classified information, as well as specialized training for employees responsible for implementing wider ITP measures. The general training for employees covers identification of the current and potential threat environment, procedures for detecting and reporting insider threats, and the consequences of stealing secure information.
Training for ITP personnel is more rigorous than that for general cleared personnel, and incorporates content on legal issues surrounding security and counterintelligence, as well as civil liberties. Both of the prescribed training programs must be completed by a certain time, and trained employees must take an assessment after they complete the training to measure retention. These training programs raise awareness of how contractors can identify possible risks within their organization and avoid malicious activity that may compromise classified information.
Beyond insider threat training, NISPOM Change 2 also compels contractors to implement other elements of an Insider Threat Program. Companies are required to assign an individual to act as the “Insider Threat Program Senior Official” (“ITPSO”) and take the lead on all matters related to implementing an ITP. Contracting companies are also expected to conduct annual self-inspections of their ITP and to report any potential or actual insider threats to the Defense Security Service (DSS).
Apart from requirements regarding the establishment of an ITP, NISPOM Change 2 adjusted the reporting requirements for defense contractors that experience “cyber incidents.”
The emergence of NISPOM Change 2 is significant for any company that is currently contracted with the federal government or plans to do business with the federal government in the future. These amendments demonstrate a change in how the government views information security threats and, more generally, in where threats are being identified. Organizations should take note of the potential dangers posed by insider threats, especially threats originating from third-party organizations, and implement programs aimed at identifying and mitigating these risks.