NISPOM Conforming Change 2 and Insider Threat
(What does it mean to you?)
- Establish an insider threat program that will identify and report suspicious activities or threats
- Designate a senior contractor official
- Comply with "Minimum Reporting Requirements for Personnel with National Security Eligibility Determinations"
- Provide records pertinent to insider threat
- Train relevant personnel
- Implement protective measures pertinent to user activity monitoring on classified networks
What you need to know.
The NISP Operating Manual, also called NISPOM, establishes the standard procedures and requirements for government contractors interacting with classified information. The NISPOM was updated in March 2013 with the release of Conforming Change 1.
At the March 2014 meeting of NISPPAC, it was reported that the NISPOM Conforming Change 2 DoD formal coordination process was nearing completion. It was finally released on May 21, 2016. This change will incorporate the minimum standards for insider threat and the cyber intrusion reporting requirements.
NISPOM and Insider Threat
The new program requirements within NISPOM are based on the National Insider Threat Policy Minimum Standards. There are 6 key requirements that must be met by Nov 30, 2016.
6 Key Requirements
Establishment of an insider threat program
Contractors will establish and maintain an insider threat program that gathers, integrates and reports relevant and available information on potential or actual insider threat in accordance with E.O. 13587
Designation of a senior contractor official
The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program.
Reporting indications of an insider threat
Contractors will report all information specified in the "Minimum Reporting Requirements for Personnel with National Security Eligibility Determinations"
Providing records pertinent to insider threat
Per the National Insider Threat Policy, records pertinent to insider threat include but are not limited to:
A. Counterintelligence and Security records. These records include personnel security files, polygraph examination reports, facility access records, security violation files, travel records, foreign contact reports, and financial disclosure filings.
B. Information Assurance. All relevant network data generated by IA elements including, usernames and aliases, levels of network access, audit data, unauthorized use of removable media, print logs, and other data needed for clarification or resolution of an insider threat concern.
Human Resources. Records that include: personnel files, payroll and voucher files, outside work and activities, disciplinary files, and personal contact records.
Insider Threat training
The program must include Insider Threat Training. The Senior Contractor Official must ensure that the contractor program personnel assigned insider threat program responsibilities are trained, as well as all other cleared employees.
The training must include:
A. Counterintelligence and security fundamentals including applicable legal issues
B. Procedures for conducting insider threat response actions
C. Laws and regulations on gathering, integration, retention, safeguarding and use of records and data and the consequences of misuse of such information
D. Legal, civil liberties and privacy policies
Specific insider threat related training must include:
A. The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee
B. Methodologies that adversaries use to recruit trusted insiders
C. Indicators of insider threat behavior and how to report such behavior
D. Counterintelligence and security reporting requirements
Training must be satisfactorily completed within 30 days of initial employment or prior to being granted access to classified information, and annually thereafter. The contractor is responsible for establishing a system to validate and maintain records of all cleared employees who have completed the training.
Protection measures pertinent to user activity monitoring on classified networks
The contractor must implement protection measures to monitor user activity on classified networks to detect activity indicative of insider threat behavior. The measures must be in accordance with guidance issued by the Cognizant Security Agency (CSA) and include the tools or capabilities that they require. In addition, the measures must adhere to Federal systems requirements as specified by FISMA, NIST, CNSS and others.
User Activity Monitoring- CNSS Directive No. 504, Directive on Protecting National Security Systems from Insider Threat, defines User Activity Monitoring (UAM) as "the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threats and to support authorized investigations. "Annex B also states, "Each D/A must have the following minimum capabilities to collect user activity data: key stroke monitoring and full application content (e.g., email, chat, data import, data export), obtain screen captures, and perform file shadowing for all lawful purposes. UAM data must be attributable to a specific user. The D/A should incorporate this data into an analysis system capable of identifying anomalous behavior. .. "