New Insider Threat Program Requirements for Cleared Contractors

June 6, 2016

The U.S. Department of Defense has recently announced a new requirement for cleared contractors to establish an insider threat program. Contractors must create and begin implementing a written insider threat program plan by November 30, 2016. The purpose of the program is to detect insiders who pose a threat to classified information, deter employees from becoming an insider threat, and mitigate risks from insider threats. The key requirements for an insider threat program are outlined below. Wiley Rein can provide additional insight on these new requirements and assist with your program implementation.

  • A contractor must appoint an Insider Threat Program Senior Official (ITPSO) to oversee the insider threat program.
    • A corporate family can establish a corporate-wide ITPSO but still must have a separate ITPSO for each cleared legal entity in the corporate family.
  • The ITPSO must endorse the contractor’s insider threat program plan.
  • A contractor must conduct self-inspections of its security programs, including an insider threat self-assessment, and develop reports documenting the self-inspection. The contractor must certify annually in writing to the Defense Security Service (DSS) that a self-inspection was completed. The contractor must make the self-inspection reports available to DSS for review upon request.
  • A contractor must report to the appropriate agency any relevant and credible information that indicates potential or actual insider threats.
  • A contractor must implement procedures to identify employees who have a history of negligence in handling classified information, so the contractor can report the information regarding those employees.
  • A contractor must provide four types of insider threat training as follows, which also must cover the topics outlined in NISPOM 3-103:
    • Personnel who are assigned duties related to insider threat program management must receive training on management;
    • All cleared employees must receive training on insider threat awareness;
    • All employees who are not yet cleared but are going to be granted clearance must receive insider threat awareness training prior to obtaining clearance;
    • All cleared employees must receive annual refresher training on insider threat awareness.
  • A contractor must establish and retain records of all employee trainings that occur.
  • A contractor must implement the information systems security controls required by DSS for monitoring user activity and detecting potential insider threats.
  • The Information Systems Security Manager (ISSM) must work with the ITPSO to ensure the contractor’s Information Systems Program addresses insider threat awareness.
Read Time: 2 min


Jump to top of page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.