New Insider Threat Program Requirements for Cleared Contractors
The U.S. Department of Defense, through Change 2 to the National Industrial Security Program Operating Manual (NISPOM), now requires cleared contractors to establish an insider threat program. Contractors must have a written insider threat program plan in place and begin implementing it by November 30, 2016. The program's purpose is to detect insiders who pose a threat to classified information, to deter employees from becoming insider threats, and to mitigate the risks that insider threats present. The key requirements for an insider threat program are outlined below. Wiley Rein can provide additional insight on these new requirements and assist with your program implementation.
- A contractor must appoint an Insider Threat Program Senior Official (ITPSO) to oversee the insider threat program.
- A corporate family may establish a corporate-wide ITPSO, but each cleared legal entity in the corporate family must still separately designate its own ITPSO.
- The ITPSO must endorse the contractor’s insider threat program plan.
- A contractor must conduct self-inspections of its security programs, including an insider threat self-assessment, and document the results in a self-inspection report. The contractor must certify annually, in writing, to the Defense Security Service (DSS) that the self-inspection was completed, and must make the self-inspection reports available to DSS for review on request.
- A contractor must report to the appropriate agency any relevant and credible information indicating a potential or actual insider threat.
- A contractor must implement procedures to identify employees with a history of negligence in handling classified information, so that this information can be reported.
- A contractor must provide the following four types of insider threat training, covering the topics outlined in NISPOM 3-103:
  - Personnel assigned duties related to insider threat program management must receive insider threat program management training;
  - All cleared employees must receive insider threat awareness training;
  - Employees who are not yet cleared but are to be granted a clearance must receive insider threat awareness training before the clearance is granted;
  - All cleared employees must receive annual insider threat awareness refresher training.
- A contractor must establish and retain records of all insider threat training completed by its employees.
- A contractor must implement the information systems security controls that DSS requires for monitoring user activity and detecting potential insider threats.
- The Information Systems Security Manager (ISSM) must coordinate with the ITPSO to ensure that the contractor's information systems security program addresses insider threat awareness.