Thursday, September 8, 2016

Insider Threat Training

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP). As mentioned in the first article in the series, all should be incorporated into your customized self-inspection checklist: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.

The current series of articles will be temporarily reset while the author considers the new self-inspection guidelines and requirements, especially as addressed in section (Y) Insider Threat.

A cleared contractor under NISP is required to establish an Insider Threat Program (ITP); this ITP will be reviewed by the cognizant security agency (CSA) (the Defense Security Service is the CSA for the Department of Defense). The ITP is emphasized in the Self-Inspection Handbook and NISPOM:

These self-inspections will be related to the activity, information, information systems (ISs), and conditions of the overall security program, to include the Insider Threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy. [1-207b, 1-207b(1) NISPOM]

While the NISPOM requires all participants in the NISP to conduct their own self-inspections, to include an insider threat self-assessment, the Self-Inspection Handbook is designed as a job aid to assist with developing a viable self-inspection program. This article focuses on how NISP participants can tailor the NISPOM requirements and Self-Inspection Handbook questions for their own organizations.

For the purpose of this article series, we’ll address the questions per the spirit of the Self-Inspection Handbook; first generally, then later with specific questions as the handbook leads.

General Application:

Question: Does your company implement insider threat training as outlined in NISPOM 3-103 and CSA guidance?

NISPOM 3-103 states:
Insider Threat Program Senior Official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees complete training that the CSA considers appropriate.
a. Contractor insider threat program personnel, including the contractor designated Insider Threat Program Senior Official, must be trained in:
(1) Counterintelligence and security fundamentals, including applicable legal issues.
(2) Procedures for conducting insider threat response actions.
(3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information.
(4) Applicable legal, civil liberties, and privacy policies.
b. All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.

This is a broad question demonstrating the requirement that the company develop, document, and present insider threat training to complement the ITP and industrial security requirements. According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training. Interestingly enough, the Insider Threat Training is now required prior to giving a cleared employee access to classified information.

Did you get that? Not only is it required annually, but it must be provided as initial security training as well. A further analysis of the training requirements suggests that the insider threat awareness training and the annual refresher address the same issues; it’s just repackaged. As such, a NISP contractor’s initial security briefing and annual refresher should be repackaged to demonstrate requirements. Either the insider threat topic is added or it is incorporated into existing training programs.

· Requirements PRIOR to the recent changes to NISPOM:
  o The FSO provided initial security training and annual refresher training.
  o The holder of classified information validated an employee’s access (clearance level) and need to know.

· Requirements AFTER the NISPOM updates:
  o The FSO demonstrates that cleared employees have completed ITP awareness training before being granted access to classified information, and annually thereafter.

Contractors under NISP should develop and implement initial and annual refresher insider threat training for all cleared employees.


1. Provide a copy of insider threat training that is either stand-alone or incorporated into existing training plans.

2. Provide a sign-in sheet or other media to demonstrate that required employees have received the required training.

3. Provide an insider threat training policy or existing policy that requires insider threat training as outlined in NISPOM.

If your company needs insider threat training, consider purchasing, downloading, and presenting our Insider Threat Training presentation. It's designed with notes that you can read word for word or tailor for your enterprise.
