Monday, July 9, 2018

Selecting the Insider Threat Program Senior Official

This article addresses the designation of the Insider Threat Program Senior Official (ITPSO). The article is derived from the Self Inspection Handbook for NISP Contractors, and uses the format to walk through the self-inspection criteria. We begin the topic question, the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.
Topic Question(s):

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?
EVIDENCE: Name of Senior Official in writing

NISPOM Reference(s):
1-202b, 1-202c, 2-104

The Insider Threat Program (ITP) is established to prevent, detect, or stop a trusted employee from committing espionage or sabotage to the Cleared Defense Contactor (CDC) and their product or contract deliverables. The ITP is also scoped to protect the CDC employees from the insider threat actions. The ITP is a requirement as covered in both the National Industrial Security Program Operating Manual (NISPOM), E.O. 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.

Cleared Defense Contractors (CDC) should designate an employee to manage the Insider Threat Program (ITP). The contractor will designate an employee to establish and execute an insider threat program. The first step is to designate a “Senior Official” with the following qualifications:

1. U.S. citizen

2. Company Employee

3. Senior official within the company

4. Security Clearance at the same level as the facility clearance (FCL) to establish and execute an insider threat program

· If the FCL is TOP SECRET, then the ITPSO must also have a TOP SECRET clearance

5. Could be the FSO is not the designated official, the FSO is an integral member of the program

Some larger corporations may have separate legal entities. If the corporation desires one ITPSO to serve corporate wide, each cleared legal entity should each designate that person as their ITPSO.

Once the ITPSO is designated, the enterprise can begin to create an Insider Threat Program that will be endorsed by the ITPSO. The ITPSO should begin the next tasks to build the ITP team and develop the ITP and the required Insider Threat Training. These topics will be covered in future articles.


ITPSO is designated in writing and documentation is available for review
Designated ITPSO meets all the qualifications required as demonstrated in training records available for review.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

No comments: