Monday, July 29, 2019

Insider Threat Program Compliance

This article addresses the NISPOM based Insider Threat Program (ITP) compliance requirements and is inspired by questions from the Self Inspection Handbook for NISP Contractors. The article uses the handbook’s format to through the self-inspection criteria. We begin the topic question, the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.

Topic Question(s):
Does your ITPSO ensure compliance with insider threat requirements established in the NISPOM and in the implementing guidance provided by DSS?

EVIDENCE: Explain who and how and how often oversight reviews are conducted

NISPOM Reference(s):


The NISPOM references provided are to measure application of the cleared contractor’s Insider Threat Program (ITP). However, the compliance is applicable to the broad implementation of NISPOM and security disciplines and not just the ITP.  For example, the NISPOM requires cleared contractors to conduct a security review incorporating the entire security program designed to protect classified information. This includes information security, access controls, classified storage, shipping and receiving, classified processing and not just for the purposes of implementing the ITP.

The Facility Security Officer (FSO) should demonstrate compliance in each area of security discipline falling under the NISPOM. In this case, they should be able to demonstrate specific requirements as identified for the ITP oversight. This includes providing artifacts and documentation demonstrating their actions. Again, the task does not have to be daunting as the exact countermeasures and mitigations to protect against insider threats could be applied across all security programs. We discuss some practical applications of NISPOM concerning ITP compliance and ways to document FSO actions.

According to NISPOM 1-207b, contractors should conduct internal security reviews on a recurring basis. These reviews could occur annually per self-inspection requirements or more frequently as risk analysis or other needs require. Some methods could include calendar reminders with posted agendas. For example, an FSO may want to break up the insider threat compliance review into monthly segments. One example agenda would include classified Information Systems (IS) as a focus topic one month and the following month, review access control, and even later, classified holdings. The agenda could use the self- inspection handbook as the nexus of review questions based on self-inspection topic.

NISPOM 1-202 addresses requirements to establish an Insider Threat Program (ITP) capable of gathering, integrating, and reporting relevant and available information indicative of a potential or actual insider threat. The ITP should be under the cognizance of a designated Insider Threat Program Senior Official (ITPSO) who is either a Facility Security Officer (FSO) or ensures that an FSO is a member of the ITP team.

To accomplish this, employees should have a method of reporting information that could indicate insider threat actions. This should be credible information and could include suspicious activities covered in the security awareness program. These activities may include: working long or unusual hours, undue affluence, emailing many documents, downloading massive files, suspicious contacts and other actions that may allow the exfiltration of information or sabotage of mission.

The ITPSO and members of ITP team should have a way of receiving that information and protecting reportable information as sensitive until required actions are accomplished. The information should be received and incorporated into company actions such as investigations, report writing, or referral of report to appropriate entities such as law enforcement or Defense Counterintelligence and Security Agency (DCSA). It’s a good idea to integrate ITP actions with the enterprise policies and entities such as security, ethics, legal counsel and human resources.

As mentioned earlier, IS should also be assessed with other NISP considerations for insider threat potential. This guidance falls under NISPOM chapter 8-101h discussion self-inspection program of IS section as found in the Self-Inspection Handbook for NISP Contractors, Element of Inspection T, Information systems

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

No comments: