Alert

New Insider Threat Program Requirements for Cleared Contractors

June 6, 2016

The U.S. Department of Defense has recently announced a new requirement for cleared contractors to establish an insider threat program. Contractors must create and begin implementing a written insider threat program plan by November 30, 2016. The purpose of the program is to detect insiders who pose a threat to classified information, deter employees from becoming an insider threat, and mitigate risks from insider threats. The key requirements for an insider threat program are outlined below. Wiley Rein can provide additional insight on these new requirements and assist with your program implementation.

  • A contractor must appoint an Insider Threat Program Senior Official (ITPSO) to oversee the insider threat program.
    • A corporate family can establish a corporate-wide ITPSO but still must have a separate ITPSO for each cleared legal entity in the corporate family.
  • The ITPSO must endorse the contractor’s insider threat program plan.
  • A contractor must conduct self-inspections of its security programs, including an insider threat self-assessment, and develop reports documenting the self-inspection. The contractor must certify annually in writing to the Defense Security Service (DSS) that a self-inspection was completed. The contractor must make the self-inspection reports available to DSS for review upon request.
  • A contractor must report to the appropriate agency any relevant and credible information that indicates potential or actual insider threats.
  • A contractor must implement procedures to identify employees who have a history of negligence in handling classified information, so the contractor can report the information regarding those employees.
  • A contractor must provide four types of insider threat training as follows, which also must cover the topics outlined in NISPOM 3-103:
    • Personnel who are assigned duties related to insider threat program management must receive training on management;
    • All cleared employees must receive training on insider threat awareness;
    • All employees who are not yet cleared but are going to be granted clearance must receive insider threat awareness training prior to obtaining clearance;
    • All cleared employees must receive annual refresher training on insider threat awareness.
  • A contractor must establish and retain records of all employee trainings that occur.
  • A contractor must implement the information systems security controls required by DSS for monitoring user activity and detecting potential insider threats.
  • The Information Systems Security Manager (ISSM) must work with the ITPSO to ensure the contractor’s Information Systems Program addresses insider threat awareness.
Read Time: 2 min

Authors

Jump to top of page

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek