On 18 May 2016 NISPOM Conforming Change 2 was released to the general public formulating the creation of the Insider Threat Program requirement along with numerous other changes we’ve begun to see within FAR SP 800-171 with its 109 control measures and DFARS clauses’ 252-204-7012, appendixes c, and d found in some contracts today.
The SDG team has reviewed Change 2 and created a few cliff notes for your review. Please note this first breakdown is a general overview and we will provide chapter or program specific newsflashes as warranted in the coming days.
On Wednesday, DoD published its long awaited NISPOM change 2 (DoD 5220.22-M). All cleared contractors are required to implement the revised provisions no later than six months from the date of their publication.
The DoD Manuals webpage has been updated with the DoD 5220.22-M (http://www.dtic.mil/whs/directives/corres/pdf/522022M.pdf), and its summary of changes.
Please note that the Industrial Security Letter on Insider Threat for cleared contractors under DoD security cognizance is not yet approved. We do expect it to be published soon.
Our own high-level summary of the most significant changes incorporated into the publication are as follows:
NISPOM Change 2 CLIFF NOTES:
- All aspects must be implemented six months (17 November 2016) with the exception of any and all areas related to US-UK and or US-Australia treaties which are spoken to within Chapters 4 and 10.
- Previous paragraphs have been renumbered throughout the document due to new guidance being inserted into the Manual. This means that you will find instances where the references you’ve used in the past will now be in a new location. For example paragraph 1-202 became 1-203 in light of 1-202 now speaking to the Insider Threat Program.
- The development of an Insider Threat Program has six months, or until 17 November 2016, to complete the implementation of the program. The initial program requirements are as follows:
- The company must officially name and appoint an Insider Threat Program Security Officer (ITPSO) who must be cleared to the level of the FCL.
- The appointment of the ITPSO will include an internal appointment letter and cause each cleared company to submit a Changed Condition Package in e-FCL.
- The ITPSO will have four classes to complete via the STEPP database and CDSE.
- All currently cleared staff will have six months to be briefed on the Insider Threat Program and their individual responsibilities. Any future cleared individuals will have to be briefed prior to them being afforded access to classified information.
- Each year the ITPSO will submit a report to DSS to provide notification a self-inspection has been conducted, to include a review of the Insider Threat Program, and report on any deficiencies found and how they were corrected.
- For years One Person Facilities (Sole Proprietorships) were not allowed, but in light of the new language spoken to within 1-204 these Facilities will now be allowed. The policy shift does not, however, remove other limitations placed upon a company such as JPAS access requirements as spoken to by DMDC policies.
- Self-Inspections now must be done on an annual basis and not within “sound risk management principles” as previously stated. While the new language states within 1-207b. Contractor Reviews that “Contractors shall review their security system on a continuing basis and shall conduct a formal self-inspection…” Which is then further clarified in 1-207b(3) “A Senior Management Official (SMO) at the cleared facility will certify to the CSA, in writing on an annual basis, …” Thus a self-inspection must now be done annually and the ITPSO will certify this has occurred with a report submitted to DSS which will speak to the following items:
- SMO has been briefed on the results
- The self-inspection included checks on the Contractor’s Insider Threat Program
- All corrective actions have been taken
- How Management fully supports the program
- If applicable the report will include a review of the Contractors derivative classification actions
- CIA Hotline has been removed and replaced by the DNI Hotline which is;
- DNI Hotline, Director of National Intelligence, Office of the Inspector General, Washington, DC 20511
- DOE Hotline address changed to show Room SD-031
- DOE Hotline, Department of Energy, Office of the Inspector General, 1000 Independence Ave., SW, Room SF-031
- 202-586-4073 or 800-51-1623
- CIA Hotline has been removed and replaced by the DNI Hotline which is;
- In keeping with the required implementation of the Contractor’s Insider Threat program Chapter 1, Section 3 has been revised to include language within 1-300 speaking to the need to report instances on employees who may indicate the person poses an insider threat. Subsequent paragraphs throughout the Manual, i.e., Paragraph 2-104 provide further clarification on the Insider Threat Program and how it applies overall to Cleared Defense Contractors.
- Chapter 1, Section 4 is a brand new section all about the reporting of cyber related issued discovered/uncovered by Cleared Defense Contractors. The section is specific to Cleared Defense Contractors who have been approved to process Classified Information at their facility. The section is in keeping with recent changes to the DFARS related to cyber reporting as well as the implementation of the Insider Threat Program.
- Paragraph 3-103 has been inserted into the Manual and speaks on the required Insider Threat Training for all concerned and on the how and when the training is conducted.
- Insider Threat Program Security Officer
- Security Staff
- Initial Training
- Annual Training
- Record keeping
- Paragraph 3-105 – training for Temp Help – would be something of immediate value to the service industry, ala HVAC companies and Access Control System/Intrusion Detection System installer companies. This would further strengthen the need for “service companies” to be cleared as it speaks to who has the overall responsibilities for the briefing of the temporary help personnel.
- Paragraph 3-107, previously 3-106, Initial Security Briefings has been revised to add in language about the Insider Threat Program training and cybersecurity awareness training for all authorized IS users.
- Threat Awareness must include Insider Threat training
- Defensive security now called Counterintelligence Awareness
- Classification system overview
- Employee reporting requirements now includes Insider Threats
- Initial & Annual Cyber Security Awareness training for all authorized classified IS users
- Security procedures specific to an individual’s job
- Chapter 4, Classification and Markings has several small revisions within the individual paragraphs mainly speaking to who the “identity of the person” responsible for an action is so as to speak to the persons’ name and position or personal identifier. Additional clarity is provided to where the portion markings are to be placed in a document, email, photograph, etc. Paragraph 4-220 speaks to the marking requirements for transfers of defense articles without a license or other written authorization and points the reader to Chapter 10 Section 8.
- Chapters 5 and 8 primarily pertain to companies cleared for safeguarding and or for those tasked with safeguarding responsibilities on a classified site and as such we will be crafting a separate newsflash related to how these individual Chapters will apply to you accordingly.
- Chapter 10 Section 8 codifies a previously released Industrial Security Letter which updated the manner in which information is marked, labeled and, transferred.
- Chapter 9 has in many ways shifted to Appendix D and is placed in the hands of individual Agencies or Agency Heads. For example; Intelligence Information is under the jurisdiction and control of the DNI and the release of SCI level material cannot be performed without the prior written authorization of the originating IC element.