Friday, September 23, 2016

Appointing the Insider Threat Program Senior Official (ITPSO)


This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2. 

Because the NISPOM update adds requirements, there is now a sixth element in the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP). As mentioned in the first article in the series, all should be incorporated into your customized self-inspection checklist: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.

Question:

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?

NISPOM Reference: 1-202b, 1-202c, 2-104

 1-202b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program. This Insider Threat Program Senior Official may also serve as the FSO. If the designated senior official is not also the FSO, the contractor’s Insider Threat Program Senior Official will assure that the FSO is an integral member of the contractor’s implementation program for an insider threat program.

 1-202c. A corporate family may choose to establish a corporate-wide insider threat program with one senior official designated to establish and execute the program. Each cleared legal entity using the corporate-wide Insider Threat Program Senior Official must separately designate that person as the Insider Threat Program Senior Official for that legal entity.

 2-104 PCLs Required in Connection with the FCL. The senior management official, the FSO and the Insider Threat Program Senior Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph 2-106.

Discussion:

The best method for ensuring compliance is to begin the Insider Threat Program with the appointment of an Insider Threat Program Senior Official. This appointment can be executed on corporate letterhead and signed by the authority responsible for approving such actions.

The appointed individual could be the FSO; if not, the ITPSO should include the FSO, because the primary purpose of the ITP is to address the threat to national security. Who better to include than the person responsible for the security program that protects national security information?



The qualifications of the ITPSO follow:
  • U.S. citizen
  • Employee
  • Senior official
  • Security Clearance at the same level as the facility clearance to establish and execute an insider threat program

If the FSO is not the designated official, the FSO is an integral member of the program.

 The appointment letter can be a simple paragraph stating the following as provided by the CDSE in their Sample Insider Threat Program Plan:

 _(ITPSO Name)_______ is designated as the Insider Threat Program Senior Official (ITPSO) for __(Company Name)_.  As such, the ITPSO will lead the effort to establish policy and assign responsibilities for the Insider Threat Program (ITP). The ITPSO will lead the ITP as they seek to establish a secure operating environment for personnel, facilities, information, equipment, networks, or systems from insider threats.

The ITP applies to all staff offices, regions, and personnel with access to any government or contractor resources to include personnel, facilities, information, equipment, networks, or systems.

The ITPSO is responsible for daily operations, management, and ensuring compliance with the minimum standards derived from Change 2 to DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM).”

Cleared contractors under the NISP should take time to review the NISPOM and the questions in The Handbook for further guidance on the ITP. The ultimate goal is to assign an ITPSO who will lead a team of trained ITP personnel to implement an effective insider threat program. The program begins with a plan, and that plan begins with designating the ITPSO and documenting the activity in writing.

EVIDENCE: Name of Senior Official in writing

Validation:
Provide a copy of the ITPSO appointment memorandum.

For insider threat awareness training and security awareness training, visit our page at http://www.redbikepublishing.com/training/


