This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.
Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP). As mentioned in the first article in the series, all should be incorporated into your customized self-inspection check list: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.
Question:
Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel (KMP) who will serve as the Insider Threat Program Senior Official (ITPSO)?
NISPOM Reference: 1-202b, 1-202c, 2-104
1-202b. The contractor will designate a U.S. citizen employee, who is a senior official and cleared in connection with the FCL, to establish and execute an insider threat program. This Insider Threat Program Senior Official may also serve as the FSO. If the designated senior official is not also the FSO, the contractor’s Insider Threat Program Senior Official will assure that the FSO is an integral member of the contractor’s implementation program for an insider threat program.
1-202c. A corporate family may choose to establish a corporate-wide insider threat program with one senior official designated to establish and execute the program. Each cleared legal entity using the corporate-wide Insider Threat Program Senior Official must separately designate that person as the Insider Threat Program Senior Official for that legal entity.
2-104 PCLs Required in Connection with the FCL. The senior management official, the FSO and the Insider Threat Program Senior Official must always be cleared to the level of the FCL. Other officials, as determined by the CSA, must be granted PCLs or be excluded from classified access pursuant to paragraph 2-106.
Discussion:
The best method for ensuring compliance is to begin the Insider Threat Program with the appointment of an Insider Threat Program Senior Official. This appointment can be executed on corporate letterhead and signed by the authority responsible for approving such actions.
The appointed individual could be the FSO. If the appointee is not the FSO, the program should include the FSO, as the primary purpose of the ITP is to address the threat to national security. Who better to include than the person responsible for the security program to protect national security information?
The qualifications of the ITPSO follow:
- U.S. citizen
- Employee
- Senior official
- Security Clearance at the same level as the facility clearance to establish and execute an insider threat program
If the FSO is not the designated official, the FSO is an integral member of the program.
The appointment letter can be a simple paragraph stating the following as provided by the CDSE in their Sample Insider Threat Program Plan:
_(ITPSO Name)_______ is designated as the Insider Threat Program Senior Official (ITPSO) for __(Company Name)_. As such, the ITPSO will lead the effort to establish policy and assign responsibilities for the Insider Threat Program (ITP). The ITPSO will lead the ITP as they seek to establish a secure operating environment for personnel, facilities, information, equipment, networks, or systems from insider threats.
The ITP applies to all staff offices, regions, and personnel with access to any government or contractor resources to include personnel, facilities, information, equipment, networks, or systems.
The ITPSO is responsible for daily operations, management, and ensuring compliance with the minimum standards derived from Change 2 to DoD 5220.22-M, “National Industrial Security Program Operating Manual (NISPOM).”
Cleared contractors under the NISP should take time to review the NISPOM and the questions in The Handbook for further guidance on the ITP. The ultimate goal is to assign an ITPSO who will lead a team of trained ITP personnel to implement an effective insider threat program. The program begins with a plan, and that plan begins with the designation of the ITPSO and documenting the activity in writing.
EVIDENCE:
Name of Senior Official in writing
Validation:
Provide a copy of the ITPSO appointment memorandum.
For insider threat awareness training and security awareness training, visit our page at http://www.redbikepublishing.com/training/