This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Since the NISPOM update adds to requirements, there is now a sixth element to the “Elements of Inspection” that are common to ALL cleared companies participating in the National Industrial Security Program (NISP). As mentioned in the first article in the series, all should be incorporated into your customized self-inspection checklist: (A) Facility Security Clearance (FCL), (B) Access Authorizations, (C) Security Education, (D) FOCI, (E) Classification, and (Y) Insider Threat.
The current series of articles will be temporarily reset while the author considers the new self-inspection guidelines and requirements, especially as addressed in section (Y) Insider Threat.
A cleared contractor under NISP is required to establish an Insider Threat Program (ITP); this ITP will be reviewed by the cognizant security agency (CSA) (Defense Security Service is the CSA for the Department of Defense). This ITP is emphasized in the Self-Inspection Handbook and NISPOM:

These self-inspections will be related to the activity, information, information systems (ISs), and conditions of the overall security program, to include the Insider Threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy. [1-207b, 1-207b(1) NISPOM]
While the NISPOM requires all participants in the NISP to conduct their own self-inspections, to include an insider threat self-assessment, the Self-Inspection Handbook is designed as a job aid to assist with developing a viable self-inspection program. This article focuses on how NISP participants can tailor the NISPOM requirements and Self-Inspection Handbook questions for their own organizations.
For the purpose of this article series, we’ll address the questions per the spirit of the Self-Inspection Handbook; first generally, then later with specific questions as the handbook leads.
General Application:
Question: Does your company implement insider threat training as outlined in NISPOM 3-103 and CSA guidance?
NISPOM 3-103 states:
The Insider Threat Program Senior Official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees complete training that the CSA considers appropriate.
a. Contractor insider threat program personnel, including the contractor designated Insider Threat Program Senior Official, must be trained in:
(1) Counterintelligence and security fundamentals, including applicable legal issues.
(2) Procedures for conducting insider threat response actions.
(3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information.
(4) Applicable legal, civil liberties, and privacy policies.
b. All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.
This is a broad question demonstrating the requirement that the company develop, document, and present insider threat training to complement the ITP and industrial security requirements. According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training. Interestingly enough, the insider threat training is now required prior to giving a cleared employee access to classified information.
Did you get that? Not only is it required annually, but it must be provided as initial security training as well. A further analysis of the training requirements suggests that the insider threat awareness training and the annual refresher address the same issues; it’s just repackaged. As such, a NISP contractor’s initial security briefing and annual refresher should be repackaged to demonstrate the requirements. Either the insider threat topic is added as a stand-alone briefing or it is incorporated into existing training programs.
- Requirements PRIOR to the recent changes to NISPOM:
  - The FSO provided initial security training and annual refresher training.
  - The holder of classified information validated an employee’s access (clearance level) and need to know.
- Requirements AFTER the NISPOM updates:
  - The FSO demonstrates that cleared employees have completed ITP awareness training before being granted access to classified information, and annually thereafter.
Validation:
1. Provide a copy of the insider threat training that is either stand-alone or incorporated into existing training plans.
2. Provide a sign-in sheet or other media to demonstrate that the required employees have received the required training.
3. Provide an insider threat training policy, or an existing policy that requires insider threat training as outlined in NISPOM.
If your company needs insider threat training, consider purchasing, downloading, and presenting our Insider Threat Training presentation. It's designed with notes that you can read word for word or tailor for your enterprise.