The first part of the template outlines the purpose and policies of the program and demonstrates that the contractor understands the ITP requirements. The organization identifies itself by name and lists the responsibilities of the ITP and the positions within the organization that carry them out. The remainder of the plan should spell out the ITP logistics:
A. Written designation of ITPSO.
B. The ITPSO responsibilities as addressed in NISPOM Change 2. Responsibilities include:
· Self-certify the Insider Threat Program Plan in writing to DSS (the suspense date for this has already passed).
· Provide copies of the Insider Threat Plan upon request and make the plan available to DSS.
· Establish an Insider Threat Program scaled to the organization’s size and operations.
· Provide insider threat training for Insider Threat Program personnel and insider threat awareness training for cleared employees.
· Demonstrate user activity monitoring on classified information systems in order to detect activity indicative of insider threat behavior.
· Produce procedures to access, gather, integrate, and report relevant and credible adverse information across the contractor.
· Demonstrate a system or process to identify patterns of negligence or carelessness in handling classified information.
· Conduct and document self-inspections of the Insider Threat Program.
· Oversee the collection, analysis, and reporting of information across the company to support the identification and assessment of insider threats.
· Provide proof that all ITP assessments and reports have been implemented, documented, and delivered to senior management.
C. Insider Threat Training.
· Provide documentation of ITPSO training completed by November 30, 2016, or, for a recently appointed ITPSO, within 30 days of being assigned responsibilities.
· ITP Personnel Training.
  o Provide training to all contractor personnel assigned ITP duties within 30 days of assignment, and refresher training each year for as long as they continue to serve.
  o Provide insider threat awareness training to all cleared employees before they are granted access to classified information, in any case prior to May 31, 2017, and each year for as long as they maintain their clearance.
  o Incorporate insider threat awareness into annual refresher training.
D. Insider Threat Training Records Management.
· Maintain training attendance records, certificates, or other documentation that verify completed initial and refresher training, for review during DSS security vulnerability assessments.
E. Insider Threat Reporting Requirements. Develop reporting requirements that capture:
· Adverse information regarding cleared employees.
· Suspicious contacts.
· Actual, probable, or possible espionage, sabotage, terrorism, or subversive activities at any of its locations.
· Any information indicating a possible or potential successful penetration of a classified information system.
You may notice that the above summary follows the DSS template, the requirements in NISPOM Change 2, the pattern in the Self-Inspection Handbook for NISP Contractors, and other resources. Though no particular format is required, the information DSS is looking for remains consistent, and using the above format, with proper documentation of compliance, may suffice. Refer to the hyperlinks for NISPOM, related publications, and downloadable training that can help meet NISPOM and DSS requirements.