
Government Contractors Required to Provide Insider Threat Awareness Training

Change Two to the National Industrial Security Program Operating Manual (NISPOM 2) came into force at the end of May 2017. One of the biggest changes involves a new requirement for contractors to implement extensive insider threat training for all staff with access to government classified information. These new requirements are specified in section 3-103.

NISPOM 2 (PDF) defines the insider threat as “The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States.” Section 3-103 places new burdens on contractors to mitigate this threat.

There are three sub-sections. Section 3-103 (a) concerns the contractor’s insider threat program personnel. These must be trained in counterintelligence; response procedures; applicable laws and regulations; and applicable civil liberties and privacy issues. 

Section 3-103 (b) specifies the training that all cleared personnel must receive prior to gaining access to classified information. This includes training in the detection and reporting of suspicious activity; methodologies used by adversaries to recruit insiders; indicators of insider threat behavior; and counterintelligence.

Section 3-103 (c) specifies the maintenance of “a record of all cleared employees who have completed the initial and annual insider threat training.”

The effect of the new requirements has been summarized by Bay Dynamics federal systems engineer Thomas Jones as threefold: to ensure contractors understand the consequences of breaking the rules; to teach contractors how to spot indications of insider threat behavior in others; and to make it clear who should be contacted if anything is spotted. In other words, a key aspect of NISPOM 2 is to cultivate contractors monitoring contractors. “It’s letting people know that they are being watched, and that changes behavior,” he said.

While there is universal acknowledgement of the serious nature of the insider threat, there is also some concern that NISPOM 2 may not have its desired effect. Failure to abide by the conditions will mean that untrained contract personnel will not be able to access classified information, while the contractor itself could lose the contract. Fully conforming to NISPOM 2, however, places a substantial financial burden on the contractor with no clear way to recover costs.

Those costs are likely to affect smaller contractors to a greater extent than larger firms, which will be better positioned to absorb at least some of them. As a result, some of the smaller firms may be squeezed out of bidding, and a dynamic and agile part of the market may be lost to government contracts.

But there is also another concern: NISPOM 2 may have the opposite of its intended effect; it could reduce rather than enhance security. Government agencies, including the DoD, are required to operate their own insider threat mitigations. Members of Bryan Cave LLP’s national security practice have pointed out (Bloomberg) that these requirements are not being met ‘uniformly or quickly’.

The danger, they suggest, is that if confidential data is withdrawn from non-compliant contractors, it “may simply place sensitive information where it may be no more secure from outsider access than it was in the hands of the contractor, and it may be less secure.” Furthermore, removing data from contractors and centralizing it on improperly secured government systems “may provide cyber threat actors with a much more lucrative target for attack by focusing on the data from numerous, threatened contractors stored in a single government site, making it unnecessary to attack numerous contractors’ individual systems.”

The bottom line, however, is that NISPOM 2 is here and in effect. Any contractor wishing to bid for government contracts that involve handling sensitive data must now have the insider threat mitigation requirements of NISPOM 2 in place and operational.