Change Two to the National Industrial Security Program Operating Manual (NISPOM 2) came into force at the end of May 2017. One of the biggest changes involves a new requirement for contractors to implement extensive insider threat training for all staff with access to government classified information. These new requirements are specified in section 3-103.
NISPOM 2 (PDF) defines the insider threat as “The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States.” Section 3-103 places new burdens on contractors to mitigate this threat.
There are three sub-sections. Section 3-103 (a) concerns the contractor’s insider threat program personnel. These must be trained in counterintelligence; response procedures; applicable laws and regulations; and applicable civil liberties and privacy issues.
Section 3-103 (b) specifies the training that all cleared personnel must receive prior to gaining access to classified information. This includes training in the detection and reporting of suspicious activity; methodologies used by adversaries to recruit insiders; indicators of insider threat behavior; and counterintelligence.
Section 3-103 (c) specifies the maintenance of “a record of all cleared employees who have completed the initial and annual insider threat training.”
The effect of the new requirements has been summarized by Bay Dynamics federal systems engineer Thomas Jones as threefold: to ensure contractors understand the consequences of breaking the rules; to teach contractors how to spot indications of insider threat behavior in others; and to make it clear who should be contacted if anything is spotted. In other words, a key aspect of NISPOM 2 is to cultivate contractors monitoring contractors. “It’s letting people know that they are being watched, and that changes behavior,” he said.
While there is universal acknowledgement of the serious nature of the insider threat, there is also some concern that NISPOM 2 may not have its desired effect. Failure to abide by the conditions will mean that untrained contract personnel will not be able to access classified information, while the contractor itself could lose the contract. Fully conforming to NISPOM 2, however, places a substantial financial burden on the contractor with no clear way to recover costs.
Those costs are likely to affect smaller contractors to a greater extent than larger firms who will be better positioned to absorb at least some of them. As such, some of the smaller firms may be squeezed out of bidding; and a dynamic and agile part of the market may be lost to government contracts.
But there is also another concern — NISPOM 2 may have the opposite effect to its purpose; it could reduce rather than enhance security. Government agencies, including the DoD, are required to operate their own insider threat mitigations. Members of Bryan Cave LLP’s national security practice have pointed out (Bloomberg) that these requirements are not being met ‘uniformly or quickly’.
The danger, they suggest, is that if confidential data is withdrawn from non-compliant contractors, it “may simply place sensitive information where it may be no more secure from outsider access than it was in the hands of the contractor, and it may be less secure.” Furthermore, removing data from contractors and centralizing it on improperly secured government systems “may provide cyber threat actors with a much more lucrative target for attack by focusing on the data from numerous, threatened contractors stored in a single government site, making it unnecessary to attack numerous contractors’ individual systems.”
The bottom-line, however, is that NISPOM 2 is here and in effect. Any contractor wishing to bid for government contracts that involve handling sensitive data must now have the insider threat mitigation requirements of NISPOM 2 in place and operational.