As Steptoe previously reported, May 2016 the DoD published updates to the National Industrial Security Operating Manual (“NISPOM,” Change 2 to DoD 5220.22-M) and an accompanying Industrial Security Letter requiring government contractors holding a facility security clearance (“FCL”) to establish or maintain a written policy by November 30, 2016 to detect, deter, and mitigate insider threats. In particular, an FCL holder’s insider threat policy must: gather, integrate, and report relevant and credible information that indicates a potential or actual insider threat; detect insiders – defined to include cleared contractor personnel with authorized access to any US government or contractor resources – who pose a risk to classified information; and take steps to mitigate the risk of any insider threats.

The DoD Industrial Security Letter sets forth the following eight elements that FCL holders should include in their insider threat policies as best practices:

  1. Endorsement by the Insider Threat Program Senior Official (“ITPSO”) and self-certification to the Defense Security Service (“DSS”) that the policy has been implemented
  2. Appointment of a US citizen cleared senior official as the ITPSO
  3. Appointment of an ITPSO for the whole corporate family
  4. Annual self-inspection and certification to DSS of the inspection’s completion
  5. Reporting requirements when an FCL holder is made aware of relevant and credible information indicative of a potential or actual insider threat regarding a cleared employee, based on 13 guidelines for determining whether a person is eligible to access classified information
  6. Implementation of processes to identify negligence or carelessness in handling classified information and making individual culpability and/or incident reports
  7. Training regarding employee awareness, insider threat program management, and records management for all cleared employees and insider threat program managers
  8. User activity monitoring on classified information systems

More information about implementing these requirements by November 30, 2016 is available on the DSS Industry Insider Threat Information and Resources webpage.