Time Crunch: Federal Contractors Scramble to Clear NISPOM Change 2

By: Carlos Soto
November 13, 2016


Upon winning a government contract, many corporate executives breathe a sigh of relief. But these sighs may now be replaced by moans of frustration upon realizing what it takes to remain compliant with federal cybersecurity standards.

The National Industrial Security Policy Operating Manual (NISPOM) is a perfect example of tightening cybersecurity requirements for federal contractors, especially in the defense sector. Thousands of companies now are scrambling to meet the November 17 deadline to become compliant with the requirements of NISPOM Change 2, which targets insider threats in contractors’ organizations.

In light of insiders such as Edward Snowden and most recently Harold Thomas Martin III, who was arrested in August for taking classified NSA information home, the Department of Defense has increased efforts to regulate the need for insider threat detection programs for organizations contracting with the federal government.

NISPOM is the definitive guide for all U.S. government contractors who deal with classified information and need to understand the requirements their insider threat detection programs must meet in order to continue working with the federal government. NISPOM is administered by the Defense Department’s Defense Security Service (DSS) and NISPOM requirements are mandatory.

Change 2, which was approved in May, gave all contractors working with 31 government agencies with national security roles (as well as the DOD) six months to establish insider threat programs. Agencies covered are:

  • Department of Agriculture
  • Department of Commerce
  • Department of Education
  • Department of Health and Human Services
  • Department of Homeland Security
  • Department of Housing and Urban Development
  • Department of Justice
  • Department of Labor
  • Department of State
  • Department of the Interior
  • Department of the Treasury
  • Department of Transportation
  • Environmental Protection Agency
  • Executive Office of the President
  • Federal Communications Commission
  • Federal Reserve System
  • General Services Administration
  • Government Accountability Office
  • Millennium Challenge Corporation
  • National Aeronautics and Space Administration
  • National Archives and Records Administration
  • National Science Foundation
  • Nuclear Regulatory Commission
  • Office of Personnel Management
  • Overseas Private Investment Corporation
  • Small Business Administration
  • Social Security Administration
  • United States Agency for International Development
  • United States International Trade Commission
  • United States Postal Service
  • United States Trade Representative

Passing NISPOM

Contracting companies must create an effective insider threat detection program that meets the requirements of Executive Order 13587 in order to receive a Facility Security Clearance (FCL) under NISPOM. Change 2 outlines three main tasks contractors must take to receive an FCL:

1: Build an Insider Threat Detection Program

Contractors must put together a program capable of aggregating and analyzing cybersecurity data to extract actionable intelligence on potential insider threats. Contractors also must archive potential threats and routinely perform self-inspections, as well as report insider threat incidents to the government.

2: Name an Insider Threat Program Senior Official (ITPSO)

The ITPSO must be a U.S. citizen, a senior official in the company, and will be responsible for establishing and executing the insider threat program. This is crucial to meeting the requirements of NISPOM Change 2. Establishing a single point of contact and accountability is also a major requirement in several other cybersecurity regulations for organizations doing business in Europe, including Germany’s IT Security Act (ITSG), which addresses the IT security of organizations that interact with German citizens and German companies.

3: Provide insider threat training

Training is a significant component of NISPOM Change 2. Training must cover such basic concepts as counterintelligence. Companies must also establish a process for responding to insider threat incidents.

Stronger with automation

The sand in the hourglass is running out for contracting companies that must meet the requirements of NISPOM Change 2. By working with Tenable Network Security solutions, organizations have access to the experience and tools necessary to build a state-of-the-art insider threat detection program and successfully navigate NISPOM Change 2.

For more on this story please visit our @tenablesecurity blogs.