Does your company have a classified U.S. Government contract? Do you and your staff currently hold a Facility Security Clearance (FCL)? If so, there is no policy change more vitally important to the success of your business than Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM).
Recent major insider threat incidents involving both information and personnel security have shed light on the shortcomings and vulnerabilities that agencies open themselves up to when working with contractors, and policy is evolving accordingly. Remember, Edward Snowden wasn’t a government employee; he was a contractor who abused legitimately obtained access to extremely sensitive information.
Conforming Change 2 requirements are intended to facilitate the early identification and prevention of insider threats within organizations working under the purview of the Defense Security Service (DSS). This means that even if you aren’t working directly with the Department of Defense (but you do hold a contract with the U.S. Department of State or one of the more than 30 other agencies affected by NISPOM), your company will be held to the standards of Conforming Change 2 when audited by DSS.
The requirements outlined in the newly released NISPOM update are designed to ensure a baseline level of risk management across the industrial base. Because the update essentially sets out minimum acceptable standards, you may find that your organization already has some of the security measures in place, such as insider threat awareness training or a procedure for reporting security violations. However, before you assume you can check the compliance boxes and call it a day, here are some things to keep in mind:
- Achieving compliance with Conforming Change 2 (CC2) standards does not mean that your company’s assets are effectively protected from insider threat risk. If your goal as a security executive is to preserve the integrity of your business by protecting your people and the assets of your company against hostile internal threats, CC2 is only the first step.
- CC2 is expected to require a few insider threat mitigation measures that you likely do not have in place currently:
  - A mechanism for identifying and tracking behavior that indicates “carelessness or negligence” in handling classified information but does not reach the threshold of a reportable security violation.
  - Initial and annual refresher Insider Threat Program Management training for all employees who are assigned duties related to the management or operation of your company’s Insider Threat program.
  - Procedures to share and integrate information indicative of a potential or actual threat across the organization. This requirement implies that your company must identify indicators associated with insider threat and set up a way for this information to be shared across different functional areas on a regular basis, so that patterns of risk are flagged and addressed before an incident occurs. Having an incident reporting process in place that dictates what happens once a violation occurs is insufficient to comply with this mandate.