Tenable Blog

Time Crunch: Federal Contractors Scramble to Clear NISPOM Change 2

Upon winning a government contract, many corporate executives breathe a sigh of relief. But these sighs may now be replaced by moans of frustration upon realizing what it takes to remain compliant with federal cybersecurity standards.

The National Industrial Security Policy Operating Manual (NISPOM) is a perfect example of tightening cybersecurity requirements for federal contractors, especially in the defense sector. Thousands of companies are now scrambling to meet the November 17 deadline for compliance with NISPOM Change 2, which targets insider threats within contractors' organizations.

In light of insiders such as Edward Snowden and, most recently, Harold Thomas Martin III, who was arrested in August for taking classified NSA information home, the Department of Defense has stepped up its efforts to require insider threat detection programs at organizations contracting with the federal government.

NISPOM is the definitive guide for all U.S. government contractors who handle classified information and need to understand the requirements their insider threat detection programs must meet in order to continue working with the federal government. NISPOM is administered by the Defense Department's Defense Security Service (DSS), and its requirements are mandatory.

Change 2, which was approved in May, gave all contractors working with the DOD or with any of 31 other government agencies with national security roles six months to establish insider threat programs. The agencies covered are:

  • Department of Agriculture
  • Department of Commerce
  • Department of Education
  • Department of Health and Human Services
  • Department of Homeland Security
  • Department of Housing and Urban Development
  • Department of Justice
  • Department of Labor
  • Department of State
  • Department of the Interior
  • Department of the Treasury
  • Department of Transportation
  • Environmental Protection Agency
  • Executive Office of the President
  • Federal Communications Commission
  • Federal Reserve System
  • General Services Administration
  • Government Accountability Office
  • Millennium Challenge Corporation
  • National Aeronautics and Space Administration
  • National Archives and Records Administration
  • National Science Foundation
  • Nuclear Regulatory Commission
  • Office of Personnel Management
  • Overseas Private Investment Corporation
  • Small Business Administration
  • Social Security Administration
  • United States Agency for International Development
  • United States International Trade Commission
  • United States Postal Service
  • United States Trade Representative

Passing NISPOM

Contracting companies must create an effective insider threat detection program that meets the requirements of Executive Order 13587 in order to receive a Facility Security Clearance (FCL) under NISPOM. Change 2 outlines three main tasks contractors must complete to receive an FCL:

1: Build an Insider Threat Detection Program

Contractors must put together a program capable of aggregating and analyzing cybersecurity data to extract actionable intelligence on potential insider threats. Contractors also must archive potential threats and routinely perform self-inspections, as well as report insider threat incidents to the government.

2: Name an Insider Threat Program Senior Official (ITPSO)

The ITPSO must be a U.S. citizen and a senior official in the company, and is responsible for establishing and executing the insider threat program. Naming this official is crucial to meeting the requirements of NISPOM Change 2. Establishing a single point of contact and accountability is also a major requirement in several other cybersecurity regulations for organizations doing business in Europe, including Germany's IT Security Act (ITSG), which addresses the IT security of organizations that interact with German citizens and German companies.

3: Provide insider threat training

Training is a significant component of NISPOM Change 2. Training must cover such basic concepts as counterintelligence. Companies must also establish a process for responding to insider threat incidents.

Stronger with automation

The sand in the hourglass is running out for contracting companies that must meet the requirements of NISPOM Change 2. By working with Tenable Network Security solutions, organizations have access to the experience and tools necessary to build a state-of-the-art insider threat detection program and successfully navigate NISPOM Change 2.

The Insider Threat Dashboard and Report included in SecurityCenter Continuous View® (SecurityCenter CV™) empowers organizations to better understand the network activity of trusted sources and to identify suspicious and potentially malicious behavior. The report and dashboard help to monitor the activities of insiders—whether they are employees, contractors, or partners—the users who already have access to your organization's network and resources. The threat is that these insiders may either accidentally or intentionally do something to harm the network, compromise resources, or leak private data. Insider threats are different from external security threats in that they come from a "trusted" location within the network. Organizations trying to detect these threats face the challenge not only of differentiating attacks from "normal" traffic, but also of ensuring that security analysts and system administrators are not inundated with false positives from users performing legitimate tasks.

SecurityCenter CV also monitors and collects system data via the Log Correlation Engine® (LCE®). The information collected from passive and event-based sources assists security operations teams with monitoring users and their activities. Potentially suspicious activity is noted, as are the top users engaging in activity of interest. Login activity by user and users per host are also presented. In these latter two cases, potentially suspicious activity is noted on a per-user or per-host basis, helping an analyst connect users to questionable activity and thus identify insider threats.
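The two views the paragraph describes, login activity by user and users per host, are ordinary log aggregation, and the per-user and per-host signals an analyst reviews can be reproduced on a small scale without any product. The Python below is an added example for this post, not Tenable's, SecurityCenter CV's or LCE's code: it parses a constructed set of authentication events (the key=value log format, hostnames, usernames, times and every threshold are assumptions made for the example), builds the per-user and per-host views, and flags logins to an unusually large number of hosts, off-hours logins, and a burst of failed attempts followed by success. Thresholds this low only make sense for the tiny sample; on real data they would be tuned against a baseline of normal activity to keep the false-positive rate the paragraph warns about under control.

```python
"""Baseline insider-threat analytics over authentication events (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth events in an assumed key=value syslog-like format.
# Hosts, users, addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
2016-11-01T09:02:11 host=ws-101 user=alice result=success src=10.0.1.20
2016-11-01T09:05:40 host=ws-102 user=bob result=success src=10.0.1.21
2016-11-01T22:47:03 host=fs-01 user=alice result=success src=10.0.1.20
2016-11-01T23:01:15 host=fs-02 user=alice result=success src=10.0.1.20
2016-11-01T23:03:29 host=db-01 user=alice result=success src=10.0.1.20
2016-11-02T02:10:00 host=db-01 user=carol result=failure src=10.0.9.9
2016-11-02T02:10:05 host=db-01 user=carol result=failure src=10.0.9.9
2016-11-02T02:10:09 host=db-01 user=carol result=failure src=10.0.9.9
2016-11-02T02:10:14 host=db-01 user=carol result=failure src=10.0.9.9
2016-11-02T02:10:20 host=db-01 user=carol result=success src=10.0.9.9
2016-11-02T10:15:00 host=ws-102 user=bob result=success src=10.0.1.21
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"host", "user", "result"} <= fields.keys():
            fields["ts"] = ts
            events.append(fields)
    return events


def logins_by_user(events):
    """Successful logins per user: the 'login activity by user' view."""
    return Counter(e["user"] for e in events if e["result"] == "success")


def users_per_host(events):
    """Distinct users with a successful login on each host: the 'users per host' view."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            seen[e["host"]].add(e["user"])
    return {host: sorted(users) for host, users in seen.items()}


def flag_users(events, max_hosts=2, business_hours=(8, 18), max_failures=3):
    """Per-user signals worth analyst review. Thresholds are illustrative only."""
    hosts = defaultdict(set)
    off_hours = Counter()
    failures = Counter()      # consecutive failures per user, reset on success
    findings = defaultdict(list)
    start, end = business_hours
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["result"] == "success":
            hosts[user].add(e["host"])
            if not start <= e["ts"].hour < end:
                off_hours[user] += 1
            if failures[user] >= max_failures:
                findings[user].append(
                    f"{failures[user]} failed attempts then success on {e['host']}")
            failures[user] = 0
        else:
            failures[user] += 1
    for user, hs in hosts.items():
        if len(hs) > max_hosts:
            findings[user].append(f"logged into {len(hs)} distinct hosts")
    for user, n in off_hours.items():
        findings[user].append(f"{n} off-hours logins")
    return dict(findings)


def flag_hosts(events, max_users=1):
    """Hosts with more distinct successful users than expected (threshold illustrative)."""
    return {h: u for h, u in users_per_host(events).items() if len(u) > max_users}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("logins by user:", dict(logins_by_user(evs)))
    print("users per host:", users_per_host(evs))
    for user, reasons in flag_users(evs).items():
        print(f"review {user}: " + "; ".join(reasons))
    print("hosts to review:", flag_hosts(evs))
```

On the sample, bob produces no findings, alice is flagged for reaching four distinct hosts with three of the logins after hours, and carol for four failed attempts immediately followed by a success on db-01, which is also the only host serving more than one user. The design keeps raw per-user and per-host aggregates separate from the judgement calls in `flag_users` and `flag_hosts`, so the views stay useful for investigation even when the thresholds are wrong.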

An effective insider threat program that complies with NISPOM Change 2 requires that organizations know who and what is on their networks. Leveraging cutting-edge technologies can provide contractors with the visibility and understanding needed to protect their networks and to establish effective insider threat programs.
