NISPOM 2 Adds Insider Threat Rule, But Does It Go Far Enough?

By Adam Lurie, July 14, 2016 | SHARE

After years of deliberation, the Department of Defense has published Change 2 to its National Industrial Security Operating Manual (NISPOM). With this release, DoD requires the cleared community to formally stand up insider threat detection programs by November 30. Requiring an insider threat program for the community is a welcome and needed change given the extent to which such threats have proliferated in recent years across the commercial and government sectors. Acknowledging the need to drive increased insider threat detection, NISPOM 2 sets minimum standards for compliance, including the appointment of an Insider Threat Program Senior Official (ITPSO) who will oversee corporate initiatives to gather and report relevant information (as specified by the NISPOM’s 13 personnel security adjudicative guidelines) and share this information across the organization. While NISPOM 2 does put a spotlight on the insider threat issue within organizations and forces every member of the cleared industrial base to determine an appropriate solution – clearly developments to be applauded – the requirement allows contractors to get a passing grade with only minimal effort. A truly proactive insider threat solution to protect against an internal adversary goes much further and requires the use of a broad and diverse data set, including:

  • Internal organizational data (HR, security, badge data, etc.)
  • Public records (arrest, divorce, bankruptcy, etc.)
  • Network/user activity monitoring data
  • Social media activity

By fusing these assorted streams of information together into a consolidated program and performing advanced analytics on top of the data, an organization can more than meet basic NISPOM 2 requirements in a cost-efficient manner and ensure that future Defense Security Service (DSS) security assessments are met with praise from the DSS representative. While NISPOM 2 may tempt a newly appointed ITPSO to implement a simple check-the-box solution, we hope and encourage government customers to reward companies based on the quality of their insider threat programs, especially those that go above and beyond the minimums. After all, this policy applies to companies responsible for national security interests – only our most critical data.

Adam Lurie is Director of Predictive Analytics at Haystax.