Site Map | A-Z Index | Facebook | Twitter

• Home
• About Us
  • Director
  • Deputy Director
  • Vision and Mission
  • History
  • Electronic Reading Room
  • Locations
  • Press Room
  • Organizational Structure
  • Careers at DSS
  • Doing Business with DSS
  • Frequently Asked Questions
• Directorates
  • Industrial Security Field Operations (ISFO)
  • Industrial Security Integration & Application (IP)
  • Counterintelligence (CI)
  • Center for Development of Security Excellence (CDSE)
• Services
  • Oversee and assist the defense industrial base
  • Provide counterintelligence support
  • Accredit information systems
  • Facilitate personnel security clearance for industry
  • Manage foreign ownership, control, or influence
  • Deliver security education and training
• Information Systems
  • Defense Central Index of Investigations (DCII)
  • Electronic Facility Clearance System (e-FCL)
  • Industrial Security Facilities Database (ISFD)
  • Joint Personnel Adjudication System (JPAS)
  • National Industrial Security Program (NISP) Central Access Information Security System (NCAISS)/DSS Applications
  • National Industrial Security Program (NISP) Contracts Classification System (NCCS)
  • National Industrial Security System (NISS)
  • ODAA Business Management System (OBMS)
  • Secure Web Fingerprint Transmission (SWFT)
  • Security Training, Education and Professionalization Portal (STEPP)
• Contact Us
  • Feedback on website
  • Acquisitions Office
  • Center for Development of Security Excellence
  • Knowledge Center
  • Equal Employment Opportunity Office
  • FOIA and Privacy Office
  • Human Capital Management Office
  • Inspector General's Office
  • ISFO Field Office Locations
  • Legislative Affairs Office
  • Public Affairs Office
  • Mailing Addresses

Home + Industry Insider Threat Information and Resources

Industry Insider Threat Information and Resources

Policy and Guidance

• NISPOM Change 2
• NISPOM Summary of Changes
• Insider Threat Industrial Security Letter (ISL)
• ODAA Process Manual
• Vulnerability Assessment Rating Matrix 2016 Update

Resources

• Industry Insider Threat Program Plan Template
• NISP Self-Inspection Handbook for NISP Contractors
• Industry Insider Threat Job Aid
• Appointments of ITPSO (e-FCL)
• Other Insider Threat Related Job Aides

Training

• CI122.16, Establishing an Insider Threat Program for Your Organization
• CI121.16, Insider Threat Awareness
• CI112.16, Counterintelligence Awareness and Security Briefing
• Other Insider Threat Training and Resources
• CS200.16, Continuous Monitoring

Toolkits

• Insider Threat
• Facility Security Officer
• Other

Contact

For questions or concerns, please email: dss.quantico.dss-hq.mbx.policyhq@mail.mil.

Notices

DSS Provides Update on Industry Insider Threat Program Implementation

On May 18, 2016, the Under Secretary of Defense for Intelligence issued NISPOM Change 2. NISPOM Change 2 requires cleared contractors to establish and implement insider threat programs that are consistent with E.O. 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. During the past several months DSS and industry have partnered to communicate requirements, address challenges, and pave the way for implementation success. As part of the NISPOM Change 2 requirements, cleared contractors are required to appoint an Insider Threat Program Senior Official (ITPSO) and develop and certify their written insider threat program plans.

As we are nearing the end of the implementation period for the NISPOM Change 2, contractors are reminded and encouraged to continue reporting ITPSO appointments, developing and certifying their plans, implementing training, and establishing their insider threat programs. Information on how to appoint your ITPSO as well as an insider threat program plan template can be found on the Industry Insider Threat Information and Resources webpage. While DSS has provided a plan template, all plans must be tailored to fit your company’s insider threat program, endorsed by the ITPSO, and self-certified to DSS that the plan is in place.

As part of our oversight and support we are working to keep industry informed on the implementation requirements and providing clarification when needed. In this notice we address Corporate ITPSO requirements. In accordance with NISPOM 1-202 and ISL 2016-02, the ITPSO must be a U.S. citizen employee who is a senior official and cleared in connection with the FCL. A corporate family may choose to establish a corporate-wide insider threat program with a single ITPSO. The requirement is to separately designate that person as the ITPSO at each legal entity within the corporation. A Corporate ITPSO must be on the KMP list for each facility to which he/she is appointed, but does not need to be an employee of each legal entity within a corporate family, only an employee of the corporation.

As an effort to ensure cleared contractors are informed of NISPOM Change 2 requirements and to address implementation questions, DSS has been hosting online workshops. The workshops which began on September 20, 2016 will continue through November 15, 2016. See, “NISPOM Change 2, Insider Threat Workshops,” notice for additional information. The workshops will be held on Tuesdays from 1:00-2:30pm. To register for a workshop, go to https://dss.adobeconnect.com/iits1/event/registration.html

BY the NUMBERS, Industry Insider Threat Program Implementation as of October 18, 2016

• ITPSO’s Appointed: 3,943
• Certified Insider Threat Program Plans: 259
• Industry Course Completions:
  • CI122.16, “Establishing an Insider Threat Program for Your Organization”: 4,354
  • CI121.16, “Insider Threat Awareness”: 24,624

NISPOM Change 2, Insider Threat Workshops

To further support the implementation of NISPOM Change 2, Insider Threat Program requirements, DSS will present a series of online workshops to continue discussions regarding program implementation and to provide information on NISPOM Change 2, Insider Threat Program requirements. For more information on the workshops, go to the DSS Industry Insider Threat Information and Resources webpage at http://www.dss.mil/it/index.html.

Commencing on September 20, 2016, DSS will present a series of online workshops to continue discussions and further support industry in their implementation of NISPOM Change 2, Insider Threat Program requirements. During the workshops, DSS will answer questions and discuss establishment and maintenance of contractor Insider Threat Program requirements.
Please join us for the first workshop which will be conducted via Adobe Connect on September 20, 2016. Additional workshops will run through November 15, 2016. To register for the workshop, go to https://dss.adobeconnect.com/iits1/event/registration.html

Feel free to contact dss.quantico.dss-hq.mbx.policyhq@mail.mil, with any registration difficulties!

The workshops will be held on Tuesday’s from 1 - 2:30 p.m. The dates are as follows:

• Sept. 20, 2016
• Sept. 27, 2016
• Oct. 4, 2016
• Oct. 11, 2016
• Oct. 25, 2016
• Nov. 1, 2016
• Nov. 8, 2016
• Nov. 15, 2016

DoD Releases Change 2 to DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM)

On May 18, 2016, the Department of Defense approved Change 2 to DoD 5220.22-M, "National Industrial Security Program Operating Manual (NISPOM)."

The change includes requirements for contractors to implement an insider threat program consistent with national policy; adds reporting requirements for Cleared Defense Contractors (CDC) relative to cyber incidents on CDC information systems approved to process classified information and can include activities occurring on unclassified information systems; addresses alignment with Federal standards for classified information systems, incorporates and cancels Supplement 1 to the NISPOM.

Change 2 to DoD 5220.22-M can be found here.
A Summary of Changes can be found at here.

In order to keep industry updated with new insider threat program information as it becomes available the DSS website will be updated soon to include a webpage under "Most Requested Links" for insider threat implementation information. The webpage, "Industry Insider Threat Information and Resources," will serve as a single entry point to access information, tools, training, and resources for implementing your insider threat programs.

DSS Releases ISL 2016-02, “Insider Threat”

DSS releases ISL 2016-02, which provides DoD implementation guidance for NISPOM Change 2, Insider Threat Program Implementation. Click here to view ISL 2016-02.

Additional information on implementing the requirements of NISPOM Change 2 related to insider threat can be found in the Most Requested Links section on the home page of www.dss.mil.

Appointments of Insider Threat Program Senior Officials (e-FCL)

The Key Management Personnel section within the e-FCL Submission site has been updated to accommodate the submission of the Insider Threat Program Senior Official. The KMP list now has a checkbox labeled “Is Insider Threat Program Senior Official (ITPSO)?” This checkbox has a help icon with mouse-over text to provide further guidance. Only one KMP entry can have the “Is ITPSO” column checked, just as only one entry can be the FSO. When printing the KMP list, the text “(ITPSO)” will be appended to the KMP’s name in the first column. If that person is also the FSO, the appended text will be changed to “(FSO, ITPSO).”

Corporate ITPSO Appointments and Notifications to DSS of Responsibility for Cleared Divisions and Branches

There are two options for informing DSS of the appointment of your ITPSO (expedited processing or traditional processing). Please review the August 2016 Voice of Industry Newsletter for additional information on these options and criteria. Companies appointing corporate-wide ITPSOs must submit a list to DSS of the cleared divisions and branches for which the Corporate ITPSO is responsible. For appointment of corporate-wide ITPSOs, this notification shall be provided to the IS Rep at your Home Office or Parent company. Branch/division and subsidiary locations do not need to separately notify DSS if an ITPSO is being appointed corporate wide. (NOTE: if a single corporate-wide ITPSO is used among multiple separate legal entities within the corporate family, the individual must be an employee of each legal entity).

Self-Certification of Insider Threat Plans

In addition to appointing an ITPSO, all contractors must self-certify to DSS that a written program plan has been implemented within the six month implementation period (deadline November 30, 2016). Once you have a program plan in place you will need to notify your assigned IS Rep through an email, letter, or other written format. If you are a corporate ITPSO submitting self-certification(s) of a program plan for multiple legal entities, or a multi-facility organization with cleared divisions or branches, the self-certification (to include all CAGE Codes to which the ITPSO is responsible) must be submitted to the IS Rep of the home office or parent company. In order to facilitate communication regarding the implementation and oversight of corporate-wide insider threat plans between IS Reps and each level within your organization, each branch/division location and/or subsidiary must also notify their assigned IS Rep that the program plan has been implemented as applicable at the local level (i.e., each cleared facility).