On May 18, 2016, the Department of Defense issued Conforming Change 2 of the “National Industrial Security Operating Manual” (“NISPOM”). NISPOM Change 2 requires all U.S. government contractors who require access to U.S. classified information to implement, by November 30, 2016, an Insider Threat Program (“ITP”) that will gather, integrate and report relevant information related to potential or actual insider threats among cleared employees. Insider threats – a growing phenomenon – arise when employees or contractors exploit legitimate access to an organization’s data for unauthorized or malicious purposes. Much of the impetus for the new rule appears to be a valid concern about large-scale thefts of classified data, as exemplified by Edward Snowden’s release of a vast trove of sensitive documents stolen from the U.S. National Security Agency.
Contractors Must Weigh Risks
Under the new rule, affected contractors must determine how to “identify and report relevant and credible information that may be indicative of an insider threat, deter cleared employees from becoming insider threats, detect those who pose an actual risk to classified information and mitigate the risk of an insider incident.” The rule requires in-house Legal, Information Security and Human Resources departments to collect and share information related to the 13 personnel security adjudicative guidelines, monitor access – and attempted access – to classified databases, and establish an insider threat training program to educate employees on how to identify potential insider threats. Any suspected compromise of classified information must be immediately reported to the Defense Security Service (“DSS”).