Industry Insider Threat Information and Resources

Policy and Guidance





For questions or concerns, please email:


June 11, 2018: Evaluating Insider Threat Program Effectiveness

As industry continues to establish and maintain their programs, DSS is verifying that minimum insider threat program requirements are in place including:

However, in follow-on assessments, DSS will also evaluate the effectiveness of industry’s insider threat programs. According to the current plan, DSS will begin evaluating the effectiveness of insider threat programs in calendar year 2019.

Please review the May 2018 Voice of Industry Newsletter for more information about the status of the plan to evaluate effectiveness.

Previous Notices

NISPOM Change 2 insider threat employee awareness training requirement

Industry is reminded that insider threat employee awareness training is required for all cleared employees before being granted access to classified information and annually thereafter. The suspense for the completion of training for those employees currently in access is May 31, 2017. After May 31, 2017, all cleared contractor employees must complete the employee awareness training prior to being placed into access for classified information and thereafter annually.

Information on the employee awareness training requirements can be found in NISPOM 3-103b and in ISL 2016-02; and information on industry insider threat programs is available here.

Training is also available through the Center for Development of Security Excellence, in the CDSE catalog under Insider Threat.

CDSE Available Training Courses:

Guidance for ITPSO Records in JPAS

Insider Threat Program Senior Officials (ITPSO) must be identified as Key Management Personnel (KMP) and must have eligibility equivalent to or higher than the level of the Facility (Security) Clearance (FCL). Facilities must establish an owning relationship with the ITPSO's record in JPAS.

In cases where a corporate-wide ITPSO has been appointed, each subsidiary (legal entity) must also identify the ITPSO as a KMP and must grant the ITPSO access to the level of the FCL. Subsidiary facilities must take an owning relationship with the ITPSO's record in JPAS.

Since a corporate-wide ITPSO is not required to be cleared in connection to the FCLs at branch/division locations, the ITPSO's record does not need to be owned in JPAS by those facilities. However, when the ITPSO requires access to classified information at branch/division locations, those facilities must take a servicing relationship with the ITPSO's record in JPAS and document the ITPSO's level of access to classified information.

DSS Provides Update on Industry Insider Threat Program Implementation

On May 18, 2016, the Under Secretary of Defense for Intelligence issued NISPOM Change 2. NISPOM Change 2 requires cleared contractors to establish and implement insider threat programs that are consistent with E.O. 13587 and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs. During the past several months DSS and industry have partnered to communicate requirements, address challenges, and pave the way for implementation success. As part of the NISPOM Change 2 requirements, cleared contractors are required to appoint an Insider Threat Program Senior Official (ITPSO) and develop and certify their written insider threat program plans.

As we are nearing the end of the implementation period for the NISPOM Change 2, contractors are reminded and encouraged to continue reporting ITPSO appointments, developing and certifying their plans, implementing training, and establishing their insider threat programs. Information on how to appoint your ITPSO as well as an insider threat program plan template can be found on the Industry Insider Threat Information and Resources webpage. While DSS has provided a plan template, all plans must be tailored to fit your company’s insider threat program, endorsed by the ITPSO, and self-certified to DSS that the plan is in place.

As part of our oversight and support we are working to keep industry informed on the implementation requirements and providing clarification when needed. In this notice we address Corporate ITPSO requirements. In accordance with NISPOM 1-202 and ISL 2016-02, the ITPSO must be a U.S. citizen employee who is a senior official and cleared in connection with the FCL. A corporate family may choose to establish a corporate-wide insider threat program with a single ITPSO. The requirement is to separately designate that person as the ITPSO at each legal entity within the corporation. A Corporate ITPSO must be on the KMP list for each facility to which he/she is appointed, but does not need to be an employee of each legal entity within a corporate family, only an employee of the corporation.

In an effort to ensure cleared contractors are informed of NISPOM Change 2 requirements and to address implementation questions, DSS has been hosting online workshops. The workshops, which began on September 20, 2016, will continue through November 15, 2016. See the “NISPOM Change 2, Insider Threat Workshops” notice for additional information. The workshops will be held on Tuesdays from 1:00-2:30 p.m. To register for a workshop, go to

By the Numbers, Industry Insider Threat Program Implementation as of October 18, 2016

NISPOM Change 2, Insider Threat Workshops

To further support the implementation of NISPOM Change 2, Insider Threat Program requirements, DSS will present a series of online workshops to continue discussions regarding program implementation and to provide information on NISPOM Change 2, Insider Threat Program requirements. For more information on the workshops, go to the DSS Industry Insider Threat Information and Resources webpage at

Commencing on September 20, 2016, DSS will present a series of online workshops to continue discussions and further support industry in their implementation of NISPOM Change 2, Insider Threat Program requirements. During the workshops, DSS will answer questions and discuss establishment and maintenance of contractor Insider Threat Program requirements.
Please join us for the first workshop which will be conducted via Adobe Connect on September 20, 2016. Additional workshops will run through November 15, 2016. To register for the workshop, go to

Feel free to contact, with any registration difficulties!

The workshops will be held on Tuesdays from 1 - 2:30 p.m. The dates are as follows:

DoD Releases Change 2 to DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM)

On May 18, 2016, the Department of Defense approved Change 2 to DoD 5220.22-M, "National Industrial Security Program Operating Manual (NISPOM)."

The change includes requirements for contractors to implement an insider threat program consistent with national policy; adds reporting requirements for Cleared Defense Contractors (CDC) relative to cyber incidents on CDC information systems approved to process classified information and can include activities occurring on unclassified information systems; addresses alignment with Federal standards for classified information systems; and incorporates and cancels Supplement 1 to the NISPOM.

Change 2 to DoD 5220.22-M can be found here.
A Summary of Changes can be found here.

In order to keep industry updated with new insider threat program information as it becomes available, the DSS website will be updated soon to include a webpage under "Most Requested Links" for insider threat implementation information. The webpage, "Industry Insider Threat Information and Resources," will serve as a single entry point to access information, tools, training, and resources for implementing your insider threat programs.

DSS Releases ISL 2016-02, “Insider Threat”

DSS releases ISL 2016-02, which provides DoD implementation guidance for NISPOM Change 2, Insider Threat Program Implementation. Click here to view ISL 2016-02.

Additional information on implementing the requirements of NISPOM Change 2 related to insider threat can be found in the Most Requested Links section on the home page of

Appointments of Insider Threat Program Senior Officials (e-FCL)

The Key Management Personnel section within the e-FCL Submission site has been updated to accommodate the submission of the Insider Threat Program Senior Official. The KMP list now has a checkbox labeled “Is Insider Threat Program Senior Official (ITPSO)?” This checkbox has a help icon with mouse-over text to provide further guidance. Only one KMP entry can have the “Is ITPSO” column checked, just as only one entry can be the FSO. When printing the KMP list, the text “(ITPSO)” will be appended to the KMP’s name in the first column. If that person is also the FSO, the appended text will be changed to “(FSO, ITPSO).”

Corporate ITPSO Appointments and Notifications to DSS of Responsibility for Cleared Divisions and Branches

There are two options for informing DSS of the appointment of your ITPSO (expedited processing or traditional processing). Please review the August 2016 Voice of Industry Newsletter for additional information on these options and criteria. Companies appointing corporate-wide ITPSOs must submit a list to DSS of the cleared divisions and branches for which the Corporate ITPSO is responsible. For appointment of corporate-wide ITPSOs, this notification shall be provided to the IS Rep at your Home Office or Parent company. Branch/division and subsidiary locations do not need to separately notify DSS if an ITPSO is being appointed corporate-wide.

Self-Certification of Insider Threat Plans

In addition to appointing an ITPSO, all contractors must self-certify to DSS that a written program plan has been implemented within the six-month implementation period (deadline November 30, 2016). Once you have a program plan in place, you will need to notify your assigned IS Rep through an email, letter, or other written format. If you are a corporate ITPSO submitting self-certification(s) of a program plan for multiple legal entities, or a multi-facility organization with cleared divisions or branches, the self-certification (to include all CAGE Codes for which the ITPSO is responsible) must be submitted to the IS Rep of the home office or parent company. In order to facilitate communication regarding the implementation and oversight of corporate-wide insider threat plans between IS Reps and each level within your organization, each branch/division location and/or subsidiary must also notify their assigned IS Rep that the program plan has been implemented as applicable at the local level (i.e., each cleared facility).