Insider Threat Program Requirements for Government Contractors

Executive Order 13587 directed all federal agencies and their cleared contractors to establish insider threat programs to detect, deter, and mitigate threats from individuals with authorized access to classified information. For cleared government contractors, these requirements were implemented through NISPOM Conforming Change 2 (CC2), now codified in 32 CFR Part 117. An insider threat program is mandatory for any contractor holding a Facility Security Clearance (FCL) and is evaluated during DCSA security reviews.

Bureauify Research Team

This guide covers who must have an insider threat program, the required components, training obligations, User Activity Monitoring requirements, and reporting to DCSA.

100M+ government records · 300+ gov/news sources · Updated hourly

NISPOM Conforming Change 2 Requirements

NISPOM Conforming Change 2 (CC2), originally issued in May 2016 and now incorporated into 32 CFR § 117.7(j), established the baseline requirements for insider threat programs at cleared contractor facilities. The regulation requires contractors to establish and maintain an insider threat program that will gather, integrate, and report relevant information from across the enterprise to detect and mitigate insider threats.

The regulation defines an "insider threat" as the threat that a cleared person with authorized access to classified information will use that access to harm the security of the United States. This includes espionage, unauthorized disclosure, terrorism, and other activities that could compromise classified information or national security. The definition is deliberately broad to encompass the full spectrum of potential threats.

The insider threat program must be documented in writing, approved by senior management, and maintained as a component of the facility's overall security program. DCSA evaluates insider threat program compliance during routine security reviews and may conduct focused reviews if concerns arise. Non-compliance can result in adverse findings, increased oversight, and in severe cases, revocation of the facility clearance.

Who Must Have an Insider Threat Program?

All cleared contractor facilities — every company that holds an FCL at any level (Confidential, Secret, or Top Secret) — must establish and maintain an insider threat program. There is no size exemption. A two-person company with a Secret FCL has the same fundamental obligation as a 50,000-person defense contractor. However, the scale and sophistication of the program should be proportionate to the size of the organization, the number of cleared employees, and the volume and sensitivity of classified information handled.

The program must designate an Insider Threat Program Senior Official (ITPSO), who may be the FSO or another senior management official. The ITPSO must be a U.S. citizen with an active personnel clearance and must have completed insider threat program training. In smaller organizations, the ITPSO role is typically filled by the FSO. Larger organizations often establish a dedicated insider threat team that includes representatives from security, human resources, information technology, legal, and counterintelligence.

Program Components: Training, Monitoring, and Reporting

Training and Awareness

All cleared employees must receive initial insider threat awareness training and annual refresher training. Training must cover insider threat indicators, reporting obligations, and the consequences of insider threat activity. The ITPSO and other program personnel must complete additional specialized training on insider threat program management. CDSE provides free online courses that satisfy these requirements, including the "Insider Threat Awareness" course (INT101.16) and "Establishing an Insider Threat Program for Your Organization" (INT201.16).

Monitoring and Data Integration

The program must gather, integrate, and analyze relevant information from multiple sources to identify potential insider threat indicators. Information sources include security incident reports, foreign travel and contact reports, adverse information from background investigations, personnel actions (terminations, disciplinary actions, financial difficulties), IT security events, and self-reporting by cleared personnel. The program should correlate information across these sources to identify patterns that may indicate insider threat activity.

Reporting Procedures

The program must establish clear procedures for employees to report insider threat concerns and for the program to report confirmed or suspected threats to DCSA and other appropriate authorities. Reports to DCSA are made through NISS (National Industrial Security System). The program must also establish procedures for protecting the privacy of individuals and ensuring that reporting is conducted in a manner consistent with applicable law, including the Privacy Act and state privacy laws.

Response and Mitigation

The program must include procedures for responding to identified insider threats, including referral to management, security, law enforcement, or counterintelligence authorities as appropriate. Response procedures should address both immediate security actions (e.g., suspending access to classified information) and longer-term mitigation measures (e.g., enhanced monitoring, personnel actions, or referral to employee assistance programs).

Cleared Contractor Obligations

Beyond establishing the program itself, cleared contractors have several specific obligations under the insider threat requirements. These include maintaining written insider threat program documentation (an Insider Threat Program Plan), conducting and documenting self-assessments of program effectiveness, maintaining records of insider threat referrals and their disposition, and ensuring that all program activities are conducted in compliance with applicable laws and regulations.

Contractors must also ensure that insider threat program activities do not create a chilling effect on legitimate whistleblowing. The program must include safeguards to distinguish between insider threat indicators and protected disclosures under the Intelligence Community Whistleblower Protection Act and Presidential Policy Directive 19. Employees must be informed that the insider threat program does not supersede their right to make lawful disclosures to Congress, the Inspector General, or other authorized recipients.

User Activity Monitoring (UAM) Requirements

User Activity Monitoring (UAM) is the technical component of the insider threat program that monitors and audits user activity on classified information systems. 32 CFR § 117.7(j) requires contractors operating classified information systems to implement UAM capabilities that can detect unauthorized activity, including unauthorized data transfers, access to information beyond the user's need-to-know, and anomalous user behavior.

UAM capabilities must include, at a minimum: keystroke monitoring, screen capture or session recording, application monitoring, removable media usage tracking, and print job monitoring on classified systems. The specific UAM requirements depend on the classification level of the systems and any agency-specific requirements in the DD Form 254. DCSA provides guidance on acceptable UAM solutions through its Assessment and Authorization process.

Contractors must notify cleared employees that their activity on classified information systems is subject to monitoring. This notification is typically provided through login banners, user agreements, and the initial security briefing. UAM data must be stored securely, accessed only by authorized insider threat program personnel, and retained in accordance with applicable records management requirements. UAM implementation is a significant cost for contractors operating classified systems, but it is a non-negotiable requirement.

Reporting to DCSA

Cleared contractors must report insider threat-related incidents to DCSA through the established reporting channels. Actual or suspected espionage, sabotage, terrorism, or other intelligence-related activities must be reported immediately to the FBI and DCSA. Other insider threat indicators (such as security violations, suspicious foreign contacts, unauthorized disclosures, or concerning behavioral changes) should be reported through NISS adverse information reporting procedures.

DCSA has established the Insider Threat and Counterintelligence Division to support cleared contractor insider threat programs. This division provides guidance, training resources, and analytic support to contractors. Contractors should establish a relationship with their DCSA Industrial Security Representative and the Insider Threat and Counterintelligence Division as resources for program development and incident response.

During security reviews, DCSA evaluates the contractor's insider threat program for compliance with all requirements. Common findings include inadequate training documentation, failure to designate an ITPSO, lack of written program documentation, and insufficient integration of information sources. Contractors should conduct regular self-assessments using DCSA's published evaluation criteria to identify and correct deficiencies before they become formal findings.
