
NISPOM Change 2 and H.R.666


What is NISPOM?

NISPOM, the National Industrial Security Program Operating Manual (DoD 5220.22-M), sets the requirements for protecting classified national security information held by industry. Any company that holds contracts with the Department of Defense, or that is overseen by the Defense Security Service (DSS), is subject to NISPOM regulations.

An additional NISPOM requirement related to insider threats, known as Change 2, was issued on 18 May 2016. It requires cleared contractors to establish a fully fledged insider threat program in order to deter, detect and respond to potential incidents.

NISPOM Change 2 requirements

Establish and maintain an insider threat program

NISPOM requires that companies maintain an insider threat program, including gathering, integrating and reporting any information potentially relevant to insider threats. This program must be consistent with the related federal guidance in this area: E.O. 13587, the National Insider Threat Policy, and the Minimum Standards for Executive Branch Insider Threat Programs.

Designate a senior employee as the chief manager of an insider threat program

Companies must designate a senior official to establish and manage the insider threat program. That official must be a US citizen employee who is cleared in connection with the facility clearance (FCL).

Conduct insider threat training

The insider threat program senior official must ensure that all employees involved with the program, as well as all cleared employees, complete insider threat training that the Cognizant Security Agency (CSA) considers appropriate.

Such training should generally include counterintelligence and security fundamentals, laws and regulations regarding gathering and handling of data, as well as general indicators of insider threats and methods used by adversaries to recruit personnel, among other things.

Monitor user activity on classified networks

Department of Homeland Security Insider Threat and Mitigation Act of 2017 (H.R. 666)

The Act directs DHS to establish its own insider threat program, including:

  • Development of a holistic strategy for a department-wide detection, prevention, and mitigation of insider threats
  • Implementation of the said strategy across all DHS branches and offices
  • Creation of formal insider threat policies and controls
  • A baseline risk assessment with regard to insider threats
  • Examination of existing technologies and best practices for insider threat protection, as well as deployment of new tools and implementation of new procedures
  • Assessment of the effectiveness of the insider threat program

Training and education that allows for the detection of, and responding to, insider threats, should be provided to personnel as part of the insider threat program. The program should also be used to support investigations into various incidents involving insider threats.

Why insider threat programs are important

NISPOM Change 2 and the Department of Homeland Security Insider Threat and Mitigation Act of 2017 introduced much tighter insider threat controls, for cleared private contractors working with the DoD and for DHS respectively. This wave of legislation reflects a broader shift in how both government and private business treat insider threats.

Many more organizations have come to realize the importance of an effective insider threat program. The main benefits of an insider threat program include:

  • Protection from leaks, data theft, and misuse by trusted employees
  • Timely insider attack detection
  • The ability to issue a quick targeted response and mitigate damage
  • Compliance with numerous regulations


How Syteca can help you fight insider threats

Monitoring

Syteca provides full video recording of the user screen, including mouse movement. All recordings are stored in a centralized database in an indexed format, specifically optimized for low storage and bandwidth requirements.

Along with video recording, Syteca also records additional metadata such as keystrokes, the names of windows opened and applications launched, websites visited, commands executed in Linux, and connected devices. Recording can be filtered extensively: it can start automatically on a trigger, run only at specific times, or cover only certain applications.

Any recording can be reviewed at any time along with the corresponding metadata via a convenient web-based management tool. Recordings are easily searchable, allowing for easy investigation and analysis.

Detection

Syteca monitors all Windows server and desktop, macOS desktop, Linux SSH/Telnet, and various Unix sessions regardless of the level of privilege a user has, or the applications or network protocols used. Automatic license provisioning makes Syteca ideal for virtual environments, as it allows the redistribution of licenses automatically as you shut down and create new virtual machines.

Syteca also features robust alerting capabilities to facilitate incident detection. It has a set of built-in predefined alerts, specifically designed to cover most common incidents linked to insider threats. Users can also create custom alerts based on their specific needs and situation.

When an alert is triggered, a notification will be sent to your security personnel, allowing them to quickly review the incident and issue an appropriate response.

Response

When an alert is triggered, security personnel will receive a notification with a link to the corresponding session recording. If the session is still ongoing, then it can be viewed live, and if malicious activity is detected, the user can be blocked immediately. For high-risk actions, you can configure automatic user and/or process blocking when the corresponding alert is triggered.

Apart from allowing users to be blocked manually, Syteca can also monitor and optionally block any USB devices connected automatically. This allows you to protect your infrastructure from mass storage devices and infected USB drives.
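To make the detection-and-response flow above concrete, here is an added example (not Syteca's code, and not the product's rule format) that evaluates a small set of alert rules over constructed session metadata of the kinds listed in the Monitoring section: Linux commands, connected USB devices, and visited websites. The event layout, the rule set, the sample events and the "notify" versus "block" actions are all assumptions made for illustration.

```python
"""Minimal alert-rule evaluation over session activity metadata.

Added example, not Syteca's code. The Event and Rule formats, the rule
set and the sample events are assumptions constructed for illustration.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    user: str      # account the session belongs to
    session: str   # session recording identifier (link target for the alert)
    kind: str      # one of: "command", "usb", "url", "app"
    value: str     # raw recorded value (command line, device descriptor, URL)


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str      # only events of this kind are evaluated against the rule
    pattern: str   # regular expression searched in the event value
    block: bool    # True = high-risk, block automatically; False = notify only


# Assumed rule set; patterns are illustrative, not a vetted detection library.
RULES = [
    Rule("mass-storage-usb", "usb", r"class=mass_storage", block=True),
    Rule("bulk-archive-of-home-dirs", "command", r"\b(tar|zip)\b.*\s/home/", block=False),
    Rule("credential-file-read", "command", r"\b(cat|less|cp)\b.*(/etc/shadow|\.ssh/id_)", block=True),
    Rule("personal-cloud-upload", "url", r"(drive\.google\.com|dropbox\.com)", block=False),
]


def evaluate(events, rules=RULES):
    """Return one alert dict per (event, matching rule) pair, in event order."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.kind == ev.kind and re.search(rule.pattern, ev.value):
                alerts.append({
                    "rule": rule.name,
                    "user": ev.user,
                    "session": ev.session,   # what a notification would link to
                    "evidence": ev.value,
                    "action": "block" if rule.block else "notify",
                })
    return alerts


def sessions_to_block(alerts):
    """Sessions where at least one high-risk rule fired (auto-block targets)."""
    return {a["session"] for a in alerts if a["action"] == "block"}


# Constructed sample events, not real recordings.
SAMPLE_EVENTS = [
    Event("jdoe", "s-101", "app", "Microsoft Word"),
    Event("jdoe", "s-101", "command", "tar czf /tmp/backup.tgz /home/jdoe/projects"),
    Event("jdoe", "s-101", "usb", "vendor=0781 product=5567 class=mass_storage"),
    Event("asmith", "s-102", "url", "https://intranet.example.internal/wiki"),
    Event("asmith", "s-102", "command", "cat ~/.ssh/id_rsa"),
    Event("asmith", "s-102", "url", "https://www.dropbox.com/upload"),
]


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['action']:6}] {a['rule']:28} user={a['user']} session={a['session']} :: {a['evidence']}")
    print("auto-block sessions:", sorted(sessions_to_block(found)))
```

Rules are keyed by event kind so that a command pattern is never tested against a URL, and each alert carries the session identifier so that a notification can link straight to the recording, as the Response section describes. In a real deployment the "block" action would also need an allow-list (administrators running backups, for example), otherwise the bulk-archive and credential-file rules will generate noise.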

Reporting and analysis

Syteca – a powerful tool for fighting insider threats

Let’s get the conversation started

Contact our team to learn how our insider risk management software can safeguard your organization’s data from any risks caused by human factors. Book a call with us at a time that suits you best, and let’s explore how we can help you achieve your security goals.