NISPOM Change 2 and H.R.666

Monitor insider activity. Detect anomalies. Respond to incidents. ALL-IN-ONE

NISPOM Conforming Change 2 and Insider Threat and Mitigation Act of 2017 specified a new set of requirements for your insider threat program. Learn more about these regulations, the importance of the introduced changes, and tools to help you empower insider threat protection within your company.

What is NISPOM?

DoD 5220.22-M National Industrial Security Policy Operating Manual (NISPOM) is a set of requirements and guidelines for implementation, published by the US Department of Defense and applicable to all third party providers and subcontractors working with US government on any projects that may involve classified information.

NISPOM was created with the purpose of protecting all sensitive information regarding national security, and as a result, any company that has contracts with the Department of Defense or the Defense Security Service (DSS) can be a subject to NISPOM regulations.

An additional NISPOM requirement related to insider threats took effect on 18 May. Called Change 2, it requires companies to establish a fully-fledged insider threat program in order to deter, detect and respond to potential incidents.

NISPOM Change 2 requirements

The insider threat program requirement states that any data related to insider threats needs to be collected and stored in a single centralized location for analysis and reporting. The form of this central hub and the methods of collecting and centralizing all the necessary data can depend on the specifics of your organization.

The main set of requirements for compliance with Conforming Change 2 include:

Establish and maintain an insider threat program

NISPOM requires that companies maintain an insider threat program, including gathering, integrating and reporting any information potentially relevant to insider threats. This program should be consistent with other legislation in this area, including the National Insider Threat Policy, Minimum Standards for Executive Branch Insider Threat Programs, and E.O. 13587.

Designate a senior employee as the chief manager of an insider threat program

Companies need to designate an employee to establish and manage their insider threat program as a senior official. Such an employee needs to have US citizenship, and be cleared in connection with the FCL.

Conduct insider threat training

The insider threat program senior official needs to ensure that all employees involved with the program, as well as any employees with a sufficient level of clearance complete insider threat training that CSA considers appropriate.

Such training should generally include counterintelligence and security fundamentals, laws and regulations regarding gathering and handling of data, as well as general indicators of insider threats and methods used by adversaries to recruit personnel, among other things.

Monitor user activity on classified networks

Companies need to implement measures that allow detection activity indicative of insider threats on classified networks. Such measures need to correspond to the guidance issued by the CSA (Cognizant Security Agency), as well as other federal regulations with regard to tools that can be used in federal agencies.

The capability to collect screen captures, full application content, and keystrokes are only some of the requirements that federal laws (in this case, CNSS Directive No. 504) pose for monitoring tools used for insider threat detection.

Department of Homeland Security Insider Threat and Mitigation Act of 2017

The Department of Homeland Security Insider Threat and Mitigation Act of 2017 was approved by the House of Representatives on 31 January. This legislation is similar to NISPOM Change 2 in that it requires the establishment of an insider threat program, but this time the subject is the Department of Homeland Security itself.

The main requirements of the Department of Homeland Security Insider Threat and Mitigation Act of 2017 include:

Development of a holistic strategy for a department-wide detection, prevention, and mitigation of insider threats
Implementation of the said strategy across all DHS branches and offices
Creation of formal insider threat policies and controls
A basic risks assessment with regard to insider threats
Examination of existing technologies and best practices for insider threat protection, as well as deployment of new tools and implementation of new procedures
Assessment of the effectiveness of the insider threat program

Training and education that allows for the detection of, and responding to, insider threats, should be provided to personnel as part of the insider threat program. The program should also be used to support investigations into various incidents involving insider threats.

Why insider threat programs are important

NISPOM Change 2 and the Department of Homeland Security Insider Threat and Mitigation Act of 2017 introduced much tighter insider threat controls both for the DoD and for private subcontractors working with it. This wave of legislation represents a paradigm shift that has occurred lately regarding insider threats, both from the government and from private business standpoints.

Many more organizations have come to realize the importance of an effective insider threat program. The main benefits of an insider threat program include:

Protection from leaks, data theft, and misuse by trusted employees
Timely insider attack detection
The ability to issue a quick targeted response and mitigate damage
Compliance with numerous regulations

Syteca is a insider threat management software that can help you reap all of these benefits and establish an insider threat program that is actually effective. Whether you want to improve your cyber security by introducing insider threat detection tools, or are simply looking for more effective and affordable tools, Syteca will be able to help you.

How Syteca can help you fight insider threats

With a great feature set that includes robust monitoring and incident response capabilities, Syteca can serve as a solid foundation for any insider threat program. The main features it offers include:

Monitoring

Syteca provides full video recording of the user screen, including mouse movement. All recordings are stored in a centralized database in an indexed format, specifically optimized for low storage and bandwidth requirements.

Along with video recording, Syteca also records numerous additional metadata, such as keystrokes, names of windows opened and applications launched, websites visited, commands executed in Linux, connected devices, etc. There are extensive options for filtering recording, allowing recording to start automatically, recording only at specific times, or even recording only certain applications.

Any recording can be reviewed at any time along with the corresponding metadata via a convenient web-based management tool. Recordings are easily searchable, allowing for easy investigation and analysis.

Detection

Syteca monitors all Windows server and desktop, macOS desktop, Linux SSH/Telnet, and various Unix sessions regardless of the level of privilege a user has, or the applications or network protocols used. Automatic license provisioning makes Syteca ideal for virtual environments, as it allows the redistribution of licenses automatically as you shut down and create new virtual machines.

Apart from multi-factor authentication, privileged account and session management (PASM), one-time passwords and other access management features, the platform includes a secondary authentication tool. Secondary authentication is used to distinguish between users of shared accounts, allowing Syteca to clearly attribute each recording to a specific user.

Syteca also features robust alerting capabilities to facilitate incident detection. It has a set of built-in predefined alerts, specifically designed to cover most common incidents linked to insider threats. Users can also create custom alerts based on their specific needs and situation.

When an alert is triggered, a notification will be sent to your security personnel, allowing them to quickly review the incident and issue an appropriate response.

Response

When an alert is triggered, security personnel will receive a notification with a link to the corresponding session recording. If the session is still ongoing, then it can be viewed live, and if malicious activity is detected, the user can be blocked immediately. For high-risk actions, you can configure automatic user and/or process blocking when the corresponding alert is triggered.

Apart from allowing users to be blocked manually, Syteca can also monitor and optionally block any USB devices connected automatically. This allows you to protect your infrastructure from mass storage devices and infected USB drives.

Reporting and analysis

Syteca has a number of built-in reports that can be both scheduled and generated manually, allowing you to prove compliance and quickly assess the effectiveness of your insider threat program.

The data collected is also a great asset for investigation and analysis. Syteca allows you to export any part of a recording in a fully protected and encrypted format that guarantees that the said data has not been tampered with. This data can be used as evidence in an official investigation. The internal Management Tool Log also guarantees that system administrators have not tampered with the data

Syteca – a powerful tool for fighting insider threats

Syteca is aimed at helping organizations with insider threat detection, as well as employee and subcontractor monitoring. Large organizations will undoubtedly find the robust set of features, including high availability, database archiving, and automatic agent updates to be more than enough to cover their needs.

Meet other IT security requirements with Syteca

NISPOM Change 2 and H.R. 666

Let’s get the conversation started

Contact our team to learn how our insider risk management software can safeguard your organization’s data from any risks caused by human factors. Book a call with us at a time that suits you best, and let’s explore how we can help you achieve your security goals.

Get in Touch