Insider Threat Program for Licensees

On this page:

• What is the National Industrial Security Program Operating Manual (NISPOM) Insider Threat Program (ITP)?
• To whom do the NISPOM ITP requirements apply?
• When will NISPOM ITP requirements be implemented?
• What are the new NISPOM ITP requirements?
• How can stakeholders stay informed of new NRC developments regarding the new requirements?
• Contact Information
• Resources

What is the National Industrial Security Program Operating Manual (NISPOM) Insider Threat Program (ITP)?

Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information," was issued in October 2011. The Executive Order requires all Federal agencies to establish and implement an insider threat program (ITP) to cover contractors and licensees who have exposure to classified information. On February 24, 2021, 32 CFR Part 117, "National Industrial Security Program Operating Manual (NISPOM)" became effective as a federal rule. Pursuant to this rule and cognizant security agency (CSA)-provided guidance to supplement unique CSA mission requirements, contractors are required to establish and maintain an insider threat program to gather, integrate, and report relevant and available information indicative of a potential or actual insider threat, consistent with Executive Order 13587 and Presidential Memorandum "National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs."

To whom do the NISPOM ITP requirements apply?

The NISPOM ITP requirements apply to all individuals who have received a security clearance from the federal government granting access to classified information.  The NRC must ensure that all cleared individuals for which the NRC is the CSA comply with these requirements.  At the NRC, this includes all cleared licensees, cleared licensee contractors, and certain other cleared entities and individuals for which the NRC is the CSA.

When will NISPOM ITP requirements be implemented?

The NRC staff issued guidance to affected stakeholders on March 19, 2021. This guidance included the NISPOM ITP minimum requirements and implementation dates. Each licensee is expected to establish its ITP program and report the assignment of its ITP Senior Official (ITPSO) via its revised Standard Practice Procedure Plan (SPPP) within 180 days of the guidance letter. Supplemental insider threat information, including a SPPP template, was provided to licensees.

What are the new NISPOM ITP requirements?

The NISPOM establishes the following ITP minimum standards:

• Formal appointment by the licensee of an ITPSO who is a U.S. citizen employee and a senior official of the company.
• Annual licensee self-review including self-inspection of the ITP.
• Initial and refresher insider threat training for the awareness of cleared program management and cleared individuals.
• Required reporting to the NRC of any detection of an insider threat to the licensee.
• Establishment of user activity monitoring on any classified IT system.

The NRC has granted facility clearances to its cleared licensees, licensee contractors and certain other cleared entities and individuals in accordance with 10 Code of Federal Regulations (CFR) Part 95.  Some of those receiving a clearance that both have access to and possess classified information are granted a "possessing" facility clearance.  Some of those receiving a clearance that have access to but do not actually possess classified information are granted a "non-possessing" facility clearance.

All five of the NISPOM ITP requirements apply to holders of a possessing facility clearance.  Only the first four requirements apply to holders of a non-possessing facility clearance (since holders of a non-possessing facility clearance do not possess classified information at their facility, they presumably do not have a classified IT system that needs to be monitored).

How can stakeholders stay informed of new NRC developments regarding the new requirements?

Stakeholders should continue to check this website for any new developments. NRC staff guidance or other pertinent information regarding NISPOM ITP implementation will be posted on this website. Additionally, interested persons should check the NRC's Public Meeting Notice website for public meetings held on the subject.

Contact Information

For more information on the NISPOM ITP requirements applicable to NRC licensees, licensee contractors, and other cleared entities and individuals please contact:

Office of Nuclear Security and Incident Response
Information Security Branch
E-mail: insiderthreatprogram.resource@nrc.gov

Office of Nuclear Security and Incident Response
Operations Center
Phone: 301-816-5100
E-mail:  H001@nrc.gov

Resources

Insider Threat Program information links:

• Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information" (dated October 7, 2011)
• 32 CFR Part 117 – National Industrial Security Program Operating Manual (NISPOM)
• Defense Security Services – Industry Insider Threat Information and Resources
• 2017 Insider Threat Guide
• Insider Threat Program Maturity Framework
• National Insider Threat Task Force (NITTF) Mission
• Self-Inspection Handbook for NISP Contractors