Security Policies and Procedures for Contractor Facilities

1/15/2025

 
Standard Practice Procedures (SPP) and Insider Threat Program Plans (ITP)
All cleared contractor facilities are required to have written procedures in place that dictate how their facility will implement and maintain a system of security controls within the organization in alignment with the requirements of 32 CFR Part 117 (NISPOM rule) and other U.S. Government laws and policies.

Organizations may have many different security policy documents; however, two written policies that every cleared facility should have are:
  1. A Security Standard Practice Procedures (SPP)
  2. An Insider Threat Program Plan (ITP)

The Security Standard Practice Procedures

The Security Standard Practice Procedures (SPP) is a written document that implements requirements for the contractor’s operations and involvement with classified information.

Key aspects of an SPP include, but may not be limited to:
  • Opening Statement: Outlines the purpose of the document and includes a statement of support for the National Industrial Security Program (NISP).
  • Facility Information: States the company’s facility clearance level, classified storage requirements (if applicable), and outlines the security roles within the organization. If applicable, this section will also outline the company’s Foreign Ownership Control or Influence (FOCI) mitigation agreement.
  • Personnel Security Clearances: Outlines how personnel clearances for employees and consultants are handled within your organization.
  • Reporting Requirements: Outlines reporting requirements for both personnel and the facility, and establishes the necessary processes and procedures all company personnel are required to follow.
  • FCL Changed Conditions: Outlines what, how, and when organizational changes must be reported to DCSA.
  • Insider Threat Program: Outlines the requirements for the organization to implement an insider threat program.
  • Security Education: Outlines the organization’s training requirements under U.S. Government and contractual requirements, and how those requirements are met, recorded, and maintained.
  • Self-Inspections (Contractor Reviews): Outlines how the organization will meet self-inspection requirements and the intervals at which the company will perform these inspections.
  • Classified Visits and Meetings: Outlines how classified visits and meetings will be handled, both to the organization’s facility and to other facilities, and how employees will notify security of classified visits and meetings.
  • Safeguarding Classified Information: Establishes the organization’s procedures for protecting classified information.
  • Marking Classified Information, if applicable: Establishes the organization’s procedures for marking classified information within the company’s possession.
 
The Insider Threat Program Plan
The Insider Threat Program Plan (ITP) is a comprehensive strategy designed to deter, detect, and mitigate potential threats posed by individuals within an organization who have authorized access to sensitive information or systems and who could use that access to harm the company or our Nation, whether intentionally or unintentionally. The Insider Threat Program Plan includes measures like employee monitoring, security awareness training, and incident response procedures to mitigate these risks.
 
Key aspects of an insider threat plan include, but may not be limited to:
  • Risk assessment: Identifying critical assets and evaluating the likelihood of an insider threat occurring, considering factors like employee access levels, job functions, and personal situations.
  • Employee screening: Conducting thorough background checks and reference verifications during the hiring process.
  • Access controls: Implementing strong user access management practices, including the principle of least privilege, to limit access to sensitive data based on job requirements.
  • User activity monitoring: Continuously monitoring employee actions on company systems to detect suspicious behavior, such as unusual access patterns, large data transfers, or unusual working hours.
  • Security awareness training: Regularly educating employees about insider threat risks, proper data handling practices, and reporting procedures for suspicious activity.
  • Incident response plan: Defining clear steps for investigating and responding to potential insider threats, including containment, evidence collection, and remediation strategies.
 
Insider Threat Program Plans must consider:
  • Balancing privacy concerns: Ensuring that monitoring activities are conducted ethically and within legal boundaries, avoiding unnecessary intrusion into employees' personal lives.
  • Reporting mechanisms: Establishing clear channels for employees to report suspicious activity without fear of retaliation.
  • Culture of security: Promoting a company culture that values security awareness and encourages employees to report potential risks.
 
Note: Some companies may choose to incorporate their written Insider Threat Program Plan into their Security Standard Practice Procedures.
 
How and Why Is This Relevant to You?
All cleared contractor personnel, both employees and consultants, are required to follow all policies and procedures set forth in company and U.S. Government policies. If you are receiving this newsletter, you work for a cleared contractor facility that is required to have, at a minimum, a Security SPP and an Insider Threat Program Plan, and you are required to follow the policies and procedures outlined in them.
 
Your organization is required to make security policy documents available to you and all personnel within your organization. If you do not know where to find them, please contact your company’s security team immediately.
 
Additionally, policy documents can be a lot to wade through. If you have any questions or concerns about the security policies within your organization, your FSO and Insider Threat Program Senior Official can certainly assist. You should never hesitate to reach out to your FSO and ITPSO for guidance. We’re here to help!
 
Resources and Additional Learning
If you do not have access to your company’s Security Standard Practice Procedures (SPP) manual and Insider Threat Plan (ITP), please contact your FSO!
 
  • CDSE Resources for Standard Practice Procedures
  • Written Standard Practice Procedures for Industry Video
  • Standard Practice Procedures for Industry Short
  • CDSE Insider Threat
  • DCSA Information about Insider Threat
  • Deliver Uncompromised Toolkit
  • Reporting Job Aid
  • Case Study Library
  • 32 CFR Part 117 (NISPOM Rule)
 
As always, if you have any questions about security or reporting requirements, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements. As security professionals, FSO PROS® is here to help you navigate these requirements and ensure you fulfill all of them.


© 2015-2026. All Rights Reserved.  |  FSO PROS® is a Registered Trademark of FSO Pros LLC  |  A Subsidiary of Dexterity Services Corp.   