Security Policies and Procedures for Contractor Facilities

All cleared contractor facilities are required to have written procedures in place that dictate how their facility will implement and maintain a system of security controls within the organization in alignment with the requirements of 32 CFR Part 117 (NISPOM rule) and other U.S. Government laws and policies.

Two written policies that every cleared facility should have are:

  1. A Security Standard Practice Procedures (SPP)
  2. An Insider Threat Program Plan (ITP)

The Security Standard Practice Procedures (SPP)

The Security Standard Practice Procedures (SPP) is a written document that implements requirements for the contractor’s operations and involvement with classified information. Key aspects of an SPP include:

  • Opening Statement: Outlines the purpose of the document and includes a statement of support for the National Industrial Security Program (NISP).
  • Facility Information: States the company’s facility clearance level, classified storage requirements, and outlines security roles within the organization.
  • Personnel Security Clearances: Outlines how personnel clearances for employees and consultants are handled.
  • Reporting Requirements: Outlines reporting requirements for both personnel and the facility, and establishes the necessary processes and procedures all company personnel are required to follow.
  • Security Education: Outlines the training requirements for the organization per U.S. Government and contractual requirements.
  • Self-Inspections: Outlines how the organization will meet self-inspection requirements and the intervals at which the company will perform these inspections.
  • Classified Visits and Meetings: Outlines how classified visits and meetings will be handled.
  • Safeguarding Classified Information: Establishes the organization’s procedures for protecting classified information.

The Insider Threat Program Plan (ITP)

The Insider Threat Program Plan (ITP) is a comprehensive strategy designed to deter, detect, and mitigate potential threats posed by individuals within an organization who have authorized access to sensitive information or systems. Key aspects include:

  • Risk assessment: Identifying critical assets and evaluating the likelihood of an insider threat occurring.
  • Employee screening: Conducting thorough background checks and reference verifications during the hiring process.
  • Access controls: Implementing strong user access management practices, including the least privilege principle.
  • User activity monitoring: Continuously monitoring employee actions on company systems to detect suspicious behavior.
  • Security awareness training: Regularly educating employees about insider threat risks and reporting procedures.
  • Incident response plan: Defining clear steps for investigating and responding to potential insider threats.

Insider Threat Program Plans must also balance privacy concerns, establish clear mechanisms for reporting without fear of retaliation, and promote a culture of security awareness.

How and Why Is This Relevant to You?

All cleared contractor personnel, both employees and consultants, are required to follow all procedures set forth in company and U.S. Government policies. Your organization is required to make security policy documents available to you and all personnel. If you do not know where to find them, please contact your company’s security team immediately.

If you have any questions or concerns about the security policies within your organization, your Facility Security Officer (FSO) and Insider Threat Program Senior Official (ITPSO) can certainly assist. You should never hesitate to reach out to your FSO and ITPSO for guidance.

Resources and Additional Learning

As always, if you have any questions about security or reporting requirements, ask your FSO! FSO PROS® is here to help you navigate things to ensure you fulfill all requirements.
