United States Nuclear Regulatory Commission - Protecting People and the Environment
Home > Nuclear Security and Safeguards > Insider Threat Program for Licensees

Insider Threat Program for Licensees

On this page:

To top of page

What is the National Industrial Security Program Operating Manual (NISPOM) Insider Threat Program (ITP)?

Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information," was issued in October 2011. The Executive Order requires all Federal agencies to establish and implement an insider threat program (ITP) to cover contractors and licensees who have exposure to classified information. On May 18, 2016, the Department of Defense issued NISPOM Change 2.  NISPOM Change 2 modified the NISPOM to require that cognizant security agencies (CSA), including the U.S. Nuclear Regulatory Commission (NRC), ensure that all cleared individuals for whom the agency is the CSA implement an ITP consistent with the NISPOM ITP requirements.

To top of page

To whom do the NISPOM ITP requirements apply?

The NISPOM ITP requirements apply to all individuals who have received a security clearance from the federal government granting access to classified information.  The NRC must ensure that all cleared individuals for which the NRC is the CSA comply with these requirements.  At the NRC, this includes all cleared licensees, cleared licensee contractors, and certain other cleared entities and individuals for which the NRC is the CSA.

To top of page

When will NISPOM ITP requirements be implemented?

The NRC staff plans to develop appropriate guidance to facilitate affected stakeholders' implementation of the NISPOM ITP requirements.  The NRC is aware that licensees will require time to develop programs based on these procedures to implement the new Security Exchange Agency Directive (SEAD) 3 and NISPOM ITP requirements. Please check this website for updates and further information on an updated implementation schedule.

To top of page

What are the new NISPOM ITP requirements?

The NISPOM establishes the following ITP minimum standards:

  • Formal appointment by the licensee of an ITP Senior Official who is a U.S. citizen employee and a senior official of the company.
  • Annual licensee self-review including self-inspection of the ITP.
  • Initial and refresher insider threat training for the awareness of cleared program management and cleared individuals.
  • Requirements to report to the NRC any detection of an insider threat to the licensee.
  • Provide user activity monitoring on any classified IT system.

The NRC has granted facility clearances to its cleared licensees, licensee contractors and certain other cleared entities and individuals in accordance with 10 Code of Federal Regulations (CFR) Part 95.  Some of those receiving a clearance that both have access to and possess classified information are granted a "possessing" facility clearance.  Some of those receiving a clearance that have access to but do not actually possess classified information are granted a "non-possessing" facility clearance.

All five of the NISPOM ITP requirements apply to holders of a possessing facility clearance.  Only the first four requirements apply to holders of a non-possessing facility clearance. Since holders of a non-possessing facility clearance do not possess classified information at their facility, they presumably do not have a classified IT system that needs to be monitored.

To top of page

How can stakeholders stay informed of new NRC developments regarding the new requirements?

Stakeholders should continue to check this website for any new developments. NRC staff guidance or other pertinent information regarding NISPOM ITP implementation will be posted on this website. Additionally, interested persons should check the NRC's Public Meeting Notice website for public meetings held on the subject.

To top of page

Contact Information

For more information on the NISPOM ITP requirements applicable to NRC licensees, licensee contractors, and other cleared entities and individuals please contact:

Office of Nuclear Security and Incident Response
Information Security Branch
E-mail: NISPOMITP@nrc.gov

Office of Nuclear Security and Incident Response
Operations Center
Phone: 301-816-5100
E-mail:  H001@nrc.gov

To top of page

Resources

Insider Threat Program information links:

To top of page

Page Last Reviewed/Updated Tuesday, June 26, 2018