NISPOM Change 2 and H.R.666


NISPOM Conforming Change 2 and Insider Threat and Mitigation Act of 2017 specified a new set of requirements for your insider threat program. Learn more about these regulations, importance of the introduced changes, and tools to help you empower insider threat protection within your company.



NISPOM Change 2 requirements


Insider threat program requirement states that any data related to insider threats needs to be gathered and stored in a single centralized location for analysis and reporting. The form of this central hub and ways to gather and centralize all the necessary data can depend on the specifics of your organization.


The main set of requirements for compliance with Conforming Change 2 include:


Establish and maintain insider threat program


NISPOM requires that companies maintain insider threat program, including gathering, integrating and reporting any information potentially relevant to insider threats. This program should be consistent with other legislations in this area, including National Insider Threat Policy, Minimum Standards for Executive Branch Insider Threat Programs, as well as E.O. 13587.


Designate a senior employee as a chief manager of an insider threat program


Companies need to designate an employee to establish and manage their insider threat program as a senior official. Such employee needs to have US citizenship, and be cleared in connection with the FCL.


Conduct insider threat training


Insider threat program senior official needs to ensure that all employees involved with the program, as well as any employees with sufficient level of clearance complete insider threat training that CSA considers appropriate.


Such training should generally include counterintelligence and security fundamentals, laws and regulations regarding gathering and handling of data, as well as general indicators of insider threats and methods used by adversaries to recruit personnel, among other things.


Monitor user activity on classified networks


Companies need to implement measures that allow detecting activity indicative of insider threats on classified networks. Such measures need to correspond to the guidance issued by CSA (Cognizant Security Agency), as well as other federal regulations with regard to tools that can be used in federal agencies.


Ability to collect screen captures, full application content, and keystrokes are only some of the requirements that federal laws (in this case, CNSS Directive No. 504) pose for monitoring tools used for insider threat detection.


Department of Homeland Security Insider Threat and Mitigation Act of 2017


Department of Homeland Security Insider Threat and Mitigation Act of 2017 was approved by the House of Representatives on January 31. This legislation is similar to NISPOM Change 2 in that it requires to establish insider threat program, but this time the subject is the Department of Homeland Security itself.


Main requirements of Department of Homeland Security Insider Threat and Mitigation Act of 2017 include:


  • Development of a holistic strategy for a department-wide detection, prevention, and mitigation of insider threats
  • Implementation of said strategy across all DHS branches and offices
  • Creation of formal insider threat policies and controls
  • Base risks assessment with regard to insider threats
  • Examination of existing technologies and best practices for insider threat protection, as well as deployment of new tools and implementation of new procedures
  • Assessment of the effectiveness of the insider threat program


A training and education that allows detecting and responding to insider threats, as well as avoiding recruitment, should be provided to personnel as part of the insider threat program. Program should also be used to support investigations into various incidents involving insider threats.


Why insider threat programs are important


NISPOM Change 2 and Department of Homeland Security Insider Threat and Mitigation Act of 2017 introduced much tighter insider threat controls both for DoD and for private subcontractors working with it. This wave of legislation represents a paradigm shift that occurred lately regarding insider threats, both from government and private business standpoint.


Many more organizations came to realize the importance of an effective insider threat program. Main benefits of insider threat program include:


  • Protection from leaks, data theft, and misuse by trusted employees
  • Timely insider attack detection
  • Ability to issue quick targeted response and mitigate damages
  • Compliance with numerous regulations


Ekran System® is a user action monitoring solution that can help you reap all of these benefits and establish an actually effective insider threat program. Whether you want to improve your cyber security by introducing insider threat detection tools, or simply look for more effective and affordable tools, Ekran System will be able to help you.


How Ekran System can help you fight insider threats


With a great feature set that includes robust monitoring and incident response capabilities, Ekran System can serve as a solid foundation for any insider threat program. Main features that it offers include:




Ekran System provides a full video recording of user screen, including mouse movement. All recordings are stored in a centralized database in an indexed format, specifically optimized for low storage and bandwidth requirements.


Along with video recording, Ekran System also records numerous additional metadata, such as keystrokes, names of opened windows and launched applications, visited websites, executed commands in Linux, connected devices, etc. There are extensive options for filtering recording, allowing to start recording automatically, record only at specific times, or even record only certain applications.


Any recording can be reviewed any time along with corresponding metadata via a convenient Wed-based management tool. Recordings are easily searchable, allowing for easy investigation and analysis.




Ekran System monitors all Windows server and desktop, macOS desktop, Linux SSH/Telnet, and various Unix sessions regardless of the level of privilege user has, applications, or network protocols used. Automatic license provisioning makes Ekran System ideal for virtual environments, as it allows redistributing licenses automatically as you shut down and create new virtual machines.


Besides multi-factor authentication, privileged account and session management (PASM), one-time passwords and other access management features, the platform includes the secondary authentication tool. Secondary authentication is used in order to distinguish between users of shared account, allowing Ekran System to clearly attribute each recording to a specific user.


Ekran System also features robust alerting capabilities to facilitate incident detection. It has a set of built-in predefined alerts, specifically designed to cover most common incidents linked to insider threats. Users can also create custom alerts based on their specific needs and situation.


Upon alert, a notification will be sent to your security personnel, allowing them to quickly review the incident and issue an appropriate response.




Upon alert, security personnel will receive a notification with the link to corresponding session recording. If the session is still ongoing, then it can be viewed live, and if malicious activity is detected, a user can be blocked immediately. For high-risk actions, you can configure automatic user and/or process blocking once the corresponding alert is fired.


Apart from allowing to manually block users, Ekran System also can monitor and optionally automatically block any USB connected devices. This allows you to protect your infrastructure from mass storages and infected USB drives.


Reporting and analysis


Ekran System has a number of built-in reports that can be both scheduled and generated manually, allowing you to prove compliance and quickly assess the effectiveness of your insider threat program.


Gathered data is also a great asset for investigation and analysis. Ekran System allows you to export any part of the recording in a fully protected and encrypted format that guarantees that said data hasn’t been tampered with. This data can be used as evidence in an official investigation. Internal Management tool log also guarantees that there was no tampering with data from system administrators.


Ekran System® – powerful tool for fighting insider threats


Ekran System is aimed at helping companies with insider threat detection, as well as employee and subcontractor monitoring. Flexible licensing and support for free database make deployment easily scalable. Large companies will undoubtedly find robust feature set, including high availability, database archiving, and automatic agent updates to be more than enough to cover their needs.