NISPOM Change 2 and H.R.666


NISPOM Conforming Change 2 and Insider Threat and Mitigation Act of 2017 specified a new set of requirements for your insider threat program. Learn more about these regulations, the importance of the introduced changes, and tools to help you empower insider threat protection within your company.




NISPOM Change 2 requirements


The insider threat program requirement states that any data related to insider threats needs to be collected and stored in a single centralized location for analysis and reporting. The form of this central hub and the methods of collecting and centralizing all the necessary data can depend on the specifics of your organization.


The main set of requirements for compliance with Conforming Change 2 include:


Establish and maintain an insider threat program


NISPOM requires that companies maintain an insider threat program, including gathering, integrating and reporting any information potentially relevant to insider threats. This program should be consistent with other legislation in this area, including the National Insider Threat Policy, Minimum Standards for Executive Branch Insider Threat Programs, and E.O. 13587.


Designate a senior employee as the chief manager of an insider threat program


Companies need to designate an employee to establish and manage their insider threat program as a senior official. Such an employee needs to have US citizenship, and be cleared in connection with the FCL.


Conduct insider threat training


The insider threat program senior official needs to ensure that all employees involved with the program, as well as any employees with a sufficient level of clearance complete insider threat training that CSA considers appropriate.


Such training should generally include counterintelligence and security fundamentals, laws and regulations regarding gathering and handling of data, as well as general indicators of insider threats and methods used by adversaries to recruit personnel, among other things.


Monitor user activity on classified networks


Companies need to implement measures that allow detection activity indicative of insider threats on classified networks. Such measures need to correspond to the guidance issued by the CSA (Cognizant Security Agency), as well as other federal regulations with regard to tools that can be used in federal agencies.


The capability to collect screen captures, full application content, and keystrokes are only some of the requirements that federal laws (in this case, CNSS Directive No. 504) pose for monitoring tools used for insider threat detection.


Department of Homeland Security Insider Threat and Mitigation Act of 2017


The Department of Homeland Security Insider Threat and Mitigation Act of 2017 was approved by the House of Representatives on 31 January. This legislation is similar to NISPOM Change 2 in that it requires the establishment of an insider threat program, but this time the subject is the Department of Homeland Security itself.


The main requirements of the Department of Homeland Security Insider Threat and Mitigation Act of 2017 include:


  • Development of a holistic strategy for a department-wide detection, prevention, and mitigation of insider threats
  • Implementation of the said strategy across all DHS branches and offices
  • Creation of formal insider threat policies and controls
  • A basic risks assessment with regard to insider threats
  • Examination of existing technologies and best practices for insider threat protection, as well as deployment of new tools and implementation of new procedures
  • Assessment of the effectiveness of the insider threat program


Training and education that allows for the detection of, and responding to, insider threats, should be provided to personnel as part of the insider threat program. The program should also be used to support investigations into various incidents involving insider threats.


Why insider threat programs are important


NISPOM Change 2 and the Department of Homeland Security Insider Threat and Mitigation Act of 2017 introduced much tighter insider threat controls both for the DoD and for private subcontractors working with it. This wave of legislation represents a paradigm shift that has occurred lately regarding insider threats, both from the government and from private business standpoints.


Many more organizations have come to realize the importance of an effective insider threat program. The main benefits of an insider threat program include:


  • Protection from leaks, data theft, and misuse by trusted employees
  • Timely insider attack detection
  • The ability to issue a quick targeted response and mitigate damage
  • Compliance with numerous regulations


Ekran System® is a insider threat management software that can help you reap all of these benefits and establish an insider threat program that is actually effective. Whether you want to improve your cyber security by introducing insider threat detection tools, or are simply looking for more effective and affordable tools, Ekran System will be able to help you.


How Ekran System can help you fight insider threats


With a great feature set that includes robust monitoring and incident response capabilities, Ekran System can serve as a solid foundation for any insider threat program. The main features it offers include:




Ekran System provides full video recording of the user screen, including mouse movement. All recordings are stored in a centralized database in an indexed format, specifically optimized for low storage and bandwidth requirements.


Along with video recording, Ekran System also records numerous additional metadata, such as keystrokes, names of windows opened and applications launched, websites visited, commands executed in Linux, connected devices, etc. There are extensive options for filtering recording, allowing recording to start automatically, recording only at specific times, or even recording only certain applications.


Any recording can be reviewed at any time along with the corresponding metadata via a convenient wed-based management tool. Recordings are easily searchable, allowing for easy investigation and analysis.




Ekran System monitors all Windows server and desktop, macOS desktop, Linux SSH/Telnet, and various Unix sessions regardless of the level of privilege a user has, or the applications or network protocols used. Automatic license provisioning makes Ekran System ideal for virtual environments, as it allows the redistribution of licenses automatically as you shut down and create new virtual machines.


Apart from multi-factor authentication, privileged account and session management (PASM), one-time passwords and other access management features, the platform includes a secondary authentication tool. Secondary authentication is used to distinguish between users of shared accounts, allowing Ekran System to clearly attribute each recording to a specific user.


Ekran System also features robust alerting capabilities to facilitate incident detection. It has a set of built-in predefined alerts, specifically designed to cover most common incidents linked to insider threats. Users can also create custom alerts based on their specific needs and situation.


When an alert is triggered, a notification will be sent to your security personnel, allowing them to quickly review the incident and issue an appropriate response.




When an alert is triggered, security personnel will receive a notification with a link to the corresponding session recording. If the session is still ongoing, then it can be viewed live, and if malicious activity is detected, the user can be blocked immediately. For high-risk actions, you can configure automatic user and/or process blocking when the corresponding alert is triggered.


Apart from allowing users to be blocked manually, Ekran System can also monitor and optionally block any USB devices connected automatically. This allows you to protect your infrastructure from mass storage devices and infected USB drives..


Reporting and analysis


Ekran System has a number of built-in reports that can be both scheduled and generated manually, allowing you to prove compliance and quickly assess the effectiveness of your insider threat program.


The data collected is also a great asset for investigation and analysis. Ekran System allows you to export any part of a recording in a fully protected and encrypted format that guarantees that the said data has not been tampered with. This data can be used as evidence in an official investigation. The internal Management Tool Log also guarantees that system administrators have not tampered with the data


Ekran System® – a powerful tool for fighting insider threats


Ekran System is aimed at helping organizations with insider threat detection, as well as employee and subcontractor monitoring. Large organizations will undoubtedly find the robust set of features, including high availability, database archiving, and automatic agent updates to be more than enough to cover their needs.