Executive Order 13587, signed in October 2011, established the National Insider Threat Task Force and directed federal agencies and contractors with access to classified national security systems to implement formal insider threat programs. The implementing regulation for cleared contractors is found in 32 CFR Part 117, the National Industrial Security Program Operating Manual (NISPOM), specifically Section 1-102, which defines the minimum requirements for contractor Insider Threat Programs (InTP). DCSA oversees program compliance for cleared facilities.
The NISPOM insider threat requirements are often discussed in the context of behavioral indicators, reporting obligations, and Insider Threat Program coordinator (ITPCO) training. These elements are real and required. What receives less attention in FSO training materials is the precondition that makes the entire program defensible: before an insider threat program can detect, assess, or respond to a threat, it must know who its cleared personnel are, with verified and current identity records. Identity verification is not a support function to the insider threat program — it is the base layer on which every other InTP element depends.
What NISPOM Section 3 Requires for Personnel Security Records
NISPOM Chapter 3 (Personnel Security) establishes the requirements for contractor personnel security programs, which interface directly with the InTP requirements in Chapter 1. Section 3-100 requires that contractors maintain a personnel security file (PSF) for each cleared employee containing the documentation supporting their clearance determination and ongoing access authorization.
The PSF requirements include current SF-86 documentation, security clearance determination records, access authorizations, and records of any security-relevant events — foreign travel reports, adverse information reports, and polygraph records where applicable. Alongside these records, DCSA reviewers consistently examine whether the physical identity of the individual on file can be verified against current government-issued documentation.
The specific concern is personnel record misattribution — a situation where the PSF for individual A has been associated with the access records of individual B, or where an individual's identity documentation has lapsed (expired passport or driver's license on file) without re-verification. In cleared environments, misattributed access records undermine the entire audit trail that an insider threat investigation depends on. An investigation that cannot reliably establish that a specific named individual was the person who accessed a specific system at a specific time is forensically impaired from the outset.
The Identity Foundation of EO 13587 Compliance
EO 13587 Section 1 identifies as a national security imperative the ability to detect, deter, and mitigate insider threats to classified information. The Order requires that insider threat programs include user activity monitoring on classified networks, as well as mechanisms for reporting and assessing anomalous behavior. Every one of these program elements requires that the user accounts monitored correspond to verified, uniquely identified individuals.
User activity monitoring on classified networks — governed by technical standards including NSA-CSS Policy 9-12 for classified systems — generates log records tied to user account identifiers. If the mapping between account identifiers and verified individuals is not maintained with integrity, the monitoring data loses evidentiary value. A UEBA (User and Entity Behavior Analytics) platform flagging anomalous file access at 11:30 PM is actionable only if the FSO and ITPCO can confirm with certainty who holds that account credential.
This is not a hypothetical concern. Insider threat program reviews by DCSA and DSS (pre-DCSA) have identified cases where account-to-person mappings were maintained in disconnected spreadsheets that were not updated when personnel transitioned roles, took extended leave, or separated from the company. When an anomalous event triggered an investigation, the first obstacle investigators encountered was establishing the current verified identity of the account holder — a step that should require seconds, not days.
Re-Verification Events and the InTP Continuous Assessment Requirement
NISPOM establishes that personnel security is not a point-in-time determination but an ongoing assessment. Section 3-106 addresses the obligation to report adverse information — any information that may affect a cleared employee's continued eligibility for access. The practical implication: the InTP must include mechanisms for triggering identity and access re-evaluation when specific events occur.
Re-verification events that FSOs should treat as triggers for identity record review include: return from extended foreign travel (particularly to countries of concern identified in NISPOM Appendix B and related DNI guidance), role changes that alter access scope, new foreign national contacts disclosed on a security update, and any event that raises questions about whether the individual on record and the individual physically present are the same person — which, while rare, is specifically addressed in NISPOM's personnel security investigation triggering criteria.
Consider the operational scenario of a 90-person cleared defense IT services firm with multiple cleared employees holding TS/SCI access supporting a signals intelligence program. The FSO conducts annual security refresher training and reviews PSFs annually. Following a DCSA InTP compliance review, the finding was not in behavioral monitoring or reporting — it was that re-verification events following extended foreign travel had not been documented in the PSF in 3 of 12 reviewed cases. The employees in question had reported travel as required, but the PSF did not contain documentation confirming that re-verification of identity documents (not merely a travel debrief) had occurred. The finding required a corrective action plan addressing re-verification documentation procedures for all trigger events.
We are not suggesting that every cleared employee returning from travel is a threat, or that re-verification documentation is the most operationally important element of an InTP. The point is that DCSA reviewers apply a documentation standard, and the gap between completing a re-verification step and documenting that it occurred is exactly the gap that generates findings during compliance reviews.
Access Provisioning and Deprovisioning as InTP Controls
One of the most common and consequential identity-related insider threat vulnerabilities is delayed access deprovisioning following personnel departure. NISPOM Section 3-301 requires immediate termination of access authorizations upon separation. "Immediate" in this context means the access should be removed before or simultaneously with the termination notification — not within a business day, not within the next access review cycle.
The operational failure mode is familiar to most FSOs managing cleared workforces: an employee gives two weeks' notice, the HR system initiates the standard offboarding workflow, and the system access removal gets queued with other routine IT tasks. In an unclassified environment, this represents a security risk. In a cleared environment, it represents a potential NISPOM violation and a material insider threat exposure during the highest-risk period of a cleared employee's tenure — the period between resignation and separation.
JPAS (Joint Personnel Adjudication System) and its successor DISS (Defense Information System for Security) are the authoritative personnel security record systems that FSOs use to verify clearance status and manage access authorizations for cleared facilities. The access deprovisioning workflow must include updating DISS records to reflect separation, not just removing system access credentials. Cleared employees who separate from a contractor but are not removed from DISS records within required timelines create discrepancy findings when DCSA reviews personnel records.
For FSOs managing these workflows, see our detailed guide on cleared personnel onboarding verification steps, which covers the corresponding provisioning documentation requirements. For organizations preparing for DCSA audit reviews, our guide on DCSA audit readiness and identity documentation covers the specific records categories DCSA reviewers request.
Identity Verification Technology and InTP Program Integration
Insider Threat Program requirements predate modern identity verification technology, and the NISPOM does not prescribe specific technical implementations for identity management. However, the operational requirements — continuous accuracy of identity records, documented re-verification events, real-time access deprovisioning, and audit-ready PSF documentation — map directly to what identity verification platforms designed for the cleared contractor market address.
The integration point between an identity verification system and an InTP is the personnel security record: the identity verification system should be the authoritative source for whether each cleared individual's identity has been proofed, when it was last verified, what documentation was used, and whether any re-verification events have occurred. When an ITPCO receives an anomalous behavior report, the first query against the identity record — who is this person, when were they last verified, what is their current access scope — should be answerable in seconds from a current, verified record.
Fragmented identity records — clearance data in DISS, access records in a spreadsheet, identity documents in physical files — make that query take hours instead of seconds, and they introduce the risk that the records are inconsistent. A consolidated identity record system designed for cleared contractor programs, integrated with DISS data and maintaining a current audit trail of identity proofing events, directly supports InTP operational readiness. For security officers evaluating how to structure this integration, our platform overview of insider risk capabilities describes the continuous monitoring and identity record management functions available to cleared facilities.
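The cross-checks described in the sections above (account-to-person mapping, access still enabled after separation, lapsed identity documents on file, and trigger events with no documented re-verification) can be run as one reconciliation pass over the fragmented sources. The following Python is an added example, not code from DISS or any platform mentioned here; the record layouts, field names, finding labels and sample values are constructed assumptions.

```python
from datetime import date

# Constructed sample data; every layout, name and value below is hypothetical.
TODAY = date(2024, 4, 1)
ROSTER = {  # person_id -> clearance roster entry (assumed export shape)
    "P001": {"name": "A. Rivera", "status": "active"},
    "P002": {"name": "B. Chen", "status": "separated"},
    "P003": {"name": "C. Okafor", "status": "active"},
}
ACCOUNTS = [  # account inventory from the monitored system
    {"account": "arivera", "person_id": "P001", "enabled": True},
    {"account": "bchen", "person_id": "P002", "enabled": True},
    {"account": "svc-legacy7", "person_id": None, "enabled": True},
    {"account": "cokafor", "person_id": "P003", "enabled": True},
]
ID_DOCS = {  # person_id -> identity document recorded in the PSF
    "P001": {"doc_expires": date(2023, 11, 30), "last_verified": date(2022, 1, 10)},
    "P003": {"doc_expires": date(2029, 5, 1), "last_verified": date(2023, 6, 2)},
}
TRIGGERS = [  # reported re-verification trigger events
    {"person_id": "P003", "event": "foreign_travel_return", "on": date(2024, 2, 15)},
    {"person_id": "P001", "event": "role_change", "on": date(2021, 12, 1)},
]

def reconcile(roster, accounts, id_docs, triggers, today):
    """Return sorted (finding, subject) pairs for identity-record gaps."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["person_id"])
        if person is None:  # enabled account with no verified individual behind it
            findings.append(("UNMAPPED_ACCOUNT", acct["account"]))
        elif person["status"] == "separated":  # deprovisioning did not happen
            findings.append(("ACTIVE_AFTER_SEPARATION", acct["account"]))
    for pid, person in roster.items():
        if person["status"] != "active":
            continue
        doc = id_docs.get(pid)
        if doc is None or doc["doc_expires"] < today:  # missing or expired ID on file
            findings.append(("ID_DOC_LAPSED", pid))
    for trig in triggers:
        doc = id_docs.get(trig["person_id"])
        # A trigger event needs a verification dated on or after the event.
        if doc is None or doc["last_verified"] < trig["on"]:
            findings.append(("REVERIFICATION_UNDOCUMENTED", trig["person_id"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding, subject in reconcile(ROSTER, ACCOUNTS, ID_DOCS, TRIGGERS, TODAY):
        print(f"{finding:30} {subject}")
```

Each finding names either an account or a person ID, so the output can be filed against the corresponding PSF as evidence that the check was run and what it found.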