Insider Threat Program Requirements for Cleared Contractors: What DCSA Expects
Complete guide to Insider Threat Program requirements under 32 CFR 117.7(b) and SEAD-3. ITPSO designation, documentation, training, and the common ITP findings that trigger DCSA corrective actions.
The Insider Threat Program is the single most-cited finding in DCSA security vulnerability assessments. I don’t say that to scare you. I say it because most FSOs I talk to underestimate how much documentation DCSA expects — and overestimate how much their existing “we have a program” claim counts.
Having an Insider Threat Program isn’t a philosophical statement about security culture. It’s a documented, evidenced, auditable set of artifacts that 32 CFR 117.7(b) requires every cleared contractor to maintain. If the documentation doesn’t exist, the program doesn’t exist — no matter how seriously your facility takes insider threats.
This is the working guide. What the rule requires, what DCSA actually checks, what the common findings are, and how to get your ITP documentation from “we mean to get to it” to assessment-ready.
Why this matters more than it used to
The modern Insider Threat Program requirement traces back to Executive Order 13587 (2011) following the WikiLeaks disclosures, and it was further reinforced by the 2017 Security Executive Agent Directive 3 (SEAD-3). But until the NISPOM was codified as 32 CFR Part 117 in 2021, ITP requirements for cleared contractors were scattered across change notices and DoD guidance.
Now they’re in one place. 117.7(b) explicitly requires every contractor with an FCL to establish, maintain, and operate an Insider Threat Program. DCSA has a specific checklist for ITP review. And the penalty structure has teeth — an incomplete ITP is a routine finding, a missing ITP is an escalated finding, and a missing ITP combined with other deficiencies can contribute to an unfavorable determination on your FCL.
SEAD-3 added a parallel personnel reporting framework. Every cleared employee is now required to report a defined list of events — foreign travel, foreign contacts, financial issues, arrests, and others — not annually, but as they occur. The ITP is where those reports land, get tracked, and get responded to.
Three changes matter for working FSOs:
- The rule is explicit now. No more “we interpret the guidance to mean…”
- Continuous vetting under SEAD-3 and SEAD-4 is fully in effect. Personnel security is no longer an event-driven process tied to clearance reinvestigations.
- DCSA assessors arrive with an ITP-specific review plan.
What NISPOM 117.7(b) actually requires
The core requirements fit on one page:
An Insider Threat Program Senior Official (ITPSO). A designated, cleared individual responsible for the program. Can be the FSO at most small contractors. Must be appointed in writing.
A written Insider Threat Program plan. Documents the program’s scope, roles, information sources, response procedures, and records retention.
Training. Annual insider threat training for every cleared employee. Initial ITP training for new hires. Specialized training for the ITPSO.
Information integration. The program must gather and integrate information from multiple sources — HR, security, IT, and any other function that might see indicators of concern.
Referral and response procedures. A documented process for receiving concerns, investigating them appropriately, and responding or escalating to DCSA when required.
Records retention. A system for maintaining ITP records — training logs, referrals, assessments, response actions — with appropriate retention periods.
That’s the requirement in prose. The operational question — what documents and evidence do you need to show DCSA? — is where most programs fall apart.
The documentation set DCSA expects
The minimum defensible ITP documentation:
- ITPSO designation letter, signed by the senior management official
- Written ITP plan (the governing document)
- Annual insider threat training deck (or equivalent)
- Training log showing every cleared employee, every year
- Referral form template (for receiving concerns internally)
- Referral/activity log (tracking referrals from receipt through disposition)
- Annual ITP self-assessment (a required review of the program itself)
- SEAD-3 reporting awareness — how you brief employees on what they’re required to self-report
If you have an FCL and an ITPSO but none of those documents, you have a program in name only. DCSA will treat it that way.
The Insider Threat Program Template Kit includes the program plan, referral form, annual assessment form, and referral tracking log — the four documents that fill 80% of the evidence request.
The ITPSO role, explained
The ITPSO (Insider Threat Program Senior Official) is the person responsible for running your Insider Threat Program. Under 117.7(b), this role is required for every cleared contractor.
At small facilities (under 200 cleared employees), the ITPSO is almost always the FSO. This is allowed and common. It also creates a documentation requirement: if you’re both FSO and ITPSO, you need two appointment letters — one for each role. A single letter that says “Jean Baptiste is the FSO and ITPSO” is technically sufficient, but two letters are cleaner and clearer in an assessment.
At mid-size facilities, the FSO and ITPSO are often different people — one focused on security operations, one focused on insider threat. The ITPSO might be the General Counsel, a VP of HR, or a dedicated insider threat analyst.
The ITPSO has specific responsibilities under the rule:
- Establishing and maintaining the ITP plan
- Serving as the single point of contact for DCSA on insider threat matters
- Receiving and integrating information from internal sources
- Overseeing training delivery
- Conducting the annual ITP self-assessment
- Completing specialized ITPSO training (CDSE and DCSA both offer it)
The ITPSO must be cleared at the level of the FCL. This is non-negotiable — an uncleared ITPSO is a finding on its face.
The written ITP plan
Your ITP plan is the document that says: here is our insider threat program, here is how it works, and here are the people and processes behind it. It should cover:
Scope. What does the program cover? At minimum, all cleared personnel. Non-cleared personnel can also be included when appropriate.
Threat definition. What the program considers an insider threat. Include both malicious and unintentional indicators (e.g., personal stress, financial difficulty, disaffection, espionage risk indicators).
Roles and responsibilities. ITPSO, FSO, HR, IT, leadership — who does what. Include the escalation chain.
Information sources. Where the program pulls information from. HR (terminations, disciplinary actions, adverse information), IT (unusual access patterns, off-hours activity), security (facility access, visitor patterns), and self-reports under SEAD-3.
Reporting channels. How employees report concerns — a named channel, an email, a phone number, an anonymous mechanism. Document all of them.
Referral procedures. What happens when the ITPSO receives a referral. Initial assessment. Documentation. Potential escalation to DCSA, legal, HR.
Training. Initial briefing, annual refresher, and ITPSO-specific training.
Self-assessment. When and how the program itself is reviewed annually.
Records. What records are kept, where, and for how long.
Review and update cycle. How often the plan itself is reviewed and signed.
A good ITP plan is 8–15 pages. Shorter suggests incompleteness. Longer suggests it was never actually read by the people it governs.
Training requirements and what DCSA checks
The training requirement has three tiers:
Initial ITP briefing. Delivered to every new cleared employee within a defined window (typically 30 days of clearance grant or first reporting to duty). Covers what insider threats are, what indicators look like, what employees are required to report under SEAD-3, and how to report concerns.
Annual refresher. Every cleared employee, every year. Refreshes the initial content and updates with any programmatic changes or current threat trends.
ITPSO training. Specific training for whoever holds the ITPSO role. CDSE’s “Establishing an Insider Threat Program” course and DCSA’s ITPSO training are the baseline. Completion is documented.
What DCSA checks:
- Training logs. Every cleared employee, every year, every briefing documented. Missing signatures, missing dates, missing people — all findings.
- Content review. The assessor will typically ask to see the training deck or outline. They’ll verify it covers SEAD-3 self-reporting, indicators of concern, and the reporting channels.
- ITPSO training certificate. The ITPSO should have completed formal ITPSO training, not just the general cleared-employee briefing.
- Initial briefing timeliness. New hires briefed within the documented window. “We’ll brief them at next month’s all-hands” isn’t a procedure if a new hire gets access to classified material before that.
The Security Briefing Slide Decks 4-pack includes an Insider Threat Awareness deck with speaker notes — one of the four required annual briefings for most cleared programs.
The annual ITP self-assessment
Under 117.7(h), the annual self-inspection covers the entire security program, including the ITP. But the ITP also requires its own specific self-assessment under SEAD-3 guidance — a focused review of the insider threat program’s effectiveness.
This isn’t optional and it isn’t redundant. The FSO’s annual self-inspection checks “do we have an ITP and does it meet the requirements?” The ITPSO’s annual ITP self-assessment goes deeper: are the training records complete, are referrals being received and documented, is information integration actually happening, are there gaps in coverage for specific employee populations, is the plan still accurate?
The self-assessment should produce:
- A written report
- A list of findings (if any)
- Corrective actions with target dates
- Sign-off by the ITPSO
- Closure tracking for the findings
DCSA assessors will ask for this. If you don’t have one, the finding is “no annual ITP self-assessment conducted.”
The top ITP findings, ranked
From my own experience and from talking to other FSOs, these are the ITP findings DCSA cites most often — in rough order of frequency:
1. Incomplete training records. Missing signatures. Missing dates. Missing employees. A training log that says “all cleared employees received annual training” with no corresponding signed roster is not documentation.
2. No written ITP plan. Or a one-page “we have an Insider Threat Program” memo that doesn’t describe scope, roles, sources, or procedures. The plan has to exist as a real document.
3. ITPSO designation missing or stale. No appointment letter. Or an appointment letter from 2019 for someone who left the company in 2021.
4. No referral form or process. When the assessor asks “how does an employee report a concern?” and the answer is “they’d just tell me,” that’s a finding. The process must be documented and the form must exist.
5. No annual ITP self-assessment. Covered above. This is separate from the general self-inspection.
6. Weak information integration. HR has disciplinary records. IT has unusual access logs. Security has visitor logs. If none of that flows to the ITPSO in any documented way, the program isn’t integrated.
7. No SEAD-3 briefing. Employees haven’t been briefed on what they’re required to self-report. The assessor will interview a few cleared employees cold — if they can’t describe at least three SEAD-3 categories, you have a finding.
8. Records retention unclear. How long do referrals stay in the log? Where are they stored? Who has access? If these questions have no documented answer, the records program is a finding.
9. ITPSO training not documented. The ITPSO should have completed formal ITPSO training with a retained certificate.
10. Stale training content. The annual refresher is exactly the same as last year’s, and the year before that. Insider threat trends and SEAD-3 guidance change; your training should reflect that.
How to close the gaps
If you’re reading this and seeing your program in several of those findings, here’s the remediation order:
First — ITPSO designation letter and ITP plan. These are the foundation. Without them, every other element is questionable. Get both signed and dated this month.
Second — training records. Pull your training log. Reconcile it against your current cleared roster. Identify who’s missing an annual refresher. Get them trained and logged. If records are impossible to reconstruct, document what you have and commit to a clean baseline from this point forward.
Third — referral form and log. Build a simple referral form (who’s reporting, what’s the concern, date received). Build a simple log (date, referral summary, disposition, closure). If you have had zero referrals in the past year, that’s fine — the log just needs to exist to receive the first one.
Fourth — annual ITP self-assessment. Conduct one this quarter. Write it up. File it.
Fifth — information integration. Formalize the channels. A monthly touch-base with HR. A quarterly IT access review. A documented process for adverse information flowing to the ITPSO.
Most small contractors can go from “we don’t really have an ITP” to “defensible ITP program” in about 60 days of focused effort. The paperwork is real but it’s not complex.
FAQs
Can our FSO also be the ITPSO?
Yes. At most cleared contractors with fewer than a few hundred employees, the FSO is also the ITPSO. Both roles require written appointment letters — one per role — even if it’s the same person.
Do we need specialized software for an ITP?
No. Large contractors use specialized insider threat tools (user behavior analytics, data loss prevention monitoring, SIEM integration). Small and mid-size contractors can run compliant programs with documentation, manual integration between HR/IT/security, and periodic review meetings. The rule doesn’t require specific tooling.
What’s the difference between the ITP and SEAD-3 reporting?
The ITP is the contractor’s program — what your company does to prevent, detect, and respond to insider threats. SEAD-3 is the individual-level requirement — what each cleared employee is required to self-report. They’re complementary: your ITP briefings cover SEAD-3 requirements so employees know what to report, and your program receives and processes those reports.
Does the ITP apply to non-possessing facilities?
Yes. 117.7(b) applies to every contractor with an FCL. The program may be smaller at a non-possessing facility (fewer employees, less information flow), but the documentation requirement is the same.
How often do we need to update the ITP plan?
At minimum, annually — review and re-sign. Update whenever there’s a material change (new ITPSO, new information sources, revised procedures, new reporting channels).
What counts as insider threat training?
Any documented training that covers: the definition of insider threats, common indicators, what employees are required to report under SEAD-3, how to report concerns, and the consequences of not reporting. CDSE’s free insider threat course can satisfy the baseline, but many FSOs deliver customized briefings that tie the CDSE content to company-specific context.
Is an anonymous reporting channel required?
Not explicitly by 117.7(b), but it’s best practice. An anonymous channel increases the likelihood of concerns being reported, and several DCSA assessors I’ve worked with explicitly ask “how can employees report anonymously?” during their ITP review.
What to do this week
- Verify your ITPSO designation letter is current and signed by the senior management official
- Pull up your ITP plan. If it doesn’t exist or is older than 18 months, schedule a rewrite this quarter
- Audit your training log against your cleared roster. Identify every employee who is missing the current year’s refresher and schedule them
- Check that your referral form exists as a real document, not a hypothetical concept
- Get the Insider Threat Program Template Kit ($89) to fill the documentation gap with a program plan, referral form, annual assessment, and log
- For the complete documentation stack, get the Complete DCSA Assessment Kit ($297)
The ITP is the finding DCSA cites most. It’s also one of the easier findings to close — the requirements are documentation-heavy, not infrastructure-heavy. Sixty days of focused work can take you from repeat finding to cleared program.