Federal contractors that do not already have an insider threat program in place now have just shy of two months to get up to speed.

The urgency comes as the Nov. 30 deadline is fast approaching for contractors who haven’t done so already to have a written program in place to begin implementing an insider threat program designed to protect classified information from unauthorized disclosure. The Defense Security Service (DSS), a division of the Department of Defense, published the new minimum standards requirement—technically referred to as “Change 2”—in May under changes outlined in the National Industrial Security Operating Manual (NISPOM).

To accompany the rule change, DSS issued an Industrial Security Letter (ISL) to provide further clarification and guidance to assist contractors as they establish and tailor an insider threat program to meet the NISPOM Change 2 requirement. Any contractor that has, or aims to have, a U.S. government contract with any of the 31 departments or agencies under the umbrella of DSS is subject to the requirements of Change 2, effectively sweeping in an estimated 13,000 cleared facilities.

On a practical level, implementing the elements of an insider threat program that satisfies DSS requirements leaves plenty of gray areas and room for interpretation, which isn’t sitting well with many contractors. “The most problematic area is one that has really shifted the paradigm now in terms of understanding potential threats,” says Greg Cullison, chief operating officer at Big Sky Associates, a business management consulting firm.

Under Change 2, covered contractors must:

Implement an insider threat program;

Designate an insider threat senior official;

Conduct self-assessments of the insider threat program;

Conduct insider threat training for cleared personnel and employees; and

Monitor user activity on classified information systems (network activity).

The NISPOM broadly defines “insiders” as “cleared contractor personnel with authorized access to any government or contractor resource, including personnel, facilities, information, equipment, networks, and systems.”

Specifically, NISPOM directs contractors to implement an insider threat program that’s able to gather, integrate, and report relevant and credible information that may be indicative of a “potential or actual” insider threat. “This whole idea of ‘potential’ insider threat indicators is causing a lot of concern,” Cullison says.

Traditionally, individuals being considered for initial or continued eligibility for access to classified information must be weighed against a number of variables to make an affirmative determination whether the person is eligible for a security clearance. The Code of Federal Regulations (CFR) describes 13 “adjudicative guidelines” for determining this eligibility. “Available, reliable information about the person—past and present, favorable and unfavorable—should be considered in reaching a determination,” the CFR states.


Some of these variables are more obvious and pose a higher risk than others—such as one’s allegiance to the United States, past criminal conduct, or security violations. Most of them, however, demand some serious judgment calls: sexual behavior, drug and alcohol abuse, personal financial hardships, and more. “All of these things are motivators for people to become actual insider threats,” says John Chierichella, a partner in the government contracts, investigations, and international trade practice group at law firm Sheppard Mullin.

From a legal and compliance standpoint, however, many of the variables by which to determine an individual’s eligibility still demand a high degree of subjectivity. “This is where it gets a little tricky,” Chierichella says. “How do you spot somebody who is going to go off the deep end?”

The fact that there is so much room for interpretation effectively increases the legal risks for these contractors. “I can foresee a lot of instances in which people will say, ‘That’s not right. That’s inaccurate. You’re punishing me for things that bear no relationship to the performance of my job,’ ” he adds. “I think there is going to be some struggle as companies try to deal with complying with the program as it is written and trying to be fair to employees at the same time.”

To mitigate the risk of a lawsuit or an unfavorable DSS inspection, a best practice is to have human resources and legal involved in the actual information-gathering process.

Human resources, for example, has a better sense of which people have problematic employment histories. Although HR has not traditionally been thought of as a security function, “this is a department that has a view of the entire employee lifecycle,” Cullison says.

Getting legal involved is also a good idea, because legal counsel understands the personal liberties of employees and their data privacy rights. “The whole idea is to get as much information as you can that will allow you to identify a potential or actual insider threat, but also to deter people from becoming insider threats,” Chierichella says.

In order to effectively gather, integrate, and report insider threats, contractors must have a central, shared location in which to consolidate that information. DSS said it will consider the size and complexity of the cleared facility when assessing the facility’s implementation of an insider threat program.

Q&A: INTERNAL THREAT PROCESSES

Below is a partial list of questions contained in the Self-Inspection Handbook for NISP Contractors concerning internal threat processes, controls, and procedures.

Has the company appointed a U.S. citizen employee, who is a senior official, as a key management personnel who will serve as the Insider Threat Program Senior Official (ITPSO)?
Evidence: Name of the senior official in writing.

Has the company developed and implemented an insider threat program plan endorsed by the ITPSO?
Evidence: Provide the policy, internal guidelines, and procedures.

Do you have a written program plan that has been self-certified to DSS as current and implemented?
Evidence: Provide the policy, internal guidelines, and procedures.

If you do not have an insider threat program established, do you have an implementation plan, roadmap, or milestones for establishing your program?
Evidence: Provide the implementation plan or milestones way ahead.

Does your ITPSO ensure compliance with insider threat requirements established in the NISPOM and in the implementing guidance provided by DSS?
Evidence: Explain who conducts oversight reviews, how, and how often.

Does your program include a capability to gather, integrate, and report relevant and credible information, which falls into one of the 13 adjudicative guidelines indicative of a potential or actual insider threat?
Evidence: Explain the process to gather and integrate data and provide procedures.

Does your company have procedures for insider threat reviews and response/reporting actions to clarify or resolve potential insider threat matters?
Evidence: Provide guidelines or procedures for documenting all incidents reported and the appropriate response or reporting actions. Explain how the information or data is managed.

Are these reviews managed by the ITPSO or delegated?
Evidence: Provide guidelines or procedures for documenting all incidents reported and the appropriate response or reporting actions. Explain how the information or data is managed.

Do the response/reporting actions taken ensure timely resolution of each matter?
Evidence: Provide guidelines or procedures for documenting all incidents reported and the appropriate response or reporting actions. Explain how the information or data is managed.

Source: Self-Inspection Handbook for NISP Contractors

Much of the concern about Change 2 tends to come from small- to mid-size enterprises (SMEs), “because the regulation doesn’t distinguish between mom-and-pop and multibillion-dollar defense industrial base corporations,” says Cullison. At the very least, DSS wants to see that contractors have a plan to track insider threats. For SMEs, that could mean keeping a spreadsheet of relevant data that’s kept in the security department, he says.

No matter the size of the company, however, contractors must first have a handle on who the data owners are. To that point, Cullison recommends having a cross-functional insider threat working group in place to better track potential threats across the enterprise—from human resources, compliance, legal, audit, security, IT, and more.

DSS also requires that contractors formally appoint an “insider threat senior official” who has facility security clearance to establish and execute the insider threat program. The ISL states that this role may be filled by the contractor’s facility security officer (FSO).

The only snag contractors might run into, however, is that FSOs, while they have significant authority within the realm of their role, often are not regarded as senior officials of the company. That being said, if the FSO is the insider threat senior official, the company must make sure this individual has the appropriate level of authority to, as the ISL states, “provide management, accountability, and oversight to effectively implement and manage the requirements of the insider threat program.”

A parent company may choose to establish a corporate-wide insider threat program with one senior official appointed to establish and execute the program. Be aware, however, that each cleared legal entity of the corporate family must separately appoint that senior official within the Electronic Facility Clearance System (e-FCL).

If a corporate family appoints only one insider threat senior official, that individual must be able to effectively manage the insider threat requirements for each entity for which they are appointed, or maintain a record of individuals at each cleared facility who are trained to support implementation of insider threat program requirements, the ISL states.

Contractors must also conduct formal self-inspections. “These self-inspections will be related to the activity, information, information systems, and conditions of the overall security program, to include the insider threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy,” NISPOM states. A senior management official at the cleared facility must annually certify in writing to the DSS that a self-inspection has been completed in accordance with the provisions of NISPOM.

NISPOM further requires cleared contractors to monitor user activity on classified information systems to detect potential insider threat behavior. To meet this requirement, contractors must implement the DSS-provided information system security controls on classified information systems.

Insider threat training required by NISPOM falls into two buckets. In the first bucket, contractor program personnel assigned insider threat program responsibilities must receive insider threat awareness training. To satisfy the training requirements, contractors may use an existing training course, such as the insider threat awareness course offered by the Center for Development of Security Excellence.

The elements of that training must cover:

Counterintelligence and security fundamentals, including applicable legal issues;

Procedures for conducting insider threat response actions;

Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information; and

Applicable legal, civil liberties, and privacy policies.

After Nov. 30, new contractor personnel who are assigned duties related to insider threat program management must complete the required training within 30 days of being assigned those duties.

The second bucket requires that all cleared employees must receive insider threat training before being granted access to classified information, and annually thereafter. Under NISPOM, training must address current and potential threats in the work and personal environment and must include at a minimum:

The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee;

Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems;

Indicators of insider threat behavior and procedures to report such behavior; and

Counterintelligence and security reporting requirements, as applicable.

Contractors must further establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training.

Insider threats could also be unwitting, such as employees who give valuable corporate insider information to malicious actors through phishing scams or by replying to e-mails that look like they are from legitimate sources, but really are not. “It’s important not to ignore that aspect of it,” Cullison says.

As Compliance Week has previously reported, employees should be regularly trained and reminded not to open any e-mails that look unfamiliar or suspect and to forward them instead to their IT team. The IT department may even want to consider conducting simulated phishing exercises to see what actions employees will take.

In the short-term, contractors will be expected to self-certify by the end of this year that they have a written program, but it’s going to take the DSS through 2017 to do its inspections and start giving feedback, says James Harris, senior counsel at law firm Holland & Knight. “That’s when people are going to start to find out whether they did it right or not.”