The unauthorized treatment of classified information by insiders, including employees of contractors working for federal agencies such as Edward Snowden, Harold Martin, and, more recently, Reality Winner, is a continuing concern of both the federal government and contractors in its supply chain.
The National Industrial Security Program Operating Manual (NISPOM) “Change 2” requires contractors holding a facility security clearance to establish and maintain a program to detect, deter, and mitigate insider threats. Industrial Security Letter (ISL) 2016-02 (Revised June 29, 2017) requires those contractors to provide insider threat training for all cleared employees. (Steptoe previously prepared an advisory on NISPOM Change 2 titled New “Insider Threat” Programs Required for Cleared Contractors and an advisory on required insider threat training titled Cleared Contractors Should Note Insider Threat Training Deadline.)
Two recent developments will further impact contractors’ insider threat programs. First, the most recent Security Executive Agent Directive (SEAD) from the Office of the Director of National Intelligence, Reporting Requirements for Personnel With Access to Classified Information or Who Hold a Sensitive Position (SEAD 3), became effective June 12, 2017. SEAD 3 requires contractors and executive branch employees who hold sensitive positions or have access to any type of classified information to report a variety of life events, including all non-work-related foreign travel and substantive foreign contacts, to their local security office. Second, the Department of Homeland Security Insider Threat and Mitigation Act of 2017, if enacted, would require the Department to establish a program for identifying and mitigating “insider threats” to the Department's critical assets.
Security Executive Agent Directive 3
NISPOM Change 2 contains general guidance for contractors to establish an insider threat program, but does not provide specific guidance on the types of insider threats covered individuals should report. SEAD 3 went into effect on June 12, 2017 and focuses on reporting events that may impact continued access to information by covered individuals (i.e., those who have access to classified information or hold sensitive positions, including contractor employees), and clarifies insider threat related reporting guidance in ISL 2016-02 issued in conjunction with NISPOM Change 2. The SEAD 3 reporting requirements were approved last year as part of the insider threat program initiated by former President Barack Obama after reports on the loss and misuse of classified information. Furthermore, the SEAD 3 requirements attempt to achieve more consistency in the existing reporting requirements in order to identify and address potential insider threats.
SEAD 3 imposes reporting obligations triggered by both a covered individual’s own conduct, as defined in SEAD 3, and conduct they observe by other covered individuals. The scope of the reportable activity obligation increases as the individual’s clearance level increases. Furthermore, all covered individuals are now required to report specific life events including unofficial foreign travel, unofficial contact with foreign intelligence entities, and certain personal relationships with foreign nationals. Covered individuals are also required to report activities of others such as unexplained absences, alcohol or drug abuse, criminal conduct, apparent or suspected mental health issues that may impact the individual’s ability to protect classified information, misuse of government property or information systems, or “[a]ny other activity that raises doubts” about whether the individual’s continued access to classified information is consistent with the interests of national security.
Additional specific reporting requirements are applicable to individuals (1) with access to secret or confidential information, “L” access, or holding a non-critical sensitive position; and (2) with access to top secret information, “Q” access, or holding a critical or special sensitive position. The specific reporting obligations vary between those two categories but generally include arrests, alcohol and drug-related treatment, media contacts for other than official purposes where the media seeks access to classified information or “other information specifically prohibited by law from disclosure,” certain bankruptcy or other financial matters, and various enumerated “foreign activities.” These reporting requirements generally apply to anyone receiving a clearance from the executive branch. However, individual agencies may add additional reporting requirements.
Department of Homeland Security Insider Threat and Mitigation Act of 2017
The DHS Insider Threat and Mitigation Act of 2017, which passed the House and has been referred to the Senate’s Committee on Homeland Security and Governmental Affairs, would amend the Homeland Security Act of 2002. If passed and signed by the President, the Act would direct that DHS establish an insider threat program to (1) provide training and education for DHS personnel to identify, prevent, mitigate, and respond to insider threat risks to DHS's critical assets; (2) provide investigative support regarding such threats; and (3) conduct risk mitigation activities for such threats. The Act also requires DHS to “develop a timeline for deploying work place monitoring technologies” for identifying, preventing, mitigating, and responding to potential insider threats to the Department’s critical assets.
The Act defines insider threat as:
…the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States, including damage to the United States through espionage, terrorism, the unauthorized disclosure of classified national security information, or through the loss or degradation of departmental resources or capabilities.
The term “insider” is broad and includes contractors:
(A) any person who has access to classified national security information and is employed by, detailed to, or assigned to the Department, including members of the Armed Forces, experts or consultants to the Department, industrial or commercial contractors, licensees, certificate holders, or grantees of the Department, including all subcontractors, personal services contractors, or any other category of person who acts for or on behalf of the Department, as determined by the Secretary; or
(B) State, local, tribal, territorial, and private sector personnel who possess security clearances granted by the Department.
The effort to address insider threats is not new. In October 2011, Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, mandated that all entities handling classified information establish an insider threat detection and prevention program. One result of this Executive Order was the creation of an Insider Threat Task Force to develop a government-wide program for mitigating insider threats, which led to NISPOM Change 2. Today, we are witnessing the further evolution of such programs through the deployment of various tools to monitor data and efforts to access data, and to analyze and report behavior.
It is notable that there has been little pushback to the insider threat mandates. Industry appears to be in agreement that the insider threat is serious and must be addressed. Industry has also developed sophisticated tools that can be used to combat the threat. In fact, H.R. 666 would require that DHS examine existing programmatic and technology best practices adopted by industry in order to implement solutions for protecting against insider threats that are validated and cost-effective. Whether industry will react in the same manner to SEAD 3 remains to be seen. Its reaction may be driven by whether the SEAD 3 reporting obligations create a significant additional administrative burden.
Concerns related to the insider threat have resulted in some companies implementing insider threat programs that include their supply chains. Suppliers may represent potential weak links in this threat.