“Insider threat” refers to a security risk that focuses on those within the organization. An insider can exploit their knowledge of the organization including its controls and weaknesses. Examples of insiders using this information to obtain data include Chelsea Manning and Edward Snowden.
To mitigate the insider risk posed by government contractors, the Department of Defense (DoD), on May 18, 2016, published “Change 2” to the National Industrial Security Program Operating Manual (NISPOM) in order to require contractors holding a facility security clearance establish and maintain a program to detect, deter and mitigate insider threats. Steptoe prepared an advisory on NISPOM Change 2 titled New “Insider Threat” Programs Required for Cleared Contractors.
The end of this month marks a key requirement for cleared contractors, and that is the requirement to have trained their employees. Training is available for that purpose, as described below.
The effort to address the insider threat is not new. In October 2011, President Barak Obama signed Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, to mandate that all entities handling classified information establish an insider threat detection and prevention program. One result of this executive order was the creation of an Insider Threat Task Force to develop a government wide program for mitigating insider threats.
NISPOM Change 2 represented a key outcome of Executive Order 13587. One of the actions required by NISPOM Change 2, and discussed in the DoD Defense Security Service Industrial Security Letter (ISL) providing guidance on Change 2, which is available here, is the training of contractor employees on insider threat awareness.
What is Required?
All cleared contractor’s employees are required to receive training on insider threats. Those employees employed at the time of the issuance of Change 2 are required to receive their training within 12 months of NISPOM Change 2, which is no later than May 31, 2017. (Contractors should note that Change 2 mandates that new employees receive such training prior to accessing classified materials.) This training is to be documented and annual refresher training is also a requirement.
Training must include, at a minimum, the topics outlined in the NISPOM at 3-103b—
(1) The importance of detecting potential insider threats and reporting suspected activity to the organization’s Insider Threat Program official.
(2) The methodologies of adversaries to recruit trusted insiders and collect classified information.
(3) The indicators of insider threat behavior and how to report such behavior.
(4) The applicable counterintelligence and security reporting requirements.
Contractors may use their own training courses to meet the requirements or use available training as noted in the ISL. The employee training to satisfy the May 31 requirement is available here and here.
Although the changes to the NISPOM are focused on contractors with cleared facilities, other contractors may want to consider implementing an insider threat program and training as part of their overall effort to ensure cybersecurity.