The Defense Security Service signed off on more than 5,500 plans to develop initial insider threat programs from cleared industry contractors by the Nov. 30 deadline.
A long-awaited change to the National Industrial Security Program Operating Manual (NISPOM), which DSS issued in May, finally gave cleared contractors an official requirement to develop an insider threat program plan and designate a senior official in the company to endorse and oversee it. Contractors must also periodically submit self-reviews of their insider threat programs to DSS.
More than 7,749 officials have been appointed to lead their company’s insider threat program, DSS said. Specifically, 5,532 insider threat program plans are certified, at least among the companies that DSS and the Defense Department oversee. The CIA, Energy Department and Nuclear Regulatory Commission also have their own contractors that are supposed to submit insider threat plans.
“Cleared industry…made substantial strides in implementing the minimum requirements and establishing their insider threat programs,” DSS said in an email to Federal News Radio. “DSS continues to process additional official appointments and plan certifications and it is clear that cleared industry embraces and acknowledges the importance that insider threat programs bring to the National Industrial Security Program.”
The requirements don’t specify exactly who within the company should be the insider threat program senior official. It could be the contractor’s CEO, president or director of security, said Charlie Sowell, senior vice president for national security and cyber solutions at Salient CRGT and a former senior adviser to the Director of National Intelligence.
“It simply talks about the procedures that you have to put into place to access information, to share that information and to collaborate among the appropriate elements in the company that have a role in insider threat prevention,” he said. “Security is an obvious one. But there’s also human resources. There could be a company’s information assurance program. Some companies have organic legal staff on board.”
Sowell said for many contractors like his own company, implementing initial capabilities on an insider threat program wasn’t an incredible burden. Many of them, particularly large organizations like Lockheed Martin, already have some form of an insider threat program established. The NISPOM change codifies what companies are already doing.
“There’s some training that folks need to go through, employee awareness,” Sowell said. “But this isn’t really a heavy lift for companies.”
Companies can build their programs to reflect the size, scope and complexity of their organization, said Jon Burd, partner in the government contracts practice at Wiley Rein. But they will need to put a lot time and thought into developing these programs.
“Everybody is going to be able to tailor their response based on their unique footprint,” he said. The type of organization that’s going to have to invest comparatively more resources in meeting this rule that are larger organizations, diffused or decentralized management and back-office operations.”
Though Burd agreed many companies may have a few of the building blocks in place to establish basic insider threat programs, he sees challenges ahead.
“Now the government is asking the organization to monitor and police these issues from a much broader perspective, from a human resources perspective, legal perspective,” he said. “I can see that there’s potentially more risk for the organizations from a personal information and privacy perspective.”
The NISPOM change also details specifications for monitoring employees’ activity on systems that process classified information.
“The only way to really identify an insider threat effectively is by being able to monitor behavior and understand when one’e behavior changes,” said Steven Grossman, vice president of strategy and enablement at Bay Dynamics. His company specializes in cybersecurity and insider threat solutions.
Next, companies must connect the dots between the behavior they observe and their activities online and on the network, Grossman said.
It’s the human behavior piece that’s likely to cause the most strife for companies and agencies in the insider threat space, experts said.
“The newness of the rule is going to be more on the human element and the internal training within the organization, the requirement for the organization to dedicate senior management resources to not only oversee the organization’s implementation but then to certify, to be the person who’s going to say, yes we have this process in place and this is what we are doing on a day-to-day week-to-week basis to prevent the threat and to detect the threat and then to report the threat when we find it,” Burd said.
Agencies and organizations that work in the intelligence community are accustomed to these kinds of issues, Sowell said. But for others, these questions that are crucial to a successful insider threat program are more difficult to resolve.
“Think about going out to an organization like Customs and Border Protection, which has a union that’s involved,” he said. “Sometimes [the union] takes a different view of employee monitoring and employee rights and privacy issues.”
Agencies have largely struggled to establish their own insider threat programs. Many missed the deadline to reach initial operating capability by December 2015, and many more will likely miss the mark to reach full operating capability by December 2016.
The National Insider Threat Task Force has continuously said a combination of “organizational culture, legal questions and resource identification” challenges have prevented some agencies from hitting these deadlines, according to the most recent data on Performance.gov. They’re similar issues that insider threat experts say federal contractors will also encounter.
Though “Conforming Change 2” took a while to come out, Sowell said DSS communicated well with industry about its general intentions for the upcoming policy.
DSS said it attributes the success it sees with contractors meeting the deadline to the partnership that agencies and industry formed to develop the implementation guidance, tools and training.