NISPOM’s New Insider Threat Program Is an Opportunity to Establish Competitive Edge
The NISPOM’s new insider threat requirements provide government contractors who have facility clearances with an opportunity to become market leaders.
Early implementation of an insider threat program helps cleared government contractors establish a competitive edge in two distinct ways. First, the sooner contractors can state in their proposals and marketing materials that they are fully compliant with these new requirements, the earlier they can differentiate themselves from the contractors who are only providing the minimum required implementation plan. Second, early implementation of an effective program can thwart malicious insider threats sooner, preventing them from causing damage and the subsequent adverse action by the government for failure to protect classified materials. This earlier detection can ultimately reduce the risk of lost awards, contract termination or potential debarment that could result from a breach of a classified location or classified information.
Merely providing the minimum required implementation plan prior to the November 30, 2016 deadline does not provide a significant distinguishing factor since all affected contractors must also provide a plan by that date.
Broad Internal and External Ecosystem
As described further below, these programs need to address numerous areas and sources of information. As such, when implementing their compliance programs, contractors need to synchronize special classified DOD/IC operations with legal, technical, security, HR, senior leaders and other internal organizations across the enterprise. The key to success is a holistic approach and a deep dive into the IT systems, HR policies, legal directives and business organizations so that the program delivers a unified solution.
Contractors also need to ensure that their insider threat program applies to all cleared personnel accessing their locations and networks, not just to their own employees. The program needs to address insider threats from cleared employees, contractors and other personnel with authorized access from: (i) the prime contractor; (ii) its general support contractors such as outsourced IT help desks; and (iii) subcontractors providing deliverables under the prime contract who operate cleared facilities.
Good Model for Any Organization Addressing Insider Threats
Although these new rules are required only of government contractors with a facility clearance, they are also a good way for any entity to address potential threats from insiders. Critical infrastructure providers, such as energy utilities and telecommunications carriers, need to identify and mitigate threats from insiders due to similar rules already in place or being developed by the FCC, FERC, SEC and FTC. Fortuitously, the NISPOM’s new rules are also a good model for any organization addressing insider threats.
Scope and Customization
An insider threat program needs to mitigate risks that might arise from, for example, allegiance to a foreign government, influence by a foreign organization, improper behavior, personal problems, financial troubles, sexual misconduct, alcohol and drug use, emotional disorders or misuse of IT systems.
These programs need to be developed by working closely with the legal department so that they are effective while still being consistent with the privacy and civil rights of each party. These programs also need to be tailored to each contractor’s risk profile. There is no cookie-cutter approach at this time because each contractor has a different mix of classified activities, employees, culture and risks.
Many current commentators focus their materials only on the gathering, integrating and reporting portions of the new requirement, which are expressly called out in NISPOM Section 1-202. However, this narrow view on gathering information misses the other core areas required for effective compliance. In particular, that same NISPOM section goes on to incorporate by reference a number of policies and procedures that specify three other important core requirements: to deter, detect and mitigate risks. Gathering information by itself does not actually stop anything if the information is not acted upon.
Therefore, an effective compliance program needs the following four core components:
- Gather, integrate and report: To be compliant, the contractor’s program needs an appropriate system that takes in all sources of information that likely currently flow through many different systems dispersed across HR, IT, Ops, Finance, etc. This kind of single integrated tool incorporates all sources so that contractors can monitor broad ranges of triggers. The system also then needs to report data, triggers and other information to users and other systems in formats and methods so that it may be effectively accessed, shared, compiled, identified and used for collaboration.
- Deter: Deterrence is an evolving area in the market and each organization will need to establish its own methods to deter negative behavior. Punishment, education, exposure and related consequences are potential ways to deter insider threats that need to be adapted into a range of effective deterrence options.
- Detect: An effective compliance program needs enough information about personnel and risky behaviors to enable the contractor to actually identify suspect individuals and trigger action or investigations. Detection needs to occur based on general conduct that indicates a potential to become a threat, as well as specific threats such as taking photographs, inappropriate physical access, physically copying information without a need, misconduct on IT systems or improper personal behavior.
- Mitigate: This portion of the compliance program can be separated into two main areas. The first area is mitigating the risks before an event occurs by having an ongoing system that automatically prevents harmful actions such as stopping someone from entering or leaving a building. The second area is to mitigate damage with crisis response when an event begins. Whether it’s an active shooter, theft or damage, organizations need to train, prepare and react quickly so that the damages are reduced and stopped. Then they need to follow a pre-scripted disclosure plan to authorities and injured parties pursuant to agreed-upon procedures.
The NISPOM’s insider threat program requirements also include additional obligations such as designating a senior official, establishing reporting structures, self-assessment, education and training programs, and ongoing monitoring. These broader aspects of the program need to be implemented in order to improve the efficiency of the core requirements.