4 steps contractors should take now to prepare for new security requirements
In October 2011, President Obama signed Executive Order 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.” The order established the Senior Information Sharing and Safeguarding Committee to develop and implement government-wide policies and minimum standards. It also created the National Insider Threat Task Force to develop a government-wide program for deterring, detecting and mitigating insider threats.
MORE CHANGE ON THE HORIZON
The National Industrial Security Program Operating Manual, known as the NISPOM, is the bible for any defense contractor supporting classified government programs. The Defense Security Service is responsible for administering the NISPOM to protect U.S. and foreign classified information and technologies held by cleared defense contractors. The NISPOM was last updated in 2013 with Conforming Change 1.
Now there is a new version on the way. Conforming Change 2, slated to be released later this year, will include updated mandates related to insider threat. But instead of waiting for these updates, facility security officers can take a number of steps now to address insider threat and stay ahead of the coming modifications.
STEP ONE: DESIGNATE AN INSIDER THREAT PROGRAM MANAGER
This is probably the most important component that every security officer should ensure is in place. The insider threat program manager should be a U.S. citizen with the right clearance levels, and have a broad mandate to organize and design a program that covers the minimum standards contained in EO 13587. The program manager should be a senior official who will serve as the company point of contact. For smaller operations, the FSO may well serve as the insider threat program manager; in others, the roles will be separate.
STEP TWO: BE READY TO PROVIDE HR AND NETWORK DATA RECORDS
Facility security officers should be prepared to provide authorities with personnel files, security files, polygraph examinations and disciplinary files upon request. The National Insider Threat Policy and Minimum Standards, issued via presidential memorandum for executive branch insider threat programs, calls for agencies to “build and maintain an insider threat analytic response capability to manually and/or electronically gather, integrate, review, assess, and respond to information derived from CI, IA, security/law enforcement, [human resources], and other sources.”
STEP THREE: TRAIN EMPLOYEES ON INSIDER THREATS IN THEIR FIRST 30 DAYS
Training is a key component of the insider threat program. Components of the training program should include:
- The importance of detecting potential insider threats by cleared employees (i.e., people who have been granted access to classified information) and reporting suspected activity to insider threat personnel or other designated officials
- Methodologies of adversaries to recruit trusted insiders and collect classified information
- Indicators of insider threat behavior and procedures to report such behavior
- Counterintelligence and security reporting requirements, as applicable
STEP FOUR: MONITOR USER ACTIVITY ON CLASSIFIED NETWORKS
User activity monitoring should operate, using required tools and capabilities, in compliance with the cleared defense contractor’s Cognizant Security Agency, which sets how contractors access classified information. According to the policy, the insider threat program should be able to “monitor user activity on all classified networks in order to detect activity indicative of insider threat behavior.” Organizations should review their acceptable use policies and ensure that network login banners (which notify users that they are being monitored) have been reviewed and implemented.
GETTING READY NOW WILL PAY OFF LATER
What’s in store for cleared defense contractors regarding the changes in NISPOM will become clear soon. Although there is consensus on the general structure of the changes, it’s possible there will be some surprises. But, regardless of what these changes entail, one thing is clear: Forward-thinking FSOs who put the points we’ve outlined into effect will be ahead of the game.
Dan Velez, CISSP, is the director of insider threat operations at Forcepoint, and is responsible for the delivery and support of insider threat monitoring, investigation solutions and related services.