Managing Risk with Insider Threat Programs
Government Contracts Issue Update
On May 18, 2016, the Department of Defense (DoD) published Change 2 to the National Industrial Security Program Operating Manual (NISPOM). NISPOM Change 2 requires that all cleared contractors establish and maintain an Insider Threat Program no later than November 30, 2016. With that deadline fast approaching, this analysis provides a brief overview of the key components of the new NISPOM requirements and highlights five considerations contractors should have in mind when standing up an Insider Threat Program.
Overview of Insider Threat Program Requirements
Under NISPOM Change 2, the Defense Security Service (DSS) requires cleared contractors—both possessing and non-possessing facilities—to create an Insider Threat Program designed to “gather relevant insider threat information across the contractor facility (e.g., human resources, security, information assurance, legal) commensurate with the organization’s size and operations.” Industrial Security Letter 2016-02, May 21, 2016, at 2 (ISL 2016-02). To implement the plan, contractors must, by November 30, 2016:
- Establish an Insider Threat Program;
- Appoint an Insider Threat Program Senior Official (ITPSO) who is cleared to the level of the facility and who will complete the ITPSO training by November 30, 2016;
- Implement the workforce training requirements related to insider threat; and
- Self-certify to DSS that the Program can fulfill the insider threat requirements.
Once implemented, contractors have continuing obligations to gather and report relevant and credible information that indicates potential or actual insider threats. In addition, contractors will be required to monitor classified network activity and to conduct self-inspections of their Insider Threat Programs. Section Y of DSS’s Self-Inspection Handbook for NISP Contractors provides a series of questions to guide contractors through the various requirements of the Insider Threat Program.
Crafting an Insider Threat Program
Based on our recent experience working with cleared contractors to implement effective Insider Threat Programs, below are five key points and best practices that we believe are consistent with the NISPOM requirements and help mitigate risk in the event of an insider threat.
1. Tailoring the Program to the Contractor’s Size and Complexity
DSS has expressly recognized that Insider Threat Programs under NISPOM Change 2 can be right-sized to match the sophistication of the cleared contractor. See ISL 2016-02 at 1 (“DSS will consider the size and complexity of the cleared facility in assessing its implementation of an insider threat program to comply with NISPOM Change 2.”). Accordingly, contractors will need to consider whether existing company policies and procedures are in line with the NISPOM or if changes, updates, or additional items are required.
In that regard, DSS has not mandated a set of rigid best practices. Rather, cleared contractors must design and implement a pragmatic plan that is commensurate with their operations and resources. While contractors will benefit from the flexibility to tailor an Insider Threat Program to their organizations’ needs and resources, they should make a realistic assessment of what resources they can and should commit to an Insider Threat Program. In the absence of a check-the-box set of requirements, over-promising and under-delivering are significant risks, and contractors must resist the temptation to implement plans that are little more than “paper policies” that lack actual implementation.
2. Documenting the Program
Under NISPOM Section 1-202, cleared contractors must create a written Insider Threat Program and self-certify to DSS that the plan has been implemented and is current. See ISL 2016-02. DSS has provided a sample template for an Insider Threat Program. DSS’s template is fairly rudimentary, suggesting that DSS does not anticipate that Insider Threat Programs will require much in the way of documentation unless or until specific threats or incidents drive the need for additional or more rigorous controls.
Nevertheless, we recommend that contractors consider providing more robust documentation of their Insider Threat Program that goes beyond the “bare bones” model DSS has outlined. The real test of the sufficiency of any Insider Threat Program will likely come in the aftermath of an incident in which an employee or other insider has compromised classified information and the contractor must answer for those actions. Contractors may be able to mitigate the risks and liabilities of future insider attacks by thoroughly documenting a robust Insider Threat Program. That way, post-incident, the contractor can make a credible claim that the incident occurred despite the contractor’s efforts. From that point of view, the more detailed the documentation is, the better—so long as the contractor actually has the resources and institutional backing to follow through and implement the plan. Especially in the event of an insider incident, a contractor’s failure to implement a plan that it documented will likely compound problems and could introduce additional risks (such as suspension/debarment and False Claims Act liability).
3. Monitoring Classified Network Activity
Contractors must implement information system security controls, such as user-activity monitoring, on classified systems in order to detect activity indicative of an insider threat. See NISPOM Section 8-100(d); ISL 2016-02 at 5. We anticipate that for most contractors, the information security components of an Insider Threat Program will be relatively easy to implement, because contractors operating accredited classified information systems have already had to put in place the protections required by NISPOM Section 8-100(d). The DSS ODAA Process Manual provides specific guidance for the auditing and monitoring of contractor classified information systems under User Activity Monitoring/Auditing (Section 6.7.1).
As such, we anticipate that many contractors should be able to leverage existing cybersecurity protections to meet the information security requirements. This is especially true as DSS has stated that contractors can tailor their Insider Threat Programs to the sophistication and size of the contractor. For example, NISPOM Section 8-303(b) requires contractors to apply technical controls to ensure that contractors “limit [Information Systems] access to authorized users . . . [and that] access must be limited to the types of transactions and functions that authorized users are permitted to exercise.” This is a basic cybersecurity requirement and is almost certainly already in place at most cleared contractors. See NIST Special Publication 800-53, Revision 4, control AC-6 (Least Privilege), which establishes the principle of least privilege for governing user access to information systems.
4. An Insider Threat Program Is Not Just an IT Solution
While information security controls may be relatively easy for contractors to implement, we anticipate that the more difficult part will be ensuring that the contractor has committed sufficient human resources to the Insider Threat Program. NISPOM Section 8-302 requires contractors to implement “Operational Controls,” which it defines as methods “primarily implemented and executed by people (as opposed to systems) . . . .” For example, Section 8-302(a)(3) requires contractors to “review audit logs . . . as a component of its continuous monitoring to determine if there are any personnel failing to comply with security policies and procedures . . . .”
As a technical matter, capturing basic data on user activity such as login failures is easy. In fact, many IT systems will log this type of information by default. But, at some point, a real person will need to review those logs to identify potentially malicious or suspicious activity, like differentiating an employee who misspelled a new password twice in a row from one who is systematically trying to guess coworkers’ passwords; or an employee who is working late on an authorized project versus one who is accessing a system after-hours to evade detection. To be sure, there are evolving tools to help consolidate and streamline this audit review function, but they do not replace the human element altogether. The Insider Threat Program should be built and implemented through a post-incident lens. A contractor does not want to be in a position of trying to explain in hindsight why audit logs showed suspicious activity, but that activity went undetected because no one was reviewing the logs.
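As an added illustration of the two judgment calls the preceding paragraph describes (a mistyped password versus systematic guessing of coworkers' accounts, and authorized late work versus unexplained after-hours access), the following Python script runs simple triage rules over constructed authentication log lines. It is example code written for this page, not a DSS tool or a NISPOM-mandated control; the sshd-style log format, the thresholds, the business-hours window and the roster of employees approved to work late are all assumptions chosen for illustration.

```python
"""Triage constructed login records into the distinctions an Insider Threat
Program reviewer has to make: typo vs. password spraying, and authorized vs.
unexplained after-hours access.  Everything below (format, thresholds, roster)
is an illustrative assumption, not a DSS or NISPOM requirement."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an sshd-like syslog format; not taken from any real system.
SAMPLE_LOG = """\
2016-11-14T09:02:11 ws07 sshd[401]: Failed password for alice from 10.0.5.7
2016-11-14T09:02:19 ws07 sshd[401]: Failed password for alice from 10.0.5.7
2016-11-14T09:02:31 ws07 sshd[402]: Accepted password for alice from 10.0.5.7
2016-11-14T13:10:02 ws07 sshd[455]: Failed password for bob from 10.0.5.9
2016-11-14T13:10:09 ws07 sshd[455]: Failed password for carol from 10.0.5.9
2016-11-14T13:10:15 ws07 sshd[455]: Failed password for dave from 10.0.5.9
2016-11-14T13:10:22 ws07 sshd[455]: Failed password for erin from 10.0.5.9
2016-11-14T22:45:10 ws07 sshd[510]: Accepted password for bob from 10.0.5.9
2016-11-14T23:12:40 ws07 sshd[522]: Accepted password for frank from 10.0.5.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Illustrative policy knobs; these are assumptions, not NISPOM or DSS values.
BUSINESS_HOURS = (7, 19)              # 07:00 to 18:59 local is treated as normal
MAX_TYPO_FAILURES = 3                 # more failures than this on one account is suspicious
MIN_ACCOUNTS_FOR_SPRAY = 3            # failures against this many accounts from one source
AUTHORIZED_AFTER_HOURS = {"frank"}    # constructed roster of people approved to work late


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def analyze(events):
    """Return a list of findings, each a dict with a 'kind' and the evidence behind it."""
    findings = []
    failures = defaultdict(lambda: defaultdict(int))   # src -> account -> failed attempts
    successes = set()                                  # (src, account) pairs that later logged in
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]][e["user"]] += 1
        else:
            successes.add((e["src"], e["user"]))

    for src, per_account in failures.items():
        if len(per_account) >= MIN_ACCOUNTS_FOR_SPRAY:
            # One source failing against many accounts is guessing coworkers' passwords,
            # not mistyping its own.
            findings.append({"kind": "password_spray", "src": src,
                             "accounts": sorted(per_account)})
            continue
        for account, n in per_account.items():
            if n > MAX_TYPO_FAILURES:
                findings.append({"kind": "brute_force", "src": src,
                                 "account": account, "failures": n})
            elif (src, account) in successes:
                # A few failures followed by success from the same place reads as a typo.
                findings.append({"kind": "likely_typo", "src": src,
                                 "account": account, "failures": n})

    spraying_sources = {f["src"] for f in findings if f["kind"] == "password_spray"}
    for e in events:
        if e["result"] != "Accepted" or e["user"] in AUTHORIZED_AFTER_HOURS:
            continue
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append({
                "kind": "after_hours_access", "src": e["src"], "account": e["user"],
                "time": e["ts"].isoformat(),
                # Escalate when the same source already probed other accounts that day.
                "severity": "high" if e["src"] in spraying_sources else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample, alice's two failures followed by a success are reported only as a likely typo, the source 10.0.5.9 that failed against four different accounts is flagged as password spraying, bob's 22:45 login from that same source is escalated because of the earlier spraying, and frank's late login produces nothing because he is on the approved roster. The rules are deliberately crude: the point is that each finding still lands in front of a person, and the roster of who is authorized to work late is itself an operational control that IT tooling cannot supply.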
Operational Controls, i.e., experienced people who are able to analyze data and assess threats, are critical. Similarly, DSS has stated that a valid Insider Threat Program must also take the physical facilities into consideration. See NISPOM Section 8-302(b)(2) (“Protect the physical plant and support structure of [Information Systems].”). Even allowing for DSS’s recognition that an Insider Threat Program can be tailored to the contractor’s size and complexity, a purely technical solution will not be regarded as a competent program.
5. Reporting Obligations
Under NISPOM Section 1-300, contractors must report information “that may indicate the employee poses an insider threat.” See also ISL 2016-02 (contractors must report “relevant and credible information” regarding cleared employees). Although the reporting requirement now expressly extends to insider threat information, the mechanics are the same as NISPOM's long-standing reporting requirements. For example:
- Information regarding cleared employees that is indicative of a potential or actual insider threat and that falls within one of the 13 adjudicative guidelines must be reported when it constitutes adverse information under NISPOM Section 1-302a;
- Incidents that constitute suspicious contacts must be reported under NISPOM Section 1-302b; and
- Information concerning actual, probable or possible espionage, sabotage, terrorism or subversive activities must be reported to the Federal Bureau of Investigation under NISPOM Section 1-301.
As before, we would caution contractors to err on the side of over-reporting. In addition to protecting national security, contractors will be best served by a strong history of proper reporting should an incident occur.
For more information on developing and implementing insider threat detection and avoidance programs, please contact a Wiley Rein attorney.