Cybersecurity – Making Inside Jobs Less Likely

---

[ARTICLE PDF]      

---

---

A new program to prevent insider cyber threats has the right idea—but has government contractors scratching their heads about how to comply.

In May 2016, the Defense Department’s Defense Security Service amended the National Industrial Security Operating Manual, creating a new requirement that contractors with DOD facility security clearances have a written plan for implementing an insider threat program aimed at preventing cyber attacks. DSS further mandated that the plan be in place by November 30, 2016.

This requirement for cleared contractors is a natural extension of Executive Order 13587 and the National Insider Threat Policy—both signed by President Obama in 2012—which called for the creation of an insider threat task force to develop a government-wide program for deterring, detecting, and mitigating insider threats. Given that cleared contractors have access to and safeguard significant amounts of classified information in performing work for and on behalf of government agencies, it makes sense to require similar programs for them.

So why formalize a program now? According to Adelicia Cliffe, a partner in Crowell & Moring’s Government Contracts and International Trade groups, “The glare of the 2013 document leaks by Edward Snowden and the arrest in 2016 of another National Security Agency contractor for long-term document theft highlight that insider threat risks are not limited to agency employees, and that contractors are also in a position to exploit and compromise classified information. When security breaches of this magnitude happen, the government has to step up its efforts and make prevention a bigger priority.”

NOT ENOUGH SPECIFICS, POTENTIAL LAND MINES

The DSS program has five minimum requirements for affected contractors:

• Designation of an insider threat program senior official to establish and execute the program
• Development of a written implementation plan 
• Reporting of “relevant and credible information” regarding potential insider threats 
• Training programs for managers and all cleared employees, plus annual refreshers 
• Information security controls to monitor activity on classified information systems

But DSS’s guidance falls short on specifics—in fact, it expressly states that the plans must be tailored to each organization’s business—leaving contractors with unanswered questions about the plan’s logistics, content, and training, among many areas. For now, they’ve had to figure things out as they go.

As with the federal agency insider threat program requirements, contractors must implement the insider threat program consistent with legal, civil liberties, and privacy policies. Cliffe emphasizes the significance of this intersection as a particularly thorny area for cleared contractors, in light of the sensitivity of insider threat information and the potential consequences of reporting an individual under the program.

She strongly recommends that contractors include privacy experts in the planning and implementation of their insider threat programs. These experts should be key advisors to be consulted early and often, she says.

WHAT ELSE SHOULD CONTRACTORS DO?

Contractors should take additional steps to make their insider threat programs practical, feasible, and flexible, Cliffe says. The result should be something that works both for the contractor’s business and its existing industrial security program, and that satisfies the DSS requirements.

First, interdisciplinary teams should be set up to foster collaboration across management, legal, and technical groups. An example would be a work group or task force that includes representatives from human resources, the legal department, and operational and technical departments.

Second, contractors’ obligations under their programs are numerous and substantial, meaning that they’ll need significant resources both to comply and monitor compliance. They should plan ahead to make sure that such resources are in place.

Third, recent experience shows that contractor employees aren’t the only potential source of insider threats—subcontractors, vendors, and other business partners with access to sensitive information pose major threats as well. Contractors should therefore consider extending their training programs beyond their own personnel to include third parties with access to classified information.

Finally, contractors should use the program as an opportunity to review and upgrade their current information systems, security policies, and security procedures to ensure compliance with the DSS requirements.

Cliffe takes this idea a step further: “Even better,” she says, “contractors should proactively engage with DSS to get ahead of the curve to avoid compliance issues and help shape DSS’s expectations going forward.”