A Head Start on Insider Threats
Before government employees can access sensitive government information, they must pass an extensive background check and receive a security clearance under federal guidelines. But when private-sector employees need to access that same classified information, the security requirements are a bit hazier. That’s why the National Industrial Security Program (NISP) is working to develop a change to the NISP Operating Manual (NISPOM), which prescribes requirements, restrictions, and other safeguards to private-sector employers to prevent unauthorized disclosure of classified information.
Known as Conforming Change Two, these newest modifications to the NISPOM are seen as the industry interpretation of the National Insider Threat Policy, which was enacted in 2012 and requires government agencies handling classified information to develop an insider threat program. Daniel McGarvey, director of security programs at Global Skills X-change and the chair of the ASIS International Defense and Intelligence Council, has had a hand in developing the guidance for the private sector. He tells Security Management that although the implementation of Conforming Change Two has been delayed by at least six months, government contractors have already started enacting the program in their companies.
“We’ve been doing workshops for implementing the Conforming Change, just talking to companies about how to set up for it, and presentations we’ve given through ASIS International have been standing-room only,” McGarvey explains. “We’ve had two to three hundred attendees at each presentation.”
There’s little time to spare in enacting the program: once the change is officially pushed forward by the Defense Security Service under the U.S. Department of Defense (DoD), private-sector companies with access to classified material will have 180 days to fully implement the program. The change will require contractors to gather, integrate, and report relevant information indicative of a potential or actual insider threat, and a senior official from each organization must personally accept responsibility for the security of classified information systems. Contractors must also report any indications of an insider threat by using counterintelligence, security, information assurance, and human resources records.
The updated NISPOM was supposed to be released last summer, but it was delayed due to revisions to include more cybersecurity-related elements, McGarvey says. The procedures will also now apply to the U.S. Department of Homeland Security, making all of the department’s agencies and contractors fall under the comprehensive security requirements.
McGarvey says that many contractors are overwhelmed by the impending change and believe it’s “an onerous process” because they don’t understand the value it provides. “Once we go through the explanation of what you can do with this program, people find it eminently reasonable,” he notes. “I’ve talked to several CSOs at large companies that have implemented the process, and they say it works extremely well.”
Art Davis, the director of corporate security at Booz Allen Hamilton, tells Security Management that before the new NISPOM requirements were realized, his organization did not have much of an insider threat program. “We had concerns that every major corporation had,” he explains. “We had policies that dealt with employee privacy, the protection of proprietary information, and acceptable use of IT systems.”
As Davis and his team learned more about the federal insider threat policy, they decided to implement a program at Booz Allen modeled after how federal agencies were implementing the new program. “We knew that it would be imposed upon industry, and as we looked at the provisions of what was being done to the various government departments and agencies, we kind of made the assumptions that it would look and smell and taste an awful lot like that in industry,” he explains.
Despite not knowing exactly what Conforming Change Two will entail—since a final draft hasn’t been released—Davis says there was no hesitation in building such a stringent insider threat program.
“We’re concerned about staff wellness, we’re concerned about intellectual property theft, we’re concerned about any variety of things over and above the stuff the government had initially voiced a concern about, which was just people with clearances,” Davis explains.
The first step was to work more closely with other departments at the firm that would logically be involved in such a program, such as the legal office, employee relations, and human resources. The hardest part, Davis says, was developing a governance structure within Booz Allen and ensuring buy-in from shareholders. A steering committee ranging from the working level to the executive vice president level, as well as the firm’s ethics committee, all had a say in what the insider threat program would look like at Booz Allen. “As you might suspect, that did not happen overnight,” Davis notes.
The leadership also agreed that insider threat training and practices would apply to everyone who works at the firm, not just employees with clearances, as required by NISPOM. “I think initially making the decision to apply it to the whole corporation was an awfully good decision on the part of the leadership,” Davis says. “It doesn’t discriminate against any individual group in the firm. It puts everybody at the same level.”
The idea of applying this insider threat program to all employees, not just the ones in contact with classified information, has proven to be popular, McGarvey notes. The well-attended implementation workshops, which are hosted by the ASIS Defense and Intelligence Council, have attracted far more than the contractors required to adhere to the program, including security leaders from other industries and international organizations, McGarvey says.
“There’s a whole lot of interest in terms of trying to deal with the insider threat, and not just in the defense and intelligence communities,” McGarvey explains. “It affects every company. The NISPOM deals only with classified contracts, but insider threat is happening to people at every company.”
McGarvey notes that the NISPOM does not apply to third-party subcontractors who handle classified information, and it’s something that he has brought up to the DoD. Because there’s no industrywide language on how subcontractors should be vetted before handling classified information, McGarvey says the workshops encourage the primary contractors to take the initiative and incorporate the same policies in their relationships with subcontractors.
“If the subcontractors have issues internally, that’s a big problem for the primary contractors,” McGarvey explains. “By incorporating the requirement within subcontracts, the primary contractors are given the legal authority to minimize those issues.”
For example, for a defense contracting company to be given a contract to build a military airplane, the company must adhere to the NISPOM to receive the contract because the aircraft will be built in a classified environment. The primary contractor would then take those same contractual NISPOM requirements and stipulate them in their agreements with any subcontractors involved in building the plane.
“The challenge is that the government can only look at the primary contractor, they can’t look at the subcontractors unless there’s a specific issue,” McGarvey notes. “But the primary contractors can go make sure the subcontractors they work with follow the same guidelines.”
McGarvey says the upcoming changes will have the added benefit of requiring security officers to work with the legal, IT, and human resources departments to make sure the workplace complies with the NISPOM. It enables security officers to lead the process and pulls together a cohesive group of individuals to work the issue jointly, he explains.
Davis agrees, and says that since Booz Allen has implemented the program in its workplace it has “already paid dividends in the company.”
“We’re getting input now from across the firm,” Davis explains. “It’s not just an IT tool that gives us input, it’s people who tell us about problems, people that have problems and aren’t afraid to bring problems forward; it’s preventing violence in the workplace, and it’s doing a whole variety of other things.”
Although the industry is still waiting for the DoD to release the official changes to the NISPOM, McGarvey encourages government contractors and others to begin educating themselves about the new program.
“It’s really a 21st century approach to security, because we take a look at what security exists and say, okay, if we repurpose some of these areas that are already in the company, you can have a much more robust security structure that deals with the insider,” McGarvey says. “And if you couple that with your external controls and cybersecurity, you have a really nice comprehensive program.”