Insider Threat

In response to the Washington Navy Yard Shooting on September 16, 2013, NISPOM Conforming Change 2 and Industrial Security Letter (ISL) 2016-02 (effective May 18, 2016) was released, establishing requirements for industry’s insider threat programs. In December 2016, DCSA began verifying that insider threat program minimum requirements are being implemented during security reviews. Overall, contractor insider threat programs must:

  • Appoint an insider threat program senior official

  • Provide initial and refresher insider threat training for cleared employees

  • Place necessary controls on classified information systems

  • Be capable of gathering relevant information across a contractor facility

  • Leverage procedures to identify and report information indicative of a potential or actual insider threat

  • Detect, deter, and mitigate the risk of insider threat

Companies that leverage corporate programs must ensure their insider threat plan addresses requirements for each cleared facility for which it applies, and the program must be appropriately implemented at each cleared facility. DCSA continues to assess compliance with minimum insider threat requirements, which provide the basic elements necessary to establish a fully functional insider threat program.

DCSA is also developing a strategy for evaluating the maturity of contractor insider threat programs. Under the current strategy, requirements will be broken into five principles:

  1. Insider threat program management

  2. Insider threat awareness training

  3. Access to Information

  4. User Activity Monitoring

  5. Integration, Analysis, and Response

DCSA plans to release an ISL that includes additional descriptions of these principles and information to assist contractors with assessing their own insider threat programs. While development of the ISL is still in progress, it will ultimately incorporate language from and replace the current ISL (2016-02).

To assist with maintaining current programs and preparing for assessment program maturity, contractors should leverage the following resources:

The National Insider Threat Task Force (NITTF) Maturity Framework

While this does not directly apply to Industry insider threat programs, it is a good resource to reference to assist with maturing insider threat programs. The maturity principles identified above align closely with elements outlined in NITTF Framework.

CDSE Insider Threat Toolkit

Provides a variety of resources (including job aids, case studies, and e-Learning) to assist with establishing a program, creating training, reporting, etc.