This blog has been edited to reflect the recent Industrial Security Letter released by DCSA, 9/21.
SEAD 3 has been out for some time, but the recently released letter clarifies obligations for cleared federal contractors under SEAD 3.
In short, cleared contractors working for Department of Defense customers must implement the change effective August 24, 2021. They have an additional year to bring all foreign travel pre-approval reporting up to standard.
ThreatSwitch helps companies gather the required data from employees on the new reporting requirements so that they can be easily communicated to government customers serving both DoD and the IC.
If you're a federal contractor, your reporting requirements just changed – dramatically.
The days of perhaps one report to security per employee every year are over.
SEAD 3 requires contractors holding sensitive positions or who have access to any type of classified information to report a variety of life events, including all non-work-related foreign travel and substantive foreign contacts, to their local security office.
This is well beyond the NISPOM or security clearance reporting we had been used to and the time to get smart on it is now. Keep reading to learn more.
If you were one of the relatively few people who hold TS SCI clearance, SEAD 3 requirements probably sound familiar – but now this guidance applies to all 5.5 million individuals with a clearance, plus anyone in a sensitive position.
If you're a federal contractor, the implications are massive. This means that every single one of your covered employees has to report on themselves – and they are obliged to report on co-workers under certain circumstances.
SEAD 3 is the next part of the insider threat and security-related regulatory changes we've come to know and love.
It's designed to protect the government and the industrial base from an increasingly complex and changing threat environment, punctuated by acts of high-profile insiders like Edward Snowden, Bradley Manning, and Reality Winner.
It was signed on December 14, 2016, and was officially implemented on June 12, 2017. SEAD 3 standardizes reporting requirements for individuals with security clearances. Failing to comply with the new policy could cost contractors their jobs or their employers' facility clearance.
What Employers and their Security Managers Need to Know
If you are a cleared federal contractor, you should already have an insider threat plan in place.
As part of your insider threat program you should already have a system or process (like ThreatSwitch) to share risk and threat information across the enterprise.
Now, every cleared company must have a mechanism to collect a dramatically increased scope of reporting from far more employees. Let's break it down.
1. Everyone must report on themselves.
"Covered individuals" – anyone with any clearance, or anyone covered under the NISP – has a security obligation to report information (outlined below).
Keep in mind that some people who hold a sensitive position but who are not covered under the NISP still have SEAD 3 reporting requirements -- they just don’t fall under the NISP/DoD CSA.
2. Everyone must now report on others.
Covered individuals don't just have to report their own behavior; they are obligated to report similar information if they observe it in others.
3. Security must review every report.
Companies and their customers must be aware of whether the content of those reports (taken together or individually) suggests a potential threat to national security.
You may or may not determine that the reporting needs to move on to DCSA or CI or a CSA, but you need a way for employees to securely send it to you, and for you to keep track of it.
4. Failure puts clearance at risk.
Failure to report can result in revocation of national security eligibility, which may mean your facility, too.
So, what kind of reporting are we talking about? It varies a little by clearance, but it's a long list. EVERYONE – even those with just Confidential access – needs to report:
- Foreign travel. Note that this requirement now extends beyond the previous requirement, which applied only to SCI-cleared individuals.
- Foreign contacts. This isn't just official or business contacts – it includes all foreign contacts.
- Behavior and conduct of others. This includes general security uncooperativeness, unexplained affluence, alcohol abuse, illegal drug use, certain mental health issues, criminal conduct, general concerns about national security, or misuse of systems.
- Foreign Affiliation
- Media Contact
- Criminal Activity
- Alcohol & Drug Treatment
- Behavior & Conduct
Furthermore, everyone with a Top Secret or Q clearance has the following additional reporting obligations:
- Financial anomalies
- Non-US Adoption
- Foreign national roommates
- Foreign business
- Foreign property
- Foreign bank accounts
One bright spot: information that has already been reported in an SF-86 or in DISS is not required to be reported.
In short, every security program must have a mechanism for employees to report on themselves and others, and a way to record and share that information appropriately.
We've given this a lot of thought at ThreatSwitch, which is why we have designed our product to fulfill 100% of the SEAD 3 reporting requirements for all employees, right out of the box.
Give us 10 minutes and we’ll show you how!