Conforming Change 2 has finally been released. This change to the National Industrial Security Program Operating Manual (NISPOM) mandates that all cleared contractors have a functioning Insider Threat program.
Understanding the government’s point of view will help you institute a program that exceeds minimum standards. Remember, the ultimate goal should not be to have a “check the block” compliance but to best protect your people and the assets of your company against hostile internal threats.
Designed to protect both lives and property, the National Insider Threat Policy (NITP) requires agencies to:
- Establish a program headed by a designated official
- Ensure minimum training standards
- Collect and protect information in a centralized system, on an ongoing basis
Now that the government has extended its Insider Threat requirements to the contractor community under Conforming Change 2, we see three basic premises for compliance:
1. You have to crawl (and walk) before you can run.
The government intent is to get everyone to a minimum and consistent set of policies and procedures to improve collective defense. Contractors are a vital part of the functioning of government. Making everyone read from the same sheet of music helps accomplish this. So, as you consider how to build out your own program, we recommend you do the following:
- Review and understand the new minimum standards detailed in the updated NISPOM.
- Make use of your existing capabilities. If you already have an established mechanism to confront security risks, great. Consider how you can align your Insider Threat program to the functions that already work.
- Find gaps in your protection. An honest assessment of where you are weakest will help you apply limited resources to the most critical areas.
2. All risks are not the same.
There is a growing chorus of concern that the small- to medium-sized businesses affected by Conforming Change 2 will need to institute megalithic Insider Threat programs at a scale equivalent to a multi-billion-dollar defense company.
Yes, mom-and-pop businesses are in the supply chain, but the government generally takes a risk-based approach. As it conducts internal reviews of its own executive agencies, the government is already grading its risk. The Department of Defense may not present the same level of risk as the Department of Education.
However, Education does not present zero risk: it is the nation's third largest bank, based on its volume of student loans. So a system of Tiers 1, 2, and 3 will probably not be based on sheer size, but on the degree of risk a company presents to the system. A chain is only as strong as its weakest link. Don't let your company be that weak link.
3. Take a whole-of-organization approach.
The Insider Threat program does not "belong" to management, human resources, IT, or Security, but touches all of these areas. Each functional discipline has its own perspective. In creating its own programs, the government has taken a multidisciplinary approach based on the philosophy that people think differently and bring unique perspectives to the table when dealing with Insider Threats.
An important reminder: do not neglect personnel issues. At the root of your business are the human beings who work there. Monitoring employee satisfaction and mitigating disgruntlement is a key element of protecting your company from Insider Threat. These safeguards must demonstrate a balance of respect for civil liberties and privacy concerns and alignment with your company’s information assurance and security needs.
What has the government learned as it institutes programs within its own agencies?
Our observations can be distilled into learning points for government contractors who fall under Conforming Change 2:
- Realize that technology is not the underlying issue.
- CHANGE THE CULTURE to one of proactive protection rather than fear or neglect.
- Address potential legal issues up front. Each state has different privacy laws.
- Explain to the workforce why the Insider Threat program matters: they have the right to feel safe and secure when they come to work.
- Extend Intellectual Property protection by knowing who the departing employees are.
- Understand common behavior patterns in order to predict Insider Threat behavior early, but also to exonerate innocent people.
If your company embodies these principles, you will not only be ahead of the curve in terms of compliance, but also better equipped to provide a bulwark against internal threats that could cause you or your government customer to suffer economic, physical, or reputational damage.