Friday, September 9, 2016

In Depth Insider Threat Training

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

This is the second article under the topic of Insider Threat Training. The earlier article addressed the requirement to training, who to train and when. This article addresses what to train.

NISPOM 3-103b states: NISPOM 3-103b states: All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.

Specific Application:
Question: Does your training align with the requirements outlined in NISPOM 3-103 and CSA guidance?

This is a specific question to determine how well the NISP contractor has developed, documented, and presented insider threat training to compliment the Insider Threat Program (ITP) and industrial security requirements.  According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training.  Interestingly enough, the Insider Threat Training is now required prior to giving a cleared employee access to classified information.

Let’s break down NISPOM Chapter 3-103b into its basic requirements. This will allow us to develop specific training plans to address the topics.

Importance of detecting potential insider threats by cleared employees and reporting suspected activity
Report all viable suspicious activity. First, NISP employees should recognize reportable activity and how to report it. The NISP organization should be able to demonstrate a reporting process that emphasizes the importance of recognizing, reporting and reacting to insider threat activity. This process should be well documented, taught to employees and readily available for inspections and reviews. This is something that should be tailored to the enterprise’s internal policies.

Methodology of adversaries to recruit trusted insiders

There are many methods an adversary can use to target and engage authorized and trusted employees. Some ways adversaries have used to get sensitive information include:

·         Elicitation-Subtle form of questioning where conversation is directed to collect information; it is different than direct questioning and harder to recognize
·         Eavesdropping-Listening in on conversations to get information.
·         Surveillance-Watching target unobserved and looking for exploitation opportunities
·         Theft-stealing classified information
o   There is a technology gap in many weapons systems where the US leads. The best way to close that gap is to steal information from or sabotage US efforts.
o   Acquiring information circumvents the research and development requirement. While R&D is an expensive effort, stealing R&D information is an attractive option.
·         Interception-acquiring classified information as it is transmitted (oral, electronic, hand delivery) to the authorized receiver.
·         Sabotage-destroying, interrupting or corrupting. It is accomplished through cyber-attacks, insider manipulation, and destructive activities.

Indicators of insider threat behaviors and procedures to report

Cleared employees should understand how to work with, store and protect classified information; regardless of type. As a result of good security awareness training, there and expectation placed upon these cleared employees that they will treat classified information per NISPOM requirements. Employees disregarding procedures should be noted and reported. Here are some indicators:
·         Keeping classified materials in an unauthorized location
·         Attempting to access sensitive information without authorization
·         Obtaining access to sensitive information inconsistent with present duty requirements
·         Using an unclassified medium to transmit classified materials
·         Discussing classified materials on a non-secure telephone
·         Removing classification markings from documents
·         Repeated or un-required work outside of normal duty hours
·         Sudden reversal of financial situation or a sudden repayment of large debts or loans
·         Attempting to conceal foreign travel
·         Failure to report overseas travel or contact with foreign nationals
·         Seeking to gain higher clearance or expand access outside the job scope
·         Engaging in classified conversations without a need to know
·         Working hours inconsistent with job assignment or insistence on working in private

The above are but a few indicators contrary to good security policy. Anyone displaying this activity should be reported as soon as possible.

Counterintelligence and security reporting requirements, as applicable

The 13 adjudicative guidelines used to evaluate an employee’s trustworthiness should also be used for continuous evaluation. Any employee displaying behavior that is contrary to the guidelines must be reported when that information constitutes adverse information.

Such incidents that constitute suspicious contact must be reported as well as incidents concerning actual, probable or possible espionage, sabotage, terrorism or subversive activities at any of a NISP contractor’s locations must be reported to Federal Bureau of Investigation with a copy to the CSA.

Here are some specific examples of what should be reported. We recommend a process in place to first notify the Facility Security Officer (FSO) (unless they are the problem) so that the FSO can notify, DSS, and where required, the FBI. Events or behavior that changes:
·         The status of the facility clearance
·         The status of an employee’s personnel security clearance

Events or behavior that indicate:
·         An employee poses a potential Insider Threat
·         Inability to safeguard classified information
·         Classified information has been lost or compromised

Once a NISP contractor has developed insider threat training as described above, it should be included in the self-inspection. The Self-Inspection Handbook has a section entirely devoted to the Insider Threat and required training. Implementing the training and measuring effectiveness can be evidenced in the questions below (also from the handbook).

·         Explain how and when this requirement is fulfilled for new employees
·         Explain and provide annual training
·         Explain how you keep a record of employees insider threat training
·         Can you recall any of the following being addressed in briefings?
o   Risk Management
o   Job Specific Security Brief
o   Public Release
o   Safeguarding Responsibilities
o   Adverse Information
o   Cybersecurity
o   Counterintelligence Awareness
o   Insider Threat

How does your company verify that all cleared employees have completed the required insider threat awareness training, per NISPOM 3-103b and documented as in NISPOM 3-103c?

3-103c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.

This is easy enough to demonstrate. Save a copy of the training and sign in sheets.


1. Provide a copy of insider threat training that is either stand alone or is incorporated into existing training plans.
2. Provide sign in sheet or other media to demonstrate that required employees have received the required training.
3. Provide an insider threat training policy or existing policy that requires insider threat training as outlined in NISPOM.
4. Ask cleared employees the following questions and document their responses:
            a. Who is an insider?
            b. What is an insider threat?
            c. How do you report an insider threat?
            d. How might a cleared employee demonstrate adverse behavior?
            e. Who is in charge of the Insider Threat Program?
            f. Name two methods an adversary might use to recruit and “insider”.

For more information, consider visiting our website at You can find industrial security themed books such as NISPOM, ITAR, Security Clearance and Contracts Guidebook; NISPOM based training presentations including insider threat training that you can download and present. For questions, you can email us at

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

No comments: