Monday, September 2, 2019

Gather, integrate, and report insider threat information

This article addresses the NISPOM-based Insider Threat Program (ITP) compliance requirements and is inspired by questions from the Self Inspection Handbook for NISP Contractors. The article uses the handbook’s format to walk through the self-inspection criteria. We begin with the topic question, then the NISPOM reference, an explanation of the requirements, and finally how to inspect for compliance.

Topic Question(s):
Does your program include a capability to gather, integrate, and report relevant and credible information, which falls into one of the 13 adjudicative guidelines indicative of a potential or actual insider threat?

EVIDENCE: Explain the process to gather and integrate data and provide procedures

NISPOM Reference(s):

a. The contractor will establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat, consistent with E.O. 13587 (reference (ac)) and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (reference (ad)), as required by the appropriate CSA.

One might ask what is reportable as far as insider threat indicators go. Aside from actually catching a culprit red-handed sabotaging company resources or stealing government secrets, the employee is asked to report suspicious but credible observations. The Facility Security Officer (FSO) of the cleared defense contractor organization should develop a methodology for reporting insider threat behavior, and training on how to recognize that behavior and then report it.

To do so, there is an existing methodology that leverages a current requirement. The “go to” resource for a standardized process or policy on what counts as relevant and credible information is the 13 Adjudicative Guidelines. Any one of these guidelines can serve as an indicator of an authorized employee with malicious intent.

A review of the 13 Adjudicative Guidelines can provide data points for a risk manager to build upon. The guideline topics and a simple description of each are provided below so that behaviors can be identified and, if credible, reported to the Insider Threat Program Senior Official.

Employees can be trained to observe certain behavior and recognize it as a trigger for whether or not to report. When an employee observes credible high-risk behavior, they should understand to whom and how to report it.

Here are the 13 Adjudicative Guidelines that should be employed to recognize reportable behavior.

Guideline A: Allegiance to the U.S.
A cleared employee should demonstrate unquestionable allegiance to the United States. Any behavior or other indication of involvement in, training to commit, support of, or advocacy of any activity that demonstrates loyalty to another country over the United States should be reported. Examples of such behavior could include questionable internet searches, club memberships, or charitable donations to organizations whose allegiance lies with other countries and whose aims would harm the United States.

Guideline B: Foreign Influence
Foreign contacts and interests may be a security concern if a cleared employee demonstrates divided loyalties or foreign financial interests. The concern is that they may be influenced to help a foreign person, group, organization, or government in a way that is not in the U.S. interest. The cleared employee could also be vulnerable to pressure or coercion by any foreign interest.

Guideline C: Foreign Preference
Here the cleared employee could be demonstrating behavior that serves the interests of a foreign person, group, organization, or government in conflict with the national security interest.

Guideline D: Sexual Behavior
A cleared employee could be engaged in sexual behavior that involves a criminal offense. Alternatively, the behavior could indicate a personality or emotional disorder, reflect a lack of judgment or discretion, or subject the individual to undue influence, coercion, exploitation, or duress. If in violation of Guideline D, the behavior could raise questions about an individual's reliability, trustworthiness, and ability to protect classified information.

Guideline E: Personal Conduct
This is a catch-all category. It covers cleared employees demonstrating questionable personal conduct or concealing information about their conduct. Such behavior creates a vulnerability to exploitation, manipulation, or duress.

Guideline F: Financial Considerations
A cleared employee who is financially overextended could be at risk of engaging in questionable behavior to improve their situation. This behavior could also reflect on the other Guidelines.

Guideline G: Alcohol Consumption
This is one of the more obvious indicators and is easier to recognize in most situations. It includes alcohol-related incidents at work, such as reporting for work or duty in an intoxicated or impaired condition, or drinking on the job.

Guideline H: Drug Involvement
The use of illegal drugs or misuse of prescription drugs can raise questions about an individual’s reliability and trustworthiness, both because drug use may impair judgment and because it raises questions about an individual’s willingness to comply with laws, rules, and regulations.

Guideline I: Psychological Conditions
Certain emotional, mental, and personality conditions can impair judgment, reliability, or trustworthiness.

Guideline J: Criminal Conduct
Criminal activity creates doubt about a person’s judgment, reliability, and trustworthiness and calls into question a person’s ability or willingness to comply with laws, rules, and regulations.

Guideline K: Handling Protected Information
This can be accidental, repetitive, or malicious. Any situation where a cleared employee mishandles classified information should be addressed according to the investigative findings. Forgetful employees can be trained, but problem employees demonstrating repeat offenses may lose their clearances. Insider threats with malicious intent could be reported to law enforcement.

This behavior can be demonstrated through a long list of NISPOM or ITAR violations, such as improperly loading, drafting, editing, modifying, storing, transmitting, or otherwise handling classified reports, data, or other information.

Guideline L: Outside Activities
Involvement with any foreign, domestic, or international organization or person engaged in analysis, discussion, or publication of material on intelligence, defense, foreign affairs, or protected technology is a concern. This can be held in close regard with Guidelines A and B, as well as others, depending on motivation.

Guideline M: Use of Information Technology
Cleared employees should handle classified information appropriately, and Guideline K covers activity that violates NISPOM guidance. Guideline M concerns the use of any classified or unclassified information technology system to gain unauthorized access to information or a system. This includes hacking into servers, email, networks, or computers.

The next step is to develop a method of investigating and reporting the behavior. One scenario is that an employee reports suspicious activity to the FSO per earlier NISPOM guidance. The FSO receives the report and begins an inquiry based on NISPOM requirements. However, with recent NISPOM updates the FSO can now engage the Insider Threat Team as part of that inquiry. Credible violations of the Guidelines can at the very least result in addressing the protection of classified information, or be raised to another level to address potential insider threat issues.

Ideas to demonstrate compliance:
Develop a reporting process for receiving credible reports of suspicious behavior
Document reports and investigations
Document results of investigations
Create and deliver training to employees
Document training

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".