In May, NISPOM Change 2 went into effect, requiring industry to have an insider threat training program for all employees with access to classified information. In addition to developing a program, facility security officers (FSOs) will be required to offer annual training to all employees.
Having at least implemented a program, the biggest questions security professionals now have are: "How do I know my program is effective, and what will the Defense Security Service (DSS) look at when they come to make an assessment?"
Over the course of multiple sessions at the recent NCMS Conference in Anaheim, Calif., representatives outlined some of the criteria they'll be looking for when the assessments begin. Officials were quick to clarify that initially, the focus will not be on the quality of your program, simply that you have one.
DSS reported that as of June, 98 percent of cleared facilities (11,732) have had their plans certified. That means industry has thus far done an excellent job of creating the baseline of having a representative and some kind of plan to address insider threats.
The next step for DSS is to create criteria for evaluating programs. Officials noted they will pass along the criteria they’ll be looking for when evaluating effectiveness.
"Time, effort and dedication" will be part of the evaluation, noted Matthew Roche, Assistant Deputy Director, Field Operations, Defense Security Service. He noted that as of today, DSS is seeing plans that are boilerplate, essentially pulled directly off the DSS website with a company logo slapped on. Whatever the final DSS evaluation criteria are, plans must be customized and focused on the unique mission and personnel at your facility.
What DSS Isn’t Looking For
"One thing we're not going to be looking for in evaluating the efficacy," noted Roche, "is finding an insider threat. We know that's something we can't control." That means the success or failure of an insider threat program is not at all contingent upon a company finding a threat, or not finding one.
Over and over again, both DSS representatives and companies who have had ongoing insider threat programs cited one key to a successful program: culture. A culture that "breeds organic reporting," and that requires all cleared employees to get to know the people they work "with, around and for."
One of the key issues FSOs face in creating a program? Employees aren't necessarily spending their down time around a water cooler; they're spending their down time on their smartphones. That means a creative and potentially more effective component of insider threat programs should be to encourage employees to establish a friendly rapport. Employees should be able to identify who they're interacting with every day, and have some idea of their work function and responsibilities.
"The evolution of society is affecting and impacting what our policies should be," noted Roche. "The sharing economy, which started with Napster and extended to Airbnb ... it's going to be a huge challenge for us." He noted a major difference between the most recent breaches and the espionage cases of previous decades. Today's insider threats weren't motivated by financial gain; "they did it for ideologically bent reasons," said Roche.
That has serious implications for how insider threats will need to be rooted out moving forward. It may no longer be as important to see who in the office is coming in with a brand new car. You may be better off checking out who is changing their bumper stickers.
“We have to overcome this hesitancy to get a firm understanding of who you’re interacting with, and are they doing the things you expect them to do?” said Roche.
DSS reiterated that criteria will be created to help guide FSOs through this new requirement. The Risk Management Framework (RMF) will have specific requirements. When DSS begins evaluating insider threat programs for efficacy, compliance with the RMF will still be the guidepost.