Those engaged in National Industrial Security Program (NISP) engagement with the U.S. government have been building their insider threat program and attendant training for the past seven years. This past week, the Director of National Intelligence’s (DNI) “National Insider Threat Task Force” (NITTF) issued their maturity framework directed at government department and agencies (D/A) to help makes sure all the bases are covered and a means to measure program efficiency is present.

The timing could not have been better, as we have been faced with a plethora of insiders breaking trust with their D/A and sharing classified or sensitive protected information in their possession. The recipients/benefactors include media, hostile intelligence organizations and unauthorized third parties.

The motivation for insider threats

The three primary motivations have been in place for many millenniums and include greed, revenge, and notoriety. While these three motivators are found to be present among those who voluntarily reach out from within their classified environment, in the digital age, we also have to factor in insider carelessness.

insider Carelessness?

Lack of attention to detail enables seemingly weekly declarations of one entity or another not having configured their databases, applications, or web properties correctly, and exposing sensitive information to unauthorized individuals.

Similarly, the onslaught of phishing emails, SMS messages and video messages – all designed to socially engineer the recipient into taking an action which would compromise their device – is a constant. Insiders as a threat is not a mystery, according to Netwrix Corporation’s 2018 IT risk report. More than 50% of all data breaches are caused by insiders.

NISP program managers within the government contracting community will be well served to take on board the six areas of focus highlighted within the NITTF. These areas are: Senior Official/Insider Threat Program Leadership; Program Personnel; Employee Training and Awareness; Access to Information; Monitoring User Activity; and Information Integration, Analysis, & Response.

This will require the dedication of resources, perhaps requiring adjustments to how one conducts business with the government in the classified realm. Cybersecurity statistics show 87% of companies expect to increase their funding requests by up to 50% and only 12% believe they will get an increases over 25%. Wallets will have to open.

According to Dave Wilcox, Vice President of Federal for DTEX Systems, this framework, created in support of E.O. 13587 of October 2018, has been a long time coming. The framework predominantly focuses on ensuring the counterespionage/insider threat cyber capabilities within government can be measured and improved.

“There are huge efficiencies which are realized with the implementation of technology,” Wilcox notes. “The government must be prepared to align policies and initiatives to encourage innovative, cost effective solutions.”

For NISP managers, knowing how and why the sponsoring D/A’s are being measured on their insider threat program maturity, allows one to ensure that when the tide rises, their NISP insider threat program rises in concert with that of the cognizant security authority (CSA).

This is the bell which security program managers need to be ringing, a robust insider threat program isn’t a value add, it is table stakes to continued access to the NISP customer.

How does your organization measure up to this NITTF maturity framework?


The NITTF’s maturity framework consists of 19 elements, designed to help entities evolve their insider threat program (InTP).  (Click here to read the entire 17-page pdf.)

  1. Senior Official/Program Leadership: Exists as a dedicated effort, positioned in the D/A to ensure access to leadership to build support, identify resources, and integrate insider threat objectives within the D/A’s mission and functions.
  2. Senior Official/Program Leadership: Employs metrics to determine progress in achieving program objectives and to identify areas requiring
  3. Senior Official/Program Leadership: Ensure InTP adapts to changes in law, policy, organizational structure, and information technology (IT) architecture.
  4. Senior Official/Program Leadership: Employs risk management principles tailored to address the evolving threat environment and mission needs.
  5. Program Personnel: Includes stakeholders from a broad range of functional areas and others with specialized disciplinary expertise to strengthen InTP processes.
  6. Program Personnel: Provides continuing education and training in appropriate fields and disciplines to help professionalize the insider threat cadre.
  7. Employee Training and Awareness: Provides training and materials to all employees addressing the full range of insider threats to create a culture of insider threat awareness and prevention within the D/A.
  8. Access to Information: Develops automated or scheduled processes for regular and timely receipt and integration of information from all relevant D/A stakeholders.
  9. Access to Information: Establishes procedures to receive notification with predictable frequency of information relevant to insider threat from other US Government and federal partner data holders.
  10. Access to Information: Employs documented processes to validate information sources and identify and assess the use of new information sources.
  11. Monitoring User Activity: Establishes a user activity monitoring (UAM) capability on all USG end points/devices and government-owned IT resources connected to USG computer networks accessible by cleared D/A personnel.
  12. Monitoring User Activity: Ensures UAM requirements are incorporated into D/A IT planning, design, and accreditation processes.
  13. Monitoring User Activity: Establishes capability to monitor the activity and conduct independent audits of InTP personnel with access to insider threat information and tools.
  14. Information Integration, Analysis, & Response: Employs data integration methodologies and advanced analytics to help detect anomalous activity and potential insider threats.
  15. Information Integration, Analysis, & Response: Employs behavioral science methodologies to help identify indicators of potential insider threat.
  16. Information Integration, Analysis, & Response: Employs risk scoring capability based on behavioral and workplace factors to assist with detection of anomalous activity and potential insider threats and in the application of tailored mitigation strategies.
  17. Information Integration, Analysis, & Response: Documents procedures and agreements with other USG InTPs to request or refer information on insider threats of mutual concern
  18. Information Integration, Analysis, & Response: Employs case management tools to ensure the integrity and effectiveness of the insider threat inquiry and response processes
  19. Information Integration, Analysis, & Response: Conducts routine exercises to improve integration, analysis, and response procedures and processes.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of