This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.
This is the second article under the topic of Insider Threat Training. The earlier article addressed the requirement to train, who to train and when. This article addresses what to train.
NISPOM 3-103b states: All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee.
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within ISs.
(3) Indicators of insider threat behavior, and procedures to report such behavior.
(4) Counterintelligence and security reporting requirements, as applicable.
Specific Application:
Question: Does your training align with the requirements outlined in NISPOM 3-103 and CSA guidance?
This is a specific question to determine how well the NISP contractor has developed, documented, and presented insider threat training to complement the Insider Threat Program (ITP) and industrial security requirements. According to 3-103b, all cleared employees and employees with ITP duties should receive insider threat awareness training. Interestingly enough, the Insider Threat Training is now required prior to giving a cleared employee access to classified information.
Let’s break down NISPOM Chapter 3-103b into its basic requirements. This will allow us to develop specific training plans to address the topics.
Importance of detecting potential insider threats by cleared employees and reporting suspected activity
Report all viable suspicious activity. First, NISP employees should recognize reportable activity and know how to report it. The NISP organization should be able to demonstrate a reporting process that emphasizes the importance of recognizing, reporting and reacting to insider threat activity. This process should be well documented, taught to employees and readily available for inspections and reviews. This is something that should be tailored to the enterprise’s internal policies.
Methodology of adversaries to recruit trusted insiders
There are many methods an adversary can use to target and engage authorized and trusted employees. Some methods adversaries have used to get sensitive information include:
· Elicitation: Subtle form of questioning where conversation is directed to collect information; it is different from direct questioning and harder to recognize
· Eavesdropping: Listening in on conversations to get information
· Surveillance: Watching a target unobserved and looking for exploitation opportunities
· Theft: Stealing classified information
  o There is a technology gap in many weapons systems where the US leads. The best way to close that gap is to steal information from or sabotage US efforts.
  o Acquiring information circumvents the research and development requirement. While R&D is an expensive effort, stealing R&D information is an attractive option.
· Interception: Acquiring classified information as it is transmitted (oral, electronic, hand delivery) to the authorized receiver
· Sabotage: Destroying, interrupting or corrupting. It is accomplished through cyber-attacks, insider manipulation, and destructive activities.
Indicators of insider threat behaviors and procedures to report
Cleared employees should understand how to work with, store and protect classified information, regardless of type. As a result of good security awareness training, there is an expectation placed upon these cleared employees that they will treat classified information per NISPOM requirements. Employees disregarding procedures should be noted and reported. Here are some indicators:
· Keeping classified materials in an unauthorized location
· Attempting to access sensitive information without authorization
· Obtaining access to sensitive information inconsistent with present duty requirements
· Using an unclassified medium to transmit classified materials
· Discussing classified materials on a non-secure telephone
· Removing classification markings from documents
· Repeated or un-required work outside of normal duty hours
· Sudden reversal of financial situation or a sudden repayment of large debts or loans
· Attempting to conceal foreign travel
· Failure to report overseas travel or contact with foreign nationals
· Seeking to gain higher clearance or expand access outside the job scope
· Engaging in classified conversations without a need to know
· Working hours inconsistent with job assignment or insistence on working in private
The above are but a few indicators contrary to good security policy. Anyone displaying this activity should be reported as soon as possible.
Counterintelligence and security reporting requirements, as applicable
The 13 adjudicative guidelines used to evaluate an employee’s trustworthiness should also be used for continuous evaluation. Any employee displaying behavior that is contrary to the guidelines must be reported when that information constitutes adverse information.
Incidents that constitute suspicious contact must be reported as well. Incidents concerning actual, probable or possible espionage, sabotage, terrorism or subversive activities at any of a NISP contractor’s locations must be reported to the Federal Bureau of Investigation with a copy to the CSA.
Here are some specific examples of what should be reported. We recommend having a process in place to first notify the Facility Security Officer (FSO) (unless they are the problem) so that the FSO can notify DSS and, where required, the FBI.
Events or behavior that change:
· The status of the facility clearance
· The status of an employee’s personnel security clearance
Events or behavior that indicate:
· An employee poses a potential Insider Threat
· Inability to safeguard classified information
· Classified information has been lost or compromised
Once a NISP contractor has developed insider threat training as described above, it should be included in the self-inspection. The Self-Inspection Handbook has a section entirely devoted to the Insider Threat and required training. Implementing the training and measuring effectiveness can be evidenced in the questions below (also from the handbook).
EVIDENCE:
· Explain how and when this requirement is fulfilled for new employees
· Explain and provide annual training
· Explain how you keep a record of employees’ insider threat training
· Can you recall any of the following being addressed in briefings?
  o Risk Management
  o Job Specific Security Brief
  o Public Release
  o Safeguarding Responsibilities
  o Adverse Information
  o Cybersecurity
  o Counterintelligence Awareness
  o Insider Threat
How does your company verify that all cleared employees have completed the required insider threat awareness training, per NISPOM 3-103b and documented as in NISPOM 3-103c?
3-103c. The contractor will establish and maintain a record of all cleared employees who have completed the initial and annual insider threat training. Depending on CSA-specific guidance, a CSA may, instead, conduct such training and retain the records.
This is easy enough to demonstrate. Save a copy of the training and sign-in sheets.
Validation:
1. Provide a copy of insider threat training that is either stand-alone or is incorporated into existing training plans.
2. Provide a sign-in sheet or other media to demonstrate that required employees have received the required training.
3. Provide an insider threat training policy or existing policy that requires insider threat training as outlined in NISPOM.
4. Ask cleared employees the following questions and document their responses:
   a. Who is an insider?
   b. What is an insider threat?
   c. How do you report an insider threat?
   d. How might a cleared employee demonstrate adverse behavior?
   e. Who is in charge of the Insider Threat Program?
   f. Name two methods an adversary might use to recruit an “insider”.
For more information, consider visiting our website at www.redbikepublishing.com. You can find industrial security themed books such as NISPOM, ITAR, and Security Clearance and Contracts Guidebook, as well as NISPOM-based training presentations, including insider threat training, that you can download and present. For questions, you can email us at FSO@redbikepublishing.com.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".