This article addresses the NISPOM-based Insider Threat Program (ITP) compliance requirements and is
inspired by questions from the Self Inspection Handbook for NISP Contractors. The
article uses the handbook’s format to walk through the self-inspection criteria. We
begin with the topic question, then the NISPOM reference, an explanation of requirements,
and finally how to inspect compliance.
Topic Question(s):
Does your program include a capability to gather, integrate,
and report relevant and credible information, which falls into one of the 13
adjudicative guidelines indicative of a potential or actual insider threat?
EVIDENCE: Explain process to gather and integrate data and provide procedures
VALIDATION:
NISPOM Reference(s):
1-202a
a. The contractor will establish and
maintain an insider threat program that will gather, integrate, and report
relevant and available information indicative of a potential or actual insider
threat, consistent with E.O. 13587 (reference (ac)) and the National Insider
Threat Policy and Minimum Standards for Executive Branch Insider Threat
Programs (reference (ad)), as required by the appropriate CSA.
One might ask what is reportable as far as insider threat indicators are
concerned. Aside from actually catching a culprit red-handed
sabotaging company resources or stealing government secrets, the employee is
asked to report suspicious but credible observations. The Facility Security
Officer (FSO) of the cleared defense contractor organization should develop
a methodology for reporting insider threat behavior and training on how to
recognize the behavior and then report it.
To do so, there is an existing methodology that leverages a
current requirement. The “go to” resource for a standardized process or
policy on relevant and credible information is the 13 Adjudicative
Guidelines. Any one of these guidelines can serve as an indicator of an authorized
employee with malicious intent.
A review of the 13 Adjudicative Guidelines can provide data points for a risk
manager to build upon. The guideline topics and a simple description of each
topic are provided so that behaviors can be identified and, if credible,
reported to the Insider Threat Program Senior Official.
Employees can be trained to observe certain behaviors and
recognize them as triggers for whether or not to report. When an employee
observes credible high-risk behavior, they should understand to whom and how to
report it.
Here are the 13 Adjudicative Guidelines that should be employed
to recognize reportable behavior.
Guideline A: Allegiance to the U.S.
A cleared employee should demonstrate unquestionable
allegiance to the United States. Any behavior or other indications of involvement
in, training to commit, support of, or advocacy of any activity that
demonstrates loyalty to other countries should be reported. Examples of
behavior could include questionable internet searches, club memberships, or
charitable donations to organizations with allegiance to other countries that
would bring about the demise of the United States.
Guideline B: Foreign Influence
Foreign contacts and
interests may be a security concern if a cleared employee demonstrates divided
loyalties or foreign financial interests. The concern is they may be influenced
to help a foreign person, group, organization, or government in a way that is
not in U.S. interests. The cleared employee could also be vulnerable to
pressure or coercion by any foreign interest.
Guideline C: Foreign Preference
Here the cleared employee could be demonstrating behavior
that could serve the interests of a foreign person, group, organization, or
government that is in conflict with the national security interest.
Guideline D: Sexual Behavior
A cleared employee could be engaged in sexual behavior that
involves a criminal offense. Or the behavior could indicate a personality or
emotional disorder, reflect a lack of judgment or discretion, or
subject the individual to undue influence or coercion, exploitation, or duress.
If in violation of Guideline D, the behavior could raise questions about an
individual's reliability, trustworthiness and ability to protect classified
information.
Guideline E: Personal Conduct
This is a catch-all guideline. It covers cleared employees
demonstrating any personal conduct, or concealing information about their
conduct, that creates a vulnerability to exploitation, manipulation,
or duress.
Guideline F: Financial Considerations
A cleared employee who is financially overextended could be at
risk of having to engage in questionable behavior to improve their situation.
This behavior could reflect the other Guidelines.
Guideline G: Alcohol Consumption
This is one of the more obvious guidelines and easier to recognize in
most situations. It covers alcohol-related incidents at work, such as reporting for work
or duty in an intoxicated or impaired condition or drinking on the job.
Guideline H: Drug Involvement
The use of illegal drugs or misuse of prescription drugs can
raise questions about an individual’s reliability and trustworthiness, both
because drug use may impair judgment and because it raises questions about an
individual’s willingness to comply with laws, rules, and regulations.
Guideline I: Psychological Conditions
Certain emotional, mental, and personality conditions can
impair judgment, reliability, or trustworthiness.
Guideline J: Criminal Conduct
Criminal activity creates doubt about a person’s judgment,
reliability, and trustworthiness and calls into question a person’s ability or
willingness to comply with laws, rules, and regulations.
Guideline K: Handling Protected Information
Mishandling can be accidental, repetitive, or malicious.
Any situation where a cleared employee mishandles classified information should
be addressed per the investigative findings. Forgetful employees can be
trained, but problem employees demonstrating repetitive offenses may lose their
clearances. Insider threats with malicious intent could be reported to law
enforcement.
This behavior can be demonstrated through a long list of NISPOM or ITAR violations such as loading,
drafting, editing, modifying, storing, transmitting, or otherwise handling
classified reports, data, or other information.
Guideline L: Outside Activities
This guideline concerns any foreign, domestic, or international organization or
person engaged in analysis, discussion, or publication of material on
intelligence, defense, foreign affairs, or protected technology. This can be
considered together with Guidelines A and B as well as others, depending on motivation.
Guideline M: Use of Information Technology
Cleared employees should handle classified information
appropriately, and Guideline K addresses activity that violates NISPOM guidance. Here, the
concern is use of any classified or unclassified information technology system to gain
unauthorized access to information or a system. This includes hacking into
servers, emails, networks or computers.
The next step is to develop a method of investigating and
reporting the behavior. One scenario is that an employee reports suspicious
activity to the FSO per earlier NISPOM guidance. The FSO could receive the report
and begin an inquiry based on NISPOM requirements. However, with recent NISPOM
updates the FSO can now engage the Insider Threat Team as part of that inquiry.
Credible violations of the Guidelines can at the very least result in
addressing the protection of classified information or be raised to another
level of addressing potential insider threat issues.
Ideas to demonstrate compliance:
Develop a reporting process for receiving credible reports of suspicious behavior
Document reports and investigations
Document results of investigations
Create and deliver training to employees
Document training
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing.
He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures.
He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".