New insider threat training regulations take effect for defense contractors

Mindful of all the federal contractors who have made news in recent years for their connections to leaked defense-related information, the U.S. government has upped the requirements surrounding insider threat training for defense contractors.

The new requirement—part of National Industrial Security Program Operating Manual (NISPOM) Change 2, which went into effect May 31— demands that all cleared government contractors must complete insider threat employee awareness training prior to being granted access to classified information, and they must go through training annually.

Notice of the then-forthcoming regulation was issued in May 2016 by the Undersecretary of Defense for Intelligence Marcel Lettre. Experts say it will bring the information security training for defense contractors into line with requirements for full-time government defense employees.

“This new regulation aligns with what the government agencies already do,” said John M. Dillard, CEO for ThreatSwitch, a software-based service for defense contractors. He adds that the new rule changes build upon the original NISPOM regulations that have been in effect for roughly 50 years.

With as many as 1.5 million defense contractor employees in the U.S., developing and supporting a new insider threat-focused training program might seem to be a tall order. But Dillard said that according to a report released in January 2017 by the Defense Security Service, roughly 85 percent of defense contractor respondents said they had at least begun to implement this training for their employees.

Still, Dillard points out that it is unclear how effective the new trainings may be, and how the programs are being rolled out at large defense contractors versus smaller operations. For instance, the insider threat training regulation also requires that every single facility that has employees working with a security clearance must have a senior official acting as the program lead.

“This training touches every employee, so it’s a big deal,” Dillard said. “And there is a pretty wide variation in security practices across the community.”

Thomas Jones, systems engineer for Bay Dynamics, explains that the required training includes three main components: penalties for committing an insider threat offense, indicators that someone may be an insider threat and contact guidance if a contract employee believes he or she has identified a potential insider threat.

“The factors behind why this requirement went into effect are a combination of high profile data breaches caused by third party contractors [such as] Edward Snowden and Harold Martin III, high-profile attacks against government agencies as a whole,” Jones said, also pointing to “the Chinese army’s alleged cyber spying unit, known as Unit 61398, which actively targets contractors’ home systems and their work systems, as a manner of gaining intrusion to U.S. government networks.”

Other industry experts who work with government defense contractors agree that while recent events do not necessarily paint contractors as more of a security risk than their full-time government agency counterparts, the new requirement is considered necessary to bring them to the same standard.

Agnes Dover, a partner at Hogan Lovells, which represents many government contractors, agrees that the topic of insider threats has been one of “increasing currency” in the wake of compromises involving contractors Edward Snowden and, more recently, Reality Winner.

“I’m not aware of [contractors] being considered more of a threat, but you have thousands and thousands of employees who are cleared and have access,” Dover said. “And they could be just as vulnerable or careless.”

But experts also say this move might well be part and parcel of a wider move to impress security across all their user and employee groups. “This is nothing more than driving additional focus on [Operational Security] for employees and subcontractors,” said Tony Cole, vice president for global government and chief technology officer at FireEye, a cybersecurity firm that works with government agencies and contractors. “Think about how all corporations generally have some semblance of a security program to keep people and the company’s materials safe. This is no different; however, as we’ve seen previously with breaches and leaks, the effects can be more damaging when it’s a government leak.”

And, according to Stu Sjouwerman, CEO of security awareness training outfit KnowBe4, this regulation is also a response to the popular and increasing focus on human vulnerability in breaches.

“The last few years, it has become blindingly clear that the bad guys are not even bothering trying to find software vulnerabilities,” Sjouwerman said, “and have gone after the end-user with social engineering.”

Now, under the new NISPOM Change 2 rules, government contractors are required to have a program to train every employee with internet access how they might recognize and report potential social engineering attacks, he said.

Specifically, these government contractor insider threat training programs must “gather, integrate, and report relevant and credible information covered by any of the 13 personnel security guidelines, which may be indicative of a potential or actual insider threat to deter cleared employees from becoming insider threats [and] detect insiders who pose a risk to classified information; and mitigate the risk of an insider threat,” Cole said.

But, as Dillard points out, “effectiveness in information security is hard to measure… even on a leading measure like testing [all] 1.5 million government defense contract employees… they will require a fairly substantial budget for checking this work.” Case in point: The U.S. government spent $1.3 billion on enforcing NISPOM rules in 2015; the amount is expected to be much higher in 2016 and this year, Dillard said.

Indeed, what the NISPOM Change 2 addresses “is a programmatic vulnerability,” says Heather Foley, the chief security officer for MKACyber. “It’s a vulnerability that exists no matter what is happening in the recent news events. An organization’s vulnerability becomes a government vulnerability if there aren’t proper security measures and procedures in place.”

On the other hand, the positive long-term impact that this new regulation might have is “the responsible sharing of insider threat-relevant information such as security violations, threat intel, HR issues, and foreign travel… between government workers and agencies and cleared private contractors,” Foley said.

Jones is also hopeful that, in the long-term, the new requirement will help contractors reduce third-party vendor risk.

“It’s definitely a step in the right direction and should help flag insider threats before they succeed,” Jones said. “However, security awareness training is only one piece of effective vendor risk management and it should be held more than just once a year.” Security awareness training is most effective when it is given on an “as-it-happens basis where contractors who violate policies are immediately trained, in short seven-to-10 minute sessions, on the policy they violated and how it elevates risk,” he said, in addition to quarterly training where all contractors should take a test about insider threats.