How you can ensure your Insider Threat Program is effective and meets requirements
For any companies holding a Facility Clearance (FCL), the 32 CFR Part 117, NISPOM requires an insider threat program, an internal program dedicated to preventing and catching insider threats. This is led by the Insider Threat Program Senior Official (ITPSO). This is a position the Senior Management Official (SMO) will appoint in a letter. The Facility Security Officer (FSO) can serve as the ITPSO, especially within a smaller company, but they must be a cleared employee.
While this is a key part of maintaining your FCL, the requirements for this program are somewhat vague in the NISPOM. The FSO STEPP training goes more into depth about what exactly is required. If you don’t have an insider threat program or don’t meet requirements, you could be putting your FCL at risk.
In order to begin this program, the ITPSO must complete the insider threat STEPP training within 30 days of appointment. Once they’ve completed their training, they draft an insider threat program company policy. This is a 3-4-page document that will outline the ITPSO’s responsibilities within the company, training requirements for the ITPSO and employees, and what information needs to be reported regarding insider threats. From there, the ITPSO begins work on starting the insider threat working group.
Creating the Working Group
The insider threat working group is a group of company employees whose goal is to catch any insider threats. Essentially, the working group creates more dedicated eyes looking out for suspicious behavior from other employees. This group is the bulk of your insider threat program and is key to preventing and stopping insider threats within your company. The group can be as few as two people, and while there isn’t an upper limit, it’s best to limit how many people are in the group to decrease the likelihood that information leaks out.
The working group needs a separate guide from the company policy. This guide will be longer, around 30 pages, and cover how often the group will meet, what insider threat concerns the group should be looking for, the procedure for responding to reports and more. The ITPSO is also responsible for creating this guide, and it will be shared with any members of the group.
Once the guide is written, group members need to be selected. Both the ITPSO and FSO need to be members of the group, but beyond that, any cleared or uncleared employees can be selected to join. Recruiting is generally not a difficult process, as employees often see these duties as part of their job already. The number of people you have join depends on how many you feel you’ll need to have good coverage of employees. For example, a 500-employee company should have a working group of about 10.
Once group members are selected, they’ll need to complete the same STEPP training as the ITPSO within 30 days of their appointment. From there, the group is ready to start meeting.
Responsibilities of the Working Group
The working group must meet at least once a year, but quarterly meetings will be more effective.. At their meetings, they can discuss any potential threats or issues, like people not reporting their foreign travel or suspicious emails going around the company, and go over a case example of an insider threat to familiarize group members with what they look like.
If something happens between meetings, like a report being made against an employee at the company, an emergency meeting can be called. Here, the group discusses the report and sees if anyone can corroborate the information being reported. For example, maybe it’s reported that an employee has gone from driving a beat-up truck to a brand-new car they wouldn’t be likely to afford. This information can be brought to the group, and someone may have extra information, like the car being a present from someone in the employee’s life. This is part of the informal insider threat investigation before things are escalated to the DCSA.
Bi-annually or annually the group can also discuss any possible holes in the company’s existing security, changes that need to be made to the working group guide, or any other ways the company’s insider threat prevention can be improved. You may also want to take the time as a group to walk around the facility and look for ways to improve the physical security of the area, like adding cameras to an area that’s unprotected.
The DCSA will be looking to make sure you’ve built a working group that’s meeting in order to comply with the NISPOM requirements. Make sure to keep records of meeting agendas and minutes so you can give them to your DCSA representative during their annual security review to prove the group is meeting regularly. Keep copies of all the member’s certifications from completing their STEPP training. A common mistake companies make is not giving members of the group the needed training, which the DCSA representative will be looking for.
When building the working group, it’s best to choose employees who have day-to-day interactions with a variety of employees. These could be project managers, directors, or people with positions in person-forward departments like HR or IT.
If you work at a company that is fully or partially remote or has employees in the field, this can be more difficult to manage. Look for people who will be willing to reach out to others occasionally through email, phone calls, or other forms of communication and build relationships. This way, they’ll be more aware when insider threat indicators appear.
For employees who take the training and join your company’s working group, make sure you keep your own copy of your training certification, whether as a physical copy or saved to your desktop. The certification doesn’t expire unless DCSA decides to change the training, so you can carry that certification with you to future companies.
If you need help building or running your insider threat program, or even just need another person in your working group, Adamo can help! We offer FSO support services that can alleviate the stress of your job by helping you with maintaining your FCL. Contact us today to learn what difference Adamo can make in your security program.