Malicious insiders are a top security threat for federal agencies, as demonstrated by Edward Snowden’s release of government secrets and the U.S. Navy Yard shooting (in which 12 people were killed). In both incidents, and many more, the malicious actors held security clearances. Yet those who monitored cleared personnel were not aware of changes in their life circumstances that could have alerted authorities to the potential threat they posed.
As the clearance process works, each person holding a security clearance must be re-vetted every five or 10 years (depending on the level of the clearance). However, within that time period, if something happens that could impact their clearance, such as getting arrested for drunken driving or going through a bankruptcy, the individual is responsible for self-reporting it. While many do, others do not.
This risk poses a tremendous challenge for the federal government, which simply does not have the resources to continuously monitor every person with a security clearance. As of November 30, the responsibility will fall upon the federal contractors via new insider threat guidelines in the Department of Defense Defense Security Service Industrial Security Letter.
FedPulse spoke with Raj Ananthanpillai, chief executive officer of IDentrix, a firm that provides continuous employee evaluation and insider threat detection services, to discuss what these new rules mean for federal contracts and what contractors can do today to prepare.
FedPulse: What is behind this rule?
Ananthanpillai: The government used to operate in a “trust and verify” mode. But that policy has led to damaging security breaches. The days of “trust and verify” are gone. “No trust” is the policy. It is critical to do whatever possible to predict a security breach — whether physical or cyber. That means continuously monitoring cleared individuals.
FedPulse: What does the rule change mean for contractors?
Ananthanpillai: Federal contractors will be required to monitor the risks posed by their cleared workforce, both on the job and outside the job. They need to do this by implementing a written program that will detect, deter and mitigate insider threats by gathering, integrating and reporting relevant and credible information covered by any of the 13 personnel security adjudicative guidelines. This may include suspicious network activity, personal conduct, financial considerations, alcohol and drug use, mental or personality disorders, and criminal conduct or security violations.
The consequences of non-compliance are potentially drastic: If contractors do not implement procedures for monitoring those clearance holders, they could lose their facility clearance — which would in all likelihood mean the company would lose its contracts.
FedPulse: Logistically, how can contractors monitor these potential security risks?
Ananthanpillai: There are two types of monitoring: in and outside the office. There is the continuous monitoring of what employees do on the job — looking at network activity, log files, network and IT systems activity, and so on. Most companies have implemented software that has those security protocols in place.
The challenge is keeping track of the employee’s actions outside the office. How does a contractor know if someone is having the kind of personal problems that can lead to becoming a candidate for blackmail, for example? Security clearance holders are supposed to self-report potential issues, but not all do. And others may not realize that what has happened in their personal life (such as getting a divorce) could have any bearing on their clearance.
Contractors can perform public records checks periodically, or they can hire a firm to do the monitoring for them. The challenge is doing this without invading the employee’s privacy, and doing it regularly enough to comply with the rules.
Any solution selected needs to be easy, transparent and defensible. When so much of the data will come from a variety of sources, matching it to an individual employee can be time consuming if it’s done manually. The matching process and how threats are escalated must also be transparent so that everyone understands how and why an employee was flagged. The process is defensible with an audit trail that can be traced back to the source data.
The large government contractors will have an easier time with this as most of them already maintain extensive insider threat detection programs. However, small and medium-sized businesses will face challenges in setting up and maintaining the program. And that could impact the larger companies too because they often team with these smaller businesses.
FedPulse: For those contractors who do not yet have a program in place, what can they do now to get the ball rolling?
Ananthanpillai: There are several things companies need to do immediately. The first is to assign an insider threat officer — find the person within the company who will own this task. The second task is to perform a self-assessment: How many clearance holders does the company have? Is there any mechanism in place to monitor the employees? And so on.
This is also the time to document how you will monitor the risk associated with your employees and respond to the perceived threats based on being a critical, high, medium or low threat — all while protecting their privacy. I would advocate you identify the perceived threat first and then develop the processes after you’ve identified the potential problems.
It is extremely important that any information found be used only for the purpose of determining a security threat. Including legal counsel in developing the policy is important to ensuring the process adheres to the law. Companies must also update employee manuals to ensure that employees with clearances understand the rules and the process.
FedPulse: IDentrix has been performing this type of monitoring for years. How do you ensure privacy while also ensuring companies are alerted to potential threats?
Ananthanpillai: Protecting the individual’s privacy has been a primary concern for us. Our cloud-based platform uses data encryption and a multi-tiered security approach to keep information secure. We filter alerts from 1,500 databases. When a potentially relevant change occurs in the background of an identity, the system generates an alert so the organization can promptly perform an investigation to verify the information and report it as required for cleared personnel in accordance with applicable legal requirements. The company chooses which type of alerts to receive, ensuring only information that could predict a security risk is monitored.
We’re also adding views based on role and responsibility. When users sign into our platform, they’ll see only what they have direct responsibility over. Not only have we encrypted the data, but we’re also applying robust governance over who has permission to see the data.
FedPulse: Anything else to add?
Ananthanpillai: This is a complex challenge for federal contractors, and we know they have many questions about how to implement an insider threat program. We have partnered with Holland & Knight to host a series of webinars on how to enable a National Industrial Security Program Operating Manual (NISPOM)-compliant insider threat program. The first one is this Thursday, and we hope as many companies as possible will attend if they are affected by the rules change.
How to Address Continuous Monitoring for Cleared Employees
Thursday, October 6, 2016
1 p.m. EDT – 2 p.m. EDT
FedPulse would like to thank Raj Ananthanpillai for taking the time to speak with us.