How Does NISPOM Conforming Change 2 Define Insider Threat?
By Greg Cullison
NISPOM Conforming Change 2 was released on May 18, 2016. Inside the document is an updated definition of Insider Threat.
Definitions are important because they can lead us to understand the bounds of a compliant Insider Threat program. What does the government say?
This post is part of a series of articles covering NISPOM Conforming Change 2.
Learn more about the policy changes and how you can prepare your company for compliance on our Conforming Change 2 Resource Center page.
Insider Threat is defined in the NISPOM as:
"The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency's obligations to protect classified national security information."
So who is the "insider" here, exactly? The policy defines the insider as:
"Cleared contractor personnel with authorized access to any Government or contractor resource, including personnel, facilities, information, equipment, networks, and systems."
Let's pick this apart.
In the government's eyes, the insider is a person who a) holds a security clearance and b) has been granted access to facilities, technology, and/or information that belongs to either the government or the contracting company that employs him or her.
Now, what makes this individual a "threat" is their ability to use their authorized access to cause harm. It's important to realize that the government definition includes not only deliberately malicious actors who do mean to do harm, but also unwitting insiders -- the poor saps whose mistakes risk damange to national security.
No quibbles here. Unwitting insiders are a significant problem in information security (think phishing attacks). However, their behavior can be mitigated through awareness training and improved cyber hygiene. In stark contrast, the malicious insider is a much tougher fish to fry.
The government's new definition of Insider Threat uses three words to mean essentially the same thing: Likelihood, risk and potential. These words refer to the chance (or statistical probability) that something bad will happen. So, the government is saying that even the possibility of compromise -- not statistical certainty -- but the chance that it could happen, constitutes an Insider Threat.
But the definition is problematic because threats and risks are not the same. The two concepts are often confused. The threat is the actor. The risk is the chance that the actor will cause harm. So: a threat can present a risk, but cannot himself be a risk.
What's missing from the definition?
- Former Insiders who have had their access revoked can still have the potential to cause harm
- Despite the Fort Hood and Navy Yard shootings (tragedies perptrated by insiders with access), the Department of Defense has opted to leave workplace violence out of its definition of Insider Threat.
What does all this mean for the cleared contracting company subjected to Conforming Change 2? You must now track incidents that are wittingly or unwittingly perpetrated by your cleared workforce as part of a compliant Insider Threat program -- whether they degrade government systems or programs directly or indirectly. If an insider harms your information, which negatively impacts national security, this is now considered an Insider Threat by the government.