The deadline for Federal contractors to complete insider threat training programs under a Department of Defense rule change arrives on May 31, and Bay Dynamics Federal Systems Engineer Thomas Jones calls the mandate an “excellent first step” in improving protections against insider threats.

“It’s letting people know that they are being watched and that changes behavior,” said Jones.

This assertion is backed by Bay Dynamics data, which found that 90 percent of incidents where employees leak sensitive information to an outside source are conducted by individuals with innocent intent, and that 80 percent of those employees will change their behavior when called out.

The mandate, which is part of the National Industrial Security Program Operating Manual (NISPOM) Change 2, states that “all cleared employees who are not currently in access must complete insider threat awareness training prior to being granted access. Cleared employees already in access must complete insider threat awareness training within 12 months of the issuance date of NISPOM Change 2, no later than May 31, 2017.”

According to Jones, the mandate closely follows recommendations in the NIST Cybersecurity Framework, and the framework’s risk-based approach to vulnerabilities should be applied to contracts as well.

“I love the way that it actually ties into so many other mandates throughout the government,” said Jones.

He added that the mandate speaks directly toward employee concerns over when to speak out on suspicious behavior, and details what that behavior looks like. However, he said that one area the mandate could improve on was describing what to do specifically if employees see suspicious behavior.

Jones also called for greater frequency in insider threat training, ideally on a quarterly basis.

“My concern is, if you’re only doing this once a year, how effective is that going to be?” he said.

According to Jones, though there’s “always somebody” who misses the deadline in these sorts of things, most large contractors are already conducting this training to some degree, and the smaller ones are on the path to doing so.

“I think it’s a little burden, but not terribly much,” said Jones. “They definitely want to be compliant.”

Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.