Industry prepares for new insider threat regulation.

• Author: Tadjdeh, Yasmin

Even as the Defense Department prepares to implement a new regulation to help mitigate insider threats, security breaches are continuing. Experts say more needs to be done to address the situation.

Years after the Edward Snowden and National Security Agency scandal, the Department of Justice announced that yet another NSA contractor had allegedly stolen classified information.

Harold Thomas Martin III was charged with the "theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor," a Justice statement released in October alleged.

Martin--a 51 -year old contractor from Glen Burnie, Maryland--had a top-secret security clearance and was arrested in August, according to Justice.

The announcement came less than two months before the Defense Department intends to implement a new policy that would require companies to establish individual programs to detect, deter and mitigate insider threats.

Under guidance from the department's defense security service, companies doing business with the Pentagon will soon be required to stand up a program to "gather, integrate and report relevant and available information indicative of a potential or actual insider threat."

The requirement--which has a Nov. 30 deadline--is part of a change to the Defense Department's "National Industrial Security Operating Manual," and was announced in a letter released in May.

The new rule, while basic, is a step in the right direction, said Bryan Ware, CEO of Haystax Technology, a security analytics company.

"Is it enough? I don't think so," he said. "To get to the place where industry really has good insider threat programs is not going to come from this change and it's not going to come quickly."

Though not particularly onerous, in general, industry does not want to be compelled to follow more regulations, he said.

"What I would love to see would be that having a strong insider threat program was a strategic advantage for winning government business, particularly sensitive government business," he said. "When it's just a security check-in-the-box, that's not going to happen. But when instead it gives you an advantage over a competitor winning a contract ... then I think we'll see real, serious programs emerge that become the best practices."

Most defense companies don't have any kind of insider threat program, Ware said.

"Certainly when you look at... the largest defense contractors, the Lockheed...