Insider threats: New challenge for cleared contractors.

Author: Jehl, Laura
Position: Legal Viewpoint

In May 2016 the Defense Department issued Conforming Change 2 to the National Industrial Security Program Operating Manual (NISPOM).

NISPOM Change 2 requires every U.S. government contractor that needs access to U.S. classified information to implement, by Nov. 30, 2016, an insider threat program that gathers, integrates and reports relevant information related to potential or actual insider threats among cleared employees.

Insider threats--a growing phenomenon--arise when employees or contractors exploit legitimate access to an organization's data for unauthorized or malicious purposes. Much of the impetus for the new rule appears to be a valid concern about large-scale thefts of classified data, as exemplified by Edward Snowden's release of a vast trove of sensitive documents stolen from the U.S. National Security Agency.

Under the new rule, affected contractors must determine how to "identify and report relevant and credible information that may be indicative of an insider threat, deter cleared employees from becoming insider threats, detect those who pose an actual risk to classified information and mitigate the risk of an insider incident."


The rule requires in-house legal, information security and human resources departments to collect and share information related to the 13 personnel security adjudicative guidelines, to monitor access, and attempted access, to classified databases, and to establish an insider threat training program that educates employees on how to identify potential insider threats. Any suspected compromise of classified information must be reported immediately to the Defense Security Service (DSS).

On its face, the broad language of the rule, which mandates reporting of "relevant and credible information" that "may be" indicative of "potential or actual" threats, appears to favor over-reporting rather than under-reporting of unusual behaviors or personal factors. Simply put, if an employee's conduct or statements, whether inside or outside the office, raise "credible" red flags, DSS must be notified. But the rule is short on specifics as to exactly what kinds of conduct or statements would indicate a potential insider threat, and silent as to how to determine what kind of information, and from what source, would be considered "relevant and credible."

Contractors subject to the new rule will need to think carefully about how to balance their compliance obligation with employee workplace rights and civil liberties; and consider how...
