On May 31st, a new requirement, part of National Industrial Security Program Operating Manual (NISPOM) Change 2, went into effect. It mandates that all cleared government contractors complete insider threat employee awareness training before being granted access to classified information, and that they repeat this training annually. As the requirement rolls out, it is worth keeping in mind the federal contractors who have made news in recent years because of their connections to leaked defense-related information. Experts say the change brings information security training for defense contractors in line with the requirements that full-time government defense employees already must meet. John M. Dillard, CEO of ThreatSwitch, a software-based service for defense contractors, stated that, “This new regulation aligns with what the government agencies already do”.
With more than 1.5 million defense contractors in the United States, developing and implementing an efficient training program may seem daunting. However, according to a report released in January 2017 by the Defense Security Service, roughly 85 percent of defense contractor respondents said they had at least begun to implement this training for their employees. The required training includes three main components: 1) the penalties for committing an insider threat offense, 2) the indicators that someone may be an insider threat, and 3) whom to contact if a contract employee believes he or she has identified a potential insider threat.
Thomas Jones, systems engineer for Bay Dynamics, explained the reasoning behind the new requirements: “The factors behind why this requirement went into effect are a combination of high profile data breaches caused by third party contractors [such as] Edward Snowden and Harold Martin III, high-profile attacks against government agencies as a whole.” Jones also indicated that the new training could aid in the defense against “the Chinese army’s alleged cyber spying unit, known as Unit 61398, which actively targets contractors’ home systems and their work systems, as a manner of gaining intrusion to U.S. government networks.”
While recent events do not necessarily show contractors to be more of a security risk than their full-time government agency counterparts, the new requirement is considered indispensable for bringing them to the same standard. Over the last few years, it has become increasingly clear that attackers no longer rely only on finding software vulnerabilities; they increasingly go after the end user with “social engineering” that exploits human rather than technical weaknesses. Awareness training of the kind the requirement mandates (recognizing indicators, knowing the penalties, knowing whom to report to) is aimed squarely at that human layer. In closing, the effectiveness of the information security gains imposed by the new requirements is difficult to measure at this point in time. The hope, however, is that in the long term the requirement will help contractors reduce third-party vendor risk, since an “organization’s vulnerability becomes a government vulnerability if there aren’t proper security measures and procedures in place.”