New Insider Threat Regulations to Hit Contractors Hard
Photo: Defense Dept.
The Department of Defense and other government agencies have recognized that competition and innovation from smaller technology companies are critical to overcoming shortfalls in technology and to providing proposed solutions.
At the same time, the country has witnessed an increasing number of successful cyberattacks and insider threats against the U.S.government and the private sector, many associated with state actors.
Federal contractors face a Nov. 30 deadline to begin to implement a number of significant and potentially costly steps to protect against insider threats and outside cybersecurity risks. The new rules are found in conforming change 2 to the National Industrial Security Program Operating Manual, or NISPOM.
Change 2, known as CC2, places a substantial cost burden on contractors, which may not all be reimbursable. Large companies are better able to undertake these costs and to spread them over a wider array of larger contracts. But many small businesses — those the government is trying to attract — will find that satisfying these requirements will strain their technical and personnel capabilities, and their budgets.
The unwelcome result may be a diminution in competition in the classified government contractor space, particularly from smaller, often more innovative entities. For the Defense Department, this means fewer opportunities to develop experimental and innovative solutions through smaller, new contractors and subcontractors, and less creativity in addressing problems.
All of this may not be offset by a significant rise inactual security and may, potentially, result in a diminished ability to protect information.
In May, the Department of Defense issued Industrial Security letter 2016-02 requiring contractors to have a written program plan to implement the insider threat requirements of CC2.
The insider threat program must detail a contractor’s system for gathering, integrating, reviewing, assessing, and responding to information indicative of a potential or actual insider threat. An insider threat is defined in the NISPOM as the “likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States.”
The definition of an “insider” is far reaching, as it encompasses cleared contractor personnel with authorized access to any government or contractor resource, including personnel, facilities,information, equipment, networks and systems. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency’s obligations to protect classified national security information. Thus, for smaller contractors, this could effectively cover all employees and contracted personnel.
A contractor’s insider threat program must, among other things, establish monitoring of classified computer networks and systems,including monitoring both systems and users and implement certain security controls on classified information systems.
In addition to cybersecurity required by contract and the agency that oversees the contractor’s facility clearance, contractors must now also develop and implement a system security plan. The SSP must include policies and procedures for the contractor to provide information security for the contractor’s information system and reduce the security risks to those systems. It must establish processes for planning, implementing, and evaluating remedial actions to address deficiencies in information systems’ security policies and procedures; and create procedures for detecting, reporting and responding to security incidents.
The SSP must mandate self-inspections of the contractor’s own performance, as well as provide draft formal reports of the inspection findings and written certifications that the contractor’s management has been briefed on the results of the self-inspection and corrective action has been taken to address any issues. Each certification must also include a statement that management “fully supports” the contractor’s security program. This self-inspection obligation is in addition to a requirement for annual testing of information systems security and auditing processes and procedures to detect cyber incidents.
To add teeth to the requirements, CC2 requires contractors to certify that it has sufficient protections, including the appointment of any necessary personnel, in place as a condition to the government’s grant of an authorization to allow the contractor to process classified information.
Of particular importance is the wide net that CC2 casts over personnel. As part of the insider threat program, the contractor must designate a cleared, senior employee to be the Insider Threat Program Security Official,who will be responsible for establishing and executing the program. Contractors must appoint a properly qualified employee to serve as the Information Systems Security Manager to oversee the development and implementation of the contractor’s security plan. Likewise, all employees who access classified networks must receive appropriate training.
Beyond that, the contractor must provide training for identified insider threat program personnel and awareness for cleared employees, establish procedures to analyze and report personal information regarding cleared employees, and provide for annual self-inspections and reporting of those inspections.
The foremost cost wedge potentially is the requirement for contractors to hold employees responsible for SSP compliance through monitoring measures, the results of which can be used for criminal, security or administrative proceedings. Contractors will need to procure or contract for technology that will enable this level of monitoring. For contractors with tight budgets or contracts with thin margins, the burden could be significant.
As a result of these programs, individual employees may face loss or suspension of their security clearances, and termination of their employment, on the basis of suspicions of not preventing or causing a cybersecurity breach, or being an "insider threat," as identified through the more proactive, but potentially incomplete, investigative actions by their employers. While those employees may have an opportunity to win back their individual clearances via an adjudicative process, the burden of proof shifts entirely onto the individual to establish that having a security clearance is in the national security interest of the country.
Companies must be careful in reporting suspicious activity about an employee if a loss of that employee's security clearance results in a loss of employment. The contractor can reasonably expect to hear from that former employee's attorney with claims of wrongful termination, particularly if the reported activity turns out to be incorrect. In this regard, the contractor must try to avoid actions that could be alleged to be in conflict with civil rights and equal employment requirements, while also complying with the requirement to report all “relevant and credible” information about possible insider threats. Notwithstanding the best efforts of a contractor, that wider net the revised NISPOM casts over employees adds yet another layer of potential compliance costs.
Historically, the NISPOM has required contractors to file reports upon learning of adverse information that could have an impact on a security clearance or the entity’s status as a cleared facility. Similarly, contractors have always been required to report and assist security personnel to assess known compromises of classified information.
To date, these have been largely passive requirements, not requiring a proactive investigative effort in the absence of a reason to suspect that violations of security requirements have occurred. Even then, most sophisticated contractors would employ outside counsel to conduct internal investigations and advise company management or the board, under attorney-client privilege, regarding the likelihood and extent of concern and appropriate actions for the company to take in compliance with existing statutes and regulations.
That practice will change under the tenets of CC2, which requires contractors to undertake an affirmative and continuing investigative role, both as to the activities of their employees and contracted personnel and as to the security of their systems. Under the auditing and reporting requirements of CC2, a contractor must report relevant and credible information within 72 hours. This requirement must be viewed in combination with any other contractual requirements to report cyber or related incidents. The DFARS, in particular, now contain reporting requirements that are potentially more stringent than those set forth in CC2.
Further, CC2 requires contractors to grant Defense Department personnel access to the systems that are the subject of a suspected cyber threat. As a consequence,contractors may not be able to fully assess the nature of a possible breach before the government begins its parallel investigation. While CC2 includes nominal limitations on the level of access a contractor must provide, in practice, the government may attempt to use such demands for much broader purposes.
This demand for access could begin to replace criminal investigative and grand jury subpoenas as the preferred method of initial government discovery. Contractors may choose to negotiate or even resist in court compliance with a government subpoena, invoking Fourth Amendment and privileges protections, but it remains unclear whether any such protections apply to a DoD demand for access to the contents of computer systems under the NISPOM.
Under various executive orders and a DoD Directive issued in 2014, components of the Defense Department and other government agencies were required to establish processes and policies to protect against insider and cybersecurity threats. It is apparent, however, that uniform application of these requirements across the government is expensive and time consuming and are not being met uniformly or quickly. Thus, the government is imposing security requirements on contractors that it has not itself met consistently. Furthermore, there is no real enforcement mechanism within the government to ensure that adequate programs are put in place contemporaneously with the imposition of such requirements on contractors.
As a result, the requirement that a contractor report vulnerability of its personnel or its computer systems to a government agency may simply place sensitive information where it may be no more secure from outsider access than it was in the hands of the contractor, and it may be less secure. Moreover, if the government collects all information about a suggested insider threat or the data that maybe subject to a cyber threat and places it in its own imperfectly secured systems, that centralization may simply increase the possibility that the information will be improperly accessed. This may provide cyber threat actors with a much more lucrative target for attack by focusing on the data from numerous, threatened contractors stored in a single government site, making it unnecessary to attack numerous contractors’ individual systems.
DoD has been candid that there will be substantial costs associated with complying with these requirements. The Nov. 30 deadline only requires contractors to certify written insider threat programs and begin to implement those plans, but the costs to achieve all of the policies,procedures, and programs implicated by such plans are unlikely to be fully realized for some time.
A contractor’s ability to recover those full costs is uncertain. DoD has declined to develop cost recovery models for compliance with these programs, and simply advises that those costs should be treated similar to the costs associated with any other DFARS requirement during proposal preparation.And failure by a government contractor to adequately protect against insider or cyber threats may result in termination of contracts, recovery of costs and damages, and loss of a facility clearance or status as a responsible contractor.
It is of little comfort to the small contractor for DoD to point out that the cost to the nation of lost or stolen protected information is significantly greater than any financial burden placed on contractors. DoD appears to reject any opportunity by small contractors and subcontractors to treat costs for compliance with these required programs in a way that would make them more competitive with larger contractors.
Inevitably, this may disqualify smaller firms from competing for sensitive government contracts unless they combine with other small or larger contractors so the costs imposed by these programs can be spread.
The authors are members of Bryan Cave LLP’s national security practice. Schwartz and Mammen are resident in the firm’s Washington office. Schoulder is resident in the firm’s New York office.