Recently, executive orders such as 13587 and 12968 have brought great attention to the president-mandated insider threat programs and permitted continuous evaluation of cleared personnel. These missions are related in some ways but are different, and that causes confusion. Continuous evaluation has a fairly clear set of rules to follow, whereas for insider threat programs we have to look to the laws for guidance.
Part of the confusion lies in the fact that both programs aim to protect classified information. However, the programs accomplish this end via different means. Continuous evaluation specifically gets at the problem of eligibility and suitability to hold a security clearance. After a clearance is granted, it isn’t reinvestigated until some number of years later. Continuous evaluation is meant to ferret out issues during this interim period that would cause the eligibility or suitability to be called into question. Insider threat has a broader definition: it isn’t only about security-cleared personnel or simply monitoring access to classified systems. Insider threat programs are additionally intended to help evaluate the general threat an employee poses to an organization.
For continuous evaluation we have the 13 adjudicative guidelines and the Federal Investigative Standard (FIS), which are used to perform the initial investigation. The adjudicative guidelines specify what dimensions of a person will be investigated, and the FIS specifies how the investigation will be done. Much of the data gathered by an investigator comes from interviews, government systems and external data providers. A person grants permission to be investigated initially as well as continuously when he or she signs the SF-86. Continuous evaluation, then, is simply monitoring for any changes in the criteria specified in the adjudicative guidelines that could be deemed disqualifying offenses. There are clear rules regarding which aspects of a person’s life to investigate as well as clear definitions as to what constitutes a problem. As such, there are very clear guidelines for continuous evaluation, and implementation should be relatively straightforward.
In contrast to continuous evaluation, guidance offered with respect to insider threat programs does not include these same or similar clear guidelines with respect to what should be evaluated. As a result, people tend to reference the adjudicative guidelines to evaluate insider threats. However, the adjudicative guidelines are meant to address a problem that’s much narrower in scope – the specific purpose of eligibility to access classified information. Insider threat encompasses a much larger definition and could include persons who don’t have security clearances and persons who pose a threat that goes beyond classified information. An insider threat is potentially anyone in the organization who poses a threat to that organization. The threat can include espionage, willful destruction of property (sabotage), fraud, theft or violence. The destruction of the USS Miami reminds us of these risks. The vessel had to be decommissioned due to a fire set by a dock worker onboard. Ultimately the repair estimate ballooned to $700M and the Los Angeles class nuclear attack submarine was scrapped for parts.
The adjudicative guidelines and the FIS rely partially on the use of external data sources. The rules for how this data can be used are called out in the adjudicative guidelines and on the SF-86. The challenge for insider threat programs is that there’s no specific guidance with respect to the use of external data sources, yet external data provides a leading indicator of behavioral changes by an employee that could make them a higher level threat, and thus should be considered as part of an effective insider threat program.
The guidelines for insider threat systems are the laws governing the use of external data and employment laws. The Fair Credit Reporting Act (FCRA) defines the roles and responsibilities of Consumer Reporting Agencies (CRA) and the rights of the consumer. The FCRA already permits use of a consumer report for employment screening when the consumer grants explicit consent to do so. The FCRA is probably our strongest guideline for insider threat do’s and don’ts. The FCRA, Gramm-Leach-Bliley Act (GLBA) and the Driver's Privacy Protection Act (DPPA) similarly guide how regulated public record data can be used. Only recently a security policy directive stated how social media data could be used in a background investigation for a security clearance; however, there aren’t yet clear laws and policies on how that data can be used in a broader insider threat situation. Employment laws at the federal and state levels define what can be done with a threat when it is investigated and validated.
Since these are the best guidelines we have with respect to insider threat programs, expect implementation to be less clear, and thus agencies may be slower to implement. Education on these applicable laws is critical for any government or commercial organization as they develop or manage insider threat programs in this new world order.