In our ongoing series on continuous evaluation, insider threats, and personnel security, we are going to define each of these terms and how these areas relate to each other. Click here for an earlier related blog.
Continuous Evaluation (CE). This term has generally been tied to the population of individuals with U.S. Government security clearances. The term “continuously evaluate” itself shows up in the SF-86, and continuous evaluation was permitted in Executive Order 13467 calling for reform of the personnel security programs. CE is the process of changing the SF-86 investigation from timeline-driven to one that is event-driven. As such, the conditions that can be evaluated are the areas under the Adjudicative Guidelines which generally speak to a person’s behavior outside of their work location across the general dimensions of finances, criminal activity, and mental health. The purpose of CE is to add rigor to the self-reporting process by making security officers aware of reportable events, and more seriously, to identify individuals at risk of stealing and selling secrets, destroying information, or threating lives. Responsibility for CE lies with the agencies that sponsor and grant the security clearances. Individuals with security clearances may be located anywhere – on-site or off-site. This is where it starts to get a little confusing.
Identifying the risk of unfavorable employee behavior is actually an insider threat problem. Insider threat programs have typically been targeted at persons located on-site (or remotely accessing on-site) and is continuously monitoring their activity on premise. Note we used the term “continuously monitor”. It’s a real term in the context of insider threat programs and the concept is similar but is not to be confused with continuous evaluation. Monitored activities include among other things network access, system access, and physical access. It can often include email traffic (especially in and out of the local networks) and removable storage media.
So people who currently operate on-site – or have the right to go on-site unescorted to a government facility — will already be in the insider threat program. If they have a security clearance, they will also be in the CE program.
What about people with security clearances who never, or rarely, go on-site? Glad you asked. Changes to the National Industrial Security Program (NISP) will be calling for companies that fall under the NISP to implement their own insider threat programs. Many probably already do to some degree for intellectual property protection but now you’ll see companies implement insider threat programs for persons in and around classified information that is stored in contractor facilities. To be clear, there will be people who do not have security clearances in government contractor facilities but they interact with people who do, so they will be continuously monitored in the insider threat sense. Will they also be continuously evaluated as defined above? I believe they should be – especially if they have access to and can influence a person with access to sensitive information in the workplace, or if they work in the proximity of classified facilities.
So what does this mean? Today there are two distinct populations for insider threats – those inside a government facility and those inside a contractor facility. The population for continuous evaluation today lays over the top of both to cover the portion of each that have active security clearances. My prediction is that the CE population will expand to cover 100% of both insider threat populations and CE will eventually just be swallowed into insider threat programs.
Let’s not forget Cybersecurity. Cybersecurity includes attacks from outside the organization by individuals, groups, and nation states. More commonly, cybersecurity threats are thought to extend beyond external attackers and include insider threats. Makes sense. The motivations for an external attacker could also be motivations for employees to do harm. Does this mean insider threats will be consumed into cybersecurity the same way we predict continuous evaluation to be consumed in insider threats? No, but they will be related and interact with each other. Cybersecurity is just too broad of a category. Cybersecurity is generally implemented by information security departments while insider threats are more of an employee security/ human resources-like function. However, data from each program will feed the other. Data from employee activities monitored by the information security group’s cybersecurity programs will feed the analytics of insider threat systems. Insider threat analytics on employee activities will serve to shore up information security weaknesses.
On December 15, TransUnion sponsored the annual Cyber Playbook event in Washington DC, where Trevor Rudolph, Chief of the Cyber and National Security Unit Office of E-government and IT, Office of Management and Budget (OMB) shared how his organization completed the Cybersecurity Sprint, and were able to clean up the basic hygiene of federal IT security by identifying high value assets across government, gaining a better understanding of privileged users, and completing scans and patching for critical vulnerabilities across 100% of the US government. Amazing achievements have occurred but, considering the current environment, we all know there is more work to be done by everyone around cybersecurity and insider threats.
We hope this starts a discussion on these areas and their relative definitions and predictions. Let us know below if you have comments, questions, topics you’d like to see covered in this series, or if you’d like to be contacted directly.