Mandatory insider-threat detection program may help Booz Allen and hurt startups

Newly implemented federal rules that call for the creation of mandatory insider-threat detection programs will make competing for lucrative U.S. intelligence and cybersecurity contracts increasingly difficult for smaller defense firms, experts tell CyberScoop.

“Classified programs have some of the highest barriers to entry for small businesses to start working with government agencies. The new policies associated with the Insider Threat program add to those barriers,” said Michael Hoffman, director of Tandem National Security Innovations, an Arlington, Virginia, tech consultancy that helps startups bid for federal business.

The Defense Department in May published a set of requirements, known as NISPOM Change 2, for government contractors to comply with by Nov. 30. Firms must provide insider threat workforce training to employees, appoint an official insider threat program manager and more broadly, increase their coordination with the U.S. Defense Security Service.

The shifting standard on insider-threat detection compliance comes just months after the FBI arrested a Booz Allen Hamilton employee named Harold Martin. According to public court filings,  Martin stole troves of classified information while working for the NSA and Office of the Director of National Intelligence.

“As we have already seen in the cases of Edward Snowden and Harold Martin, if not managed properly, third party contractors can easily walk out the door with sensitive information,” said Vice President Steven Grossman of Bay Dynamics, a behavioral analytics software developer with experience selling to the intelligence community. “Mandating that contractors develop and maintain insider threat programs is a positive step in helping reduce that risk, however, Change 2 doesn’t address some important components.”

The volume of classified information taken by Martin over the course of a more than decade-long intelligence career vastly exceeds that leaked by NSA whistleblower Edward Snowden in 2013. Why Martin was stealing classified files to begin with continues to be the subject of an ongoing federal lawsuit.

“Identifying third parties that are potential insider threats requires a combination of the ability to identify unusual behavior that potentially impacts valuable assets, along with transparency and communication with the vendor’s management to get the full picture,” said Grossman. “Without both the ability to identify indicative behaviors and collaboration with vendor management, any insider threat program will fall short.”

DSS will importantly consider the size and scope of a contractor’s work when assessing its implementation of NISPOM Change 2. Even so, lawyers and contractors say that the compliance process may bring unintended consequences to market. While it may appear that established giants like Booz Allen Hamilton and Raytheon would face the greatest compliance burden, the longterm impacts of this new rule remain difficult to decipher.

For example, though NISPOM Change 2 pushes a comparatively greater overall compliance burden onto multinational corporations that boast large footprints in the classified space, a majority of these brands have already developed similar, existing plans, policies and procedures to NISPOM, explained Wiley Rein LLP partner Jon Burd. As such, the actual gap towards compliance is relatively less damaging to business for these players.

“Those organizations’ compliance may involve simply extending what they are already doing, or consolidating existing procedures,” Burd said.

“By contrast, the burden will likely be felt disproportionately by small and mid-sized organizations, which may have further to go in creating or implementing new policies and procedures,” Burd described. “Some of the technical requirements involving information systems security and monitoring may require these organizations to invest more heavily in systems administration capabilities and expertise.”

Chicago-based Accenture, one of the single largest technology and consulting service providers for government agencies, is among a cohort of brands that has been actively preparing for NISPOM Change 2 since President Obama announced the requirement via a 2011 executive order.

“Navigating and complying with NISPOM should not be an arduous task for organizations,” surmised Gus Hunt, cybersecurity practice lead at Accenture Federal Services.

He added, “a range of modern technologies can be implemented to help build resiliency against attacks. At the same time, to manage compliance, cleared contractors will also want to consult with advisers or directly with the Defense Security Service,” Gus Hunt, cybersecurity practice lead at Accenture Federal Services, told CyberScoop. “As our adversaries get better at what they do, standards for threat programs will need to evolve, and these initial requirements are critical first steps to address security challenges.”