September 23, 2020
Are You Addressing CUI Within Your Insider Threat Plan?
As companies establish the policies for their Insider Threat Program, they must also think about the specific policies, procedures and safeguarding measures that protect Controlled Unclassified Information (CUI) within the insider threat plan. CUI can include export-controlled, critical infrastructure, patent, legal, financial and personnel information. Your Information Technology Department (or person!) should be an instrumental part of your Insider Threat Program: it is the group that keeps you in compliance with DFARS 252.204-7012 and Cybersecurity Maturity Model Certification (CMMC) requirements and ensures that unauthorized individuals cannot access CUI or your other sensitive and proprietary information. This is accomplished by establishing access controls, awareness training for personnel, portable media controls, a robust personnel security policy and much more. As a cleared facility you are required to follow Defense Counterintelligence and Security Agency (DCSA) policies. The Insider Threat Plan is an auditable item within a DCSA vulnerability assessment, and it will also come into play under CMMC guidelines for future DoD IT audits. If maintaining your facility clearance is important to you, then complying with CMMC should be just as important; for companies with a facility clearance, we recommend implementing the practices in CMMC Levels 1, 2 and 3.
When developing your insider threat plan, consider the following:
- Telecommuting can be an appealing benefit for employees, but it also has its risks, and the necessary safeguards need to be in place. Individuals need to be aware that they must not store CUI on personal systems or use personal email accounts (or personal computers/laptops) to transmit CUI. Are VPNs being used to protect the confidentiality of CUI over remote connections, and is traffic to company resources required to go through them?
- What are your policies for personnel terminating employment with your company? The termination procedure should address collection of badges, changing of door lock combinations, and disabling of computer accounts and access to drives holding sensitive data at the time of termination. It should also include a review of the departing employee's account activity to confirm that no unauthorized downloads occurred in the period leading up to departure.
- What training do you provide your employees? Insider threat training needs to address the threat itself and each employee's responsibility to safeguard information. Cybersecurity awareness training reinforces the effectiveness of your Insider Threat Plan and supports the CMMC awareness and training practices.
- How are you determining that your insider threat plan is effective against CMMC requirements? Ideas to consider include media controls that prevent an insider from inserting a thumb drive to copy out sensitive information or to infect a computer with malware. You can also test your employees by sending a simulated phishing email, measuring the percentage who fall victim to it, and using the result to decide whether additional training is required.
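The media control mentioned above is usually delivered through Group Policy, but it is worth knowing how to apply and verify it on a single Windows endpoint. The following is an added example, not code from the original post or from Centauri; it assumes the standard Group Policy registry locations for the "Removable Storage Access" policies (the top-level `RemovableStorageDevices` key and the `{53f56307-b6bf-11d0-94f2-00a0c91efb8b}` removable-disk class subkey) and must be run in an elevated PowerShell session. It shows the weaker "deny write only" setting next to the recommended "deny all" setting, and lists any USB storage currently attached so you can check the policy is not being bypassed.

```powershell
# Added example (not from the original post). Assumes the documented Group Policy
# registry paths below; run as Administrator. A reboot or 'gpupdate /force' may be
# needed before the device class filter takes effect.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DiskClass = "$PolicyKey\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"   # Removable Disks class

function Set-RemovableStorageDeny {
    param([switch]$WriteOnly)
    foreach ($k in @($PolicyKey, $DiskClass)) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    if ($WriteOnly) {
        # Weaker setting: stops copying data OUT to a thumb drive, but users can still
        # read from (and so execute malware carried on) removable media.
        Set-ItemProperty -Path $DiskClass -Name 'Deny_Write' -Value 1 -Type DWord
        Remove-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    } else {
        # Recommended setting: "All Removable Storage classes: Deny all access".
        Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
    }
}

function Test-RemovableStorageDeny {
    # Reports the effective policy values and whether the host meets the "deny all" bar.
    $all  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $disk = Get-ItemProperty -Path $DiskClass -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyAll    = ($all.Deny_All -eq 1)
        DenyWrite  = ($disk.Deny_Write -eq 1)
        Compliant  = ($all.Deny_All -eq 1)
    }
}

function Get-AttachedUsbStorage {
    # Any present USB-backed disk drive is evidence the control is absent or bypassed.
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR*' } |
        Select-Object FriendlyName, InstanceId, Status
}

# Usage: apply the recommended policy, then confirm it and look for attached USB storage.
Set-RemovableStorageDeny
Test-RemovableStorageDeny
Get-AttachedUsbStorage
```

Run `Test-RemovableStorageDeny` from an endpoint management job or a scheduled task and alert on `Compliant -eq $false`; an insider who can edit `HKLM\SOFTWARE\Policies` can undo the setting, so the check is only meaningful when users do not hold local administrator rights.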
Looking for more on developing or enhancing your Insider Threat Program? Contact the Centauri Security & Cyber Services team using the form below.