1 00:00:01,170 --> 00:00:07,490 Welcome to the Insider Threat Overview for FSOs video. This is a high-level overview 2 00:00:07,490 --> 00:00:14,719 of the Insider Threat Program. So, who is an insider threat? It is a trusted individual 3 00:00:14,719 --> 00:00:19,830 in your company that may use their authorized access to do harm to United States national 4 00:00:19,830 --> 00:00:27,260 security. A trusted individual could be an employee, consultant, supplier, or business 5 00:00:27,260 --> 00:00:32,859 partner. This could be wittingly or unwittingly and can harm your program’s obligation to 6 00:00:32,859 --> 00:00:39,199 protect classified information. It is important to report suspicious activities and behaviors 7 00:00:39,199 --> 00:00:44,620 without delay. People are often reluctant to report suspicious behavior, as they don’t 8 00:00:44,620 --> 00:00:49,979 want to pry into other people's business or are afraid of making false accusations. 9 00:00:49,979 --> 00:00:55,719 If the question is “Should I report this?” The answer is usually “Yes.” Reporting 10 00:00:55,719 --> 00:01:00,969 is not needless meddling or turning someone in; it is fulfilling an obligation to protect 11 00:01:00,969 --> 00:01:07,149 our people and national security. All cleared facilities are required to have an Insider 12 00:01:07,149 --> 00:01:14,159 Threat Program and an Insider Threat Program Senior Official, or ITPSO. Specific requirements 13 00:01:14,159 --> 00:01:21,520 can be found in the Insider Threat Toolkit at cdse.edu. As the Facility Security Officer, 14 00:01:21,520 --> 00:01:28,759 or FSO, you will need to work closely with the ITPSO to promote a strong security program. 15 00:01:28,759 --> 00:01:35,320 In your company, you may be both the FSO and ITPSO. It is also crucial to have support 16 00:01:35,320 --> 00:01:40,759 from senior leadership for the Insider Threat Program to be effective. Insider threat awareness 17 00:01:40,759 --> 00:01:46,429 training is a requirement at your facility, given to employees initially and on an annual 18 00:01:46,429 --> 00:01:53,140 basis. A record of training must be maintained. While it is only required to be given to cleared 19 00:01:53,140 --> 00:01:58,009 employees, it is a best practice to give the training to all employees, as anyone can observe 20 00:01:58,009 --> 00:02:04,670 suspicious behavior. The National Industrial Security Program Operating Manual, or NISPOM, 21 00:02:04,670 --> 00:02:09,470 requires training: on current and potential threats, the importance of detecting potential 22 00:02:09,470 --> 00:02:16,000 insider threats and reporting suspected activity, methods used to recruit trusted insiders, 23 00:02:16,000 --> 00:02:21,180 indicators of insider threat behavior and procedures to report, and counterintelligence 24 00:02:21,180 --> 00:02:26,459 and security reporting requirements. There is also separate training required for insider 25 00:02:26,459 --> 00:02:33,010 threat program personnel. Cdse.edu has many resources available to help with training, 26 00:02:33,010 --> 00:02:40,700 including case studies, job aids, videos, posters, and games. When fulfilling training 27 00:02:40,700 --> 00:02:45,280 requirements, it's important to emphasize that the insider threat is REAL, and to keep 28 00:02:45,280 --> 00:02:51,549 the training fresh and impactful. Potential Risk Indicators, or PRIs, are concerning behaviors 29 00:02:51,549 --> 00:02:57,220 or activities that may be present before the occurrence of a negative event. PRIs can indicate 30 00:02:57,220 --> 00:03:02,200 that an employee may be at risk of becoming an insider threat. Some of these indicators 31 00:03:02,200 --> 00:03:07,740 are criminal conduct, financial or foreign considerations, professional performance issues, 32 00:03:07,740 --> 00:03:13,090 psychological conditions, substance abuse, security compliance incidents, or suspicious 33 00:03:13,090 --> 00:03:18,860 technical activity. Detailed information on PRIs is available in the Insider Threat Toolkit 34 00:03:18,860 --> 00:03:26,739 at cdse.edu. What about reporting? Employees report suspicious behavior to either you or 35 00:03:26,739 --> 00:03:34,969 the ITPSO. Don’t overreact—there is usually more than one PRI shown by an insider threat. 36 00:03:34,969 --> 00:03:39,860 Use critical thinking—for example, personal foreign travel doesn’t automatically make 37 00:03:39,860 --> 00:03:45,049 the employee an insider threat; unreported travel or frequent travel to the same country 38 00:03:45,049 --> 00:03:50,989 might be an indicator. DCSA is here to help you in determining these indicators. 39 00:03:50,989 --> 00:03:56,909 Once it is determined that there is a possible insider threat, report it immediately to DCSA 40 00:03:56,909 --> 00:04:02,269 through your Industrial Security Representative or Counterintelligence Special Agent. 41 00:04:02,269 --> 00:04:07,700 One key requirement to an effective Insider Threat Program is to establish an active Insider 42 00:04:07,700 --> 00:04:12,730 Threat Program Working Group. Based on your company’s size and operations, this team 43 00:04:12,730 --> 00:04:19,100 should consist of the ITPSO, FSO, and key company representatives (for example, Human 44 00:04:19,100 --> 00:04:25,030 Resources and IT, or Information Technology). This working group should meet regularly, 45 00:04:25,030 --> 00:04:30,650 have good communication, conduct self-inspections, maintain records on the status of the program, 46 00:04:30,650 --> 00:04:36,330 ensure pertinent information is shared, respond to insider threat incidents, and establish 47 00:04:36,330 --> 00:04:43,060 and follow reporting requirements. It is important that the FSO be an integral part of the Insider 48 00:04:43,060 --> 00:04:49,010 Threat Program Working Group. You are the security counterpoint for DCSA at your facility 49 00:04:49,010 --> 00:04:55,310 and should be well versed on the insider threat. The FSO also receives employee status changes 50 00:04:55,310 --> 00:05:01,560 and adverse information reporting, which could be an indication of an insider threat. 51 00:05:01,560 --> 00:05:07,290 Again, use critical thinking—for example, an employee marrying a foreign national is not automatically 52 00:05:07,290 --> 00:05:12,200 an insider threat indicator, but an employee with a lifestyle of regular foreign contacts 53 00:05:12,200 --> 00:05:20,540 might indicate a concern. So, to recap, here are important items to know as an FSO: First, 54 00:05:20,540 --> 00:05:25,010 senior management support is crucial for an effective Insider Threat Program. 55 00:05:25,010 --> 00:05:30,970 Getting buy-in from management in all departments supports buy-in from employees. The insider 56 00:05:30,970 --> 00:05:36,650 threat is real, and timely reporting of observed suspicious behavior is vital. Reporting is 57 00:05:36,650 --> 00:05:41,830 not information to be used against a person; it is a responsibility to protect people and 58 00:05:41,830 --> 00:05:47,530 national security. If the question is “Should I report this?” The answer is usually “Yes.” 59 00:05:47,530 --> 00:05:52,870 Third, keep training interesting and impactful by varying the methods used to convey what 60 00:05:52,870 --> 00:05:59,000 you want people to know. Cdse.edu has many products in the Insider Threat Toolkit to 61 00:05:59,000 --> 00:06:04,090 use for employee training. For example, you could send out a quarterly case study to reinforce 62 00:06:04,090 --> 00:06:09,680 the training to employees. Potential Risk Indicators are concerning behaviors or activities 63 00:06:09,680 --> 00:06:15,070 that may show a person is at risk of being an insider threat. Usually more than one PRI 64 00:06:15,070 --> 00:06:22,440 is involved. Report a PRI to DCSA as soon as possible. And finally, it is important 65 00:06:22,440 --> 00:06:28,090 that the Insider Threat Program Working Group has regular communication and follows established 66 00:06:28,090 --> 00:06:34,330 procedures. You, as the FSO, are an integral part of the group. You should now have a better 67 00:06:34,330 --> 00:06:39,670 understanding of the Insider Threat Program and how the FSO is an important part of protecting 68 00:06:39,670 --> 00:06:45,110 national security against the insider threat. Much more detailed information can be found 69 00:06:45,110 --> 00:06:51,760 at cdse.edu, especially in the Insider Threat Toolkit. We encourage you to visit our website 70 00:06:51,760 --> 00:06:56,960 soon and often for all of your security education and training needs!