CMMC Practice AT.L2-3.2.3 – Insider Threat Awareness: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Links to Publicly Available Resources
This paper from Carnegie Mellon discusses potential ways an insider threat program could go wrong. This link to CDSE provides insider threat training and awareness. This toolkit contains resources to help you perform your role in the insider threat field. This webpage provided by CISA will help individuals, organizations, and communities create or improve an existing insider threat mitigation program. This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This course from FEMA provides guidance on how to identify and take action against insider threats. This guide provides direction for implementing the basic building blocks of an insider threat program. This Framework is designed to help optimize insider threat program capabilities. This course from DNI is intended to help familiarize you with the subject of insider threat and to provide guidance. This course discusses how Insider Threat Awareness is an essential component of a comprehensive security program.
Discussion [NIST SP 800-171 R2]
Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices of organizations. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in behavior of team members, while training for employees may be focused on more general observations).
Further Discussion
An insider threat is the threat that an insider will use their authorized access, wittingly or unwittingly, to do harm. Insider threat security awareness training focuses on recognizing employee behaviors and characteristics that might be indicators of an insider threat and the guidelines and procedures to handle and report it. Training for managers will provide guidance on observing team members to identify all potential threat indicators, while training for general employees will provide guidance for focusing on a smaller number of indicators. Employee behaviors will vary depending on roles, team membership, and associated information needs. The person responsible for specifying insider threat indicators must be cognizant of these factors. Because of this, organizations may choose to tailor the training for specific roles. This practice does not require separate training regarding insider threat. Organizations may choose to integrate these topics into their standard security awareness training programs.