FSO Tip of the Month: Meet DCSA Counterintelligence Requirements

The Defense Counterintelligence and Security Agency (DCSA) took off running after it was established to replace the Defense Security Service (DSS) in 2019. Since then, it has taken on 95% of background investigations for the U.S government while working to create new security standards for federal agencies and contractors associated with the Department of Defense (DoD). Included in the new standards is the release of several documents emphasizing the importance of counterintelligence.

“Counterintelligence” is clearly a significant part of DCSA’s overall mission to protect classified information and government contracts while repelling the influence of malicious actors, including domestic and foreign threats. Security officers – including FSOs and CSOs – play a crucial role in supporting counterintelligence by reporting, tracking, and analyzing threats within their own organizations; but in order to do that, they must have the right tools.

In this article, we explain DCSA’s emphasis on counterintelligence by highlighting the connection between counterintelligence and insider threats. We will also look at some of the ways FSOs can use modules within Access Commander to deal with insider threats and meet the DCSA’s counterintelligence reporting requirements.

Insider Threats: Still a Major Problem

DCSA defines Insider Threat as, “… the threat that an employee, contractor or individual with access to government information, systems or facilities will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States.” Accordingly, insider threats have been a central concern in federal security compliance since the release of Security Executive Agent Directive (SEAD) 3 in 2017, which requires cleared personnel to monitor and report security violations committed by their own colleagues.

According to a recent report by Ponemon Institute: Incidents of insider threats have increased by 47%, from 3,200 in 2018 to 4,716 in 2020. Related costs or losses due to the insider threat have surged during this same time frame from $ 8.76 million to $11.45 million in 2020.

As we explained in a past blog post, not all insider threats are the same. The most common types are:

  • Non-malicious error – a majority of insider threat events are caused by mistakes or accidents committed by unwitting or poorly trained employees, especially in the public sector.
  • Disgruntled employee – a minority of insider threats are committed by angry personnel who wish to “get back” at their companies for a real or perceived slight.
  • Malicious insiders – a rising number of insider threats are caused by employees who deliberately exploit their position within a company to advance political goals, or steal money, sensitive information, and trade secrets

For government contractors, malicious insiders – especially those with high-level security clearance – are by far the most dangerous. Counterintelligence is about detecting indicators of malicious behavior and the possible outside influences by foreign actors and governments.

Meet Counterintelligence Requirements with Access Commander 4.0

To detect and root out malicious insiders, cleared personnel are required to report certain events to their FSO; FSOs are required to record and report that information to their Industrial Security Representative (ISR) or Field Counterintelligence Specialist (FCIS).

Specific reporting obligations are outlined in the National Industrial Security Program Operating Manual (NISPOM) and integrated into the modules in Access Commander.

  1. Suspicious Contacts Reporting

NISPOM defines a “suspicious contact” of a cleared employee, as someone who:

  • Tries to obtain unauthorized access to classified or proprietary information
  • Serves as an intelligence officer in a foreign country
  • Indicates that an employee is being targeted by intelligence services in another country

Cleared employees within your organization can report suspicious contacts associated with themselves or a colleague through the Suspicious Contact Reporting module in Access Commander. Data includes:

  • Employee who filed the report
  • Date of the incident
  • Name of suspicious contact if available
  • Contextual information

An FSO can retrieve this information for reporting, analysis, and review through the Suspicious Contacts module under the Incident Reporting tab. All reporting modules integrate with the Personnel Management module which allows FSOs to review employees who are the subject of a report.

  1. Foreign Contacts Reporting

According to DCSA, cleared contractors are always “a prime target of many foreign intelligence collectors and foreign government economic competitors.” Tracking and reporting foreign contacts is therefore central to counterintelligence responsibilities.

A “foreign contact” encompasses any individual of foreign nationality who:

  • Maintains an ongoing relationship with cleared personnel outside of official duties
  • Requests or otherwise tries to obtain unauthorized access to classified information or proprietary intellectual property
  • Indicates that a cleared employee may be the “target of an attempted exploitation”

For the most part, “foreign contacts” are just suspicious contacts from a non-U.S person, but they are reported and processed differently. In Access Commander, foreign contact reports with a photo I.D can be submitted and reviewed from the Foreign Contacts module.

  1. Incidents Reporting

As part of an Insider Threat Program (ITP), NISPOM requires FSOs to report cleared personnel for suspicious activities and disruptive behavior which could indicate that the employee is a threat to their organization. Incidents that should be reported include, but are not limited to:

  • Abuse of substances like drugs or alcohol
  • Arrest and criminal conduct
  • Travel to a foreign country
  • Lack of cooperation with security requirements
  • Unexplained affluence
  • Unreported foreign contacts

Through the Incident Management module, FSOs can record, report, and review security incidents, analyze data for patterns of behavior, and flag potential threats for proactive remediation.

  1. Generate Insider Threat Reports

Addressing insider threats requires cooperation at every level of an organization, from C-level executives to security officers and cleared personnel. The Advanced Insider Threat Analysis module in Access Commander helps Insider Threat Program Officials (ITPSOs) to manage their program, monitor persons of interest, and inform their organization with data visualization and ad-hoc reports.

The Advanced Insider Threat Analysis module provides a top-down view of insider threat trends within an organization, helping security officers to better support counterintelligence while finding and remediating gaps within their ITP.

Security Suite for Comprehensive Counterintelligence

Over the past decade, the number of threats facing government organizations has increased. MathCraft’s software solutions are designed to give FSOs, CSOs, and other security professionals everything they need to run a successful security program, comply with federal regulations, and manage contract requirements. Request a demo today!

MathCraft’s products provide security management professionals with the most comprehensive security platform. Contact us to learn more!