Requirement text: AT.3.058: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Potential indicators and possible precursors of insider threat include behaviors such as: inordinate, long-term job dissatisfaction; attempts to gain access to information that is not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of the policies, procedures, directives, rules, or practices of organizations. Security awareness training includes how to communicate employee and management concerns regarding potential indicators of insider threat through appropriate organizational channels in accordance with established organizational policies and procedures. Organizations may consider tailoring insider threat awareness topics to the role (e.g., training for managers may be focused on specific changes in behavior of team members, while training for employees may be focused on more general observations).
CMMC CLARIFICATION
An insider threat is an employee or contractor who is authorized for computing or network activities but conducts malicious activity with that access. The insider threat security awareness training focuses on recognizing employee behaviors and characteristics that might be indicators of an insider threat and on knowing the guidelines and procedures for handling and reporting them. Training for managers will provide guidance on observing team members to identify all potential threat indicators, while training for general employees will be slightly different and provide guidance for focusing on a smaller number of indicators. While all the indicators are important, general employees may be on different teams, so a colleague's job dissatisfaction or requests for information not required for adequate job performance may be unknown to them. In other words, it is important to tailor the training for specific roles rather than having the same training program for everyone.
Example
You are responsible for training all employees on awareness of high-risk behaviors that can indicate a potential insider threat, so you add the following example to the training package: The organization has created a baseline of normal behavior for work schedules. One employee’s normal work schedule is 8:00 AM-5:00 PM, but another employee noticed that the employee has been working until 9:00 PM every day even though no special projects have been assigned and no short-time-frame deliverables have been identified. The observing employee reports the unjustified abnormal work schedule using the established guidelines of the organization.
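As an added example (not part of the CMMC guide or the NIST source), the script below applies the work-schedule baseline idea from the scenario above to constructed logon/logoff records and flags only sustained deviations, so that a single late evening does not generate a report. The baseline table, the log format, the two-hour threshold and the three-day minimum are all assumptions made for this illustration.

```python
"""
Added example, not from the CMMC text: flag employees whose daily logoff time
stays well past their baseline end of day on every observed day in a window.
Baselines, log lines and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed baseline of normal work schedules: user -> (start, end).
BASELINES = {
    "alice": (time(8, 0), time(17, 0)),   # matches the 8:00 AM-5:00 PM scenario
    "bob": (time(9, 0), time(18, 0)),
}

# Constructed logon/logoff records, one per line: "<date> <user> <logon> <logoff>".
# Assumption: logon and logoff fall on the same calendar day.
SAMPLE_LOG = """\
2024-03-04 alice 07:58 21:05
2024-03-05 alice 08:02 21:10
2024-03-06 alice 07:55 20:58
2024-03-04 bob 09:01 18:03
2024-03-05 bob 08:59 19:30
2024-03-06 bob 09:03 18:00
"""

def _minutes(t):
    """Minutes since midnight for a datetime.time value."""
    return t.hour * 60 + t.minute

def parse_log(text):
    """Return {user: [(date, logoff_time), ...]} from the constructed log format."""
    records = defaultdict(list)
    for line in text.strip().splitlines():
        date, user, _logon, logoff = line.split()
        records[user].append((date, datetime.strptime(logoff, "%H:%M").time()))
    return records

def find_persistent_after_hours(records, baselines, threshold_minutes=120, min_days=3):
    """Return {user: [(date, minutes_past_baseline_end), ...]} for users whose
    logoff exceeded their baseline end by more than threshold_minutes on every
    observed day, with at least min_days of observations (sustained deviation only)."""
    flagged = {}
    for user, days in records.items():
        if user not in baselines or len(days) < min_days:
            continue  # no baseline to compare against, or too little data
        baseline_end = _minutes(baselines[user][1])
        overruns = [(date, _minutes(logoff) - baseline_end) for date, logoff in days]
        if all(extra > threshold_minutes for _, extra in overruns):
            flagged[user] = overruns
    return flagged

if __name__ == "__main__":
    for user, overruns in find_persistent_after_hours(parse_log(SAMPLE_LOG), BASELINES).items():
        print(f"{user}: sustained after-hours activity on {len(overruns)} days, review per policy")
```

The output is a review prompt for the established reporting channel, not a determination on its own; the scenario's human observation (no assigned projects or deadlines) is what turns the deviation into a reportable indicator.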
References
• NIST SP 800-171 Rev 1 3.2.3
• NIST CSF v1.1 ID.RA-3
• CERT RMM v1.2 OTA:SG2.SP1
• NIST SP 800-53 Rev 4 AT-2(2)