If you're a federal contractor, your reporting requirements just changed -- dramatically. The days of perhaps one report to security per employee every year are over.
Security Agent Executive Directive 3 (SEAD 3) just dropped from our friends at the Office of the Director of National Intelligence (DNI). SEAD 3 became effective June 12, 2017 and requires contractors who hold sensitive positions or have access to any type of classified information to report a variety of life events, including all non-work-related foreign travel and substantive foreign contacts, to their local security office.
This is well beyond the NISPOM or security clearance reporting we're used to, and the time to get smart on it is now. Keep reading to learn more.
If you are one of the relatively few people who have TS SCI access, SEAD 3 requirements probably sound familiar -- but now this guidance applies to all 5.5 million individuals with a clearance, plus anyone in a sensitive position.
If you're a federal contractor, the implications are massive. This means that every single one of your covered employees has to report on themselves -- and they are obliged to report on co-workers under certain circumstances.
SEAD 3 is the next part of the insider threat and security-related regulatory changes we've come to know and love. It's designed to protect the government and the industrial base from an increasingly complex and changing threat environment, punctuated by acts of high-profile insiders like Edward Snowden, Bradley Manning, and Reality Winner. It was signed on December 14, 2016, and was officially implemented on June 12. SEAD 3 standardizes reporting requirements for individuals with security clearances. Failing to comply with the new policy could cost contractors their jobs or their employers their facility clearance.
What Employers and their Security Managers Need to Know
If you are a cleared federal contractor, you should already have an insider threat plan in place. As part of your insider threat program, you should already have a system or process (like ThreatSwitch) to share risk and threat information across the enterprise.
Now, every cleared company must have a mechanism to collect a dramatically increased scope of reporting from far more employees. Let's break it down.
- Everyone must report on themselves. "Covered individuals" -- anyone with any clearance -- have a security obligation to report information (outlined below).
- Everyone must now report on others. Covered individuals don't just have to report their own behavior; they are obligated to report similar information if they observe it in others.
- Security must review. Companies and their customers must be aware of whether the content of those reports (taken together or individually) suggests a potential threat to national security.
- Failure puts clearance at risk. Failure to report can result in revocation of national security eligibility (which may mean your facility, too).
So, what kind of reporting are we talking about? It varies a little by clearance, but it's a long list.
- Foreign travel. Note that this requirement now extends beyond the previous requirement, which applied only to SCI-cleared individuals.
- Foreign contacts. This isn't just official or business contacts -- it includes all foreign contacts.
- Anything of CI concern in others. This includes general security uncooperativeness, unexplained affluence, alcohol abuse, illegal drug use, certain mental health issues, criminal conduct, general concerns about national security, or misuse of systems.
- Foreign activities.
- Illegal attempts to obtain classified information.
- Inappropriate media contacts.
- Alcohol or drug treatment.
- Life changes.
In short, every security program must have a mechanism for employees to report on themselves and others, and a way to share that information appropriately. We've given this a lot of thought at ThreatSwitch, which is why we have designed our product to fulfill 100% of the SEAD reporting requirements for all employees, right out of the box.