
Adverse Separations: Addressing a Unique Insider Threat Risk

Introduction 

In the complex landscape of federal government contracting, private companies play a pivotal role in advancing critical missions, especially within the homeland security realm. Federal contractors collaborate with government agencies to amplify capabilities and provide specialized expertise that is essential to safeguarding the nation’s interests. These partnerships enhance federal operations while also contributing to the innovation and adaptability required to address rapidly evolving threats.  

While federal contractors help fortify the synergy between the public and private sectors, these partnerships can also create a unique insider threat risk that must be addressed. As a trusted federal government partner, Partner Forces identified one such risk and quickly worked to analyze and validate the finding, collaborating with the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Interagency Security Committee (ISC) to develop a short-term and long-term solution set that reduces risk to both government contracting entities and the agencies they serve. This is what we learned. 

Executive Summary 

Over the last year, Partner Forces examined the operations and human capital risks that exist when employees depart government contracting companies. These risks emanate from the seams of shared responsibility between the government and government contractors, and current law and guidance do not adequately mitigate them. Partner Forces identified these risks through first-hand experience working with a federal client to separate an employee with access to government facilities. Our team discovered significant gaps in current government contracting regulations, directives, and language that govern offboarding for contractors with access to federal facilities and equipment.

The contract offboarding process is often complex and requires close coordination with government officials. Some agencies and contracts allow several days to initiate the separation notification process. Longer notification periods increase risk to the government—during this time, a recently separated contractor often retains access to facilities and systems. Furthermore, in cases of high-risk separations, an aggrieved employee could return to the workplace and pose an imminent threat to people, property, and/or information technology systems [1]. Remote work status complicates the risk calculus, but whether a contractor is on-site or remote, greater accountability is needed in high-risk separations to reduce risk.

Confirming the Vulnerability 

Upon identifying this risk, Partner Forces engaged with DHS to confirm the vulnerability and develop a multi-pronged mitigation strategy together. To mitigate the risk on the government contractor side, we developed a Risk-Based Separation Protocol that details procedures for identifying risk and coordinating with government counterparts to manage that risk with a shared goal of protecting people and property on both sides.  

Our team not only identified the threat but also developed an infographic that presents a sample risk scenario, shedding light on the potential consequences of mismanaged high-risk separations. This risk scenario highlights the importance of effective communication and collaboration between government contractors and Contracting Officer Representatives (CORs). Based on Partner Forces’ research and analysis, the risk scenario also conveys the importance of careful risk management when planning and executing separations. 

Partner Forces Founder and CEO Jenny Stone briefed ISC leadership on the risk associated with contractor separations and asked ISC members for input. The ISC then convened members representing nine federal departments and agencies, and all agreed this vulnerability warranted developing guidance and best practices to address the risk on both the government and contractor side. Our team continues to support the ISC in developing and implementing an effective government-wide mitigation strategy.

Partner Forces is thankful for the ISC’s partnership and sense of urgency to develop near-term risk mitigation ideas and long-term policy and planning approaches to address this vulnerability.
Jenny Stone, Partner Forces Founder and CEO

Expanding on our research and analysis, Partner Forces Senior Consultant, Martin Kobylarczyk, and Consultant, Olivia Lanham, also explored government oversight reports and found evidence to confirm this vulnerability across the federal space. A recent General Services Administration (GSA) Office of the Inspector General (OIG) report indicated, “GSA does not consistently collect and destroy inactive GSA contract employee access cards.” [2] Similarly, a DHS OIG report noted the Department still faces significant program and management challenges in implementing an effective Homeland Security Presidential Directive 12 (HSPD-12) program, such as placing priority on ensuring separation of the cards for separated contractors who no longer require access [to its controlled facilities and information systems]. [3] The same report did note that DHS institutionalized “an effective process for collecting the Personal Identity Verification (PIV) cards of separated Federal employees, but not for separated contractors.” [4]

Navigating the Policy Landscape: Vulnerabilities in Achieving HSPD-12 Compliance 

HSPD-12 significantly enhanced security for federal facilities and systems. Issued in August 2004, HSPD-12 mandated adoption of a standardized identification credential for federal employees and contractors, known as the PIV card. This led to more robust and secure access control systems, reducing the risk of unauthorized access and potential insider threats.  

Through HSPD-12 implementation, federal agencies improved their ability to verify personnel identities and restrict access to sensitive areas and information. The directive also encouraged adopting advanced authentication technologies, such as biometrics, to further enhance security. Overall, HSPD-12 plays a crucial role in fostering a safer and more secure environment within the federal government, safeguarding against potential security breaches and enhancing protection of critical assets and data. 

Our team knew the policy landscape surrounding HSPD-12 compliance was complex but did not fully appreciate the extent of those complexities until our analysis was underway. It was immediately apparent that both government stakeholders and contractors would benefit from a visual display of this policy landscape. Our team developed a graphic overview of Executive Branch Authorities, Other Federal Regulations and Policies, and NIST Standard and Special Publications developed to support agency compliance with HSPD-12.

Through our analysis, we uncovered three key vulnerabilities in the path to achieving HSPD-12 compliance. Current federal policies and guidance do not address vulnerabilities in the following areas:  

  • Non-Networked Physical Access Control Systems: If physical access control systems are not enterprise networked, individuals can still use a PIV as a form of identification to access facilities and systems following separation. Immediate physical recovery of the PIV is critical. 
  • Absence of High-Risk Separation Notifications: The Federal Acquisition Regulations (FAR) do not offer specific contractual language for government contractors to expeditiously notify CORs about urgent or high-risk separations. 
  • Lack of Expedient Separation: Departments and agencies may not have policies or procedures in place to coordinate an expedient separation ahead of the 18-hour requirement. There may be technical roadblocks to a quick separation of physical and logical access, particularly when separation occurs on or around a federal holiday or weekend and staff are out of office and/or deployed.

Best Practices for Terminating PIV Access 

Our team identified several best practices for quickly revoking physical and logical access via PIV cards:  

  • Report lost or stolen PIV cards immediately: PIV card holders should be trained to report lost or stolen PIV cards immediately, ideally within two (2) hours of discovery. This ensures the card can be quickly revoked, reducing the risk of unauthorized access. 
  • Automate the revocation process: Agencies can use automated tools to revoke PIV cards quickly and efficiently. This can include applications through which PIV card holders can report a lost or stolen card online or via mobile app, as well as tools that automate PIV card revocation and update access control systems. 
  • Conduct regular PIV card system audits: Agencies should regularly audit PIV card systems to ensure all cards are accounted for and access control systems are properly configured. This can help identify potential vulnerabilities or issues that could impact the revocation process. 
  • Train PIV card management staff: Individuals responsible for PIV card management should be properly trained on policies and procedures, including how to quickly revoke access during a high-risk separation. 

By following these best practices, departments and agencies can quickly and efficiently revoke PIV card access, reducing the risk of trespassing and safeguarding people, property, and systems. 

Partner Forces Risk-Based Separation Protocol – Putting Knowledge into Action 

Based on these findings, we developed a Risk-Based Separation Protocol to identify and mitigate risks associated with employee separations and to protect our employees, company, clients, and teaming partners. This protocol, along with corresponding standard operating procedures, outlines:  

  • Separation categories;  
  • A methodology for identifying risk level for a separated employee;  
  • An approach for evaluating potential security risks; and  
  • Actions to address identified risks.  

It also offers practical guidance to help managers anticipate, understand, and empathize with the emotions a separated employee might experience and includes guidance around proper communication protocols. 

For most people, separating from an employer generates feelings of uncertainty, vulnerability, fear, and defensiveness. In more severe cases, employees may experience feelings of hostility toward individual(s) involved in the separation and/or resentment toward the company and/or its clients. Being prepared for high-risk separations is essential for the safety of those involved and necessary to protect all aspects of business operations and government assets. For this reason, we recommend relaying this type of news in a considerate and kind way with the goal of alleviating feelings of anger and hostility.  

Conclusion 

Partner Forces identified a critical vulnerability in government policies around employee separations for government contractors with access to federal facilities, equipment, and systems. Collaborating with our federal partners, our team confirmed the potential impacts associated with this vulnerability. To mitigate associated risks, Partner Forces developed a Risk-Based Separation Protocol and recommendations for expediting access terminations. For risks owned on the government side, we continue to collaborate with our clients and other stakeholders to develop a more comprehensive and scalable mitigation strategy.  

Our approach to tackling this unique vulnerability enhances safety, security, and accountability in government contracting, contributing to a more resilient ecosystem. By addressing these vulnerabilities and implementing proactive measures, Partner Forces hopes to set a higher standard for responsible and secure government contracting practices. 

References

1 A high-risk separation refers to separating an employee who is likely to pose a risk to themselves or others. High-risk separations are usually the result of performance and/or behavioral concerns. The risk can be highest at the time of separation or in the hours and days surrounding the separation. Human resources and security managers should understand behavioral indicators for potential violence prior to, during, and following any separation.

2 Office of Audits, Office of the Inspector General, General Services Administration. “GSA Is Not Monitoring Data from Access Card Readers to Identify Risks to GSA Personnel and Federal Property,” Report Number A210069/P/6/R23005, February 21, 2023.

3 Office of the Inspector General, Department of Homeland Security. “Department-wide Management of the HSPD-12 Program Needs Improvement,” OIG-18-51, February 14, 2018.

4 Ibid.