Cyber Risk Advisory
From Insider Threat to Personnel Security: Best Practices for DIB Vendors Under New DoD Guidance

The July 18, 2025, Memorandum from the Secretary of Defense, titled “Enhancing Security Protocols for the Department of Defense,” signals a sharp escalation in how the Department views and manages supply chain and personnel risks. While much attention will be given to cloud, software, and hardware scrutiny under the directive, there’s an equally important mandate embedded in the second half of the memo:
"The Under Secretary of Defense for Intelligence and Security will review and validate personnel security practices and insider threat programs of the Defense Industrial Base (DIB) and cloud service providers to the maximum extent possible."
For Coalfire clients in the DIB, this is more than just a compliance reminder. It’s a warning shot across the bow that personnel security, insider threat detection, and trust-based access decisions are now core to national security and contracting eligibility.
What Does This Mean for the DIB?
The memo introduces a new level of intensity around how the DoD expects defense contractors and service providers to manage personnel-related cyber risk. It's no longer sufficient to have a standard insider threat program or maintain minimal personnel screening for access to sensitive systems. Expect DoD reviews to probe deeper into:
- Personnel vetting beyond Tier 1 background checks
- Continuous vetting or insider risk analytics tools
- Behavioral monitoring programs tied to critical assets
- Integration with Zero Trust architectures, especially Identity and Access Management (IAM) layers
These aren't just ideas; they're aligned with existing DoD guidance, including:
- DoDI 5200.48: Controlled Unclassified Information
- DoDI 5200.08: Security of DoD Installations and Resources
- NIST SP 800-53, Rev. 5 controls such as PS-3 (Personnel Screening), PS-5 (Personnel Transfer), IR-8 (Incident Response Plan), and PM-12 (Insider Threat Program)
- NISPOM Rule (32 CFR Part 117): applies to contractors working under classified contracts with DoD
Where Coalfire Sees the Biggest Gaps
As Coalfire teams advise clients preparing for FedRAMP High, DoD IL5/6, and CMMC Level 1/2, we consistently encounter three gaps in contractor readiness:
- Nominal insider threat programs: Many DIB vendors have a written plan but lack real telemetry into behavioral anomalies or access misuse. Without data-driven insights, insider threat plans are performative, not preventive.
- Weak continuous vetting: Contractors often assume periodic re-investigation is sufficient. However, the shift toward near-real-time monitoring of risk indicators (e.g., financial distress, policy violations, data exfiltration) is well underway, especially under Trusted Workforce 2.0.
- Access control gaps in hybrid work environments: Contractors allow remote access without revalidating trust levels. Under the new memo, this kind of oversight could be flagged as a national security exposure.
Best Practices to Meet the Memo's Intent
Here’s what Coalfire Advisory recommends for clients working in or seeking to enter the DIB:
1. Assess and Update Insider Threat Programs
- Implement behavior-based detection platforms (e.g., user and entity behavior analytics, UEBA) fed by real access and data-movement telemetry, not just policy documents.
- Ensure cross-functional collaboration among HR, Security, IT, and Legal.
- Establish clear response playbooks, not just detection mechanisms.
2. Integrate Personnel Security with Zero Trust
- Apply identity assurance principles aligned with NIST SP 800-63 and DoD ICAM (Identity, Credential, and Access Management) guidance.
- Tie user behavior to access decisions: "who you are" and "what you're doing" both matter, so an authenticated identity whose current activity departs from its baseline should face step-up authentication or loss of access, not a standing grant.
3. Adopt Continuous Vetting
- If not enrolled in DoD's Trusted Workforce continuous vetting (CV) program, adopt the same approach internally using HR tools, credit monitoring (for cleared roles), and public record scanning.
4. Include Personnel Risk in System Security Plans (SSPs)
- For FedRAMP or CMMC documentation, explicitly describe how you address insider threats under IR-8, PM-12, and the PS-family controls, including which systems generate the telemetry and who reviews it.
- Be ready for assessor review of both policies and technical implementation.
5. Document and Review Privileged User Monitoring
- Monitor privileged user activity, especially admin and developer roles, with alerting for unusual access patterns or data movement.
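The following is an added example (not code from the original article, from Coalfire, or from any DoD program) showing how items 2 and 5 above fit together: privileged-user events are scored against a per-user behavioral baseline (working hours, source networks, actions, data volume), and the score drives an access decision of allow, step-up authentication, or deny-and-alert. The event fields, scoring weights, decision thresholds, and the historical records are all assumptions constructed for illustration; a real deployment would baseline against weeks of SIEM or UEBA telemetry.

```python
"""Behavior-scored access decisions for privileged users.

Added example, not from the original page, Coalfire, or any DoD tool. The
event schema, weights and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Actions that move data off a system and deserve extra scrutiny (assumed set).
SENSITIVE_ACTIONS = {"db_export", "repo_clone", "bulk_download"}


@dataclass
class Event:
    user: str
    hour_utc: int    # hour of day (0-23) the action occurred
    network: str     # where the session came from: "corp", "vpn", "unknown"
    action: str      # what the privileged user did
    bytes_out: int   # bytes moved off the system by this action


@dataclass
class Baseline:
    hours: set = field(default_factory=set)
    networks: set = field(default_factory=set)
    actions: set = field(default_factory=set)
    bytes_threshold: float = 0.0   # above this counts as unusual data movement


# Constructed historical telemetry for two administrators (not real logs).
HISTORY = [
    Event("alice", 9, "corp", "ssh", 20_000),
    Event("alice", 11, "corp", "db_query", 50_000),
    Event("alice", 10, "vpn", "ssh", 30_000),
    Event("alice", 14, "corp", "db_query", 45_000),
    Event("alice", 16, "vpn", "ssh", 25_000),
    Event("bob", 8, "corp", "ssh", 10_000),
    Event("bob", 13, "corp", "repo_clone", 12_000),
    Event("bob", 17, "corp", "ssh", 8_000),
]


def build_baselines(history):
    """Summarise each user's normal hours, networks, actions and data volume."""
    per_user = {}
    for ev in history:
        per_user.setdefault(ev.user, []).append(ev)
    baselines = {}
    for user, evs in per_user.items():
        volumes = [e.bytes_out for e in evs]
        avg = mean(volumes)
        # Three standard deviations above the mean, floored at double the mean
        # so a user with near-constant volume is not flagged by tiny noise.
        threshold = max(avg + 3 * pstdev(volumes), 2 * avg)
        baselines[user] = Baseline({e.hour_utc for e in evs},
                                   {e.network for e in evs},
                                   {e.action for e in evs}, threshold)
    return baselines


def score_event(ev, baselines):
    """Return (risk score, reasons) for one new privileged-user event."""
    base = baselines.get(ev.user)
    if base is None:
        return 4, ["no_baseline"]   # no history at all: treat as maximally unusual
    score, reasons = 0, []
    if not any(abs(h - ev.hour_utc) <= 1 for h in base.hours):
        score, reasons = score + 1, reasons + ["off_hours"]
    if ev.network not in base.networks:
        score, reasons = score + 2, reasons + ["unseen_network"]
    if ev.action in SENSITIVE_ACTIONS and ev.action not in base.actions:
        score, reasons = score + 1, reasons + ["new_sensitive_action"]
    if ev.bytes_out > base.bytes_threshold:
        score, reasons = score + 2, reasons + ["unusual_data_volume"]
    return score, reasons


def decide(score):
    """Map a risk score onto an access decision (thresholds are assumptions)."""
    if score == 0:
        return "allow"
    if score < 4:
        return "step_up"   # require fresh MFA / re-authentication first
    return "deny"          # block the action and raise an insider-threat alert


def evaluate(events, baselines):
    """Score a batch of events and attach the decision each one receives."""
    out = []
    for ev in events:
        score, reasons = score_event(ev, baselines)
        out.append({"user": ev.user, "action": ev.action, "score": score,
                    "reasons": reasons, "decision": decide(score)})
    return out


if __name__ == "__main__":
    base = build_baselines(HISTORY)
    # Constructed new events: routine work, a night-time export, an unknown source.
    for r in evaluate([Event("alice", 10, "corp", "db_query", 45_000),
                       Event("alice", 3, "vpn", "db_export", 900_000),
                       Event("bob", 14, "unknown", "ssh", 10_000)], base):
        print(f"{r['user']:6} {r['action']:10} score={r['score']} "
              f"{r['decision']:8} {','.join(r['reasons'])}")
```

The point of the structure is that detection and access enforcement share one score: the same anomaly that would page an analyst (a large off-hours export by a user who has never exported before) is also what downgrades the session from allow to deny, which is what "tying user behavior to access decisions" means in practice. A user with no baseline at all is treated as the riskiest case rather than silently allowed.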
What Comes Next?
With the DoD CIO due to issue follow-on guidance by the end of July 2025, we expect:
- Tighter integration of personnel vetting into cloud ATO and FedRAMP processes
- Expanded CMMC Level 1/2 requirements tied to insider threat prevention and supply chain risk
- Contract language updates demanding evidence of vetting, monitoring, and mitigation for human-based threats
Contractors that fail to evolve will find themselves not only out of compliance but also out of eligibility.
Final Thought
The adversaries the memo mentions, China and Russia, aren’t just targeting our systems; they’re targeting our people. The DoD is shifting from a reactive to a preventive approach when it comes to personnel-based risk.
For Coalfire clients, this is a chance to get ahead of the curve and build trust with the DoD not just through your code, but through your culture.