
3.2.3 — Spot the Insider Threat

Provide security awareness training on recognizing and reporting potential indicators of insider threat.

Two things, both required:

  1. Indicators are defined and taught. Your training covers specific behaviors and patterns that may indicate an insider threat — not vague warnings, but concrete indicators: unusual after-hours access to CUI, bulk downloading or copying files, expressing disgruntlement about the company or the government, unexplained financial changes, attempts to access systems or data outside their role, and resistance to security controls. Training for managers should be more detailed, covering how to observe team members for patterns over time. Training for general staff can focus on a smaller set of observable indicators.

  2. A reporting path exists and is communicated. Staff know exactly how to report concerns — who to contact, how (email, phone, anonymous hotline), and that reports are treated confidentially. Without a clear reporting path, even well-trained staff won’t report.

This isn’t about creating a surveillance culture. It’s about giving people the knowledge to recognize genuinely concerning patterns and a safe channel to raise them. The training should emphasize that reporting is about protecting colleagues and the organization, not about suspicion.


Your assessor needs a “yes” to every row:

| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are potential indicators of insider threats identified? | Documented list of insider threat indicators included in training materials |
| 2 | Is training on recognizing and reporting indicators provided? | Training completion records showing insider threat module completed by all CUI users, with content covering indicators and reporting procedures |

Documents they’ll review: Security awareness and training policy; insider threat training materials; insider threat program documentation; reporting procedures; training completion records

People they’ll talk to: Personnel who’ve completed insider threat training; personnel responsible for the insider threat program; information security personnel

Live demos they’ll ask for: “Show me the insider threat module in your training program.” “What indicators do you train staff to look for?” “How does someone report a concern? Show me the process.”


These are the actual questions. Have answers ready.

  • “What insider threat indicators do you train people to recognize?”
  • “How does someone report a suspected insider threat? Is the process confidential?”
  • “Does training differentiate between manager-level and general employee indicators?”
  • “Show me a recent training completion record that includes the insider threat module.”
  • “Have you ever had a report through this channel? How was it handled?”

Not covered in training. General awareness training covers phishing and passwords but never mentions insider threats. Add a dedicated insider threat module to your annual training.

No reporting path. Staff are trained to recognize indicators but the training doesn’t explain who to report to or how. Include specific reporting instructions — name, phone, email, and anonymous option.

Only external threats covered. Training focuses entirely on external attackers (phishing, malware) and ignores the risk from insiders. Insider threats are a distinct topic requiring distinct training.

Manager training identical to general staff. Managers need additional guidance on observing patterns over time, handling reports, and escalating appropriately. A general employee spots a single indicator; a manager should be watching for patterns.



| Requirement | Why it matters here |
|---|---|
| 3.2.1 — Train Everyone | Insider threat is a specific topic within the broader awareness training program |
| 3.14.7 — Catch Unauthorized Use | Technical detection complements human awareness of insider threats |
| 3.3.2 — Trace Every Action | Audit trails support investigation of reported insider threat indicators |


CMMC Practice ID: AT.L2-3.2.3 | SPRS Weight: 1 point | POA&M Eligible: Yes