Government Frameworks and Regulations for Insider Threats

Insider threats have evolved into sophisticated, complex challenges that demand comprehensive protective frameworks. With insider threats making up 30% of all breaches in the public sector and causing financial loss through theft, operational disruption, and regulatory penalties, agencies are under pressure to implement detection and prevention measures.

The landscape has become even more dangerous, with artificial intelligence, hybrid work environments, and sophisticated social engineering tactics creating new ways to exploit insiders. Even nation-states are shifting their focus to insiders who can be used for intelligence gathering, revenue generation, and system manipulation. These evolving threats have led governments worldwide to develop and refine regulatory frameworks that set minimum security standards and provide guidance for organizations.

This guide looks at the current state of government frameworks and regulations for insider threats as of 2025, giving security professionals a roadmap for compliance and protection. We’ll explore how these frameworks have adapted to the changing nature of insider risks and provide practical implementation strategies to protect your organization’s most valuable assets.

Key Frameworks at a Glance

Framework | Primary Focus | Latest Update | Key Aspects for Insider Threats
NIST CSF 2.0 | Comprehensive cybersecurity management | February 2024 | New “Govern” function; enhanced implementation guidance; supply chain risk management
EO 14028 & Follow-up EO | Federal cybersecurity improvement | January 2025 | Software supply chain security; identity management; threat information sharing
CNSSD 504 | User activity monitoring for national security systems | Ongoing | Keystroke monitoring; application monitoring; screen capture; file shadowing
NITTF Guidelines | Government-wide insider threat program | Ongoing updates | Insider Threat Program Maturity Framework; technical bulletins
National Insider Threat Policy | Minimum standards for insider threat programs | Established 2012, ongoing updates | Executive branch program requirements; classified information protection
CMMC 2.0 | Defense industrial base security | Final rule October 2024 | Tiered cybersecurity requirements for contractors
NIST SP 800-53 | Security controls for federal systems | Rev. 5 (with updates) | Control catalog; privacy controls; insider threat controls
CISA Insider Threat Mitigation | Critical infrastructure protection | Ongoing guidance | Defining insider threats; mitigation strategies

Major Government Frameworks and Updates

NIST Cybersecurity Framework (CSF) 2.0

The National Institute of Standards and Technology (NIST) released CSF 2.0 in February 2024, marking the first significant update to this landmark cybersecurity guidance since its creation in 2014. The updated framework expands its scope beyond critical infrastructure to help all organizations—regardless of size, sector, or cybersecurity sophistication—better manage and reduce cybersecurity risks.

Key changes in CSF 2.0 relevant to insider threat management include:

  1. New Govern Function: CSF 2.0 adds a sixth core function called “Govern,” which covers how an organization can make and execute internal decisions to support its cybersecurity strategy. This emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial, and other risks as considerations for senior leadership.
  2. Supply Chain Risk Management: The framework consolidates and expands its Supply Chain Risk Management (SCRM) cybersecurity outcomes in the Govern function, which is crucial as supply chain attacks are projected to impact 45% of organizations worldwide by 2025.
  3. Implementation Examples: CSF 2.0 provides improved and expanded guidance on implementing the framework, especially for creating profiles that tailor the CSF for particular situations. This makes it easier for organizations to adapt the framework to address insider threats within their specific context.
  4. Greater Accessibility: Within just one year of its release, CSF 2.0 became the most downloaded publication of all NIST’s 20,000+ publications and has been translated into multiple languages, demonstrating its widespread adoption and utility.

NIST SP 800-53: Security and Privacy Controls

NIST Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems. While CSF 2.0 provides high-level guidance, SP 800-53 offers specific control recommendations that organizations can implement.

For insider threat management, SP 800-53 includes:

  1. Control Catalog Spreadsheet: This shows various components of best practices and provides transparency about where assets are located, helping security professionals build better protection strategies.
  2. Privacy Controls Mapping: The standard calls for mapping of privacy controls to implement a more effective insider threat policy.
  3. Insider Threat Program Definition: SP 800-53 defines an insider threat program as “a coordinated collection of capabilities authorized by the organization and used to deter, detect, and mitigate the unauthorized disclosure of information.”

Executive Order 14028 and Its Evolution

Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” issued in May 2021, continues to shape the federal approach to cybersecurity. In January 2025, a new executive order titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity” was issued, building upon EO 14028.

This new order focuses on defending digital infrastructure, securing vital services in the digital domain, and addressing key threats. It places particular emphasis on improving accountability for software and cloud service providers, strengthening federal communications and identity management systems, and promoting innovative developments in cybersecurity.

Key developments related to insider threats include:

  1. Enhanced Accountability: The order addresses situations where software providers commit to following cybersecurity practices but fail to fix known vulnerabilities, putting government systems at risk.
  2. Phishing-Resistant Authentication: Federal agencies are required to implement commercial phishing-resistant standards such as WebAuthn, building on deployments established since EO 14028. This helps mitigate insider threats that leverage credential theft.
  3. Implementation Progress: As of April 2024, 49 of the 55 leadership and oversight requirements identified in EO 14028 have been completed, with the remaining five partially completed and expected to be fulfilled by December 31, 2024.
  4. Standardized Playbook: EO 14028 created a standardized playbook for cyber incident response by federal departments and agencies, ensuring they’re prepared to take uniform steps to identify and mitigate threats.

Executive Order 13587 and National Insider Threat Policy

The National Insider Threat Task Force was established in 2011 under Executive Order 13587. That same executive order also established the Classified Information Sharing and Safeguarding Office (CISSO).

In November 2012, the federal government issued the National Insider Threat Policy and Minimum Standards that further spelled out how to improve government protection of data. This policy calls for “an executive branch program for the deterrence, detection and mitigation of insider threats, including the safeguarding of classified information from exploitation, compromise or other unauthorized disclosure.”

The National Insider Threat Policy continues to serve as a foundation for insider threat programs across the federal government, requiring agencies to:

  1. Establish formal insider threat programs
  2. Develop monitoring capabilities
  3. Provide training and awareness
  4. Implement proper incident response procedures

Cybersecurity Maturity Model Certification (CMMC) 2.0

In August 2024, the Department of Defense (DoD) published a proposed rule for implementing CMMC 2.0 in the Defense Federal Acquisition Regulation Supplement (DFARS). The final rule passed interagency review in September 2024 and was publicly released in October 2024. CMMC 2.0 establishes cybersecurity standards for defense contractors, with key requirements including:

  1. Certification Requirements: Contractors must hold a current CMMC certificate or self-assessment at the specified level as a condition for contract award.
  2. Flow-Down Requirements: Contractors must establish the correct CMMC level requirements for subcontracts and other contractual instruments.
  3. Tiered Approach: Different levels of certification are offered based on the sensitivity of the information being handled, with corresponding security requirements.

This framework is particularly important for defense contractors who handle Controlled Unclassified Information (CUI) and must protect against insider threats.

Committee on National Security Systems Directive 504 (CNSSD 504)

CNSSD 504 remains a critical standard for protecting national security systems from insider threats. It defines User Activity Monitoring (UAM) as “the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing US Government information in order to detect insider threats and to support authorized investigations.”

The key UAM requirements defined by CNSSD 504 continue to include:

  1. Keystroke Monitoring: Tracking every keystroke to build a comprehensive picture of user activity.
  2. Full Application Monitoring: Ensuring tools track all activities from endpoints to the network core.
  3. Screen Capture: The ability to take screenshots or record a user’s desktop based on automatic or manual triggers.
  4. File Shadowing: Tracking documents even when names and locations change.
  5. Comprehensive User Identification: Ensuring all user activity is attributable to specific individuals.
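The two requirements above that are hardest to picture are file shadowing and comprehensive user identification: a document must stay recognisable after it is copied, renamed, moved or edited, and every action on it must remain attributable to a specific user. The following added example (written for this article; it is neither Teramind’s code nor anything defined by CNSSD 504) shows one way a monitoring pipeline can do that. It assumes a constructed event schema in which an endpoint agent records, for every file action, the authenticated user, the resulting path and the SHA-256 of the content (plus the pre-edit digest for modifications); the sample events and paths are invented for illustration.

```python
# Added example (not Teramind code and not part of CNSSD 504): a minimal file-shadowing
# correlator that keeps a document's identity across renames, copies, moves and edits so
# that every later action on it stays attributable to a user and to the document's origin.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """One endpoint file event as a UAM agent might record it (constructed schema)."""
    ts: int                            # event time (monotonic integer for the sample)
    user: str                          # authenticated user the action is attributed to
    action: str                        # "create", "modify", "copy", "rename", "write_external"
    path: str                          # path of the file after the action
    digest: str                        # SHA-256 of the file content after the action
    prev_digest: Optional[str] = None  # for "modify": SHA-256 of the content before the edit


def sha256(data: bytes) -> str:
    """Content digest used as the document fingerprint."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample content; a real agent hashes the actual file on disk.
V1 = sha256(b"FY25 budget - CONFIDENTIAL - draft")
V2 = sha256(b"FY25 budget - CONFIDENTIAL - revised")

# Constructed sample event stream: alice creates and edits a finance document, bob copies,
# renames and writes it to removable media, carol's file is unrelated noise.
SAMPLE_EVENTS = [
    FileEvent(1, "alice", "create", "/finance/fy25_budget.xlsx", V1),
    FileEvent(2, "alice", "modify", "/finance/fy25_budget.xlsx", V2, prev_digest=V1),
    FileEvent(3, "bob", "copy", "/home/bob/tmp/scratch.xlsx", V2),
    FileEvent(4, "bob", "rename", "/home/bob/tmp/report_final.xlsx", V2),
    FileEvent(5, "bob", "write_external", "/media/usb0/report_final.xlsx", V2),
    FileEvent(6, "carol", "create", "/home/carol/todo.txt", sha256(b"buy milk")),
]


def build_identity_map(events):
    """Map each observed digest to a stable document id (the digest of its first version).

    A 'modify' event links the post-edit digest to the pre-edit one, so an edited file
    is still recognised as the same document; copies and renames keep the same digest
    and therefore need no special handling.
    """
    canonical = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "modify" and ev.prev_digest in canonical:
            canonical[ev.digest] = canonical[ev.prev_digest]
        else:
            canonical.setdefault(ev.digest, ev.digest)
    return canonical


def document_lineage(events, path):
    """Chronological trail of (ts, user, action, path) for the document currently at `path`."""
    by_ts = sorted(events, key=lambda e: e.ts)
    canonical = build_identity_map(by_ts)
    latest = next((e for e in reversed(by_ts) if e.path == path), None)
    if latest is None:
        return []
    doc_id = canonical[latest.digest]
    return [(e.ts, e.user, e.action, e.path) for e in by_ts if canonical[e.digest] == doc_id]


def origin_of(events, path):
    """(user, path) that first created the document now at `path`, or None if unknown."""
    trail = document_lineage(events, path)
    return (trail[0][1], trail[0][3]) if trail else None


def external_writes_from(events, sensitive_prefix):
    """Flag writes to external media of documents that originated under `sensitive_prefix`,
    however they were renamed, copied or edited on the way."""
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "write_external":
            continue
        origin = origin_of(events, ev.path)
        if origin and origin[1].startswith(sensitive_prefix):
            flagged.append((ev.ts, ev.user, ev.path, origin))
    return flagged


if __name__ == "__main__":
    for step in document_lineage(SAMPLE_EVENTS, "/media/usb0/report_final.xlsx"):
        print(step)
    print(external_writes_from(SAMPLE_EVENTS, "/finance/"))
```

Keying identity on a content digest rather than on a path is what lets the trail survive the copy and rename in events 3 and 4, and recording the pre-edit digest on modifications is what keeps the edited file tied to its original in event 2. Because each event carries the authenticated user, the flagged external write is attributable both to the person who performed it and to the document’s origin, which is the combination an investigator needs.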

CISA Insider Threat Mitigation Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) provides specific guidance for insider threat mitigation across critical infrastructure sectors. CISA defines insider threat as “the threat that an insider will use their authorized access, intentionally or unintentionally, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems.”

CISA’s framework categorizes insider threats into different types:

  1. Intentional Threats: Malicious actions performed by insiders who use technical means to disrupt operations, identify IT weaknesses, gain protected information, or otherwise further an attack plan via access to IT systems.
  2. Terrorism: Unlawful use of or threat of violence by employees or associates against an organization.
  3. Espionage: The covert practice of obtaining confidential information for advantage, including economic and government espionage.

National Insider Threat Task Force (NITTF)

The NITTF released the Insider Threat Program Maturity Framework and continues to develop technical bulletins and resources for the insider threat community. The primary mission of the NITTF remains developing a government-wide insider threat program for deterring, detecting, and mitigating insider threats.

In 2024, the National Counterintelligence and Security Center (NCSC) and federal partners focused on “Deter, Detect, Mitigate” during National Insider Threat Awareness Month, highlighting the ongoing emphasis on these three pillars of insider threat management.

Emerging Threats and Considerations for 2025

AI-Enhanced Insider Threats

The rapid growth of AI is elevating insider threat risk and changing its shape. Clear policies for AI are critical, particularly as AI systems become more integrated into decision-making, security, and business operations.

CISOs now face AI-powered threats where attackers leverage artificial intelligence to automate phishing, generate deepfake voice scams, and bypass traditional security defenses. AI-powered malware can adapt in real time, making detection harder than ever.

Identity Management and Zero Trust

In January 2025, the White House accelerated the transition of Federal cryptographic systems to use post-quantum cryptography (PQC), which is designed to resist attack by quantum computers. This proactive approach aims to protect government communications from future quantum computing threats.

Implementing access controls based on the principle of least privilege remains crucial for mitigating insider threats. Organizations should ensure employees only have access to information necessary for their roles, reducing the potential for misuse.

Employee AI Education Risks

A new concern highlighted in 2025 predictions is that employees might exploit the AI education they receive through enterprise AI tools to steal sensitive information. At least one global brand is expected to be impacted by this type of fraud in the coming year.

How Teramind Helps Organizations Stay Compliant

Teramind offers a purpose-built solution that enables organizations to meet stringent government requirements for insider threat management while streamlining compliance efforts.

Here’s how Teramind helps security teams implement the controls needed to satisfy evolving framework requirements:

  • Comprehensive Framework Alignment: Teramind’s solution aligns with major government frameworks including NIST CSF 2.0, SP 800-53, Executive Orders, and CMMC 2.0, providing the visibility and controls needed to satisfy compliance requirements.
  • Complete User Activity Monitoring: The platform delivers all technical capabilities required by CNSSD 504, including keystroke monitoring, application monitoring, screen capture, file shadowing, and comprehensive user identification.
  • AI-Enhanced Threat Detection: Teramind incorporates advanced analytics to detect AI-powered threats and monitor for unauthorized use of AI tools, addressing the emerging concerns around AI exploitation.
  • Zero Trust Architecture Support: The solution enables continuous monitoring of all users regardless of position or privileges, supporting the principle of least privilege through detailed visibility into access patterns and usage.
  • Audit-Ready Documentation: Teramind generates comprehensive logs and reports that demonstrate compliance with various regulatory requirements, simplifying the audit process and providing leadership with customizable compliance dashboards.

To learn how Teramind can help you comply with these government frameworks and protect against insider threats, request a demo today.

Conclusion

As we navigate 2025, insider threats continue to evolve in sophistication and impact, reinforced by advances in AI and other technologies. Government frameworks like NIST CSF 2.0, Executive Orders, CMMC 2.0, CNSSD 504, and NITTF guidelines provide essential roadmaps for organizations to develop robust insider threat programs.

The expanding regulatory landscape reflects the growing importance of insider threat management as a critical component of organizational security. By staying informed about the latest regulatory updates and implementing comprehensive monitoring, strong governance, and a security-focused culture, organizations can better protect themselves against the increasingly complex landscape of insider threats.
