Why CISA’s New Insider Threat Guidance is a Call to Action for Critical Infrastructure
Key Highlights
- Insider threats include malicious acts and unintentional errors, both capable of causing significant damage within trusted systems.
- Effective defense requires cross-departmental teams involving security, HR, legal, and leadership to identify vulnerabilities and foster a culture of trust.
- Leadership must prioritize insider threat management, allocate resources, and define clear roles to enable proactive, strategic responses.
- Automation plays a critical role in resource-limited agencies by enforcing least-privilege access, monitoring activity, and triggering automated responses to anomalies.

For state and local governments delivering essential services, cyber resilience is not an option. When systems go down or sensitive data is compromised, the consequences to public health and safety are immediate and personal for the communities they serve.
In January, the Cybersecurity and Infrastructure Security Agency (CISA) released a new resource to help critical infrastructure operators and government agencies better defend against a major avenue of risk: insider threats. CISA’s guidance is designed to help critical infrastructure organizations and state, local, tribal, and territorial (SLTT) governments proactively prevent, detect, and mitigate insider threats. While the new guidance underscores the risk of insider threats and provides a high-level roadmap for establishing an insider threat management team, it overlooks the technology needed to address this threat.
Two Types of Insider Threats
Insider threats often take two forms: calculated acts of harm and unintentional user errors or oversights.
Malicious insiders may exploit legitimate access for personal gain, grievance, or other harmful motives. This existing access to trusted systems means they can cause significant damage, compromising systems and data before being detected. Just last May, Coinbase faced a $400 million insider breach after cybercriminals bribed overseas support agents to steal customer data. On the other hand, negligence or simple human error, like mishandled credentials or accidental disclosures, can create vulnerabilities that external adversaries later exploit.
In both cases, the threat originates within the trust boundary, which is what makes insider risk so difficult to manage. Unlike external threat actors who must break in, insiders already have authorized access, understand internal processes, and may know exactly where controls are the weakest.
The Value of Cross-Functional Teams
As emphasized in CISA’s new resource, strong, multidisciplinary insider threat management teams are critical for defending against threats originating within the trust boundary. Too often, insider threat programs are treated as purely IT or security initiatives. In reality, effective insider threat management requires collaboration across departments (e.g., security, IT, human resources, legal, compliance, physical security, and leadership). Drawing on expertise from across the organization will help identify the weakest access points and determine where and how to batten down the hatches.
The roadmap outlined in the new resource is designed to reduce vulnerabilities and strengthen overall resilience, not only through oversight but also by fostering accountability and building a culture of trust. According to CISA Executive Assistant Director for Infrastructure Security Steve Casapulla, organizations should draw expertise from across departments while “fostering a culture of trust where employees feel empowered to report concerns and stop threats before they escalate.” Including stakeholders from across the organization is critical for securing this trust. The cultural component is just as important as the technical. Employees are the first and best line of defense, and when they feel confident reporting suspicious behavior or security concerns, organizations can intervene before a risk becomes an incident.
From Guidance to Action
For state and local governments and critical infrastructure operators, the question becomes: what does decisive action look like and how is it executed?
Leadership must first formally recognize insider threat management as a strategic priority. That means allocating resources, defining clear roles and responsibilities, and ensuring executive sponsorship. Once a cross-functional team is assembled with clearly defined authority and processes, the organization must align people, processes, and technology.
While CISA’s resource focuses on team assembly and organizational strategy, technology plays a pivotal enabling role. Insider threats exploit legitimate access, so visibility into how access is granted, used, and monitored is critical.
In the public sector, where budgets and staffing are often constrained, automation is especially impactful. Agencies must have tools that can:
- Enforce least-privilege access.
- Continuously validate identities to assess and adjust role-based access rights.
- Detect anomalous activity tied to legitimate credentials that deviates from baseline behavior.
- Correlate signals across systems to identify elevated risk.
- Trigger timely, automated responses when risk thresholds are crossed (e.g., step-up authentication or temporary access suspension).
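To make the capabilities in the list above concrete, here is an added example (it is not code from the article, from CISA, or from Imprivata) that runs a small insider-risk scoring pass over constructed access-log lines. It applies a least-privilege entitlement gate first, then scores each event against a per-user behavioral baseline, correlates the result with signals from other systems (an HR resignation notice, physical badge-in status), and maps the score to an automated response. Every user name, system name, signal, weight and threshold is a hypothetical value chosen for illustration.

```python
"""Constructed insider-risk scoring walkthrough (added example; not code from the
article, CISA, or Imprivata). Every user, system, signal, weight and threshold
below is a hypothetical value made up for illustration."""
from datetime import datetime

# Least-privilege entitlements: the systems each account may touch at all (constructed).
ENTITLEMENTS = {
    "jdoe": {"cad", "rms"},
    "asmith": {"rms", "cjis_ncic"},
}

# Behavioral baselines learned from past activity (constructed): working hours,
# systems normally used, and a typical daily record count.
BASELINES = {
    "jdoe": {"hours": (7, 19), "systems": {"cad", "rms"}, "daily_records": 40},
    "asmith": {"hours": (8, 18), "systems": {"rms"}, "daily_records": 15},
}

# Signals from other systems, correlated with access events (constructed).
HR_NOTICE_GIVEN = {"jdoe": True, "asmith": False}   # resignation on file in HR
BADGED_ON_SITE = {"jdoe": False, "asmith": True}    # physical access control

# Constructed access-log lines: "<timestamp> <user> <system> <action> records=<N>"
LOG_LINES = [
    "2024-03-04T09:12:00 jdoe rms query records=30",
    "2024-03-04T23:41:00 jdoe rms export records=900",
    "2024-03-04T10:05:00 asmith rms query records=12",
    "2024-03-04T10:30:00 asmith cjis_ncic query records=5",
    "2024-03-04T10:45:00 asmith cad query records=1",
]

STEP_UP_THRESHOLD = 40   # score at which step-up authentication is required
SUSPEND_THRESHOLD = 70   # score at which access is temporarily suspended pending review


def parse_line(line: str) -> dict:
    """Turn one access-log line into an event dict."""
    ts, user, system, action, kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "system": system,
            "action": action, "records": int(kv.split("=", 1)[1])}


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Additive risk score: deviations from the user's baseline plus correlated signals."""
    base = BASELINES[ev["user"]]
    score, reasons = 0, []
    start, end = base["hours"]
    if not start <= ev["ts"].hour < end:
        score += 20
        reasons.append("outside baseline hours")
    if ev["system"] not in base["systems"]:
        score += 40
        reasons.append("entitled but never-before-used system")
    if ev["records"] > 5 * base["daily_records"]:
        score += 30
        reasons.append("volume far above daily baseline")
    if ev["action"] == "export":
        score += 10
        reasons.append("bulk export action")
    if HR_NOTICE_GIVEN[ev["user"]]:
        score += 15
        reasons.append("HR: resignation notice on file")
    if not BADGED_ON_SITE[ev["user"]]:
        score += 10
        reasons.append("no badge-in while accessing on-prem system")
    return score, reasons


def decide(ev: dict) -> dict:
    """Least-privilege gate first; then a risk-threshold driven automated response."""
    if ev["system"] not in ENTITLEMENTS[ev["user"]]:
        return {"user": ev["user"], "system": ev["system"], "score": None,
                "action": "deny", "reasons": ["not entitled to system"]}
    score, reasons = score_event(ev)
    if score >= SUSPEND_THRESHOLD:
        action = "suspend"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    return {"user": ev["user"], "system": ev["system"], "score": score,
            "action": action, "reasons": reasons}


def evaluate(lines: list[str]) -> list[dict]:
    """Run every log line through the gate and scorer, returning one decision per line."""
    return [decide(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for d in evaluate(LOG_LINES):
        print(f"{d['user']:7} {d['system']:10} score={d['score']} -> "
              f"{d['action']:8} {'; '.join(d['reasons'])}")
```

Two design points matter more than the particular weights. The entitlement check runs before any scoring, so an account touching a system it was never granted is refused outright rather than merely flagged; that is least privilege doing its job. Second, an event that looks ordinary on its own (a query inside working hours on an entitled system) still picks up risk from correlated HR and badge signals, which is why the same user's late-night bulk export crosses the suspension threshold while the morning query only raises its score slightly. In a real deployment the baselines would be learned from historical activity and the responses wired to the identity provider, and every decision should be logged with its reasons so the cross-functional team can review it.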
Without automation, even the best-designed insider threat team will be overwhelmed by the volume and complexity of modern IT environments.
For state and local governments, the stakes are particularly high given the common handling of sensitive information like criminal justice data, public health records, and critical infrastructure controls. The volume of access events in these systems can quickly overwhelm any security team if not intelligently filtered and prioritized. In resource-strapped agencies, these capabilities are a force multiplier.
Culture and Controls Must Work Together
No tech investment diminishes the importance of an organization’s culture. Employees remain the first and best line of defense, so encouraging reporting, promoting accountability, and reducing stigma around flagging concerns are all critical.
Culture without controls leaves gaps and strains bandwidth, and controls without culture create friction and mistrust. The most effective and resilient organizations strike a balance. They build multi-disciplinary teams, empower employees, and deploy technology that provides transparency and guardrails without hindering execution.
CISA has made it clear that mitigating insider threats must be a strategic priority for critical infrastructure organizations and government agencies, and the newest resource offers a valuable roadmap. However, insider threats exploit trust, so defending against them requires more than good intentions and governance frameworks. It requires organizational alignment and technological enablement.
About the Author

Nick Stohlman
Vice President of CJIS Strategy, Imprivata
Nick Stohlman is a mission-driven technology executive with more than 30 years of experience in public safety, justice, and secure cloud innovation. As Vice President of CJIS Program Strategy at Imprivata, Nick leads the company’s efforts to deliver trusted digital identity and access management solutions to law enforcement, courts, and corrections agencies nationwide.
Before joining Imprivata, Nick co-founded SOMA Global, one of the industry’s first cloud-native public safety platforms, where he helped modernize how agencies manage critical operations through secure, scalable technology. His earlier career in law enforcement included service as a Drug Enforcement Agent, Chief Deputy, and Chief Investigator, giving him firsthand insight into the operational realities, security challenges, and high-stakes decisions faced daily by those on the front lines.
Nick’s lifelong mission is to serve those who serve — empowering public safety professionals with technology that keeps them safe, compliant, and mission-ready. At Imprivata, he’s focused on building a CJIS-compliant digital identity framework that bridges security, speed, and trust across the entire Justice ecosystem.
