Enhancing Insider Threat Protections for NASA’s Unclassified Systems

NASA’s unclassified systems face significant insider threat risks. Expanding the Agency’s insider threat program to cover these systems, despite challenges, can build a mature and resilient cybersecurity framework.

Insider Threat Program at NASA

In an era of heightened cyber risks and increasing concerns over foreign interference, it is essential for federal agencies like NASA to strengthen security across all data systems, including unclassified ones. While federal insider threat programs often focus on classified systems, extending protections to unclassified systems significantly enhances cybersecurity maturity and better shields valuable resources.

NASA's Office of Protective Services and Office of the Chief Information Officer (OCIO) are exploring this expansion, weighing both potential security gains and the logistical hurdles of staff shortages, limited technical resources, and funding needs. In 2025 and 2026, this challenge is no longer unique to NASA. Every government agency and large enterprise faces the same question: how do you extend insider threat detection beyond the most sensitive systems to cover everything?

Why Expand Insider Threat Programs to Unclassified Systems?

Federal agencies typically prioritize insider threat programs for classified data and systems, where the risk of data leakage and foreign interference is highest. However, NASA's unclassified systems support many critical functions, from internal communications to project management and external collaborations. While unclassified, these systems remain vulnerable to unauthorized access, inadvertent misuse, or data theft. Enhancing insider threat protections for these systems can help NASA:

  1. Close Security Gaps: Unclassified systems often host essential administrative, scientific, and operational information that could be leveraged by insiders or external actors for harmful purposes.
  2. Strengthen the Agency's Cybersecurity Posture: By focusing on all potential avenues of attack, including unclassified systems, NASA can create a more comprehensive cybersecurity framework.
  3. Increase Resilience Against Emerging Threats: Addressing the vulnerabilities in unclassified systems adds an extra layer of defense, helping the Agency adapt to the changing threat landscape.

Challenges in Expanding the Program

While expanding insider threat protections to include unclassified systems offers clear benefits, NASA officials are mindful of several challenges that must be addressed for successful implementation.

1. Staffing Shortages

Implementing a robust insider threat program across all systems would require additional personnel, including specialists in cybersecurity, data analytics, and threat detection. Addressing staffing limitations through targeted hiring or training will be crucial for NASA to effectively monitor unclassified systems for potential threats.

2. Technical Resource Constraints

Extending protections to unclassified systems will require technical upgrades, such as advanced monitoring tools, automated alerts, and analytics platforms capable of processing large volumes of unclassified data. However, these expansions depend on resource availability, especially given that technical infrastructure is often prioritized for classified systems.

3. Funding Limitations

Allocating budget for insider threat programs is challenging, especially when funding is traditionally directed toward high-priority areas. Given the potential impact on procurement, IT upgrades, and training, securing financial resources will be essential to support a broader insider threat framework that includes unclassified systems.

Interdisciplinary Complexity: A Holistic Approach

Expanding insider threat protections for unclassified systems requires coordination across NASA's various offices. The Office of Protective Services and OCIO are primary stakeholders in managing and securing unclassified systems, while the Office of Procurement oversees agency contracts, and the Office of the Chief Financial Officer handles grants and cooperation agreements. This cross-department collaboration is essential, as each office manages different risks associated with unclassified data.

By promoting interdepartmental communication and accountability, NASA can identify unique vulnerabilities, strengthen administrative processes, and ensure all unclassified systems receive adequate protection.

Conducting a Comprehensive Insider Threat Risk Assessment

To effectively assess risks to unclassified systems, NASA should conduct a full insider threat risk assessment that encompasses both technical vulnerabilities and human factors. This proactive measure will help the Agency:

  1. Identify Gaps in Current Security Measures: A comprehensive assessment can reveal specific weaknesses or oversights in existing policies for unclassified systems.
  2. Optimize Resource Allocation: By understanding the specific risk profile of unclassified systems, NASA can make informed decisions on where to invest in upgrades, training, and personnel to maximize security benefits.
  3. Enhance Collaboration Across Offices: A thorough assessment facilitates improved communication between departments, supporting the development of a unified strategy for insider threat management across all NASA systems.

Taking Action to Secure Unclassified Systems Against Insider Threats

Expanding NASA's insider threat protections to unclassified systems is a proactive step toward a more resilient security posture. For the Agency to remain agile in the face of growing cyber threats, several incremental actions can be taken, such as:

  • Implementing Targeted Monitoring on High Risk IT Systems: Rather than monitoring all unclassified systems uniformly, NASA can start by focusing on those systems identified as high risk.
  • Enhancing Training for High Risk Personnel: Conducting specialized security awareness training for personnel working on unclassified systems can improve threat detection and response capabilities across the organization.
  • Leveraging Automated Tools for Threat Detection: Deploying automated threat detection solutions, such as Keepnet's Phishing Simulator, can help monitor user behavior and flag unusual activity without requiring significant manual oversight.
  • Accelerating Phishing Incident Response: When an insider or external attacker uses phishing to gain initial access, fast triage is critical. Keepnet's Phishing Incident Responder enables security teams to analyze and contain threats up to 168x faster, reducing the window of exposure on both classified and unclassified systems.

Building a More Secure Future with Comprehensive Insider Threat Protection

The insider threat landscape continues to evolve, and federal agencies are tasked with adapting to ensure their security protocols are current and resilient. By addressing insider threat risks within unclassified systems, NASA has the opportunity to build a more robust cybersecurity framework that protects all aspects of its mission.

The lessons from NASA's approach apply equally to private sector organizations. Any organization with a large workforce and multiple interconnected systems faces the same challenge of extending threat visibility beyond the most sensitive environments. Platforms like Keepnet's human risk management platform provide the behavioral monitoring and adaptive training needed to detect and reduce insider threat risk at scale.

Editor's Note: This article was updated on April 10, 2026.

Frequently Asked Questions

What is an insider threat program?

An insider threat program is a structured set of policies, tools, and processes designed to detect, prevent, and respond to security risks posed by individuals within an organization, including employees, contractors, and partners. These programs typically involve behavioral monitoring, access controls, training, and incident response procedures. In federal agencies like NASA, insider threat programs are mandated by Executive Order 13587 and the National Insider Threat Policy, which require programs to protect classified information. Extending these programs to cover unclassified systems is an emerging priority in 2025 and 2026.

Why does NASA need to extend insider threat protections to unclassified systems?

Unclassified systems at NASA host critical operational, administrative, and scientific data that, while not classified, is still highly sensitive and valuable. Adversaries including foreign intelligence services actively target unclassified systems because they are often less monitored than classified environments. A breach of unclassified systems can expose personnel data, research, procurement information, and partner communications, all of which can be exploited for espionage, fraud, or subsequent attacks against more sensitive systems.

What are the most common types of insider threats in government agencies?

Government agencies face four main categories of insider threat. Malicious insiders deliberately steal, leak, or sabotage data for personal gain, ideology, or coercion by foreign actors. Negligent insiders cause harm through careless behavior such as clicking phishing links, misconfiguring systems, or mishandling sensitive data. Compromised insiders have had their credentials or accounts taken over by external attackers who then operate under the insider's identity. Collusive insiders work with external threat actors, often in exchange for financial compensation. All four categories can affect both classified and unclassified systems.

How does phishing relate to insider threats?

Phishing is the most common method by which external attackers gain insider-level access to systems. By tricking an employee into surrendering credentials or installing malware, attackers can operate as a trusted insider, bypassing perimeter defenses entirely. This is why organizations like NASA must combine insider threat monitoring with robust security awareness training and phishing simulations to prevent the credential compromise that enables attacks that mimic insider behavior.

What technical tools are used in insider threat programs?

Common technical tools include User and Entity Behavior Analytics (UEBA), which establishes behavioral baselines and flags anomalies; Data Loss Prevention (DLP) solutions that monitor and block unauthorized data transfers; Privileged Access Management (PAM) tools that control and log access to sensitive systems; Security Information and Event Management (SIEM) platforms that correlate logs across systems; and endpoint detection and response (EDR) tools. Phishing simulation and security awareness platforms are also critical because human behavior is the most common initial entry point for both external and insider threats.

What are the key challenges of running an insider threat program in a large federal agency?

The primary challenges include balancing employee privacy rights with monitoring needs, securing adequate funding and personnel dedicated to the program, integrating monitoring across a large and complex IT environment, managing the high volume of alerts generated by automated systems without overwhelming security teams, and maintaining legal and regulatory compliance. In agencies like NASA with scientific and research missions, there is also the challenge of protecting intellectual property and research data that may not be formally classified but is still highly sensitive.

How does security awareness training reduce insider threat risk?

Most insider threat incidents, particularly those involving negligent insiders, are preventable through effective training. When employees understand how to recognize phishing attempts, handle sensitive data correctly, report suspicious behavior from colleagues, and follow secure access policies, the risk of accidental or coerced insider incidents drops significantly. Keepnet's adaptive security awareness training platform delivers behavioral training tailored by role that directly targets the habits most likely to result in security failures caused by insider behavior.

What is the difference between a classified and unclassified insider threat?

A classified insider threat involves unauthorized access to, disclosure of, or sabotage of data that has been formally designated as classified by the government. An unclassified insider threat involves the same harmful behaviors directed at systems and data that have not been formally classified but may still be sensitive, proprietary, or operationally critical. Historically, insider threat programs focused almost exclusively on classified environments. The recognition that unclassified systems also carry significant risk, particularly for agencies like NASA, is driving the current push to extend program coverage.

How should organizations respond when an insider threat is detected?

The response to a detected insider threat should follow a documented incident response plan that includes immediate containment of the affected account or system, forensic preservation of logs and evidence, notification of the appropriate legal and HR stakeholders, assessment of what data was accessed or exfiltrated, and communication to affected parties if required by law. Keepnet's Phishing Incident Responder accelerates triage of suspicious activity reported by employees, helping security teams respond before damage spreads.

How does Keepnet help organizations build insider threat resilience in 2026?

Keepnet's Extended Human Risk Management Platform addresses the human behaviors at the root of most insider threat incidents. It provides phishing simulations to prevent credential compromise, adaptive training to correct risky behaviors before they lead to incidents, and automated incident response to reduce the time between detection and containment. Together, these tools help organizations extend their threat visibility to all systems, not just the most sensitive ones.