Hi, I'm Amanda, PR Manager at TrustNet. I'd like to pitch our CISO, Trevor Horwitz, for this opportunity. He's previously shared his expertise with Dark Reading, CSO Online, Authority Magazine, and other reputable publications.

About Trevor: Trevor Horwitz is widely recognized as a cybersecurity leader with over two decades of experience. As the co-founder and CEO of two leading cybersecurity companies, TrustNet and iTrust, Trevor has pioneered innovative information security and data protection solutions. His expertise spans managing complex cybersecurity challenges, including regulatory compliance, privacy, and data governance. Trevor also leads each company's strategic direction, driving advancements in digital trust for a diverse global client base including Herbalife, CareerBuilder, TaxAct, Calendly, Grubhub, Northwestern University, and Goodwill. His contributions have been recognized globally, establishing him as a trusted advisor in the industry. His commitment to enhancing cybersecurity standards is reflected in his active participation in industry forums and his frequent contributions to thought leadership on emerging cyber threats and solutions.

As for the rest of his background, Trevor previously served as President of InfraGard Atlanta in partnership with the FBI and has been a sought-after speaker at international security conferences including RSA Conference, SPIN, TAG, and ISACA. His qualifications include CISSP, PCI QSA, PCI PCIP, HITRUST CCSFP, CISA, and ISO 27001 Lead Auditor.

About TrustNet: TrustNet is a leading provider of managed security, consulting, and compliance services. Since 2003, TrustNet has been a strategic partner helping clients ensure the security and integrity of their businesses. From our headquarters in Atlanta, Georgia, TrustNet serves mid-size and large organizations, both public and private, across multiple industries, in the United States and around the world.
Contact Information:
* Company: TrustNet - https://www.TrustNetInc.com
* Role: Co-founder & CISO
* LinkedIn: Trevor Horwitz - https://www.linkedin.com/in/trevorhorwitz/
* Headshot: https://drive.google.com/file/d/1LKCLPnUuo0_4h_hJEeHgWEfEwrwbN0yB/view?usp=sharing

If you're interested in having a chat with Trevor, kindly connect with me here or via amanda.arambulo@trustnetinc.com so that I can book his time right away.
Insider threats are best addressed through a balance of technology, process, and culture. From a security perspective, organizations should implement least-privilege access, continuous user behavior monitoring, and regular access reviews. Many insider incidents occur because employees retain access long after roles change. Equally important is process maturity. Clear onboarding and offboarding procedures, separation of duties, and periodic security audits significantly reduce risk. Finally, culture matters. In my experience working with enterprise security operations, organizations that invest in security awareness training and transparent reporting channels detect insider risks much earlier. Most insider threats are not malicious at the start but evolve due to negligence or stress. Early detection and preventive controls make the biggest difference.
What I think about this insider threat problem is that, for the most part, it comes down to rushed hiring and blind trust in job roles at federal contractors. Vetting is mostly treated as a box-ticking practice instead of an ongoing risk assessment. A good background check may confirm identity and criminal history, but it doesn't always look deeply at past access to sensitive systems, conflicts of interest, or unusual employment gaps, especially for technical roles that end up with broad system privileges. Another issue is too much permission. New hires are frequently given more access than they need, and most times those permissions are never revoked. When access reviews are weak or irregular, a single insider can quietly reach data far outside their job scope without raising alarms. The most effective contractors I have seen reduced insider threat risk by combining strict least-privilege access, continuous monitoring, and mandatory peer review for sensitive system changes. Just as important, they create a culture where security teams can slow down hiring or access approvals without being overruled for the sake of speed. Insider threats are not always malicious; most times they are the result of poor process, weak oversight, and pressure to move fast in places where caution should come first.
FedRAMP is a system authorization framework, not a universal personnel vetting program. For unclassified federal systems, many contractors rely on commercial background checks for roles that are not formally cleared, because FedRAMP itself does not mandate government-run suitability investigations for all personnel. Citizenship and location requirements are often introduced through contract language, agency policy, or data-handling rules, rather than the FedRAMP baseline alone. In many environments, privileged access roles are restricted to U.S. persons or must operate from U.S. soil, even when the underlying data is unclassified. The gap exposed in cases like this is not simply "bad screening," but unclear minimum standards for high-privilege roles. When individuals have administrative access to production systems or government records, vetting expectations should be higher and paired with technical controls that assume screening can fail, such as least privilege, privileged access management, and continuous monitoring. The key issue is that system authorization does not automatically translate into personnel trust. That alignment has to be made explicit in contracts and enforced operationally. One additional factor is that many organizations do not routinely evaluate themselves the way an adversary would. Federal threat reporting, including publicly released DC3 DIB insights, consistently shows that attackers exploit predictable human and access pathways long before technical controls fail. Without an intelligence-informed view of how roles, access, and trust decisions appear from the outside, organizations can meet baseline requirements while still carrying significant insider and exposure risk.
Looking at this insider threat story, the real issue isn't that there aren't rules in place; it's that they're not being enforced consistently. FedRAMP and GSA rules allow self-certification for some unclassified roles, but that creates blind spots when you're relying on commercial background checks. Commercial screens tend to focus on speed and cost, and often miss federal conviction records. The FDIC process managed to flag the issue because it uses deeper databases and cross-agency verification. To be honest, I think we need to take a hard look at our vetting processes and make sure we're not taking shortcuts. Even moderate-risk roles should require FBI fingerprinting, not just because it's a hassle or takes too long, but because insider threats can be so devastating. We need to match our vetting to the level of access, not just job labels.
In my years running healthcare IT security, I've watched tiny vetting mistakes turn into disasters. One dental practice hired someone with a fraud conviction because they only paid for the basic screening. After some heated discussions, we made federal and state record searches mandatory for all hires. Don't rely on commercial checks alone when patient data is on the line.
Headline: The "Commercial Blind Spot": Why FedRAMP Moderate Needs Biometric Vetting

Response: The Opexus incident highlights a catastrophic gap between "Compliance" and "Security." The core failure here is relying on commercial background screens (Consumer Reporting Agencies) for positions that have access to sensitive federal data.

The Commercial vs. FBI Gap (Addressing Q4 & Q5): Commercial checks often fail because they are name-based and time-limited. Under the Fair Credit Reporting Act (FCRA), many commercial screens only report convictions going back seven years. Furthermore, if a candidate changes their name or uses a variation, a database search might miss the record entirely. In contrast, the FDIC's process (and what should be the standard) uses biometric vetting (FBI Fingerprinting) against the NCIC database. Fingerprints do not lie, do not expire after seven years, and are immune to name changes.

What Needs to Change (Addressing Q2): We must end the bifurcation of vetting standards based on "Classified" vs. "Unclassified" data. In the age of ransomware and data brokering, unclassified data (PII of citizens) is just as valuable to bad actors. The fix is simple but requires a policy shift: mandatory FBI Rap Back service enrollment for any contractor with admin-level access to FedRAMP environments, regardless of clearance level. We cannot rely on a "trust but verify" model where the verification is outsourced to the lowest commercial bidder.
In my professional view, the distinction between cleared and uncleared roles often creates blind spots. Even when data is unclassified, system access can still carry meaningful risk. I've worked with teams that mitigated this by implementing enhanced screening and monitoring for sensitive roles, regardless of clearance level. That shift improved detection of policy violations and increased confidence with government customers.
I've found that many federal contractors lean too heavily on minimum compliance requirements rather than designing controls for real-world risks. In practice, stronger identity assurance, separation of duties, and least-privilege access make a measurable difference. When I helped implement these measures in a contractor environment, we significantly reduced the number of users with standing administrative access and improved audit outcomes.
The question is essentially how federal contractor vetting failed here and what safeguards need to change to keep insider threats out. In my work partnering with government-facing vendors, I've seen how FedRAMP and GSA rules allow contractors to self-certify screening for unclassified roles, which often means relying on fast, commercial background checks instead of deeper federal record searches. That speed-first approach creates blind spots, and I've personally pushed back on onboarding timelines when a "clean" commercial report didn't match what a simple open-source search revealed. The Opexus case shows that minimum compliance isn't the same as meaningful risk reduction. What needs to change is treating access—not data classification—as the trigger for stronger vetting. Commercial checks differ from the FDIC's process because they often miss older federal convictions unless fingerprinting or direct FBI database integration is used, which is why the brothers' records surfaced only during a clearance review. Contractors rely on lighter screens for FedRAMP moderate roles largely due to cost and hiring pressure, but that tradeoff ignores the real damage insider access can cause. From what I've seen, effective organizations add layered reviews, continuous monitoring, and escalation paths that slow hiring slightly but prevent reputational and operational fallout later.
This is less about a single hiring mistake than it is about a predictable failure of risk assessment. The root of the problem is the gap between a normal commercial background check and a proper screening at the federal level. Normal checks are designed for speed and low cost, covering county-level criminal records and credit checks. They often miss federal convictions, which require a more involved process, sometimes requiring an FBI fingerprint check. Generally allowing self-certification for roles dealing in sensitive-but-unclassified data, when there is a strong incentive to default to the lowest level, is a recipe for disaster--for the system at risk, that is. Unless the contracting agency asks for, and is willing to pay for, an appropriate level of scrutiny, contractors tend to optimize for the absolute fastest and cheapest vetting process that meets the minimum qualification. The rules basically allow contractors to grade their own homework when it comes to security--something history has shown is almost never a good idea. The change that needs to be made is to ensure that the lowest common denominator of vetting is tied not to the classification level of the data being dealt with, but to that of the system itself. For a provider managing records for more than 45 agencies in a high-speed information-sharing environment, settling on a normal commercial screen is a significant underassessment of risk.