On January 28, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a new resource on Assembling a Multi-Disciplinary Insider Threat Management Team.  The guidance is intended to assist critical infrastructure stakeholders, which includes private sector entities across various sectors, with implementing an insider threat mitigation program that combines physical security, cybersecurity, personnel awareness, and community partnerships.  Although framed for critical infrastructure, CISA’s guidance is relevant to a broader range of organizations, including those outside of critical infrastructure sectors—a point echoed in Covington’s 2025 insider threat webinar series, discussed further below.

Insiders—individuals with institutional knowledge and current or prior authorized access—can cause significant harm to organizations, including through data compromise, operational disruption, reputational damage, loss of revenue and market share, and risks to personnel safety.  According to CISA, assembling a Multi-Disciplinary Insider Threat Management Team is a critical part of an insider threat program that can reduce the damage and frequency of insider threats.  

CISA emphasizes that effective insider threat management depends on integrating multiple disciplines – security, human resources, legal, information technology, and operations – in a manner consistent with the organization’s risk tolerance, structure, and culture.

CISA’s emphasis on multi-disciplinary insider threat management teams is also consistent with a broader legal trend reflected in recent state statutes, as discussed in our prior article, When Physical and Cyber Threats Converge: Six Tips for Companies.  For example, since 2020, several states have enacted or amended statutes requiring schools or other educational entities to establish programs for responding to threats, including by establishing multi-disciplinary threat assessment teams.

The POEM Framework

At the center of the guidance is CISA’s four-phase POEM (Plan, Organize, Execute, and Maintain) framework, which is intended to structure the lifecycle of an insider threat management team.

  1. In the planning phase, organizations are encouraged to structure and scope the role of the threat management team.  The planning phase includes defining the team’s purpose, identifying critical assets and priorities, determining risk tolerance, and establishing reporting pipelines.
  2. In the organizing phase, the team guides employee awareness, encourages a culture of reporting, and provides needed support to relevant departments as they identify potential insider threat activity.  CISA advises that “a trusted staff, with varied expertise in a wide range of disciplines, will be better able to synthesize and analyze data from sources across the organization” in order to better provide needed support. 
  3. The execution phase addresses operation of the program, including implementing mandatory training, integrating information, establishing an analysis hub, and leveraging organizational assets.  CISA encourages teams to seek guidance from legal counsel to ensure compliance with state, local, federal, and other laws.
  4. The maintenance phase requires maintaining and developing the threat management team.  To adapt to emerging insider threats, CISA emphasizes providing ongoing training, incorporating mitigation strategies into new lines of business, revising policies and procedures, soliciting employee feedback, and utilizing external resources.  CISA characterizes insider threat management as an ongoing and dynamic process rather than a one-time effort.

Team Composition and Operational Considerations

CISA recommends that insider threat management teams draw from a broad range of internal stakeholders and external assistance.  Internal team members may include insider threat analysts, human resources, legal counsel, information security (such as the CIO or CISO), physical security, and operations.  External team members may include law enforcement, investigators, external risk screening professionals, and medical or mental health professionals.

CISA advises that teams establish clear leadership, meet routinely, and complete training on topics such as threat assessment, investigations, records management, and data privacy. 

Information Handling and Legal Context

The guidance underscores that insider threat management teams routinely handle sensitive, private, and personally identifiable information.  As a result, CISA notes the need for strict confidentiality, secure handling of records, and sharing information only on a need-to-know basis.  The resource notes the importance of consulting legal counsel to ensure compliance with applicable federal, state, and local laws governing privacy, employment, and records retention.

Takeaways

As organizations face increasingly complex risk environments, CISA’s guidance underscores that insider threats are a significant risk that should be integrated into companies’ cybersecurity and broader risk management frameworks, and that a multi-disciplinary threat management team is an integral component of insider threat mitigation.  Covington also provided guidance on the importance of a well-designed insider threat program in its 2025 insider threat webinar series, which covered foundational concepts related to insider threats, risk and recovery considerations, monitoring and investigation practices, and preparation and prevention measures, including how various teams and personnel within an organization can contribute to those efforts.  By taking a structured, multi-disciplinary approach, organizations can better align their internal capabilities, ensure legal and operational consistency, and strengthen overall resilience against insider threats.

*            *            *

Covington regularly advises companies on their insider threat programs and helps companies respond to insider threat incidents.  Please reach out to a member of the Data Privacy and Cybersecurity practice group if you need any assistance.

Ashley Nyquist

Ashley guides clients through their most sensitive, high-stakes matters, including government investigations and enforcement matters, independent investigations, and internal investigations into issues posing enterprise-level risk. Her broad-ranging practice has spanned some of the most novel, sensitive, and complex issues facing companies and individuals.

Ashley represents clients – from the largest multi-national companies to individuals – in criminal and civil government investigations led by the Department of Justice (DOJ) and other federal, state, and foreign regulators. In recent years, she has defended clients against allegations of obstruction of justice, false statements, fraud, corruption, and violations of the False Claims Act. She has considerable experience navigating complex, multi-dimensional matters involving parallel criminal, civil, and reputational risks, and has secured multiple full declinations for her clients in federal criminal and civil investigations. She also conducts internal and independent investigations into allegations ranging from fraud to obstruction to data security to sexual misconduct.

Among Ashley’s specialties are crisis matters requiring rapid response and investigation. She is adept at swift fact-finding and analysis and often handles short-fuse internal investigations involving unique or highly sensitive fact patterns posing potential enterprise-level risk. These matters often expand – through press coverage or otherwise – into complex government investigations involving one or more regulators, such as DOJ, state Attorneys General, and foreign regulators.

Since the early days of the #MeToo movement, Ashley has handled investigations into allegations of sexual misconduct and other types of harassment, discrimination, and workplace misconduct.

Given her deep expertise on investigations-related matters, Ashley also routinely advises clients on internal protocols and best practices related to internal investigations, insider threat matters, law enforcement engagement, and privilege.

Ashley has worked with clients from a variety of sectors and industries, including technology, defense, consumer products, food processing, financial services, life sciences, and education.

Ashley’s pro bono work focuses on representing individual criminal defendants in state court and advising non-profits on law enforcement interactions and enforcement risks.

Before practicing law, Ashley taught high school English in rural China.

Ashden Fein

Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

Caleb Skeath

Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

John Webster Leslie

Web Leslie advises clients on a broad range of challenges and opportunities at the intersection of technology and security, including investigations, regulatory, and transactional matters related to cybersecurity, national security, critical infrastructure, and data privacy.

In his white-collar practice, Web helps clients navigate both government and internal investigations. He specializes in complex civil and criminal investigations related to alleged government contracts fraud and other cybersecurity-related allegations under the False Claims Act, FTC Act, and equivalent state laws. Additionally, Web assists clients in responding to a variety of cyber incidents, ranging from intrusions and extortion by advanced persistent threats to business email compromises and large-scale data breaches. Web also helps clients investigate insider threat activity and potential noncompliance with regulatory and contractual cybersecurity requirements.

In his advisory and transactional practice, Web assists clients across a wide range of industries and critical infrastructure sectors in managing risk in an evolving regulatory landscape. He regularly advises on cybersecurity compliance and best practices, information security program development, incident response preparedness, insider threat risks, third-party risk management, and international cyber regulations, among other areas. Web also advises clients on a variety of government and industry standards, including the NIST Cybersecurity Framework 2.0, NIST SP 800-53, NIST SP 800-171, FedRAMP and state equivalents (e.g., GovRAMP, TX-RAMP), CJIS, ISO/IEC standards (e.g., ISO 27001), SOC2 Type 2, and other sector-specific requirements (e.g., HIPAA Security Rule, PCI DSS, DFARS Clause 252.204-7012, NERC Critical Infrastructure Protection).

In addition to his regular practice, Web counsels pro bono clients on data breach, immigration, and criminal law matters.

Web previously served in government in different roles at the Department of Homeland Security (DHS), including at the National Protection and Programs Directorate—known today as the Cybersecurity and Infrastructure Security Agency (CISA)—where he specialized in cybersecurity and critical infrastructure protection, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

Matthew Harden

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He works with clients across industries, including in the technology, financial services, defense, entertainment and media, life sciences, and healthcare industries.

As part of his cybersecurity practice, Matthew provides strategic advice on cybersecurity and data privacy issues, including cybersecurity investigations, cybersecurity incident response, artificial intelligence, and Internet of Things (IoT). He also assists clients with drafting, designing, and assessing enterprise cybersecurity and information security policies, procedures, and plans.

As part of his litigation and investigations practice, Matthew leverages his cybersecurity experience to advise clients on high-stakes litigation matters and investigations. He also maintains an active pro bono practice focused on veterans’ rights.

Matthew currently serves as a Judge Advocate in the U.S. Coast Guard Reserve.

Catherine McGrath

Catherine McGrath represents companies and individuals involved in high-profile and complex government investigations.

Catherine’s practice involves advising and defending clients as they navigate high-stakes civil and criminal investigations before the Department of Justice, Securities and Exchange Commission, and Federal Trade Commission.

Samar Amidi

Samar Amidi is an associate in the firm’s San Francisco office. She is a member of the Data Privacy and Cybersecurity Practice Group. Samar advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, product development, and responses to regulatory inquiries. She also maintains an active pro bono practice with a focus on immigration.