CISA introduces POEM framework to strengthen insider threat mitigation across critical infrastructure - Industrial Cyber

Industrial Cyber · Archived Mar 16, 2026
JANUARY 29, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a comprehensive document that calls upon critical infrastructure organizations to act against insider threats by taking more decisive steps to address insider risk. The guidance lays down a ‘Plan, Organize, Execute, and Maintain’ (POEM) framework that encourages an organization to Plan how it will use a threat management team, Organize the team’s members according to the organization’s needs, Execute effective insider threat mitigation through use of the team, and Maintain the viability of the threat management team so it can grow its capabilities and improve its operation into the future.

Titled ‘Assembling a Multi-Disciplinary Insider Threat Management Team,’ the CISA resource focuses on helping stakeholders build strong, multidisciplinary insider threat management teams. Designed for critical infrastructure entities as well as state, local, tribal, and territorial (SLTT) governments, it provides actionable strategies to proactively prevent, detect, and mitigate insider threats, helping organizations stay ahead of evolving organizational vulnerabilities.

The POEM framework aims to raise critical infrastructure stakeholders’ awareness of insider threats, the potential damage they can inflict, and the steps necessary to construct an insider threat management team that strengthens organizational preparedness and protection. Through an infographic, the agency guides stakeholders in forming a comprehensive, holistic, multidisciplinary team comprising personnel from various sectors of the organization. It also provides recommendations for maintaining the team so it can address evolving vulnerabilities effectively.
“Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” Madhu Gottumukkala, acting CISA director, said in a Wednesday media statement. “CISA is committed to helping organizations confront this risk head-on by delivering practical strategies, expert guidance, and actionable resources that empower leaders to act decisively — building resilient, multi-disciplinary teams, fostering accountability, and safeguarding the systems Americans rely on every day.”

“Insider threats can disrupt operations, compromise safety, and cause reputational damage without warning. Organizations with mature insider threat programs are more resilient to disruptions, should they occur. People are the first and best line of defense against malicious insider threats and organizations should act now to safeguard their people and assets,” according to Steve Casapulla, CISA’s executive assistant director for infrastructure security. “With input from our industry and government partners, our new infographic delivers clear, actionable guidance for building insider threat management teams. We encourage leadership to draw expertise from across departments for a holistic defense, while fostering a culture of trust where employees feel empowered to report concerns and stop threats before they escalate.”

Insider threats often take two forms: calculated acts of harm and unintentional mistakes. Malicious insiders may exploit access for personal gain or revenge, causing severe damage to systems and trust. At the same time, negligence or simple human error can open the door to vulnerabilities that adversaries can exploit. Whether driven by intent or accident, insider threats pose one of the most serious risks to organizational security and resilience, demanding proactive measures to detect, prevent, and respond.
Such threats can compromise sensitive information, damage organizational reputation, cause revenue loss, reduce market share, and harm people or other key assets. Across the modern threat landscape, insider threat management teams play a vital role in organizational resilience and should be treated as essential rather than optional. By following this roadmap and implementing its recommendations, organizations can reduce vulnerabilities, prevent workplace violence, and turn weakness into strength, reinforcing their defenses against evolving threats.

The planning stage of the POEM framework allows an organization to clearly structure and define the scope of its threat management team. Answering foundational questions early helps ensure the team is built to meet the organization’s specific needs. Organizations should first identify which critical assets require protection and define team priorities based on overall risk tolerance. They should also determine which team structure aligns best with existing organizational culture, reporting pipelines, and systems already in place. As part of this process, organizations need to decide where the threat management team fits within the broader enterprise, with an emphasis on integrating and leveraging existing functions rather than creating isolated silos. Selecting the most appropriate operating model is equally important. Finally, organizations should identify the disciplines best suited to support the threat management team and consider integrating expertise from behavioral analysts, psychologists, mental health specialists, and human resources professionals who can provide insight into workplace dynamics.

The team plays a central role in guiding employee awareness, fostering a culture of reporting, and providing support to relevant departments as they identify and respond to potential insider threat activity.
A trusted team with diverse expertise across multiple disciplines is better equipped to synthesize and analyze data drawn from across the organization. It also advocates for the consistent application and promotion of organizational policies and procedures. Leadership is responsible for creating an environment in which staff feel comfortable raising concerns or reporting safety issues without fear of retaliation. As the threat management team will handle sensitive, private, and personally identifiable information, discretion is essential. Both physical and digital records must be securely maintained, and information should be handled with the highest level of confidentiality and shared strictly on a need-to-know basis. Organizations should consult legal counsel to ensure compliance with applicable laws, while consistent training and enhanced vetting of team members can help reduce the risk of an insider threat emerging from within the team itself.

Once the threat management team is established to meet organizational needs, its actions should consistently support and uphold the organization’s insider threat mitigation program. The team must be diligent in gathering data, managing information, and supporting the workforce in detecting and assessing potential threats. To operate effectively, team members should be equipped for threat mitigation through mandatory training and clearly defined processes that coordinate analysis and response activities. Organizations should also establish and maintain a central hub to collect, review, and analyze information, ensuring the team can manage and act on the data it receives in a consistent and structured manner. The team should leverage existing organizational assets, including personnel security files, human resources records, facility access logs, travel records, foreign contact reports, and financial disclosure filings, to build a more complete understanding of potential risk.
Throughout this work, organizations should seek guidance from legal counsel to ensure full compliance with state, local, federal, and other applicable laws.

Maintaining and developing a threat management team is an ongoing, dynamic process that helps ensure an organization remains prepared to mitigate insider threats over the long term. As insider risks evolve, the team must adapt its procedures to reflect updated organizational policies, changing business priorities, and shifts in workplace culture. To strengthen the team’s capabilities, organizations should regularly re-evaluate performance through consistent training and exercises. Insider threat mitigation strategies should also be embedded into new lines of business and emerging organizational priorities to ensure risk management keeps pace with growth and change. At the same time, organizations need to continually revise policies, procedures, and standards to maintain compliance with legal obligations, particularly when reviewing incidents or conducting post-event assessments. Actively soliciting employee feedback can help surface challenges early, while leveraging external resources can further support the development and sustainability of a robust insider threat mitigation program.

Last week, CISA published an initial list of hardware and software categories that currently support, or are expected to support, post-quantum cryptography (PQC) standards. The list helps organizations plan PQC migration strategies and evaluate future technology investments in an evolving cybersecurity landscape. It includes examples of widely available products within these categories that use PQC standards to protect sensitive information.

Anna Ribeiro, Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.