1.) What kind of controls (clauses, metrics, etc.) are considered best practice for reducing the insider threat risk associated with contracted privileged users?
2.) Are there any clauses that allow government to hold the contractor accountable for actions their employees take that increase our risk?
There are no current FAR or DFARS clauses available to hold the contractor accountable for actions of their employees. None of the related clauses in FAR Part 39 or DFARS Part 39 (Acquisition of IT) are designed to specifically address limitations on privileged users who are contractors. I believe this is more of a cybersecurity issue than a contracting issue. I would recommend working with your cybersecurity and legal personnel to craft a local clause for use by your office in contracts with a large number of contractors with system access. The clause can contain a paragraph listing your concerns with significant contractor access, and identify the penalties and remedies when these concerns are violated.
You may want to use some of the language describing "supply chain risk" located in the DFARS clause 252.239-7018, Supply Chain Risk (OCT 2015).