A Bloomberg investigation recently exposed what the FBI has been warning about for months: North Korean IT workers are infiltrating American companies using stolen identities, VPN chains, and laptop farms — sometimes pulling six-figure salaries that funnel directly back to Pyongyang.
Some of these workers landed roles at defense contractors.
Let that sink in.
The Scope of the Problem
The Department of Justice has charged dozens of individuals in connection with North Korean IT worker schemes. The playbook is disturbingly simple:
- Stolen identity — Real American credentials, often purchased on dark web markets
- Professional profiles — Polished LinkedIn pages, fabricated work histories, legitimate-looking portfolios
- Laptop farms — U.S.-based facilitators host physical machines so remote connections appear domestic
- Remote work — The DPRK worker logs in from overseas, appearing to be a local employee
One case in Nashville involved a single facilitator hosting laptops for over a dozen North Korean workers simultaneously. Combined, these schemes have generated hundreds of millions in revenue for the North Korean regime.
Why This Matters for the Defense Industrial Base
If your company handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), CMMC requires you to implement controls that directly address this threat — whether you realize it or not.
Personnel Security (PS) Controls
NIST 800-171 Rev 2, Control 3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI.
Most companies interpret this as "run a background check." But a background check against a stolen identity clears just fine. The question isn't whether the background check passed — it's whether the person on the other end of the Zoom call is who they claim to be.
What you should be doing:
- Identity verification beyond standard background checks — biometric verification, in-person onboarding where possible
- Continuous monitoring of remote worker behavior patterns
- Geographic verification that goes beyond IP address checking
- Cross-referencing employment eligibility with identity documentation
Access Control (AC) — Least Privilege
Control 3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
A North Korean IT worker doesn't need admin access to exfiltrate CUI. But limiting access to only what's required for the job reduces the blast radius when — not if — an identity compromise occurs.
Audit and Accountability (AU)
Control 3.3.1: Create and retain system audit logs and records.
If a compromised worker is accessing your systems, your audit logs are the forensic trail. Are you logging enough? Are you reviewing those logs? Can you detect anomalous access patterns — like a "Tennessee-based" developer consistently active during Pyongyang business hours?
Risk Assessment (RA)
Control 3.11.1: Periodically assess the risk to organizational operations, assets, and individuals.
If your last risk assessment didn't include "nation-state actors embedded in our workforce" as a threat scenario, it's time to update it.
The Hard Truth
CMMC compliance isn't just about firewalls and encryption. It's about the people inside your perimeter. The most sophisticated technical controls in the world don't help when the threat actor has legitimate credentials and a company laptop.
The North Korean IT worker scheme exploits the one gap most companies refuse to take seriously: identity assurance for remote workers.
What To Do Now
- Audit your remote workforce identity verification process. If it starts and ends with a background check, you have a gap.
- Implement behavioral monitoring for remote access — login times, geographic patterns, access frequency.
- Review your subcontractor and staffing agency controls. Many of these workers enter through third-party staffing firms. Your supply chain is your attack surface.
- Update your risk assessment to include insider threat scenarios involving identity fraud.
- Talk to your C3PAO. If you're preparing for a CMMC assessment, make sure your personnel security narrative addresses modern threat actors — not just the disgruntled employee scenario from 2015.
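The anomaly the Audit and Accountability section describes (a "Tennessee-based" developer consistently active during Pyongyang business hours) and the behavioral monitoring item above are the same detection, worked here as an added example that is not from the original article or any product. It runs over constructed SSO/VPN log lines and assumes an HR-sourced home time zone per user; the 203.0.113.x addresses and user names are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample log lines (not real data); timestamps are UTC.
SAMPLE_LOG = """\
2025-01-14T01:15:00Z user=jdoe src=203.0.113.10 result=success
2025-01-14T02:40:00Z user=jdoe src=203.0.113.10 result=success
2025-01-15T04:05:00Z user=jdoe src=203.0.113.10 result=success
2025-01-15T05:50:00Z user=jdoe src=203.0.113.10 result=failure
2025-01-15T05:50:00Z user=jdoe src=203.0.113.10 result=success
2025-01-16T07:20:00Z user=jdoe src=203.0.113.10 result=success
2025-01-16T08:30:00Z user=jdoe src=203.0.113.10 result=success
2025-01-14T14:05:00Z user=asmith src=203.0.113.25 result=success
2025-01-14T16:45:00Z user=asmith src=203.0.113.25 result=success
2025-01-15T18:10:00Z user=asmith src=203.0.113.25 result=success
2025-01-16T20:00:00Z user=asmith src=203.0.113.25 result=success
2025-01-17T22:30:00Z user=asmith src=203.0.113.25 result=success
"""
# Declared home time zone per worker; assumed to come from HR records.
HOME_TZ = {"jdoe": "America/Chicago", "asmith": "America/Chicago"}
BUSINESS_HOURS = range(8, 19)  # 08:00 through 18:59 local time
LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")

def parse_logins(log_text):
    """Return {user: [timezone-aware UTC datetimes]} for successful logins only."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "success":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        by_user[m.group(2)].append(ts.replace(tzinfo=timezone.utc))
    return by_user

def business_hour_fraction(stamps, tz_name):
    """Fraction of logins that land inside business hours in the given zone."""
    tz = ZoneInfo(tz_name)
    return sum(ts.astimezone(tz).hour in BUSINESS_HOURS for ts in stamps) / len(stamps)

def flag_timezone_mismatch(log_text, home_tz, candidate_tz="Asia/Pyongyang",
                           threshold=0.8, min_logins=5):
    """Flag users whose logins mostly miss their declared local business hours yet
    mostly fit candidate_tz. A hit is a lead for HR/SOC review, not proof: night-shift
    staff and travel produce the same pattern, so min_logins avoids flagging one trip."""
    flagged = {}
    for user, stamps in parse_logins(log_text).items():
        if len(stamps) < min_logins or user not in home_tz:
            continue
        home = business_hour_fraction(stamps, home_tz[user])
        cand = business_hour_fraction(stamps, candidate_tz)
        if home <= 1 - threshold and cand >= threshold:
            flagged[user] = {"logins": len(stamps), "home_hours": round(home, 2),
                             "candidate_hours": round(cand, 2)}
    return flagged
```

Feed it a week of real SSO export and the same thresholds; the output is a review queue for personnel security, which is the evidence an assessor will ask for under 3.3.1.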
The Bottom Line
The DIB has spent years focused on external threats — nation-state hackers probing networks, phishing campaigns, zero-day exploits. But the most dangerous threat might already be on your payroll.
CMMC exists because the DoD recognized that protecting CUI requires more than good intentions. The North Korean IT worker problem proves why. If you're not screening for it, you're not compliant — you're just lucky.
Close the Gap Before Your Assessor Finds It
If "personnel security" on your SSP is a checkbox and not a program, you have work to do.