Until recently, national insider threat policy did not measure whether your agency's insider threat detection program actually identified insider threats. The only measure was whether you had a program that met certain minimum standards.
That is changing fast, especially for agencies under the Department of Defense, and other agencies will likely need to follow suit (more on that below).
Following major insider threat incidents such as the Washington Navy Yard shooting and Edward Snowden's information leaks, federal law now requires that covered agencies not only have an insider threat detection program, but that the program be evaluated against specific effectiveness metrics rather than simply against whether it exists.
In order to understand what action steps your agency needs to take today, we need to take a step back to review the evolving story of national insider threat policy.
Memorandum For National Insider Threat Policy
In November 2012, President Obama issued a memorandum for all agencies under his jurisdiction entitled, “The National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.” The policy requires all executive departments and agencies that access classified information to establish insider threat detection programs.
The required programs must adhere to minimum standards covering personnel security, threat and risk analysis, law enforcement, information sharing, network monitoring, and training and awareness. Each agency and department must conduct quarterly self-assessments of its insider threat compliance and report the results to the National Insider Threat Task Force, which oversees implementation of the policy.
Memorandum Failure Points
As with most far-reaching national policies, many of the memorandum's requirements do not specify what insider threat compliance actually involves. In practice, it is up to the agencies themselves to decide what counts as compliant.
For example, the mandatory self-assessments use metrics known as Key Information Sharing and Safeguarding Indicators (KISSI). These are essentially "yes or no" questions that establish whether an agency has an insider threat detection program at all. There are about fifty such questions in the assessment, including:
- Do we have an implemented insider threat program?
- Do we have an insider threat policy?
- Do we monitor user activities for insider threat indicators?
- Do we conduct briefings for travel to countries with high-risk security threats and vulnerabilities?
KISSI assessments give a useful high-level view of an agency's insider threat compliance, but they do not measure whether the program works. Metrics that measure effectiveness need to quantify what each control contributes to preventing or detecting insider threats, and their answers require more than a checkbox. For example, after noting that your agency employs network monitoring tools, you should also ask:
- What kinds of network monitoring tools are employed?
- How much do they cost?
- What aspects of user behavior do they monitor?
- How effectively do they detect anomalous or suspicious behavior? In other words, what share of known or simulated insider activity did they flag, how many false positives did that cost, and how quickly did an alert reach someone able to act on it?
With the Snowden affair and the Navy Yard shooting both occurring after the November 2012 memorandum was issued, the policy's failure points became clearer. As a result, federal policy turned its attention to the effectiveness of insider threat detection programs rather than their mere existence.
A Shift Toward Effectiveness: The 2014 NDAA
The clearest example of this shift toward insider threat detection effectiveness is the National Defense Authorization Act (NDAA) for fiscal year 2014. This law directs the Secretary of Defense, the Director of National Intelligence and the Director of the Office of Management and Budget to develop a strategy to modernize personnel security for the Department of Defense and reduce insider threats and espionage.
The President and Congress also required that these updated processes be evaluated against specific metrics. By assessing the effectiveness of the Defense Department's insider threat detection program, rather than just its existence, the new law is far better positioned to deter and detect potential threats.
Implications For Other Federal Agencies
While the NDAA focuses primarily on Defense Department personnel, the law also emphasizes the importance of sharing information between agencies, including those outside the Department of Defense. Specifically, it calls for the electronic integration of information systems across every agency deemed necessary for complete insider threat assessment and deterrence.
If your agency is included in that information sharing or system integration, you need to prepare it for full compliance with the NDAA and its insider threat detection implications.
The NDAA shows that Congress and the President are not satisfied with agency-built, self-assessed insider threat programs; they are raising the bar. While that may initially cover only the Department of Defense and a handful of connected organizations, every agency should plan for the NDAA's reach to widen if its initial requirements prove successful.
Even if your agency does not fall under the law's initial jurisdiction, start preparing today for more accountable insider threat detection metrics. And because the NDAA requirements come with no explicit budget increase, plan to complete your upgrades with little or no additional funding.
Improving your insider threat detection program? Click below to read the free whitepaper from Big Sky Associates on how to allocate your budget appropriately for the most comprehensive internal organizational security.