Watchdog critical of DOD insider threat program
Types of threats included in the Defense Department’s Insider Threat Program. (GAO)
The Defense Department’s efforts to meet the minimum standards of the National Insider Threat Policy issued in 2012 have been inconsistent across its component agencies, potentially affecting its ability to conduct accurate risk assessments, according to a new Government Accountability Office report.
An unclassified version of the report, released June 2, reveals that a half-dozen Pentagon component agencies have made progress on their insider threat programs, but only half had instituted a baseline of normal activity — a key aspect of insider threat protection used to identify unusual behavior that might pose a security risk. Half of the components also told GAO they are in need of better analytic tools to identify suspicious behavior, particularly on Defense Department computer networks.
The lack of consistency across components and the failure of DOD to issue specific guidance means the department may not be capable of producing an accurate risk assessment of its insider threat posture. “DOD components have identified technical and policy changes to help protect classified information and systems from insider threats in the future, but DOD is not consistently collecting this information to support management and oversight responsibilities,” the GAO report states.
GAO continued, “DOD components had not incorporated risk assessments because DOD had not provided guidance on how to incorporate risk assessments into components’ programs. Until DOD issues guidance on incorporating risk assessments, DOD components may not conduct such assessments and thus not be able to determine whether security measures are adequate.”
The National Insider Threat Policy, issued by President Barack Obama in 2012, directed each agency’s insider threat program to include six minimum standards: designation of senior official(s); information integration, analysis, and response; insider threat program personnel; access to information; monitoring user activity on networks; and employee training and awareness.
