Congress Enacts Insider Threat Detection Program (Secrecy News):
Congress ordered the Secretary of Defense to establish an information security program for detecting “unauthorized access to, use of, or transmission of classified or controlled unclassified information.” The provision was included in the FY2012 defense authorization act that was approved in conference this week (section 922).
The insider threat detection program, conceived as a response to WikiLeaks, is intended to “allow for centralized monitoring and detection of unauthorized activities.” Among other things, it is supposed to employ technology solutions “to prevent the unauthorized export of information from a network or to render such information unusable in the event of the unauthorized export of such information.”
H.R. 1540, NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2012, SEC. 922. INSIDER THREAT DETECTION (Federation of American Scientists):
(a) Program Required.--The Secretary of Defense shall establish a program for information sharing protection and insider threat mitigation for the information systems of the Department of Defense to detect unauthorized access to, use of, or transmission of classified or controlled unclassified information.

(b) Elements.--The program established under subsection (a) shall include the following:
  (1) Technology solutions for deployment within the Department of Defense that allow for centralized monitoring and detection of unauthorized activities, including--
    (A) monitoring the use of external ports and read and write capability controls;
    (B) disabling the removable media ports of computers physically or electronically;
    (C) electronic auditing and reporting of unusual and unauthorized user activities;
    (D) using data-loss prevention and data-rights management technology to prevent the unauthorized export of information from a network or to render such information unusable in the event of the unauthorized export of such information;
    (E) a roles-based access certification system;
    (F) cross-domain guards for transfers of information between different networks; and
    (G) patch management for software and security updates.
  (2) Policies and procedures to support such program, including special consideration for policies and procedures related to international and interagency partners and activities in support of ongoing operations in areas of hostilities.
  (3) A governance structure and process that integrates information security and sharing technologies with the policies and procedures referred to in paragraph (2). Such structure and process shall include--
    (A) coordination with the existing security clearance and suitability review process;
    (B) coordination of existing anomaly detection techniques, including those used in counterintelligence investigation or personnel screening activities; and
    (C) updating and expediting of the classification review and marking process.
  (4) A continuing analysis of--
    (A) gaps in security measures under the program; and
    (B) technology, policies, and processes needed to increase the capability of the program beyond the initially established full operating capability to address such gaps.
  (5) A baseline analysis framework that includes measures of performance and effectiveness.
  (6) A plan for how to ensure related security measures are put in place for other departments or agencies with access to Department of Defense networks.
  (7) A plan for enforcement to ensure that the program is being applied and implemented on a uniform and consistent basis.

(c) Operating Capability.--The Secretary shall ensure the program established under subsection (a)--
  (1) achieves initial operating capability not later than October 1, 2012; and
  (2) achieves full operating capability not later than October 1, 2013.

(d) Report.--Not later than 90 days after the date of the enactment of this Act, the Secretary shall submit to the congressional defense committees a report that includes--
  (1) the implementation plan for the program established under subsection (a);
  (2) the resources required to implement the program;
  (3) specific efforts to ensure that implementation does not negatively impact activities in support of ongoing operations in areas of hostilities;
  (4) a definition of the capabilities that will be achieved at initial operating capability and full operating capability, respectively; and
  (5) a description of any other issues related to such implementation that the Secretary considers appropriate.

(e) Briefing Requirement.--The Secretary shall provide briefings to the Committees on Armed Services of the House of Representatives and the Senate as follows:
  (1) Not later than 90 days after the date of the enactment of this Act, a briefing describing the governance structure referred to in subsection (b)(3).
  (2) Not later than 120 days after the date of the enactment of this Act, a briefing detailing the inventory and status of technology solutions deployment referred to in subsection (b)(1), including an identification of the total number of host platforms planned for such deployment, the current number of host platforms that provide appropriate security, and the funding and timeline for remaining deployment.
  (3) Not later than 180 days after the date of the enactment of this Act, a briefing detailing the policies and procedures referred to in subsection (b)(2), including an assessment of the effectiveness of such policies and procedures and an assessment of the potential impact of such policies and procedures on information sharing within the Department of Defense and with interagency and international partners.

(f) Budget Submission.--On the date on which the President submits to Congress the budget under section 1105 of title 31, United States Code, for each of fiscal years 2014 through 2019, the Secretary of Defense shall submit to the congressional defense committees an identification of the resources requested in such budget to carry out the program established under subsection (a).