National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs

The following National Insider Threat Policy was released by the National Counterintelligence Executive (NCIX) in response to a recent article for McClatchy titled “Obama’s crackdown views leaks as aiding enemies of U.S.”  For more information on the policy, read Steven Aftergood’s analysis for the Federation of American Scientists’ Secrecy News blog.


  • 9 pages
  • November 21, 2012
  • 4.77 MB


The National Insider Threat Policy aims to strengthen the protection and safeguarding of classified information by: establishing common expectations; institutionalizing executive branch best practices; and enabling flexible implementation across the executive branch.

A. Policy

Executive Order 13587 directs United States Government executive branch departments and agencies (departments and agencies) to establish, implement, monitor, and report on the effectiveness of insider threat programs to protect classified national security information (as defined in Executive Order 13526; hereinafter classified information), and requires the development of an executive branch program for the deterrence, detection, and mitigation of insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure. Executive Order 12968 promulgates classified information access eligibility policy and establishes a uniform Federal personnel security program for employees considered for initial or continued access to classified information. Consistent with Executive Orders 13587 and 12968, this policy is applicable to all executive branch departments and agencies with access to classified information, or that operate or access classified computer networks; all employees with access to classified information, including classified computer networks (and including contractors and others who access classified information, or operate or access classified computer networks controlled by the federal government); and all classified information on those networks.

This policy leverages existing federal laws, statutes, authorities, policies, programs, systems, architectures and resources in order to counter the threat of those insiders who may use their authorized access to compromise classified information. Insider threat programs shall employ risk management principles, tailored to meet the distinct needs, mission, and systems of individual agencies, and shall include appropriate protections for privacy, civil rights, and civil liberties.

B. General Responsibilities of Departments and Agencies

1) Within 180 days of the effective date of this policy, establish a program for deterring, detecting, and mitigating insider threat; leveraging counterintelligence (CI), security, information assurance, and other relevant functions and resources to identify and counter the insider threat.

2) Establish an integrated capability to monitor and audit information for insider threat detection and mitigation. Critical program requirements include but are not limited to: (1) monitoring user activity on classified computer networks controlled by the Federal Government; (2) evaluation of personnel security information; (3) employee awareness training of the insider threat and employees’ reporting responsibilities; and (4) gathering information for a centralized analysis, reporting, and response capability.

3) Develop and implement sharing policies and procedures whereby the organization’s insider threat program accesses, shares, and integrates information and data derived from offices across the organization, including CI, security, information assurance, and human resources offices.

4) Designate a senior official(s) with authority to provide management, accountability, and oversight of the organization’s insider threat program and make resource recommendations to the appropriate agency official.

5) Consult with records management, legal counsel, and civil liberties and privacy officials to ensure any legal, privacy, civil rights, civil liberties issues (including use of personally identifiable information) are appropriately addressed.

6) Promulgate additional department and agency guidance, if needed, to reflect unique mission requirements, but not inhibit meeting the minimum standards issued by the Insider Threat Task Force (ITTF) pursuant to this policy.

7) Perform self-assessments of compliance with insider threat policies and standards; the results of which shall be reported to the Senior Information Sharing and Safeguarding Steering Committee (hereinafter Steering Committee).

8) Enable independent assessments, in accordance with Section 2.1 (d) of Executive Order 13587, of compliance with established insider threat policy and standards by providing information and access to personnel of the ITTF.

C. Insider Threat Task Force roles and responsibilities

The ITTF, established under Executive Order 13587, is the principal interagency task force responsible for developing an executive branch insider threat detection and prevention program to be implemented by all departments and agencies covered by this policy. This program shall include development of policies, objectives, and priorities for establishing and integrating security, counterintelligence, user audits and monitoring, and other safeguarding capabilities and practices within departments and agencies.

The ITTF shall:

1) In coordination with appropriate agencies, develop and issue minimum standards and guidance for implementing insider threat program capabilities throughout the executive branch. These standards shall include, but are not limited to, the following:

• Monitoring of user activity on United States Government networks. This refers to audit data collection strategies for insider threat detection, leveraging hardware and/or software with triggers deployed on classified networks to detect, monitor, and analyze anomalous user behavior for indicators of misuse.
• Continued evaluation of personnel security information whereby information is gathered from, including but not limited to, an individual’s security background investigation, clearance adjudication, foreign travel reporting, foreign contact reporting, financial disclosure, polygraph examination results (where applicable) or other personnel actions, and made available to authorized insider threat program personnel to assess, in conjunction with anomalous user behavior data, and/or any other insider threat concern or allegation.
• Employee awareness training of the insider threat, the inherent risk posed to classified information by malicious insiders and, specifically, recognition of insider threat behaviors; developing a reporting structure to ensure all employees and contractors report suspected insider threat activity consistently and securely; informing employees, subject to monitoring, of the policies and processes in place to protect their privacy, civil rights, and civil liberties rights against unnecessary monitoring (to include retaliation against whistleblowers); and, ensuring employee awareness of their responsibility to report, as well as how and to whom to report, suspected insider threat activity.
• Analysis, Reporting and Response: gathering and integrating available information to conduct a preliminary review of any potential insider threat issues; and, where it appears a potential threat may exist, taking action by referring the matter as appropriate to CI, security, information assurance, the Office of Inspector General, or to the proper law enforcement authority.

2) Review and update ITTF standards and guidance, as appropriate.

3) Provide continual assistance to departments and agencies to establish and/or improve insider threat detection and prevention programs. The nature of assistance will involve a collaborative process wherein subject matter expert(s) provide expertise, guidance, and advice through various forums including on site visits.

4) Conduct independent assessments at individual organizations, as directed by the Steering Committee and in coordination with Executive Agent for Safeguarding (EA/S) and the Classified Information Sharing and Safeguarding Office (CISSO) established by Executive Order 13587, to determine the level of organizational compliance with this policy and minimum insider threat standards.

5) Use the results of relevant insider threat data sources to include, but not limited to, the agency’s Key Information Sharing and Safeguarding Indicators self-assessments, applicable portions of the Office of the National Counterintelligence Executive Mission Reviews and Program Assessments, and the results of assistance visits and independent assessments to determine the adequacy of insider threat programs at individual agencies, and Government-wide.

6) Coordinate with the Information Security Oversight Office (ISOO), EA/S, and the CISSO to report results of independent assessments to the Steering Committee for use in the annual reports submitted to the President assessing the executive branch’s effectiveness in implementing insider threat programs, and to inform related program and budget recommendations.

7) Refer to the Steering Committee for resolution any unresolved issues delaying the timely development and issuance of minimum standards.

8) Provide strategic analysis of new and continuing insider threat challenges facing the United States Government.
