The Defense Department is instituting some efforts to curb insider threats, but those policies don’t go far enough beyond the bare-minimum standards, according to a new report from the Government Accountability Office.
DoD components have instituted six minimum standards mandated in an executive order aimed at protecting classified information and systems, such as providing training in insider threat awareness. DoD components also have implemented some recommendations from GAO, the White House and internal DoD guidance, but the components have been inconsistent, to the detriment of better insider-threat protection.
For example, only three of six components reviewed have established baselines of normal activity, a foundational part of any anti-insider threat program. DoD officials also have failed to analyze program gaps or incorporate risk assessments into their existing programs, the report noted.
“DoD components have not consistently incorporated these key elements because DoD has not issued guidance that identifies recommended actions beyond the minimum standards that components should take to enhance their insider-threat programs,” the report stated. “Gap and risk assessments allow DOD components to regularly assess the dynamic threat, vulnerability, and consequences associated with protecting classified information and systems from insider threats.”
DoD's internal efforts to analyze security gaps, including a quarterly compilation of key information sharing and safeguarding indicators, identify strengths and weaknesses in DoD insider threat programs, DoD Deputy Principal CIO Dave DeVries wrote in a response to the report.
DeVries also said his office in 2015 will issue further guidance for components to take more action in their insider threat programs, including implementing risk assessments as recommended by GAO. He also said DoD has launched internal self- and independent assessments evaluating Pentagon programs and will report on findings to the Office of the Under Secretary of Defense for Intelligence.