Congress ordered the Secretary of Defense to establish an information security program for detecting “unauthorized access to, use of, or transmission of classified or controlled unclassified information.” The provision was included by the FY2012 defense authorization act that was approved in conference this week (section 922).
The insider threat detection program, conceived as a response to WikiLeaks, is intended to “allow for centralized monitoring and detection of unauthorized activities.” Among other things, it is supposed to employ technology solutions “to prevent the unauthorized export of information from a network or to render such information unusable in the event of the unauthorized export of such information.”
H.R. 1540, NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2012, SEC. 922. INSIDER THREAT DETECTION (Federation of American Scientists):
(a) Program Required.–The Secretary of Defense shall
establish a program for information sharing protection and
insider threat mitigation for the information systems of the
Department of Defense to detect unauthorized access to, use
of, or transmission of classified or controlled unclassified
information.
(b) Elements.–The program established under subsection (a)
shall include the following:
(1) Technology solutions for deployment within the
Department of Defense that allow for centralized monitoring
and detection of unauthorized activities, including–
(A) monitoring the use of external ports and read and write
capability controls;
(B) disabling the removable media ports of computers
physically or electronically;
(C) electronic auditing and reporting of unusual and
unauthorized user activities;
(D) using data-loss prevention and data-rights management
technology to prevent the unauthorized export of information
from a network or to render such information unusable in the
event of the unauthorized export of such information;
(E) a roles-based access certification system;
(F) cross-domain guards for transfers of information
between different networks; and
(G) patch management for software and security updates.
(2) Policies and procedures to support such program,
including special consideration for policies and procedures
related to international and interagency partners and
activities in support of ongoing operations in areas of
hostilities.
(3) A governance structure and process that integrates
information security and sharing technologies with the
policies and procedures referred to in paragraph (2). Such
structure and process shall include–
(A) coordination with the existing security clearance and
suitability review process;
(B) coordination of existing anomaly detection techniques,
including those used in counterintelligence investigation or
personnel screening activities; and
(C) updating and expediting of the classification review
and marking process.
(4) A continuing analysis of–
(A) gaps in security measures under the program; and
(B) technology, policies, and processes needed to increase
the capability of the program beyond the initially
established full operating capability to address such gaps.
(5) A baseline analysis framework that includes measures of
performance and effectiveness.
(6) A plan for how to ensure related security measures are
put in place for other departments or agencies with access to
Department of Defense networks.
(7) A plan for enforcement to ensure that the program is
being applied and implemented on a uniform and consistent
basis.
(c) Operating Capability.–The Secretary shall ensure the
program established under subsection (a)–
(1) achieves initial operating capability not later than
October 1, 2012; and
(2) achieves full operating capability not later than
October 1, 2013.
(d) Report.–Not later than 90 days after the date of the
enactment of this Act, the Secretary shall submit to the
congressional defense committees a report that includes–
(1) the implementation plan for the program established
under subsection (a);
(2) the resources required to implement the program;
(3) specific efforts to ensure that implementation does not
negatively impact activities in support of ongoing operations
in areas of hostilities;
(4) a definition of the capabilities that will be achieved
at initial operating capability and full operating
capability, respectively; and
(5) a description of any other issues related to such
implementation that the Secretary considers appropriate.
(e) Briefing Requirement.–The Secretary shall provide
briefings to the Committees on Armed Services of the House of
Representatives and the Senate as follows:
(1) Not later than 90 days after the date of the enactment
of this Act, a briefing describing the governance structure
referred to in subsection (b)(3).
(2) Not later than 120 days after the date of the enactment
of this Act, a briefing detailing the inventory and status of
technology solutions deployment referred to in subsection
(b)(1), including an identification of the total number of
host platforms planned for such deployment, the current
number of host platforms that provide appropriate security,
and the funding and timeline for remaining deployment.
(3) Not later than 180 days after the date of the enactment
of this Act, a briefing detailing the policies and procedures
referred to in subsection (b)(2), including an assessment of
the effectiveness of such policies and procedures and an
assessment of the potential impact of such policies and
procedures on information sharing within the Department of
Defense and with interagency and international partners.
(f) Budget Submission.–On the date on which the President
submits to Congress the budget under section 1105 of title
31, United States Code, for each of fiscal years 2014 through
2019, the Secretary of Defense shall submit to the
congressional defense committees an identification of the
resources requested in such budget to carry out the program
established under subsection (a).
Bernd Pulch 