National Insider Threat Program Foundational Documents - Vocabulary Flashcards

National Insider Threat Program Foundational Documents

  • Overview
    • Documents establish the Nation’s approach to insider threat programs across the Executive Branch
    • Key components: Executive Order 13587 (Structural Reforms), Presidential Memorandum (National Insider Threat Policy and Minimum Standards), National Insider Threat Task Force (NITTF) Maturity Framework, and related FAQs
    • Purpose: deter, detect, and mitigate insider threats while safeguarding classified information and protecting privacy and civil liberties

Executive Order 13587 of October 7, 2011

  • Policy (Sec. 1)

    • National security requires rapid sharing of classified information with authorized users globally, paired with sophisticated risk-based safeguards
    • Computer networks have vulnerabilities requiring coordinated risk management decisions
    • Structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks, with appropriate privacy and civil liberties protections
    • Agencies bear primary responsibility for meeting twin goals; reforms enable interagency development and implementation of policies and minimum standards across information security, personnel security, and systems security
    • Policies and standards cover all agencies operating or accessing classified networks, all users (including contractors), and all classified information on those networks
  • General Responsibilities of Agencies (Sec. 2)

    • Heads of agencies operating or accessing classified networks must:
    • (a) designate a senior official to oversee classified information sharing and safeguarding
    • (b) implement an insider threat detection and prevention program in line with guidance by the Insider Threat Task Force (ITTF)
    • (c) perform self-assessments of compliance with policies and standards (sections 3.3, 5.2, 6.3) and report results annually to the Senior Information Sharing and Safeguarding Steering Committee (Sec. 3)
    • (d) provide information/access to enable independent assessments by the Executive Agent for Safeguarding Classified Information on Computer Networks and the ITTF
    • (e) assign appropriate staff to the Classified Information Sharing and Safeguarding Office and the Insider Threat Task Force on an ongoing basis
    • These provisions emphasize risk-based, privacy-preserving, interagency oversight of insider threat programs
  • Senior Information Sharing and Safeguarding Steering Committee (Sec. 3)

    • Sec. 3.1: Establishes the Steering Committee to oversee interagency development and implementation of sharing and safeguarding policies
    • Sec. 3.2: Co-chaired by the Office of Management and Budget (OMB) and National Security Staff (NSS); membership includes senior officers from State, Defense, Justice, Energy, Homeland Security, ODNI, CIA, ISOO, and other designated agencies
    • Sec. 3.3: Steering Committee responsibilities include:
    • (a) setting government-wide goals and reviewing successes/failures annually
    • (b) preparing a President-directed report within 90 days of the order and annually thereafter
    • (c) developing program and budget recommendations for government-wide goals
    • (d) coordinating interagency development and implementation of priorities, policies, and standards
    • (e) recommending overarching policies for promulgation by OMB or ISOO
    • (f) coordinating compliance assessments and recommending corrective actions
    • (g) providing mission guidance for the PM-ISE regarding the Classified Information Sharing and Safeguarding Office
    • (h) referring unresolved policy issues to the Deputies Committee of the National Security Council per PPD-1
  • Classified Information Sharing and Safeguarding Office (CISSO) (Sec. 4)

    • Sec. 4.1: Establish CISSO within and subordinate to the PM-ISE office to provide full-time focus on responsible sharing and safeguarding of classified information on networks; CISSO can include detailees from Steering Committee agencies
    • Sec. 4.2: CISSO responsibilities include:
    • (a) staff support for the Steering Committee
    • (b) advising the Executive Agent and ITTF on developing effective compliance monitoring programs
    • (c) consulting with State, Defense, DHS, ISOO, ODNI, and others to ensure policy consistency with existing orders such as EO 13526, EO 12829, EO 13549, and EO 13556
  • Executive Agent for Safeguarding Classified Information on Computer Networks (Sec. 5)

    • Sec. 5.1: The Secretary of Defense and the Director, NSA jointly act as Executive Agent (EA), exercising authorities under NSD-42
    • Sec. 5.2: EA responsibilities include:
    • (a) developing effective safeguarding policies and standards in coordination with CNSS
    • (b) referring unresolved issues to the Steering Committee for resolution
    • (c) annual reporting to the Steering Committee on CNSS work and recommendations for changes
    • (d) conducting independent assessments of agency compliance and reporting results to the Steering Committee
  • Insider Threat Task Force (Sec. 6)

    • Sec. 6.1: Establish ITTF to develop a Government-wide insider threat program covering deterrence, detection, mitigation, and safeguarding of information
    • Sec. 6.2: ITTF is co-chaired by the Attorney General and the DNI; membership includes senior officials from multiple agencies; staff from FBI, ONCIX, and others as designated; ONCIX may provide site and admin support
    • Sec. 6.3: ITTF responsibilities include:
    • (a) develop government-wide policy for deterrence, detection, and mitigation of insider threats; submit to Steering Committee for review
    • (b) develop minimum standards and guidance for implementation within one year; binding on the executive branch
    • (c) maintain process to update standards if appropriations permit; otherwise propose updates to OMB/ISOO
    • (d) if appropriations are not obtained, propose alternative standards
    • (e) refer unresolved issues to the Steering Committee for resolution
    • (f) conduct independent assessments of agency programs and report results to the Steering Committee
    • (g) provide best-practice dissemination and assistance to agencies
    • (h) provide analysis of new and continuing insider threat challenges
  • General Provisions (Sec. 7)

    • (a) Defines terms based on EO 13526 and other related statutes
    • (b) EO 13587 does not supersede EO 12333, EO 12829, EO 12968, EO 13388, EO 13467, EO 13526, EO 13549, nor successors
    • (c) No change to authorities of other key entities (Energy, Defense, DHS, State, ISOO, PM-ISE, etc.)
    • (d) Steering Committee/CISSO/CNSS/Task Force cannot examine other agencies’ facilities without advance consultation
    • (e) Policy does not deter protected whistleblowing or disclosures under whistleblower protection acts
    • (f) DNI may issue policy directives for the Intelligence Community as needed
    • (g) Order does not impair agency authority or OMB functions
    • (h) Implemented with applicable law and privacy protections, subject to appropriations
    • (i) Order does not create rights enforceable by private parties

Presidential Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs

  • Purpose and Scope (Page 10-11)

    • Transmits policy and minimum standards to promote effective insider threat programs to deter, detect, and mitigate insider threats
    • Insider threats include espionage, violent acts, and unauthorized disclosure of classified information; reflects data on networks and systems
    • Minimum Standards specify elements for monitoring, training, centralized analysis, and protection of civil liberties and privacy
    • Outcome: strengthen protection of classified information across the executive branch and deter insider misuse of access
  • Policy Aims and Core Elements (Page 12)

    • A. Policy Context
    • EO 13587 directs departments/agencies to establish, implement, monitor, and report on insider threat program effectiveness
    • EO 12968 establishes uniform personnel security for access to classified information
    • Policy applies to all executive branch departments/agencies with access to classified information or networks; includes contractors and others who access or operate networks
    • Leverages existing laws, authorities, programs to counter insider threats; uses risk management tailored to agency missions; protects privacy and civil liberties
    • B. General Responsibilities of Departments and Agencies
      • 1) Within 180 days of policy effective date, establish an insider threat deterrence/detection/mitigation program using CI, security, IA, HR, and other resources
        • 180 days: timeline anchor for initial implementation
      • 2) Establish integrated capability to monitor and audit information for insider threat detection and mitigation
        • Key requirements: monitor user activity on classified networks; evaluate personnel security information; provide insider threat training; centralize analysis/reporting
      • 3) Develop and implement sharing policies/procedures to access/share/integrate information from CI, security, IA, HR, etc.
      • 4) Designate senior official(s) with authority for management, accountability, oversight; provide resource recommendations
      • 5) Consult with records management, legal counsel, privacy officials to address legal/privacy concerns
      • 6) Promulgate additional guidance reflecting unique mission needs but not inhibiting the meeting of minimum standards
      • 7) Perform self-assessments of compliance and report to Steering Committee
      • 8) Enable independent assessments per EO 13587 §2.1(d) by providing access to ITTF and others
    • C. Insider Threat Task Force Roles and Responsibilities (ITTF)
    • ITTF is the principal interagency task force responsible for developing a government-wide insider threat detection/prevention program
    • ITTF to develop minimum standards and guidance, covering: monitoring user activity, personnel security information, employee awareness training, reporting responsibilities, and CI/Security/HR data integration
    • ITTF to review/update standards, provide ongoing assistance, conduct independent assessments, and coordinate with ISOO, ENS, and CISSO for annual reporting and budget implications
    • D. Definitions
    • Classified information, Counterintelligence, Agencies (broad statutory definition), Employee, Insider, Insider Threat, Key Information Sharing and Safeguarding Indicators
    • E. General Provisions
    • Superseding acts, privacy protections, and roles of DNI/IC in implementing directives; limits on authority and scope
  • Minimum Standards for Executive Branch Insider Threat Programs (Page 15-16)

    • A. Authority: EO 13587, EO 12968, National Policy on Insider Threat
    • B. Purpose
    • Insider threat programs deter cleared employees, detect insiders who pose risk, and mitigate risks through actions outlined in E.2
    • Standards are minimum requirements; IC or DoD policies may impose stricter requirements; agencies may add new standards provided they don’t conflict
    • Agency heads are ultimately responsible; designated senior officials implement minimum standards
    • C. Applicability
    • Applies to executive agencies, military departments, independent establishments, and IC elements
    • D. Designation of Senior Official(s)
    • Senior Official(s) oversee gathering/integration/analysis/responding to CI, Security, IA, HR, LE, etc.
    • Responsibilities include management/oversight, developing comprehensive agency policy within 180 days, annual progress reports, policy/records/privacy considerations, oversight mechanisms for records, and facilitating oversight reviews
    • E. Information Integration, Analysis, and Response
    • Agencies must build insider threat analytic and response capability; centrally manage response actions; document matters and resolutions
    • F. Insider Threat Program Personnel
    • Personnel must be trained in CI/security fundamentals, insider threat procedures, privacy laws and policies, whistleblower protections, and investigative referral requirements
    • G. Access to Information
    • Agencies must provide insider threat personnel with regular access to CI, Security, IA, HR data as needed; establish sensitive access procedures; provide reporting channels; ensure access to intelligence products
    • H. Monitoring User Activity on Networks
    • Agencies must have capability to monitor user activity on classified networks (internally or via external agreements); SLA with providers; protect data; obtain user acknowledgments of monitoring; display banners notifying users of monitoring
    • I. Employee Training and Awareness
    • Insider threat awareness training for all cleared employees within 30 days of employment or access grant and annually thereafter; cover indicators, reporting responsibilities, and CI/security reporting requirements; maintain internal portal with resources and reporting tools
    • J. Definitions
    • Agency Head, Classified Information, Cleared Employee, Insider, Insider Threat, Insider Threat Response Action(s), Subordinate Entity

Maturity Framework FAQ

  • Purpose and design (Page 21)

    • The Maturity Framework is designed to help D/As mature their Insider Threat Programs beyond the Minimum Standards by providing a roadmap of capability elements
    • Framework modeled on capability maturity model (CMM) concepts; aims to enable proactive, comprehensive risk management
    • Not a replacement for Minimum Standards; supports ongoing evolution
  • Development and rationale

    • Developed by NITTF under EO 13587 and the National Policy and Minimum Standards
    • Draft framework developed from Fall 2017 through Spring 2018 focus groups; vetted with IC, DoD, and Federal Partner programs
  • Framework vs Framework elements vs standards

    • Framework is not a new set of standards; it identifies key elements (capabilities or attributes) that characterize advanced programs
    • Agencies evaluate applicability of elements to their environment; flexibility to select Framework elements that fit mission/technology/infrastructure
    • No mandatory timeframe to implement Framework elements; no formal assessment against Framework elements, but NITTF may note incorporation during independent assessments
    • Frame of reference used to collect best practices to strengthen programs; NITTF may evolve assessment measures over time
  • Practical use and implementation

    • Agencies can use the Framework to develop strategic goals and actions to enhance governance, processes, and resources for insider threat management
    • Agencies should involve OGC, privacy/civil liberties officials, and OIG early in planning to ensure compliance with legal and civil liberties requirements
    • NITTF offers ongoing support, guidance, and connections to other programs; resources for implementing Framework elements are the responsibility of the agencies
    • For small D/As with fewer cleared employees, Framework elements are flexible and not all elements are mandatory; goal is to tailor maturity elements to fit mission and environment
  • Assessment and accountability

    • Framework elements are not formally assessed as standards; independent assessments by NITTF may note incorporation of maturity elements
    • Ongoing best-practice collection to support maturation across the insider threat community

Key Definitions and Concepts (Summary)

  • Classified information: Information designated as classified under EO 13526 or related acts and marked as such in documentary form
  • Insider: An individual with authorized access to US Government resources (people, facilities, information, equipment, networks, or systems)
  • Insider Threat: The risk that an insider will use authorized access to harm national security, including espionage, terrorism, or unauthorized disclosure
  • Cleared Employee: Any employee or contractor with access to classified information (with various categories defined in policy)
  • Subordinate Entity: An office or command that manages its own insider threat program
  • Key Information Sharing and Safeguarding Indicators: KPIs used to measure reporting progress and guide resource allocation

Practical Implications and Real-World Relevance

  • Emphasizes risk management and interagency coordination for safeguarding classified information
  • Balances security with privacy and civil liberties protections; requires consultation with privacy, civil liberties, and legal officials
  • Establishes centralized analysis and reporting structures to improve detection/mitigation capabilities across the executive branch
  • Provides a structured path from minimum standards to matured, proactive insider threat programs via the Maturity Framework
  • Allows agencies to tailor approaches to their unique missions and environments while maintaining overarching government-wide standards

Notable Timeframes and References (Examples in Markdown)

  • Initial implementation window: 180 days to establish a baseline insider threat program (from policy effective date)
  • Self-assessment and annual reporting cycles tied to Steering Committee processes throughout the EO framework
  • 90-day reporting requirement to the President for annual assessment of successes/shortcomings (Sec. 3.3(b))
  • One-year horizon for minimum standards and guidance development by ITTF (Sec. 6.3(b)) to be binding on the executive branch
  • 180-day requirement for agency senior officials to develop a comprehensive insider threat policy (Minimum Standards section D2.2 in the Presidential Memorandum)

Connections to Foundational Principles

  • Aligns with broader national security architecture: CI, security, IA, HR integration; governance via Steering Committee; EA oversight via CNSS coordination
  • Demonstrates a lifecycle approach: policy formation → standard setting → implementation → monitoring → independent assessment → continuous improvement
  • Emphasizes privacy and civil liberties protections as a core element of security programs

Ethical, Philosophical, and Practical Implications

  • Balances national security needs with individuals’ privacy rights and civil liberties
  • Recognizes the potential for whistleblower protections and safeguards against retaliatory or abusive monitoring
  • Encourages responsible data handling, retention, and access controls for sensitive information
  • Acknowledges the need for independent assessments to prevent mission creep and maintain public trust

Formulas and Numerical References (LaTeX)

  • Timeframes and counts cited in the documents are presented below in LaTeX format for study reference:
    • The initial establishment of an insider threat program: $180\ \text{days}$ from the policy effective date
    • Annual reporting requirement timeline: $1\ \text{year}$, plus recurring annual reviews
    • Interim review/report within: $90\ \text{days}$ of the order date
    • Minimum standards development and guidance: within $1\ \text{year}$ from policy issuance

Final Notes for Exam Preparation

  • Be able to explain the relationship between EO 13587, the Presidential Memorandum, and the ITTF/NITTF structures
  • Understand the roles and responsibilities of CISSO, the EA, and the Steering Committee
  • Distinguish between minimum standards and the maturity framework; know that the framework is not a new set of standards but a path for maturation
  • Recall key definitions and why privacy/civil liberties protections are embedded in the framework
  • Recognize the essential workflow: policy creation → standards creation → agency implementation → independent assessments → best-practice sharing