Free Essay

Test One

In: Computers and Technology

Submitted By dwillia9
Words 17616
Pages 71
United States Government Accountability Office

Report to Congressional Committees

June 2015

INSIDER THREATS
DOD Should
Strengthen
Management and
Guidance to Protect
Classified Information and Systems

GAO-15-544

June 2015

INSIDER THREATS
DOD Should Strengthen Management and Guidance to Protect Classified Information and Systems
Highlights of GAO-15-544, a report to congressional committees.

Why GAO Did This Study

What GAO Found

Since 2010, the United States has suffered grave damage to national security and an increased risk to the lives of U.S. personnel due to unauthorized disclosures of classified information by individuals with authorized access to defense information systems. Congress and the
President have issued requirements for structural reforms and a new program to address insider threats.

The Department of Defense (DOD) components GAO selected for review have begun implementing insider-threat programs that incorporate the six minimum standards called for in Executive Order 13587 to protect classified information and systems. For example, the components have begun to provide insider-threat awareness training to all personnel with security clearances. In addition, the components have incorporated some of the actions associated with a framework of key elements that GAO developed from a White House report, an executive order, DOD guidance and reports, national security systems guidance, and leading practices recommended by the National Insider Threat Task Force.
However, the components have not consistently incorporated all recommended key elements. For example, three of the six components have developed a baseline of normal activity—a key element that could mitigate insider threats.
DOD components have not consistently incorporated these key elements because DOD has not issued guidance that identifies recommended actions beyond the minimum standards that components should take to enhance their insider-threat programs. Such guidance would assist DOD and its components in developing and strengthening insider-threat programs and better position the department to safeguard classified information and systems.

A 2014 House Committee on Armed
Services report included a provision that GAO assess DOD’s efforts to protect its information and systems.
This report evaluates the extent to which (1) DOD has implemented an insider-threat program that incorporates minimum standards and key elements, (2) DOD and others have assessed DOD’s insider-threat program, and (3) DOD has identified any technical and policy changes needed to protect against future insider threats. GAO reviewed studies, guidance, and other documents; and interviewed officials regarding actions that DOD and a nonprobability sample of six DOD components have taken to address insider threats.

What GAO Recommends
GAO recommends that DOD issue guidance to incorporate key elements into insider-threat programs, evaluate the extent to which programs address capability gaps, issue risk-assessment guidance, and identify a program office to manage and oversee insider-threat programs. DOD agreed or partially agreed with all of the recommendations, and described actions it plans to take. However,
DOD’s actions may not fully address the issues as discussed in the report.
View GAO-15-544. For more information, contact Joseph W. Kirschbaum at (202) 5129971 or kirschbaumj@gao.gov or Gregory C.
Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. DOD and others, such as the National Insider Threat Task Force, have assessed the department’s insider-threat program, but DOD has not analyzed gaps or incorporated risk assessments into the program. DOD officials believe that current assessments meet the intent of the statute that requires DOD to implement a continuing gap analysis. However, DOD has not evaluated and documented the extent to which the current assessments describe existing insider-threat program capabilities, as is required by the law. Without such a documented evaluation, the department will not know whether its capabilities to address insider threats are adequate and address statutory requirements.
Further, national-level security guidance states that agencies, including DOD, should assess risk posture as part of insider-threat programs. GAO found that
DOD components had not incorporated risk assessments because DOD had not provided guidance on how to incorporate risk assessments into components’ programs. Until DOD issues guidance on incorporating risk assessments, DOD components may not conduct such assessments and thus not be able to determine whether security measures are adequate.
DOD components have identified technical and policy changes to help protect classified information and systems from insider threats in the future, but DOD is not consistently collecting this information to support management and oversight responsibilities. According to Office of the Under Secretary of Defense for
Intelligence officials, they do not consistently collect this information because
DOD has not identified a program office that is focused on overseeing the insider-threat program. Without an identified program office dedicated to oversight of insider-threat programs, DOD may not be able to ensure the collection of all needed information and could face challenges in establishing goals and in recommending resources and improvements to address insider threats. This is an unclassified version of a classified report GAO issued in April 2015.
United States Government Accountability Office

Contents

Letter

1
Background
DOD and Selected Components Have Taken Steps to Implement
Insider-Threat Programs, but DOD Has Not Issued
Supplemental Guidance
DOD Has Assessed Its Insider-Threat Program but Has Not
Analyzed Gaps or Incorporated Risk Assessments into the
Program
DOD Identified Technical and Policy Changes to Protect against
Insider Threats in the Future but Does Not Consistently Collect
Information for Oversight and Recommendations
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation

25
29
30
31

Appendix I

Scope and Methodology

35

Appendix II

Minimum Standards for Executive Branch Insider-Threat
Programs

40

Sources for Key Elements of Insider-Threat Programs GAO
Identified

43

Appendix IV

Comments from the Department of Defense

45

Appendix V

GAO Contacts and Staff Acknowledgments

48

Appendix III

Related Unclassified GAO Products

6
10
18

49

Page i

GAO-15-544 Insider Threats

Tables
Table 1: Department of Defense (DOD) Roles and Responsibilities for Insider Threats
Table 2: GAO’s Assessment of Department of Defense (DOD) and
Six Selected Components’ Incorporation of Minimum
Standards into Insider-Threat Programs as of January
2015

9

12

Figures
Figure 1: Insider-Threat Policies and Plans for the Department of
Defense
Figure 2: Types of Threats Included in the Department of
Defense’s Insider-Threat Program
Figure 3: GAO’s Framework of Key Elements To Incorporate at
Each Phase of DOD’s Insider-Threat Programs

7
10
15

Abbreviations
DOD
DOD CIO
E.O.
OUSD (Intelligence)

Department of Defense
Department of Defense Chief Information Officer
Executive Order
Office of the Under Secretary of Defense for Intelligence

This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Page ii

GAO-15-544 Insider Threats

Letter

441 G St. N.W.
Washington, DC 20548

June 2, 2015
Congressional Committees
According to U.S. intelligence-community leaders, unauthorized disclosures of classified information by individuals with authorized access to Department of Defense (DOD) information and systems have resulted in grave damage to national security and potentially placed the lives of military service members at risk, highlighting the threat insiders can pose to government organizations. 1 Disclosures by an Army service member in
2010 and a National Security Agency contractor in 2013 are among the largest known leaks of classified information in U.S. history, according to
DOD and U.S intelligence-community leaders. In January 2014, the U.S. intelligence community’s Worldwide Threat Assessment 2 cited the persistent challenge and continuing critical threat that insiders pose. 3
Insiders have an advantage over others who may want to harm an organization because insiders may have an awareness of their organization’s vulnerabilities, such as loosely enforced policies and procedures, or exploitable technical flaws. Even insiders who do not intend to cause harm may inadvertently do so through human error.
Insiders with access to DOD information and systems may be able to conduct far more malicious activity—wittingly or unwittingly—than outsiders, with potentially devastating consequences for DOD. DOD’s
April 2015 cyber strategy stressed the importance of mitigating insider threats, stating that DOD’s work to mitigate these threats extends beyond

1

Statements of James Clapper, Director of National Intelligence, and Lieutenant General
Michael Flynn, Director of the Defense Intelligence Agency, Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence (Jan. 29,
2014); and statement of James Clapper, Director of National Intelligence, Annual Threat
Assessment of the Intelligence Community for the Senate Select Committee on
Intelligence (Feb. 16, 2011).
2

Statement for the Record of James Clapper, Director of National Intelligence, Worldwide
Threat Assessment of the U.S. Intelligence Community (Jan. 29, 2014).

3

An insider is any person with authorized access to any U.S. government resource to include personnel, facilities, information, equipment, networks, or systems. See White
House, National Insider Threat Policy and Minimum Standards for Executive Branch
Insider Threat Programs, memorandum (Nov. 21, 2012).

Page 1

GAO-15-544 Insider Threats

technological solutions and includes personnel, reliability, leadership, and accountability matters. 4
Since the 2010 disclosures, Congress and the President have taken actions to try to prevent additional unauthorized disclosures of classified information by insiders. In 2011, Congress—citing damage to national security, the effect on military operations, and harm to the reputation and credibility of the United States resulting from the 2010 disclosures—called for DOD to establish an insider-threat program. 5 In 2011, the President issued Executive Order 13587 (E.O. 13587) that directed structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks consistent with appropriate protections for privacy and civil liberties. 6 In 2012, the President issued the national insider-threat policy that required agencies to implement insider-threat programs by May 2013. 7 The President also directed each agency’s insider-threat program to include six minimum standards: (1) designation of senior official(s); (2) information integration, analysis, and response; (3) insider-threat program personnel; (4) access to information; (5) monitoring user activity on networks; and (6) employee training and awareness. A 2014 House Committee on Armed Services report included a provision that GAO assess DOD’s efforts to protect information and systems from insider threats. 8 This report evaluates the extent to which (1) DOD has implemented an insider-threat program that incorporates minimum standards and key elements to protect classified information and
4

Department of Defense, The Department of Defense Cyber Strategy (April 2015).

5
See National Defense Authorization Act for Fiscal Year 2012, Pub. L. No. 112–81, § 922
(2011) and H.R. Rep. 112-78 at 184-185 (2011).
6
Executive Order No. 13587, Structural Reforms to Improve the Security of Classified
Networks and the Responsible Sharing and Safeguarding of Classified Information, 76
Fed. Reg. 198 (Oct. 7, 2011). (Hereinafter cited as E.O. 13587.)
7

See White House, National Insider Threat Policy and Minimum Standards for Executive
Branch Insider Threat Programs, memorandum (Nov. 21, 2012), which defines insider threat as the threat that an individual with authorized access will use that access, wittingly or unwittingly, to harm the security of the United States.

8

See H. R. Rep. No. 113-446 at 287–288 (2014) accompanying H.R. 4435, a proposed bill for the National Defense Authorization Act for Fiscal Year 2015. The House report also included a provision for us to evaluate DOD’s efforts to protect U.S. installations from insider threats. That report is due to be issued in summer 2015.

Page 2

GAO-15-544 Insider Threats

systems, (2) DOD and others have assessed DOD’s insider-threat program to protect classified information and systems, and (3) DOD has identified any technical and policy changes it needs to protect its classified information and systems from insider threats in the future.
Although this report is about protection of classified information and systems from insider threats, we have previously completed a body of work on other security issues, such as defense cybersecurity, information security, and personnel security. This is an unclassified version of a classified report that we issued in April 2015. This report does not identify specific DOD components or the results of DOD and independent assessments of DOD insider-threat programs—information that DOD deemed to be classified or sensitive. Although the information provided in this report is less detailed, it addresses the same objectives as our classified report. Also, the overall methodology used for both reports is the same.
To evaluate the extent to which DOD has implemented an insider-threat program that incorporates minimum standards and key elements to protect classified information and systems, we evaluated initiatives that
DOD had established and policy and guidance that identify responsibilities within the department to address the threat that insiders pose to classified information and systems. We selected a nonprobability sample of six DOD components to assess implementation efforts at the component level. 9 The six components include three combat support agencies; one military service; one combatant command; and one service sub-command. We selected these six components based on several factors including their specific roles in supporting DOD networks, prior insider-threat incidents, and reported progress in implementing insiderthreat programs. In order to avoid duplication with an ongoing DOD
Inspector General evaluation, we included only one military service. 10
While not generalizable, the information we obtained from these selected components provided insight about the steps that different types of components (i.e., service, combatant command, combat support agency)

9
DOD defines “DOD components” to include the Office of the Secretary of Defense, the military departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint
Staff, the combatant commands, DOD Office of Inspector General, the defense agencies, the DOD field activities, and all other entities within DOD.
10

In April 2014, the DOD Inspector General initiated work assessing the implementation of insider-threat programs at the four military services. According to the DOD Inspector
General office, it plans to issue its report in mid-2015.

Page 3

GAO-15-544 Insider Threats

are taking and challenges they are encountering. We developed a questionnaire based on our research objectives, the minimum standards called for in E.O. 13587, and industry leading practices for insider-threat programs. We administered the questionnaire and collected responses from all six components, and conducted follow-up meetings as needed based on responses. We also collected responses from the Office of the
Under Secretary of Defense for Intelligence (OUSD [Intelligence]) about the implementation of the department’s insider-threat program because the Under Secretary of Defense for Intelligence is the DOD senior official responsible for the department’s program. We used the questionnaire responses and information obtained from meetings and document reviews to assess each component’s insider-threat program implementation and content. Using a scorecard methodology, two analysts independently rated the collective data sources against the minimum standards to score and provide an overall rating. The two analysts then compared their independent scores, discussed any differences, and determined the final ratings.
In addition to minimum standards, we identified key elements of insiderthreat programs by reviewing and analyzing a range of documents including E.O. 13587, DOD guidance and reports, Committee on National
Security Systems guidance, a set of leading practices that the National
Insider Threat Task Force recommends, practices that other federal agencies and private industry use, and a list of essential principles developed by a group of private-sector and U.S. government analysts.
We then organized this information into a framework of 25 key elements.
We based these elements upon the principles that we identified, but this framework is not necessarily a comprehensive list of all elements since other principles may exist that could benefit insider-threat programs. We discussed this framework with DOD and private-sector officials and incorporated their comments and changes as appropriate. In order to assess how insider-threat programs incorporated these key elements, we collected and analyzed information from the selected components and
OUSD (Intelligence) and interviewed relevant officials.
To evaluate the extent to which DOD and others have assessed DOD’s insider-threat program to protect classified information and systems, we compared DOD assessment efforts occurring during the course of our review to those described in E.O. 13587. We reviewed copies of DOD’s quarterly self-assessments from December 2013 through February 2015, in which DOD reported its progress in complying with minimum standards, and we interviewed OUSD (Intelligence) and DOD Chief
Information Officer (DOD CIO) officials about their self-assessment

Page 4

GAO-15-544 Insider Threats

process and results. We did not independently verify the accuracy of the self-assessments since it was beyond the scope of this review. We also met with officials from the National Security Agency and National Insider
Threat Task Force involved in conducting independent assessments, confirmed that they have assessed some DOD components, and obtained and reviewed copies of the assessments. To determine the extent to which DOD conducted the continuing analysis of gaps in its insider-threat program required by the National Defense Authorization Act for Fiscal Year 2012, we obtained and reviewed DOD’s 2013 report to
Congress, which described the department’s plan for conducting a continuing analysis, and interviewed OUSD (Intelligence) officials about the current status of the analysis. 11 To determine the extent to which DOD incorporated risk assessments in its insider-threat program, we reviewed
DOD, Committee on National Security Systems, and National Insider
Threat Task Force guidance, and asked OUSD (Intelligence), DOD CIO, and component officials about the extent to which DOD conducted risk assessments related to insider-threat programs.
To evaluate the extent to which DOD has identified any technical or policy changes it needs to protect its classified information and systems from insider threats in the future, we focused on initiatives to be implemented beginning in 2015 and those initiatives not included in DOD’s existing insider-threat guidance. We collected information about initiatives through our questionnaire and interviews with component officials, discussed above. We also asked component, OUSD (Intelligence), and DOD CIO officials about their process for prioritizing and planning for initiatives, as well as how the department is collecting information about these initiatives. We compared their responses to DOD guidance on responsibilities for insider-threat programs and the defense security enterprise, federal standards for internal control, 12 and Office of the
Director of National Intelligence guidance. We did not evaluate the initiatives themselves or assess each initiative’s relative priority or efficacy. A more-detailed explanation of our scope and methodology can be found in appendix I.

11

Department of Defense, Report to Congress: Insider Threat Detection (Washington,
D.C.: March 2013).

12

GAO/AIMD-00.21.3.1.

Page 5

GAO-15-544 Insider Threats

We conducted this performance audit from May 2014 to June 2015 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background
Policies and Plans to
Address Insider Threats

DOD reported on the potential threats that insiders could pose in April
2000 when the department issued an integrated process team report with
59 recommendations for action to mitigate insider threats to DOD information systems. 13 After the unauthorized, massive disclosures of classified information in 2010, Congress required the Secretary of
Defense to establish a program for information sharing protection and insider-threat mitigation for DOD information systems. 14 Additionally, the
President in October 2011 ordered structural reforms to safeguard classified information and improve security of classified networks that were to be consistent with appropriate protections for privacy and civil liberties. 15 E.O. 13587, among other things, established an interagency
Insider Threat Task Force, known as the National Insider Threat Task
Force, discussed below.
In November 2012, the President issued the National Insider Threat
Policy and Minimum Standards for Executive Branch Insider Threat
Programs, which identified six minimum standards that executive-branch agencies were required to include in their insider-threat programs. These standards include (1) designation of senior official(s); (2) information

13

Department of Defense, Insider Threat Mitigation: Final Report of the Insider Threat
Integrated Process Team (Apr. 24, 2000). The Senior Civilian Official of the Office of the
Assistant Secretary of Defense (Command, Control, Communications and Intelligence) established the Insider Threat Integrated Process Team to foster the effective development of interdependent technical and procedural safeguards to reduce malicious behavior by insiders.

14

Pub. L. No. 112–81, § 922 (2011).

15

E.O. 13587.

Page 6

GAO-15-544 Insider Threats

integration, analysis, and response; (3) insider-threat program personnel;
(4) access to information; (5) monitoring user activity on networks; and (6) employee training and awareness. 16 Each minimum standard has multiple associated tasks. For more information on these minimum standards and associated tasks, see appendix II.
As part of the minimum standards, departments and agencies were required to issue their own insider-threat policies and plans. DOD issued its insider-threat program policy in September 2014. 17 DOD’s insiderthreat program policy requires each of the department’s components to issue respective insider-threat policies and implementation plans. Figure
1 shows the relationship between the White House, DOD, and DOD component actions to issue policies or plans.
Figure 1: Insider-Threat Policies and Plans for the Department of Defense

Roles and Responsibilities
Related to Insider Threats

As part of the President’s 2011 reforms, E.O. 13587 assigned various executive-branch organizations responsibilities and oversight related to insider threats.
National Insider Threat Task Force (co-chaired by the Attorney
General of the United States and the Director of National Intelligence and includes representatives from numerous federal entities, including
DOD) developed six minimum standards for executive-branch insiderthreat programs and a guide to assist agencies as they establish and



16

See White House, National Insider Threat Policy and Minimum Standards for Executive
Branch Insider Threat Programs.

17

DOD Directive 5205.16, The DOD Insider Threat Program (Sept. 30, 2014).

Page 7

GAO-15-544 Insider Threats

tailor programs to meet their particular needs. 18 In addition, according to task-force officials, the task force conducts independent assessments of agency programs as required by E.O. 13587.


Senior Information Sharing and Safeguarding Steering Committee
(co-chaired by the National Security Staff and the Office of
Management and Budget and includes representatives from executive departments and agencies, including DOD) is to coordinate priorities for sharing and safeguarding classified information on computer networks. According to E.O. 13587, the committee is to receive copies of the self-assessments that each agency is to conduct—commonly referred to as the Key Information Sharing and Safeguarding
Indicators assessment—and copies of the independent assessments that the National Insider Threat Task Force and National Security
Agency are to conduct.



National Security Agency, as co-Executive Agent for Safeguarding
Classified Information on Computer Networks, is to conduct independent assessments of agency compliance with safeguarding policies and standards as required by E.O. 13587.



Departments and agencies, including DOD, are to establish insiderthreat programs and perform self-assessments of compliance with established standards and priorities.

Various DOD organizations, as described in table 1, have responsibilities related to insider threats, specifically the protection of DOD classified information and systems.

18

National Insider Threat Task Force, 2014 Guide to Accompany the National Insider
Threat Task Force Policy and Minimum Standards (Sept. 2014).

Page 8

GAO-15-544 Insider Threats

Table 1: Department of Defense (DOD) Roles and Responsibilities for Insider Threats
Component

Responsibilities

Under Secretary of Defense for Intelligence

Serves as the senior official for the DOD insider-threat program; provides management, accountability, and oversight of the DOD program; and develops department-wide policy to counter insider threats.

DOD Chief Information Officer

Works with the Under Secretary of Defense for Intelligence to issue department-wide policy to safeguard against and mitigate insider-threat risks to DOD information and systems, based upon interagency priorities.

U.S. Cyber Command

Defends DOD information networks, including issuing detailed direction to DOD components on actions to counter insider-threat risks.

Defense Intelligence Agency

Ensures that the cybersecurity program associated with the Joint Worldwide
Intelligence Communications System, a top-secret-level network, provides effective security against insider threats.

Defense Information Systems Agency

Supports unclassified and classified networks, including the secret-level network, throughout DOD by designing and deploying proactive protections to help address insider threats and performing other necessary security functions.

Defense Security Service

Conducts counterintelligence functions for cleared defense-industrial-base critical assets and incorporates insider-threat education and awareness material into training programs for DOD components and contractors.

a

DOD components

Source: GAO summary of DOD guidance. | GAO-15-544

Implement individual insider-threat programs in accordance with minimum standards and relevant DOD policies. a DOD components include collectively the Office of the Secretary of Defense, the military departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint Staff, the combatant commands, the DOD Office of Inspector General, the defense agencies, the DOD field activities, and all other entities within DOD.

DOD’s Program to
Address Insider Threats

DOD has structured its insider-threat program to include four broad types of insider threats, including cyber threats. According to an OUSD
(Intelligence) insider-threat program briefing, the DOD organizations responsible for each of these threat areas are to share information to help prevent and mitigate insider threats (see fig. 2).

Page 9

GAO-15-544 Insider Threats

Figure 2: Types of Threats Included in the Department of Defense’s Insider-Threat
Program

DOD and Selected
Components Have
Taken Steps to
Implement InsiderThreat Programs, but
DOD Has Not Issued
Supplemental
Guidance
DOD and Selected
Components Have Begun
Implementing InsiderThreat Programs That
Incorporate Minimum
Standards

DOD and the six selected components we reviewed have begun incorporating the minimum standards called for in E.O. 13587 into insiderthreat programs to varying degrees to protect classified information and systems. Specifically, two components have established insider-threat programs that incorporate all six of the minimum standards. Conversely, the other components have taken action but have not addressed all tasks associated with the six minimum standards. For example, one insiderthreat program has addressed six of the seven tasks associated with the minimum standard of “Designation of Senior Official(s).” However, that program has not completed the task that requires their senior official to submit to the agency head an implementation plan and an annual report

Page 10

GAO-15-544 Insider Threats

that identifies annual accomplishments, resources allocated, insiderthreat risks to the agency, recommendations and goals for program improvement, and major impediments or challenges.
Similarly, all of the components we reviewed reported that they had addressed the task included in the “Monitoring User Activity on Networks” standard that states that insider-threat programs should include the technical capability to monitor user activity on classified networks.
However, the means by which the selected components addressed this task varied. Specifically, according to component officials, one component was conducting more enhanced user activity monitoring for a small pilot group, and two components were conducting widespread enhanced monitoring of user activity. Two components reported that they were using an application that provides network activity information to inform user activity monitoring. 19 According to the National Insider Threat Task
Force, this application contributes to insider-threat programs but does not provide full user activity-monitoring capability. Table 2 describes our evaluation of the extent to which DOD and the six selected components had incorporated minimum standards into insider-threat programs as of
January 2015.

19

This commercial application provides network administrators and security personnel with mechanisms to prevent, detect, track, report, and remediate malicious computer-related activities and incidents across networks and systems.

Page 11

GAO-15-544 Insider Threats

Table 2: GAO’s Assessment of Department of Defense (DOD) and Six Selected Components’ Incorporation of Minimum
Standards into Insider-Threat Programs as of January 2015 a Minimum standard

DOD and Components
1

2

3

4

5

6

7












































Monitoring user activity on networks
















Employee training and awareness















b

Designation of senior official(s)

Information integration, analysis, and response
Insider-threat program personnel
Access to information

Legend
 Addressed all tasks associated with minimum standard

◐ Addressed at least one of the tasks associated with minimum standard
 Has not addressed any tasks associated with minimum standard
Source: GAO analysis of DOD information. | GAO-15-544.

a

We have removed identifying references to DOD and specific components in this unclassified version of our assessment. b This minimum standard requires each agency to designate a senior official who shall complete the following seven tasks: (1) program management and oversight; (2) issuing policy; (3) submitting implementation plans and annual reports to the agency head; (4) ensuring legal and civil liberties consultation during development of program; (5) establishing oversight for proper handling of records;
(6) ensuring proper retention of records as defined in Executive Order 13587; and (7) facilitating oversight review to ensure compliance. While six components have designated a senior official for their insider-threat programs, some have not addressed all of the tasks associated with this standard.
Therefore, most components were rated as having addressed at least one of the tasks associated with this minimum standard.

As of January 2015, DOD officials indicated that the selected components continue to take steps to develop their programs and incorporate the minimum standards into their programs. For example, DOD has drafted an implementation plan—a task in the “Designation of Senior Official(s)” minimum standard—that identifies the key milestones to incorporate the minimum standards into the department’s insider-threat program. The implementation plan also requires the components to issue their own implementation plans as they establish insider-threat programs that incorporate all minimum standards in accordance with DOD’s insiderthreat program directive. 20 According to DOD officials, DOD plans to issue the department’s implementation plan in spring 2015. Additionally, according to National Insider Threat Task Force officials, the Senior

20

DOD Directive 5205.16, The DOD Insider Threat Program.

Page 12

GAO-15-544 Insider Threats

Information Sharing and Safeguarding Steering Committee has decided to adopt a risk-based approach to how departments and agencies incorporate the minimum standards. Lower-risk organizations, which could include some DOD components, will not be required to incorporate the minimum standards to the same extent as higher-risk organizations.
The officials told us that they have not yet determined which DOD components might be characterized as lower-risk, and the committee is continuing to study the standards to determine what will be required of lower-risk organizations.

Selected Components
Have Not Incorporated
Key Elements of InsiderThreat Programs That Are
Cited in DOD Guidance

In addition to the minimum standards issued by the President, DOD guidance and reports identify elements that could enhance DOD’s efforts to protect classified information and systems. These elements—which are required to support DOD’s broader efforts in areas such as cybersecurity, counterintelligence, and information security—are also identified in executive-branch policy and recommended in DOD and independent studies related to insider threats. 21 For example, DOD Instruction
5240.26, DOD’s 2000 insider-threat mitigation report, and Carnegie
Mellon Software Engineering Institute’s insider-threat guide state that
DOD components should develop a baseline of normal users’ activities. 22
Also, Carnegie Mellon Software Engineering Institute 23 and a White

21

We identified 25 key elements from DOD, executive-branch, government, and privatesector policies, guidance, and reports that could be included as a part of a framework of key elements of insider-threat programs. However, we did not perform a detailed analysis of all existing policies and guidance that could relate to insider threats. Therefore, agencies may be able to identify elements for inclusion in insider-threat programs in addition to the 25.

22

DOD Instruction 5240.26, Countering Espionage, International Terrorism, and the
Counterintelligence (CI) Insider Threat (May 4, 2012) (incorporating change 1, Oct. 15,
2013); DOD, Insider Threat Mitigation: Final Report of the Insider Threat Integrated
Process Team; and Carnegie Mellon Software Engineering Institute, Common Sense th Guide to Mitigating Insider Threats 4 ed. (December 2012). The National Insider Threat
Task Force cites Carnegie Mellon Software Engineering Institute’s guide as a useful reference with practices that can help agencies formulate their own insider-threat programs. 23

Carnegie Mellon Software Engineering Institute, Common Sense Guide to Mitigating
Insider Threats.

Page 13

GAO-15-544 Insider Threats

House review group 24—both of whom have recommended actions to address insider threats—stated that agencies, such as DOD, should develop risk-based analytics to detect insider-threat activity. As shown in figure 3, we developed a framework of these key elements by program phase based on our analysis of the minimum standards, DOD guidance, executive-branch policy and reports, and other guidance. 25

24

After the 2013 disclosures of classified information by a National Security Agency contractor, the President created the Review Group on Intelligence and Communications
Technologies to review practices for safeguarding liberty and security. The group’s final report included 46 recommendations, including recommendations for protecting classified information and systems. Liberty and Security in a Changing World (The President’s
Review Group on Intelligence and Communications Technologies: Washington, D.C., Dec.
12, 2013).

25

For a detailed list of all documents used to develop each key element, see appendix III.

Page 14

GAO-15-544 Insider Threats

Figure 3: GAO’s Framework of Key Elements To Incorporate at Each Phase of DOD’s Insider-Threat Programs

DOD and the six components we reviewed have incorporated some of the
25 recommended key elements we identified from DOD guidance and reports and independent studies to mitigate insider threats. Specifically, we found that some components have incorporated key elements such as

Page 15

GAO-15-544 Insider Threats

conducting internal spot checks; instituting internal controls and security controls; performing risk-based analytics; and taking personnel action. 26
However, DOD and the six components have not incorporated all of the
25 key elements and for the ones they have incorporated, they have not done so consistently. For example:


Institute and communicate consequences. DOD Instruction 8500.01 directs DOD components to ensure personnel are considered for sanctions if they compromise, damage, or place at risk DOD information. 27 Additionally, Carnegie Mellon Software Engineering
Institute’s insider-threat guide states that agencies should have policies and procedures in place that specify the consequences of particular policy violations. 28 We found that one component published a table of penalties, which is a guide for assessing the appropriate penalty for misconduct. A second component’s policy had procedures for communicating the consequences of disciplinary actions to insiderthreat personnel; however, the other components we reviewed did not have similar information in their insider-threat program policies.
Further, two components reported that their program processes and procedures were not fully documented, and officials from another component cited an example of component officials not instituting consequences when an incident occurred.



Develop a baseline of normal activity. 29 DOD Instruction 5240.26 directs DOD components to report anomalies, such as changes in user behavior. 30 DOD’s 2000 insider-threat mitigation report recommended that DOD create a list of system and user behavior attributes to develop a baseline of normal activity patterns. 31

26

For a list of documents identifying actions associated each of these elements, see appendix III.

27

DOD Instruction 8500.01, Cybersecurity (Mar. 14, 2014).

28

Carnegie Mellon Software Engineering Institute, Common Sense Guide to Mitigating
Insider Threats.

29

A baseline of normal activity identifies a user’s normal network activity.

30

DOD Instruction 5240.26, Countering Espionage, International Terrorism, and the
Counterintelligence (CI) Insider Threat.

31

DOD, Insider Threat Mitigation: Final Report of the Insider Threat Integrated Process
Team.

Page 16

GAO-15-544 Insider Threats

Additionally, according to Carnegie Mellon Software Engineering
Institute’s insider-threat guide, to detect anomalies in network activity, an organization must first create a baseline of normal network activity. 32 Three components have taken action to identify a baseline of normal user activity, but the others have not.


Share information as appropriate. E.O. 13587 states that agencies should provide policies for sharing information both within and outside of the federal government. Component officials stated there are informal processes for sharing information within DOD; however, the component officials stated that they were unaware of a process for sharing information outside of DOD.



Develop, disseminate, and incorporate best practices and lessons learned. DOD Instruction 5240.26 calls for the identification and dissemination of best practices across DOD in support of DOD insider-threat programs. 33 Additionally, DOD’s 2000 insider-threat mitigation report recommended that DOD develop a database of lessons learned from insider-threat incidents. 34 The report stated that not having such information severely hampers understanding of the magnitude of the insider-threat problem and the development of solution strategies. Officials at five components stated that while they sometimes develop and share best practices and lessons learned as a matter of practice, they do not have or use a formalized process of developing, disseminating, and incorporating best practices and lessons learned, such as solutions to vulnerabilities, in their insiderthreat programs.

When we discussed the key elements framework with DOD officials, researchers specializing in insider threats, and a private sector insiderthreat program official, they agreed that it identified elements that would help DOD components develop and strengthen their insider-threat programs. However, DOD officials stated that they would need supplemental planning guidance that helps them identify actions, such as the key elements, beyond the minimum standards that they should take to

32

Carnegie Mellon Software Engineering Institute, Common Sense Guide to Mitigating
Insider Threats.

33

DOD Instruction 5240.26, Countering Espionage, International Terrorism, and the
Counterintelligence (CI) Insider Threat.

34

DOD, Insider Threat Mitigation: Final Report of the Insider Threat Integrated Process
Team.

Page 17

GAO-15-544 Insider Threats

enhance their insider-threat programs. The current DOD directive does not contain additional guidance for implementing key elements of an insider-threat program beyond the minimum standards. 35 According to
DOD component officials, the directive repeats the minimum standards but does not provide DOD component officials with sufficient guidance for incorporating recommended key elements to enhance their insider-threat programs. Additionally, the draft DOD implementation plan provides guidance on the minimum standards but not recommended key elements.
In January 2015, DOD officials stated that they planned to issue supplemental guidance to assist components in implementing insiderthreat programs. Issuing such guidance would be consistent with federal standards for internal control, which state that organizations need information to achieve objectives, and that information should be communicated to those who need it within a time frame that enables them to carry out their responsibilities. 36 Guidance identifying actions beyond the minimum standards could assist components in enhancing their insider-threat programs and further enhance the department’s efforts to protect its classified information and systems.

DOD Has Assessed
Its Insider-Threat
Program but Has Not
Analyzed Gaps or
Incorporated Risk
Assessments into the Program
DOD and Other Entities
Have Assessed the
Department’s InsiderThreat Program

DOD has conducted self-assessments of its insider-threat program; additionally, independent entities have assessed DOD components’ compliance with relevant policies and standards. E.O. 13587 and the national insider-threat policy require agencies to perform selfassessments that evaluate their level of organizational compliance with

35

DOD Directive 5205.16, The DOD Insider Threat Program.

36

GAO/AIMD-00.21.3.1.

Page 18

GAO-15-544 Insider Threats

the national insider-threat policy and minimum standards. 37 To meet this requirement, DOD conducts quarterly self-assessments—commonly referred to as the Key Information Sharing and Safeguarding Indicators assessment—and evaluates the extent to which the department is addressing 63 key performance indicators. These 63 key performance indicators address topics such as the implementation of the department’s insider-threat program, the management and monitoring of removable media, and the implementation of a public-key infrastructure to reduce user anonymity on classified networks. 38 In its February 2015 quarterly self-assessment, DOD reported that it addressed all of the management and monitoring indicators for removable media. For example, DOD reported that it monitors computer systems and uses a tool to alert appropriate officials when individuals try to write to removable media such as CDs or USB devices. However, DOD also reported that it had not fully addressed other indicators, including those associated with the department’s insider-threat program. For example, DOD reported that it had not issued its program-implementation plan. DOD officials acknowledged that the department had not completed the tasks associated with the 63 key performance indicators and told us that the department will continue to focus on these efforts until they have been addressed. DOD has conducted these self-assessments for the department, as required. However, we found that these assessments reflect either the department’s overall progress or limited information regarding actions taken by individual DOD components. This information is limited because the current assessments do not reflect the extent to which the components have accomplished tasks associated with the 63 key performance indicators. According to the draft DOD insider threat program implementation plan, DOD components will be expected to submit self-assessments to the Under Secretary of Defense for
Intelligence in 2015.

37

E.O. 13587 and White House, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.

38

Public-key infrastructure is a system of hardware, software, policies, and people that, when fully and properly implemented, can provide a suite of information security assurances—including confidentiality, data integrity, authentication, and non-repudiation— that are important in protecting sensitive communications and transactions.

Page 19

GAO-15-544 Insider Threats

In addition to its self-assessments, in 2013 DOD updated its Command
Cyber Readiness Inspections 39 to evaluate whether units had incorporated insider-threat security measures identified in a 2013 U.S.
Cyber Command tasking order. 40 U.S. Cyber Command officials indicated that the command selects units for inspection according to risk factors such as threat information and inspection histories. As of July 2014, DOD had inspected one of the six components included in the scope of our review. According to the inspection report, this component was complying with the security measures cited in the 2013 tasking order. 41 U.S. Cyber
Command officials stated that DOD intends to update the inspections in
2015 to include additional security measures developed in response to a
2014 U.S. Cyber Command tasking order. 42
In addition to DOD’s internal assessments, the National Security Agency and the National Insider Threat Task Force separately conduct independent assessments of DOD’s protection of classified information and systems, as required by E.O. 13587. 43 DOD officials stated that as of
January 2015, the National Security Agency had assessed one DOD component since E.O. 13587 was issued in 2011. The focus of the assessment was to identify vulnerabilities, assess compliance, and assist the component with the implementation of safeguarding policies and standards in support of E.O. 13587. The assessment report identified best practices, vulnerabilities, and recommendations to resolve technical security issues.

39

Command Cyber Readiness Inspections are intended to assess compliance, validation, and readiness of components and individual units. U.S. Cyber Command is in charge of the Command Cyber Readiness Inspection process, but the Defense Information Systems
Agency executes these inspections to include evaluations of readiness to mitigate insider threats. 40

U.S. Cyber Command, United States Cyber Command Operation Gladiator Shield
Tasking Order 13-0651 Insider Threat Mitigation Amplifying Direction (July 2013). This tasking order directed DOD components to implement specific short-term technical and procedural safeguards to prevent, deter, and detect insider threats.

41

As of July 2014, U.S. Cyber Command reported that nearly all of the 89 units that it had assessed from October 1, 2013, through June 6, 2014, were complying with the security measures cited in the 2013 task order.

42

U.S. Cyber Command, United States Cyber Command Tasking Order 14-0185 Insider
Threat Mitigation (July 2014).

43

The National Security Agency conducts these assessments in its independent role as co-executive agent for safeguarding classified information on computer networks.

Page 20

GAO-15-544 Insider Threats

In accordance with the executive order, the National Insider Threat Task
Force has assessed four DOD components’ compliance with insiderthreat policies and minimum standards. According to these assessments, the task force compares the component’s policies and practices with the minimum standards. The assessments note where the component has taken action to address minimum standards and associated tasks, and also make recommendations to help the components develop their programs and address the standards. For example, in its assessment of one component, the National Insider Threat Task Force complimented the component’s system to centralize access to unclassified employee records, but recommended that the component begin issuing an annual report to its director, which is a task associated with the “Designation of
Senior Official(s)” standard.

DOD Has Not Completed a Required Continuing
Analysis of Gaps

Section 922 of the National Defense Authorization Act for Fiscal Year
2012 requires that DOD complete a continuing analysis of gaps in security measures and of technology, policies, and processes that are needed to increase the capability of its insider-threat program to address these gaps, and that DOD report to Congress on implementation of the requirement. 44 Although DOD reported to Congress in March 2013 that
OUSD (Intelligence) was conducting a survey to serve as a baseline foundation for a continuing analysis of gaps, in October 2014 DOD officials told us that they suspended this baseline survey and did not otherwise complete a continuing analysis of gaps. 45 This survey would have allowed DOD to define existing insider-threat program capabilities; identify gaps in security measures; and advocate for the technology, policies, and processes necessary to increase capabilities in the future.
According to the officials, after consulting DOD’s Cost Assessment and
Program Evaluation office about the process for conducting such a survey across the department, the department believed such an effort would not be feasible due to financial and personnel limitations. The department has not taken action to fulfill this statutory requirement since then.
OUSD (Intelligence) officials stated that they believe the department has addressed the intent of the statutory requirement through the previously discussed assessments—DOD’s quarterly self-assessments, DOD’s

44

Pub. L. No. 112–81, § 922 (2011).

45

DOD, Report to Congress: Insider Threat Detection.

Page 21

GAO-15-544 Insider Threats

Command Cyber Readiness Inspections, and the National Security
Agency’s independent assessments. However, DOD has not evaluated and documented the extent to which these assessments define existing insider-threat program capabilities; identify gaps in security measures; and advocate for the technology, policies, and processes necessary to increase capabilities in the future, as is required by law. Similarly, DOD officials stated that the department has not informed Congress that it did not complete the actions identified in its 2013 report to Congress, because they believed the legislation required only the 2013 report.
Further, officials from OUSD (Intelligence)—which supports DOD’s senior official overseeing insider-threat programs—told us they do not review the results of the National Security Agency assessments or Command Cyber
Readiness Inspection reports, though DOD Directive 5205.16 directs the senior official to monitor insider-threat program implementation progress. 46 Without evaluating and documenting the extent to which current assessments provide a continuing analysis of gaps, reporting to
Congress on the results of this evaluation, and OUSD (Intelligence) reviewing the overall results of these self- and independent assessments, the department will not know whether their capabilities for insider-threat detection and analysis are adequate and fully address the statutory requirements. DOD and the Six
Components Have Not
Incorporated Risk
Assessments into InsiderThreat Programs

National-level security guidance states that agencies should assess their risk posture as a part of their insider-threat programs. 47 For example, the
National Insider Threat Task Force’s guide states that agencies should identify their critical assets and then assess the risk to those assets. Also, the Committee on National Security Systems’ Directive on Protecting
National Security Systems from Insider Threat requires the alignment of departments and agencies’ cybersecurity protections—which are part of an insider-threat program’s protective capabilities—with the assets,

46

DOD Directive 5205.16. The DOD Insider Threat Program.

47

National Insider Threat Task Force, 2014 Guide to Accompany the National Insider
Threat Policy and Minimum Standards; and Committee on National Security Systems
Directive 504, Directive on Protecting National Security Systems from Insider Threat (Feb.
4, 2014).

Page 22

GAO-15-544 Insider Threats

threats, and vulnerability assessments as determined by risk assessments. 48
We found that DOD has not incorporated risk assessments into its insider-threat programs. DOD officials stated that they include insider threats in other risk assessments; however, these assessments are technical in nature and focus on the vulnerabilities of individual systems.
These individual system risk assessments do not provide insider-threat program officials with complete information to make informed risk and resource decisions about how to align cybersecurity protections. For example, the individual system risk assessments do not identify or consider the different types of insider threats (e.g., foreign intelligence collection, individuals with a personal agenda, or unintentional actions); insider-threat vulnerabilities; or different levels of consequence that each component or organization could suffer if an insider were to exploit the vulnerability; nor do they address the overall risk to the insider-threat program. Rather than conducting a formal risk assessment for the insiderthreat program, DOD CIO officials stated that they reach out to DOD component officials in an effort to maintain awareness of the department’s overall insider-threat capabilities. We found that this communication provides OUSD (Intelligence) and DOD CIO a status update of the component’s progress in achieving key performance indicators for the insider-threat program but does not include identification of component’s critical assets and risks to them, as described in the National Insider
Threat Task Force’s guide. 49 For example, agencies should identify elements of their mission that are essential to national security and that, if damaged, stolen, or otherwise exploited, would have a damaging effect on the agency, its mission, and national security.

48

Risk assessments are a means of providing decision makers with information needed to understand factors that can negatively influence operations and outcomes and make informed judgments concerning the extent of actions needed to reduce risk. They provide a basis for establishing appropriate policies and selecting cost-effective techniques to implement these policies. Risk assessments generally include the tasks of identifying threats and vulnerabilities, and determining consequences. GAO, Information Security
Risk Assessment: Practices of Leading Organizations, GAO/AIMD-00-33 (Washington,
D.C.: Nov. 1, 1999); and National Institute of Standards and Technology, Guide for
Conducting Risk Assessments, Special Publication 800-30 Revision 1 (Gaithersburg, Md.:
September 2012).

49

National Insider Threat Task Force, 2014 Guide to Accompany the National Insider
Threat Task Force Policy and Minimum Standards.

Page 23

GAO-15-544 Insider Threats

DOD officials stated that they believe the department has addressed the intent of a risk assessment by other means, including the Command
Cyber Readiness Inspections and the National Security Agency’s independent assessments of DOD components. Officials of the
Command Cyber Readiness Inspection program told us that the inspection process currently includes threat assessments, a risk-indicator matrix, and a risk assessment to prompt organizations to consider threats and risk to their missions and operations resulting from vulnerabilities found on their networks. However, these inspections do not focus on the overall component but rather on specific units within a component.
Additionally, the National Security Agency told us that its independent assessments would not include all information needed for a true risk assessment. Finally, OUSD (Intelligence) officials stated that they do not currently review the results of the National Security Agency assessments or Command Cyber Readiness Inspection reports, as previously discussed. Therefore, the senior-level official does not know which specific types of risk the department is incurring.
DOD officials stated that the department and its components have not incorporated risk assessments as part of their insider-threat programs in part because they have not fully implemented the department’s insiderthreat program. We also found that the DOD components we reviewed have not assessed risks because DOD has not provided guidance directing components to incorporate risk assessments into their respective insider-threat programs. Until DOD provides supplemental guidance directing components to incorporate risk assessments into their insider-threat programs, components may not assess risk and DOD will not be able to determine whether current security measures are adequate or whether proposed security measures would address a component’s level of risk. Also, if DOD and its components do not align insider-threat security measures with threats, as required by the directive on national security systems, decision makers may lack information needed to make informed judgments. 50

50

Committee on National Security Systems Directive 504, Directive on Protecting National
Security Systems from Insider Threat.

Page 24

GAO-15-544 Insider Threats

DOD Identified
Technical and Policy
Changes to Protect against Insider
Threats in the Future but Does Not
Consistently Collect
Information for
Oversight and
Recommendations
Selected DOD
Components Identified
Technical and Policy
Changes for Future Action

To help protect classified information and systems from future insider threats, in the technical area, officials from three of the six DOD components we reviewed told us that they are hoping to obtain or improve analytic tools that allow the component to identify anomalous behavior that could indicate insider-threat activities. 51 These analytic tools would obtain data through monitoring of user activity. Specifically, officials from two DOD components told us that they currently do not have these tools, but hope to obtain them in the future. Officials from another DOD component that does have such a tool told us that the component hopes to obtain an enhanced version that will allow the tool to analyze user behavior across systems of different classification levels (i.e., across the unclassified network, secret network, and top-secret network). According to National Insider Threat Task Force officials, these tools can also merge user activity-monitoring data with other sources of data to provide analysts with additional information.
In the policy area, component officials we interviewed also identified several actions to better protect against insider threats.

51

Anomalous activities are network activities that are inconsistent with the expected norms. These activities, such as network activity outside of normal work hours or changes in typical data download patterns, could indicate the exploitation of cyber vulnerabilities, among other things.

Page 25

GAO-15-544 Insider Threats



DOD Insider Threat Management and Analysis Center. Officials from three of the six DOD components we reviewed told us that they need
DOD to make additional decisions regarding the proposed Defense
Insider Threat Management and Analysis Center. According to an
OUSD (Intelligence) briefing, DOD developed the concept for such a center based on a common recommendation that was identified in a
2012 Defense Science Board report and a 2013 Washington Navy
Yard shooting after-action report; a similar recommendation was also identified in a 2010 Fort Hood shooting after-action report. 52
According to DOD’s Washington Navy Yard Task Force
Implementation Plan, the center will consist of cross-functional representatives that assess risk, recommend intervention or mitigation, and oversee the completion of case action on threats that insiders may pose to DOD personnel, DOD missions and resources, or both. 53 While this implementation plan identifies general efforts that the center could take, DOD has not issued a concept of operations and other planning documents that identify the center’s actual functions, scope, level of involvement expected from the components, level of DOD involvement, and depth of analysis to be completed at the center, and the relationship between the center and the services’ existing threat-analysis centers.



Information sharing. Officials from two of the six components we reviewed cited the need for clear policies on when and how components can share information about individuals who are suspected or confirmed of being an insider threat. Similarly, officials said that the components need clear policy about sharing suspicious information that could be occurring across DOD components and other federal agencies.



Continuous evaluation. Officials from one of the six components we reviewed told us that the components need policy that addresses continuous evaluation. Continuous evaluation is the practice of reviewing background information at any time during an individual’s period of eligibility for access to classified information to determine

52

Department of Defense, Protecting the Force: Lessons from Fort Hood (Washington,
D.C.: January 2010); Defense Science Board, Task Force Report: Predicting Violent
Behavior (Washington, D.C.: August 2012); and Department of Defense, Security from
Within: Independent Review of the Washington Navy Yard Shooting (Washington, D.C.:
November 2013).

53

Under Secretary of Defense for Intelligence, Washington Navy Yard Task Force
Implementation Plan (June 16, 2014).

Page 26

GAO-15-544 Insider Threats

whether the individual continues to meet the requirement for eligibility.
According to DOD’s Washington Navy Yard Task Force
Implementation Plan, continuous evaluation will leverage automated records checks of personnel with access to DOD facilities or classified information. These automated records checks of authoritative commercial and government data sources (e.g., criminal, financial, or credit records) will flag issues of personnel security concern. These checks are to supplement existing security processes, such as selfreporting, to more quickly identify and prioritize information of adjudicative relevance or adverse events that occur between periodic reinvestigations. According to DOD’s draft insider-threat program implementation plan, as of October 2014 DOD was still defining the organizational construct and concept of operations for continuous evaluation. DOD plans to provide this information in 2015.

DOD Is Not Consistently
Collecting Information for
Providing Oversight and
Recommendations

DOD is not consistently collecting the information to manage and oversee insider-threat programs that could assist the Under Secretary of Defense for Intelligence in providing oversight and making recommendations to counter insider threats, such as the technical and policy changes identified above. DOD’s insider-threat program directive requires that the
Under Secretary of Defense for Intelligence provide management, accountability, and oversight of the department’s insider-threat program, which includes the components’ programs. 54 As part of these responsibilities, the Under Secretary of Defense for Intelligence is to oversee departmental capabilities and resources to counter insider threats, and make recommendations on program improvements and resources. 55 Additionally, DOD’s defense security enterprise directive requires that the Under Secretary of Defense for Intelligence coordinate with the DOD CIO to establish enterprise investment goals informed by security-related efforts such as insider-threat initiatives. 56 OUSD
(Intelligence) officials stated that they reach out to components on an as-

54

DOD Directive 5205.16. The DOD Insider Threat Program.

55

Specifically, the directive requires the Under Secretary of Defense for Intelligence to (1) recommend improvements on DOD insider-threat activities; (2) oversee strategy, programs, capabilities, and resources to counter insider threats; and (3) coordinate with the DOD CIO and the components to make resource recommendations in support of insider-threat activities.

56

DOD Directive 5200.43, Management of the Defense Security Enterprise (Oct. 1, 2012)
(incorporating change 1, Apr. 24, 2013).

Page 27

GAO-15-544 Insider Threats

needed basis to obtain information about insider-threat resources.
However, according to the officials, they do not have a process to consistently collect information that identifies components prioritized needs, such as technical and policy needs for the future, and as a result face difficulties identifying component needs and comparing them against overall goals and strategy. Without collecting information from DOD components, the Under Secretary of Defense for Intelligence may face challenges fulfilling these management responsibilities. OUSD
(Intelligence) and DOD CIO officials acknowledged that information from the components’ about technical and policy needs would help the Under
Secretary of Defense for Intelligence establish investment goals and make recommendations on program improvements and resources.
According to OUSD (Intelligence) officials, they do not have a process to collect information from the components to support management and oversight duties and inform resource recommendations and investment goals because DOD has not dedicated a program office that is focused on oversight of the insider-threat program. Specifically, while DOD has designated the Under Secretary of Defense for Intelligence as the department’s senior insider-threat program official, officials stated that
DOD has not identified a program office to execute the day-to-day responsibilities associated with this position and the program is instead currently supported within an office whose mission is policy, rather than management, oriented. Identification of a program office is consistent with federal standards for internal control and Office of the Director of National
Intelligence guidance. 57 For example, federal standards for internal control call for an organizational structure that provides a framework to achieve agency objectives, including delegation of authority and responsibility for operating activities. 58 Additionally, the Office of the

57

GAO/AIMD-00-21.3.1 and Office of the Director of National Intelligence, Office of the
National Counterintelligence Executive, Protecting Key Assets: A Corporate
Counterintelligence Guide.

58

Per GAO’s Standards for Internal Control in the Federal Government, another factor affecting the environment is the agency’s organizational structure. It provides management’s framework for planning, directing, and controlling operations to achieve agency objectives. A good internal-control environment requires that the agency’s organizational structure clearly defines key areas of authority and responsibility and establishes appropriate lines of reporting. The environment is also affected by the manner in which the agency delegates authority and responsibility throughout the organization.
These delegations cover authority and responsibility for operating activities, reporting relationships, and authorization protocols.

Page 28

GAO-15-544 Insider Threats

Director of National Intelligence guidance states that fully functional headquarters-level counterintelligence programs should include at least a program manager and supporting program staff. Without identifying a program office to support the Under Secretary of Defense for
Intelligence’s responsibilities in managing and overseeing DOD and components’ insider-threat programs, DOD may not be able to collect all information about DOD components’ technical and policy needs and could face challenges in establishing goals, and recommending resources and improvements to address insider threats.

Conclusions

The recent disclosures of classified information by insiders have damaged national security, potentially placed the lives of military service members at risk, and highlighted the importance of preventing or mitigating future threats to DOD’s classified information and systems.
DOD’s April 2015 cyber strategy reflects the importance of mitigating insider threats to achieve the department’s goal of defending DOD’s information network, securing DOD data, and mitigating the risk to DOD missions. 59 DOD and its components are taking steps to address these threats by implementing programs that incorporate minimum standards.
However, DOD components have not taken action to incorporate other key elements into their insider-threat programs because DOD has not issued guidance that identifies actions beyond the minimum standards that components should take to enhance their insider-threat programs.
Such guidance would assist components in developing and strengthening insider-threat programs and better position the department to safeguard classified information and systems.
Gap and risk assessments allow DOD components to regularly assess the dynamic threat, vulnerability, and consequences associated with protecting classified information and systems from insider threats. While
DOD has assessed aspects of its insider-threat program, it has not evaluated or documented the extent to which these assessments provide a continuing analysis of gaps as required by statute and has not incorporated risk assessments into insider-threat programs; nor have the results of the existing assessments been provided to DOD’s senior insider-threat official. Without such an analysis of gaps and risk assessments—and without the Under Secretary of Defense for

59

DOD, The Department of Defense Cyber Strategy.

Page 29

GAO-15-544 Insider Threats

Intelligence reviewing the results—DOD will face challenges understanding the extent to which its mitigations address current and evolving threats that insiders pose, and will be hampered in making moreinformed management and resource decisions.
In addition, as the threat evolves, DOD will need to address future technical and policy changes. However, DOD is not consistently collecting information about future technical and policy changes because it has not established an insider-threat program office. Without designating a program office dedicated to the oversight role, DOD may not ensure the collection of all information about components’ needs and could face challenges in establishing goals, and recommending resources and improvements to address insider threats.

Recommendations for
Executive Action

To further enhance the department’s efforts to protect its classified information and systems from insider threats, we recommend that the
Secretary of Defense take the following four actions.
We recommend that the Secretary of Defense direct the Under Secretary of Defense for Intelligence to take the following actions:


In planned supplemental planning guidance to be developed, identify actions beyond the minimum standards that components should take to enhance their insider-threat programs.



Evaluate and document the extent to which current assessments provide a continuing analysis of gaps for all DOD components; report to Congress on the results of this evaluation; and direct that the overall results of these self- and independent assessments be reviewed by the Office of the Under Secretary of Defense for
Intelligence.



Provide DOD components supplemental guidance that directs them to incorporate risk assessments into their insider-threat programs.

We also recommend that the Secretary of Defense take action to do the following: •

Identify an insider-threat program office to support the Under
Secretary of Defense for Intelligence’s responsibilities in managing and overseeing DOD and components’ insider-threat programs.

Page 30

GAO-15-544 Insider Threats

Agency Comments and Our Evaluation

DOD provided written comments on a draft of this report and these comments are reproduced in appendix IV. DOD concurred or partially concurred with all four of our recommendations. The Departments of
Homeland Security and Justice and the Office of the Director of National
Intelligence reviewed a draft of this report but did not provide any comments. DOD agreed with our recommendation to identify in supplemental guidance actions beyond the minimum standards that components should take to enhance their insider-threat programs. DOD stated that it will publish a detailed implementation plan in 2015 to assist components in implementing multiple actions required in all insider-threat programs.
Issuing an implementation plan is a positive step and one required by the minimum standards. However, as stated in our report, the draft implementation plan that we reviewed focused on actions that DOD would take to implement the minimum standards and did not provide DOD components additional information about other key elements that component officials told us would be helpful. We therefore believe that
DOD needs to update its draft implementation plan before it is issued to include guidance beyond the minimum standards, or issue this guidance in another form. This will ensure that DOD components will be better positioned to enhance their insider-threat programs and the department will be better positioned to protect its classified information and systems.
DOD partially agreed with our recommendation to evaluate and document the extent to which current assessments provide a continuing analysis of gaps for all DOD components, report to Congress on the results of this evaluation, and direct that the overall results of these assessments be reviewed by OUSD (Intelligence). In its comments, DOD first stated that it analyzes security gaps each quarter through its self-assessments, which identify gaps in program capabilities. While these assessments can provide DOD and its components information required under E.O. 13587,
DOD did not indicate whether it would evaluate and document whether those assessments provide a continuing analysis of gaps as identified in
Section 922 of the National Defense Authorization Act for Fiscal Year
2012. Such an evaluation is necessary to determine whether DOD is meeting the statutory requirement to complete a continuing analysis of gaps in security measures and of technology, policies, and processes that are needed to increase the capability of DOD’s insider-threat program to address these gaps. We believe such an evaluation is prudent since, as we stated in the report, the information from the self-assessments and independent assessments cited by DOD is sometimes limited. Therefore, we continue to believe that DOD should take steps to evaluate and

Page 31

GAO-15-544 Insider Threats

document the extent to which these current assessments provide the same information as the statutorily-required analysis of gaps in order to determine the adequacy of DOD’s insider-threat detection and analysis capabilities. Second, DOD stated that it met the congressional reporting requirement with its 2013 report, which did not require additional reporting. However, as we stated in the report, DOD did not complete the actions it described in the 2013 report and thus has not provided
Congress with current information that would assist it in making informed decisions about funding to address gaps in security measures. Therefore, we continue to believe that the department should report to Congress on the results of its evaluation of current assessments, which identify gaps in security measures under its program for information-sharing protection and insider-threat mitigation. DOD also stated that the self-assessments and independent assessments of component insider-threat programs have begun, and agreed that these assessments will be provided to
OUSD (Intelligence) for review upon completion.
DOD agreed with our recommendation to provide components with supplemental guidance directing them to incorporate risk assessments into their insider-threat programs. DOD stated that its forthcoming implementation plan will require components to employ a process to identify critical assets and assess the components’ risk posture. DOD also stated that other risk assessments will be considered and integrated with insider-threat risks. We agree that incorporating risk assessments will assist component leadership in making informed judgments and better enable them to align security measures with threats.
DOD partially agreed with our recommendation to identify an insiderthreat program office to support the Under Secretary of Defense for
Intelligence’s responsibilities in managing and overseeing insider-threat programs. DOD stated that it has chartered a study to examine the feasibility and associated requirements for establishing a separate DOD insider-threat program office. DOD expects to complete this study by July
2016. Our recommendation does not state that DOD needs to establish a separate program office, but rather that DOD should identify a program office to support the Under Secretary’s responsibilities. Therefore we would hope that as part of its study DOD would assign responsibility for this oversight to a program office. In its comments, DOD also referred to steps it has taken to establish the Defense Insider Threat Management and Analysis Center and described some of the center’s future capabilities. However, as we note in our report, DOD components described their need for policy about the center, and DOD has not yet issued a concept of operations and other planning documents that identify

Page 32

GAO-15-544 Insider Threats

the center’s actual functions, scope, and relationships with existing service threat-analysis centers. Once DOD implements our recommendation and identifies an insider-threat program office, the
Under Secretary of Defense for Intelligence will be better positioned to collect information from the components about their prioritized technical and policy needs for the future, such as policy regarding the Defense
Insider Threat Management and Analysis Center.
We are sending copies of this report to the appropriate congressional committees, the Secretaries of Defense and Homeland Security; the
Attorney General of the United States; and the Director of National
Intelligence. In addition, this report will also be available at no charge on the GAO website at http://www.gao.gov.
If you or your staff have any questions concerning this report, please contact Joseph W. Kirschbaum at (202) 512-9971 or
KirschbaumJ@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or
WilshusenG@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this report.
GAO staff who made key contributions to this report are listed in appendix
V.

Joseph W. Kirschbaum
Director
Defense Capabilities and Management

Gregory C. Wilshusen
Director, Information Security Issues
Information Technology

Page 33

GAO-15-544 Insider Threats

List of Committees
The Honorable John McCain
Chairman
The Honorable Jack Reed
Ranking Member
Committee on Armed Services
United States Senate
The Honorable Thad Cochran
Chairman
The Honorable Richard Durbin
Ranking Member
Subcommittee on Defense
Committee on Appropriations
United States Senate
The Honorable Mac Thornberry
Chairman
The Honorable Adam Smith
Ranking Member
Committee on Armed Services
House of Representatives
The Honorable Rodney Frelinghuysen
Chairman
The Honorable Pete Visclosky
Ranking Member
Subcommittee on Defense
Committee on Appropriations
House of Representatives

Page 34

GAO-15-544 Insider Threats

Appendix I: Scope and Methodology
Appendix I: Scope and Methodology

To evaluate the extent to which the Department of Defense (DOD) has implemented an insider-threat program that incorporates minimum standards and key elements to protect classified information and systems, we evaluated initiatives that DOD had established and policy and guidance that identify responsibilities within the department to address the threat that insiders pose to classified information and systems. We selected a nonprobability sample of six DOD components to assess implementation efforts at the component level. 1 These six components include three combat support agencies; one military service; one combatant command; and one service sub-command. We selected these six components based on several factors including their specific roles in supporting DOD networks, prior insider-threat incidents, and reported progress in implementing insider-threat programs. In order to avoid duplication with an ongoing DOD Inspector General evaluation, we included only one military service. 2 While not generalizable, the information we obtained from these selected components provided insight about steps components are taking and challenges they are encountering. We developed a questionnaire based on our research objectives, the six minimum standards issued in 2012 by the President, and industry leading practices, and solicited responses from the six selected components. We administered the questionnaire and collected responses from all six selected components and the Office of the Under Secretary of Defense for Intelligence (OUSD [Intelligence]), and conducted follow-up meetings as needed. We also collected policies and guidance related to the responses and programs. We then used the questionnaire responses and information obtained from meetings and document reviews to assess each component’s insider-threat program implementation and content.
We reviewed the questionnaire responses to ensure the responses were consistent with the information we obtained. Any discrepancies were documented and follow up was conducted as necessary. Using a scorecard methodology, we developed a rating system to assess the

1
DOD defines “DOD components” to include the Office of the Secretary of Defense, the military departments, the Office of the Chairman of the Joint Chiefs of Staff and the Joint
Staff, the combatant commands, the DOD Office of Inspector General, the defense agencies, the DOD field activities, and all other entities within DOD.
2
In April 2014, the DOD Inspector General initiated work assessing the implementation of insider-threat programs at the four military services. According to the DOD Inspector
General, it plans to issue its report in mid-2015.

Page 35

GAO-15-544 Insider Threats

Appendix I: Scope and Methodology

components against the minimum standards to determine the extent to which the minimum standards were incorporated into component insiderthreat programs. We used three ratings for assessing the incorporation of each minimum standard: addressed all tasks associated with minimum standard, addressed at least one task, and did not address tasks. We rated components that answered yes to all questions related to that minimum standard and its associated tasks as addressed all tasks. We rated components that answered yes to one or more question related to that minimum standard and its associated tasks as addressed at least one task. We rated components that did not answer yes to at least one question related to a minimum standard and its associated tasks as having not addressed any of the tasks. Two analysts independently assessed and assigned a rating to each standard and then compared their independent ratings, discussed any differences, and determined a final rating. We then compiled the final ratings into a scorecard graphic.
An independent analyst reviewed our analysis and ratings for accuracy and consistency.
Additionally, to identify 25 key elements for a framework applicable to insider-threat programs, we analyzed Executive Order 13587 (E.O.
13587), the national insider-threat policy and minimum standards, DOD guidance and reports, Committee on National Security Systems guidance, a set of leading practices that the National Insider Threat Task
Force recommends, practices that other federal agencies and private industry use, and a list of essential elements that a group of private-sector

Page 36

GAO-15-544 Insider Threats

Appendix I: Scope and Methodology

and U.S. government analysts created. 3 For a list of the resources we consulted by key element, see appendix III. We then organized this information into a framework of 25 key elements. We based these elements upon the principles that we identified, but note that this framework is not necessarily a comprehensive list since other principles may exist that did not surface based on our inquiry that could benefit insider-threat programs. We discussed the framework with DOD and

3

We analyzed information from Department of Defense, Department of Defense Strategy for Operating in Cyberspace (July 2011); DOD Directive 5105.42, Defense Security
Service (DSS) (Aug. 3, 2010) (incorporating change 1, Mar. 31, 2011); DOD Directive
5200.43, Management of the Defense Security Enterprise (Oct. 1, 2012) (incorporating change 1, Apr. 24, 2013); DOD Directive 5240.06, Counterintelligence Awareness and
Reporting (CIAR) (May 17, 2011) (incorporating change 1, May 30, 2013); DOD DirectiveType Memorandum 09-0912, Interim Policy Guidance for DOD Physical Access Control
(Dec. 8, 2009) (incorporating change 5, Mar. 3, 2015); DOD Instruction 1438.06, DOD
Workplace Violence Prevention and Response Policy (Jan. 16, 2014); DOD Instruction
2000.12, DOD Antiterrorism (AT) Program (Mar. 1, 2012) (incorporating change 1, Sept.
9, 2013); DOD Instruction 2000.16, DOD Antiterrorism (AT) Standards (Oct. 2, 2006)
(incorporating change 2, Dec. 8, 2006); DOD Instruction 2000.26, Suspicious Activity
Reporting (SAR) (Sept. 23, 2014); DOD Instruction 5240.22, Counterintelligence Support to Force Protection (Sept. 24, 2009) (incorporating change 1, Oct. 15, 2013); DOD
Instruction 5240.26, Countering Espionage, International Terrorism, and the
Counterintelligence (CI) Insider Threat (May 4, 2012) (incorporating change 1, Oct. 15,
2013); DOD Instruction 5525.15, Law Enforcement (LE) Standards and Training in the
DOD (Apr. 27, 2012); DOD Instruction 6055.17, DOD Installation Emergency
Management (IEM) Program (Jan. 13, 2009) (incorporating change 1, Nov. 19, 2010);
DOD Instruction 8500.01, Cybersecurity (Mar. 14, 2014); DOD 5200.2-R, Personnel
Security Program (January 1987) (incorporating change 3, Feb. 23, 1996); DOD 5200.8R, Physical Security Program (Apr. 9, 2007) (incorporating change 1, May 27, 2009); DOD
Manual 5200.01, DOD Information Security Program: Protection of Classified Information, vol. 3 (Feb. 24, 2012) (incorporating change 2, Mar. 19, 2013); Department of Defense,
Insider Threat Mitigation: Final Report of the Insider Threat Integrated Process Team (Apr.
24, 2000); Joint Chiefs of Staff, Joint Pub. 3-07.2, Antiterrorism (Mar. 14, 2014); Secretary of Defense, Final Recommendations of the Fort Hood Follow-on Review, memorandum
(Aug. 18, 2010); Committee on National Security Systems Directive 504, Directive on
Protecting National Security Systems from Insider Threat (Feb. 4, 2014); E.O. 13587;
White House, National Insider Threat Policy and Minimum Standards for Executive Branch
Insider Threat Programs; Office of Management and Budget, Suitability and Security
Processes Review: Report to the President (February 2014); Liberty and Security in a
Changing World: Report and Recommendations of the President’s Review Group on
Intelligence and Communications Technologies (Dec. 12, 2013); GAO, Standards for
Internal Control in the Federal Government, GAO/AIMD-00.21.3.1 (Washington, D.C.:
Nov. 1, 1999); Office of the Director of National Intelligence, Office of the National
Counterintelligence Executive, Protecting Key Assets: A Corporate Counterintelligence
Guide (11137482 ID 6-11); Carnegie Mellon Software Engineering Institute, Common th Sense Guide to Mitigating Insider Threats, 4 ed. (December 2012); and the Intelligence and National Security Alliance, Insider Threat Resource Directory. In addition, we consulted officials from DOD, the Department of Homeland Security, Department of
Justice, Federal Bureau of Investigation, and Lockheed Martin.

Page 37

GAO-15-544 Insider Threats

Appendix I: Scope and Methodology

private-sector officials and incorporated comments and changes as appropriate. We also met with officials from the Department of Homeland
Security and Department of Justice and obtained information about their insider-threat programs because E.O. 13587 assigns them roles for insider threats. While not generalizable, the information we obtained provided insight about the implementation of insider-threat programs at federal agencies other than DOD.
To evaluate the extent to which DOD and others have assessed DOD’s insider-threat program to protect classified information and systems, we obtained copies of DOD’s quarterly self-assessments from December
2013 through February 2015, in which DOD reported its progress in complying with minimum standards. We compared the current DOD assessment efforts to those described in E.O. 13587 and national policy, and we interviewed officials from DOD and its components about their self-assessment process and results. We did not independently verify the accuracy of the self-assessments since it was beyond the scope of this review. We met with U.S. Cyber Command and obtained information about Command Cyber Readiness Inspections, including a list of organizations inspected and the overall results related to insider threat.
We did not independently verify the accuracy of this information since it was beyond the scope of this review. We also met with officials from the
National Insider Threat Task Force and National Security Agency who are involved in conducting independent assessments, confirmed that they have assessed some DOD components, and obtained and reviewed copies of the assessments. To determine the extent to which DOD conducted the continuing analysis of gaps in its insider-threat program required by National Defense Authorization Act for Fiscal Year 2012, we obtained and reviewed DOD’s 2013 report to Congress in which it described its plan for conducting a continuing analysis, and interviewed officials about the current status of the analysis. To determine the extent to which DOD incorporated risk assessments in its insider-threat program, we reviewed DOD, Committee on National Security Systems, and
National Insider Threat Task Force guidance related to the assessment of an agency’s risk posture. We interviewed OUSD (Intelligence) and DOD
Chief Information Officer (DOD CIO) officials about the extent to which
DOD conducted risk assessments related to insider-threat programs, and asked components about the extent to which they conducted risk assessments that would inform insider-threat programs.
To evaluate the extent to which DOD has identified any technical or policy changes to protect its classified information and systems from insider threats in the future, we focused on initiatives to be implemented

Page 38

GAO-15-544 Insider Threats

Appendix I: Scope and Methodology

beginning in 2015 and those initiatives not included in DOD’s existing insider-threat guidance. We did not include initiatives that are being assessed in-depth by a related GAO engagement. 4 We collected information about initiatives through the questionnaire we developed for the six selected components, and through interviews with component officials. The questionnaire and interviews were used to identify any future technical and policy changes to address threats to component information and information systems. We also asked component officials about their process for prioritizing and planning for initiatives. We then interviewed officials from OUSD (Intelligence) and DOD CIO about how the department is collecting information about these initiatives and using the information to inform resource recommendations and program improvements. We compared these responses to DOD guidance on responsibilities for insider-threat programs and the defense security enterprise, federal standards for internal control, 5 and Office of the
Director of National Counterintelligence guidance. We did not evaluate the initiatives themselves or assess each initiative’s relative priority or efficacy. We obtained relevant data and documentation and interviewed officials from components within the Department of Defense, Department of
Homeland Security, Department of Justice, and the Office of the Director of National Intelligence’s National Insider Threat Task Force. We also met with representatives from Carnegie Mellon University Software
Engineering Institute – CERT Insider Threat Center and Lockheed Martin.
We conducted this performance audit from May 2014 to June 2015 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

4
We are currently conducting an engagement assessing DOD’s force-protection efforts to address insider threats at U.S. installations. We anticipate issuing a product in summer
2015.
5

GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
(Washington, D.C.: Nov. 1, 1999).

Page 39

GAO-15-544 Insider Threats

Appendix II: Minimum Standards for
Executive Branch Insider-Threat Programs
Appendix II: Minimum Standards for Executive
Branch Insider-Threat Programs

DESIGNATION OF SENIOR OFFICIAL(S): 1.
Each agency head shall designate a senior official or officials, who shall be principally
2.
responsible for establishing a process to gather, integrate, and centrally analyze, and respond to Counterintelligence (CI), Security,
Information Assurance (IA), Human
Resources (HR), Law Enforcement (LE), and 3. other relevant information indicative of a potential insider threat. Senior Official(s) shall: 4.

5.

6.
7.

INFORMATION INTEGRATION, ANALYSIS 1.
AND RESPONSE: Agency heads shall:
2.

3.
INSIDER THREAT PROGRAM
PERSONNEL: Agency heads shall ensure personnel assigned to the insider threat program are fully trained in:

1.
2.
3.
4.
5.

Provide management and oversight of the insider threat program and provide resource recommendations to the agency head.
Develop and promulgate a comprehensive agency insider threat policy to be approved by the agency head within 180 days of the effective date of the National
Insider Threat Policy. Agency policies shall include internal guidelines and procedures for the implementation of the standards contained herein.
Submit to the agency head an implementation plan for establishing an insider threat program and annually thereafter a report regarding progress and/or status within that agency. At a minimum, the annual reports shall document annual accomplishments, resources allocated, insider threat risks to the agency, recommendations and goals for program improvement, and major impediments or challenges. Ensure the agency’s insider threat program is developed and implemented in consultation with that agency’s Office of General Counsel and civil liberties and privacy officials so that all insider threat program activities to include training are conducted in accordance with applicable laws, whistleblower protections, and civil liberties and privacy policies.
Establish oversight mechanisms or procedures to ensure proper handling and use of records and data described below, and ensure that access to such records and data is restricted to insider threat personnel who require the information to perform their authorized functions.
Ensure the establishment of guidelines and procedures for the retention of records and documents necessary to complete assessments required by Executive Order
13587.
Facilitate oversight reviews by cleared officials designated by the agency head to ensure compliance with insider threat policy guidelines, as well as applicable legal, privacy and civil liberty protections.
Build and maintain an insider threat analytic and response capability to manually and/or electronically gather, integrate, review, assess, and respond to information derived from CI, Security, lA, HR, LE, the monitoring of user activity, and other sources as necessary and appropriate.
Establish procedures for insider threat response action(s), such as inquiries, to clarify or resolve insider threat matters while ensuring that such response action(s) are centrally managed by the insider threat program within the agency or one of its subordinate entities.
Develop guidelines and procedures for documenting each insider threat matter reported and response action(s) taken, and ensure the timely resolution of each matter. Counterintelligence and security fundamentals to include applicable legal issues;
Agency procedures for conducting insider threat response action(s);
Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information;
Applicable civil liberties and privacy laws, regulations, and policies; and
Investigative referral requirements of Section 811 of the Intelligence Authorization
Act for FY 1995, as well as other policy or statutory requirements that require referrals to an internal entity, such as a security office or Office of Inspector
General, or external investigative entities such as the Federal Bureau of
Investigation, the Department of Justice, or military investigative services

Page 40

GAO-15-544 Insider Threats

Appendix II: Minimum Standards for Executive
Branch Insider-Threat Programs

ACCESS TO INFORMATION:
Agency heads shall:

Direct CI, Security, lA, HR, and other relevant organizational components to securely provide insider threat program personnel regular, timely, and, if possible, electronic access to the information necessary to identify, analyze, and resolve insider threat matters. Such access and information includes, but is not limited to, the following:
a. Counterintelligence and Security. All relevant databases and files to include, but not limited to, personnel security files, polygraph examination reports, facility access records, security violation files, travel records, foreign contact reports, and financial disclosure filings.
b. Information Assurance. All relevant unclassified and classified network information generated by IA elements to include, but not limited to, personnel usernames and aliases, levels of network access, audit data, unauthorized use of removable media, print logs, and other data needed for clarification or resolution of an insider threat concern.
c. Human Resources. All relevant HR databases and files to include, but not limited to, personnel files, payroll and voucher files, outside work and activities requests, disciplinary files, and personal contact records, as may be necessary for resolving or clarifying insider threat matters.
2. Establish procedures for access requests by the insider threat program involving particularly sensitive or protected information, such as information held by special access, law enforcement, inspector general, or other investigative sources or programs, which may require that access be obtained upon request of the Senior
Official(s).
3. Establish reporting guidelines for CI, Security, lA, HR, and other relevant organizational components to refer relevant insider threat information directly to the insider threat program.
4. Ensure insider threat programs have timely access, as otherwise permitted, to available United States Government intelligence and counterintelligence reporting information and analytic products pertaining to adversarial threats.

MONITORING USER ACTIVITY ON
NETWORKS: Agency heads shall ensure insider threat programs include:

1.

1.

2.
3.

4.

Either internally or via agreement with external agencies, the technical capability, subject to appropriate approvals, to monitor user activity on all classified networks in order to detect activity indicative of insider threat behavior. When necessary,
Service Level Agreements (SLAs) shall be executed with all other agencies that operate or provide classified network connectivity or systems. SLAs shall outline the capabilities the provider will employ to identify suspicious user behavior and how that information shall be reported to the subscriber’s insider threat personnel.
Policies and procedures for properly protecting, interpreting, storing, and limiting access to user activity monitoring methods and results to authorized personnel.
Agreements signed by all cleared employees acknowledging that their activity on any agency classified or unclassified network, to include portable electronic devices, is subject to monitoring and could be used against them in a criminal, security, or administrative proceeding. Agreement language shall be approved by the Senior Official(s) in consultation with legal counsel.
Classified and unclassified network banners informing users that their activity on the network is being monitored for lawful United States Government-authorized purposes and can result in criminal or administrative actions against the user.
Banner language shall be approved by the Senior Official(s) in consultation with legal counsel.

Page 41

GAO-15-544 Insider Threats

Appendix II: Minimum Standards for Executive
Branch Insider-Threat Programs

EMPLOYEE TRAINING AND
AWARENESS: Agency heads shall ensure insider threat programs:

1.

2.
3.

Provide insider threat awareness training, either in-person or computer-based, to all cleared employees within 30 days of initial employment, entry-on-duty (EOD), or following the granting of access to classified information, and annually thereafter.
Training shall address current and potential threats in the work and personal environment, and shall include, at a minimum, the following topics:
a. The importance of detecting potential insider threats by cleared employees and reporting suspected activity to insider threat personnel or other designated officials;
b. Methodologies of adversaries to recruit trusted insiders and collect classified information;
c. Indicators of insider threat behavior and procedures to report such behavior; and d. Counterintelligence and security reporting requirements, as applicable.
Verify that all cleared employees have completed the required insider threat awareness training contained in these standards. ‘
Establish and promote an internal network site accessible to all cleared employees to provide insider threat reference material, including indicators of insider threat behavior, applicable reporting requirements and procedures, and provide a secure electronic means of reporting matters to the insider threat program.

Source: The White House. | GAO-15-544.

Note: Data are from the White House, National Insider Threat Policy and Minimum Standards for
Executive Branch Insider Threat Programs (Washington, D.C.: Nov. 12, 2012).

Page 42

GAO-15-544 Insider Threats

Appendix III: Sources for Key Elements of
Insider-Threat Programs GAO Identified
Appendix III: Sources for Key Elements of
Insider-Threat Programs GAO Identified

Program phase Program element

Source

Deter

Identify program office

GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00.21.3.1 (Washington, D.C.: Nov. 1, 1999); Office of the Director of National Intelligence, Office of the National Counterintelligence Executive,
Protecting Key Assets: A Corporate Counterintelligence Guide (11137482 ID
6-11)

Establish rules and policies

Department of Defense (DOD) Instruction 5240.26 (Countering Espionage,
International Terrorism, and the Counterintelligence Insider Threat); DOD
Instruction 2000.12 (DOD Antiterrorism [AT] Programs); DOD Instruction
2000.16 (DOD Antiterrorism [AT] Standards); DOD Directive 5105.42 (Defense
Security Service); DOD Directive 5200.43 (Management of the Defense
Security Enterprise); DOD, Insider Threat Mitigation: Final Report of the
Insider Threat Integrated Process Team; Committee on National Security
Systems Directive 504 (Directive on Protecting National Security Systems from
Insider Threat); National Insider Threat Policy and Minimum Standards for
Executive Branch Insider Threat Programs; Carnegie Mellon Software
Engineering Institute, Common Sense Guide to Mitigating Insider Threats

Institute consequences if rules and policies not followed

DOD Instruction 8500.01 (Cybersecurity); DOD Instruction 2000.12; DOD
5200.08-R (Physical Security Program); DOD, Insider Threat Mitigation: Final
Report; Carnegie Mellon, Common Sense Guide

Communicate program goals, policies, and consequences to staff and contractors

DODI 8500.01; DODD 5105.42; DOD Instruction 1438.06 (DOD Workplace
Violence Prevention and Response Policy); DODI 2000.12; DOD, Insider
Threat Mitigation: Final Report; Carnegie Mellon, Common Sense Guide

Conduct internal spot checks

DOD 5200.08-R; DODI 2000.16; DOD, Insider Threat Mitigation: Final Report;
Carnegie Mellon, Common Sense Guide

Host red team

DOD, Department of Defense Strategy for Operating in Cyberspace; DODI
8500.01; Joint Chiefs of Staff, Joint Pub. 3-07.2 (Antiterrorism); Liberty and
Security in a Changing World: Report and Recommendations of the
President’s Review Group on Intelligence and Communications Technologies

Integrate personnel clearance

DODI 8500.01; DODI 5240.26; DOD 5200.2-R (DOD Personnel Security
Program); DODD 5105.42; DOD, Insider Threat Mitigation: Final Report; Office of Management and Budget, Suitability and Security Processes Review
(February 2014); Liberty and Security in a Changing World; Carnegie Mellon,
Common Sense Guide

Train and exercise employees

DODI 5240.26; DODI 8500.01; DODI 1438.06; DODI 2000.12; DODI 2000.16;
Joint Pub. 3-07.2; DOD Directive 5240.06 (Counterintelligence Awareness and
Reporting); DODD 5105.42; CNSSD 504; National Insider Threat Policy and
Minimum Standards; Carnegie Mellon, Common Sense Guide

Develop a baseline of normal activity

DODI 5240.26; Joint Pub. 3-07.2; DOD, Insider Threat Mitigation: Final Report;
CNSSD 504; Carnegie Mellon, Common Sense Guide

Conduct risk assessments

DODI 8500.01; DODI 2000.16; Joint Pub. 3-07.2; DOD, Insider Threat
Mitigation: Final Report; CNSSD 504; Carnegie Mellon, Common Sense Guide

Institute internal controls and security controls DODI 5240.26; DODI 8500.01; DODI 2000.12; CNSSD 504; DOD Instruction
2000.26 (Suspicious Activity Reporting); Carnegie Mellon, Common Sense
Guide

Prevent

Page 43

GAO-15-544 Insider Threats

Appendix III: Sources for Key Elements of
Insider-Threat Programs GAO Identified

Program phase Program element

Source

Detect

Ensure cross-function coordination

DODI 5240.26; DODI 8500.01; DODI 1438.06; DODI 2000.12; DODI 2000.16;
CNSSD 504; National Insider Threat Policy and Minimum Standards; Carnegie
Mellon, Common Sense Guide

Monitor activity

DODI 5240.26; DODI 8500.01; CNSSD 504; Directive-Type Memorandum 09012 (Interim Policy Guidance for DOD Physical Access Control); National
Insider Threat Policy and Minimum Standards; Liberty and Security in a
Changing World; Carnegie Mellon, Common Sense Guide

Perform risk-based analytics

DODI 5240.26; CNSSD 504; Joint Pub. 3-07.2; Liberty and Security in a
Changing World; Carnegie Mellon, Common Sense Guide

Conduct internal audits and reporting

DODI 5240.26; DODI 8500.01; DODI 2000.12; DODI 2000.16; DOD Manual
5200.01, vol. 3 (DOD Information Security Program: Protection of Classified
Information); DODD 5105.42; DOD, Insider Threat Mitigation: Final Report;
CNSSD 504; Joint Pub. 3-07.2; National Insider Threat Policy and Minimum
Standards; Carnegie Mellon, Common Sense Guide

Allow external audits

DODI 5240.26; DODI 2000.16; Joint Pub. 3-07.2; National Insider Threat
Policy and Minimum Standards

Encourage peer reporting

DODI 5240.26; DODI 8500.01; DODI 1438.06; DODD 5240.06; DODM
5200.01, vol. 3; Joint Pub. 3-07.2; National Insider Threat Policy and Minimum
Standards; Carnegie Mellon, Common Sense Guide

Create and retain auditable records of DODI 8500.01; DODI 1438.06; DOD, Insider Threat Mitigation: Final Report; actions taken
CNSSD 504; DTM 09-012; Carnegie Mellon, Common Sense Guide
Share information as appropriate
Suspend access

DOD 5200.2-R; DTM 09-012; DOD, Insider Threat Mitigation: Final Report;
Carnegie Mellon, Common Sense Guide

Take personnel action—counsel, terminate, refer to appropriate authorities DODI 5240.26; DODI 8500.01; DODI 2000.26; DODI 2000.12; DODI 2000.16;
DODI 6055.17; Joint Pub. 3-07.2; DODM 5200.01, vol. 3; Carnegie Mellon,
Common Sense Guide

Conduct damage assessments

DODI 8500.01; DODI 2000.16; DODI 6055.17; DODM 5200.01, vol. 3; DOD,
Insider Threat Mitigation: Final Report; Intelligence and National Security
Alliance, Insider Threat Resource Directory

Develop, disseminate, and incorporate best practices and lessons learned

DODI 5240.26; DODI 2000.12; DODI 2000.16; DODI 6055.17; Joint Pub. 307.2; DOD, Insider Threat Mitigation: Final Report; Intelligence and National
Security Alliance, Insider Threat Resource Directory

Train, exercise, and equip response personnel DOD 5200.8-R; DODI 2000.12; DODI 2000.16; DOD Instruction 5525.15 (Law
Enforcement [LE] Standards and Training in the DOD); DODI 6055.17

Establish formal and informal agreements Take Action

DODI 5240.26; DODI 8500.01; DODI 5240.22; DODD 5105.42; DTM 09-012;
Joint Pub. 3-07.2; E.O. 13587; Carnegie Mellon, Common Sense Guide

DOD 5200.8-R; DODI 2000.16; DODI 6055.17; Joint Pub. 3-07.2; Secretary of
Defense, Final Recommendations of the Fort Hood Follow-on Review, memorandum (Aug. 18, 2010)

Source: GAO analysis of Department of Defense, Office of the Director of National Intelligence, Carnegie Mellon, and Intelligence and National Security Alliance data. | GAO-15-544

Page 44

GAO-15-544 Insider Threats

Appendix IV: Comments from the
Department of Defense
Appendix IV: Comments from the Department of Defense

Note: Since the recommendations in this report are the same as in the classified report, which DOD responded to in a letter we received on April 7, 2015 (see letter to the right), we did not send this version of the report out for agency comment. Page 45

GAO-15-544 Insider Threats

Appendix IV: Comments from the Department of Defense

Page 46

GAO-15-544 Insider Threats

Appendix IV: Comments from the Department of Defense

Page 47

GAO-15-544 Insider Threats

Appendix V: GAO Contacts and Staff
Acknowledgments
Appendix V: GAO Contacts and Staff
Acknowledgments

GAO Contacts

Joseph W. Kirschbaum, (202) 512-9971 or KirschbaumJ@gao.gov
Gregory C. Wilshusen, (202) 512-6244 or WilshusenG@gao.gov

Staff
Acknowledgments

In addition to the individuals named above, Tommy Baril, Assistant
Director; Jeffrey Knott, Assistant Director; Tracy Barnes; Lon Chin; Grace
Coleman; Nicole Collier; Kristi Dorsey; Ashley Houston; Amie Lesser;
Richard Powelson; Terry Richardson; Monica Savoy; and Jennifer
Spence made key contributions to this report.

Page 48

GAO-15-544 Insider Threats

Related Unclassified GAO Products
Related Unclassified GAO Products

Department of Defense Cybersecurity
Defense Department Cyber Efforts: Definitions, Focal Point, and
Methodology Needed for DOD to Develop Full-Spectrum Cyberspace
Budget Estimates. GAO-11-695R. Washington, D.C.: July 29, 2011.
Defense Department Cyber Efforts: DOD Faces Challenges In Its Cyber
Activities. GAO-11-75. Washington, D.C.: July 25, 2011.
Defense Department Cyber Efforts: More Detailed Guidance Needed to
Ensure Military Services Develop Appropriate Cyberspace Capabilities.
GAO-11-421. Washington, D.C.: May 20, 2011.
Cybersecurity
Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems. GAO-15-6. Washington, D.C.:
December 12, 2014.
Information Security: Agencies Need to Improve Oversight of Contractor
Controls. GAO-14-612. Washington, D.C.: August 8, 2014.
Information Security: Agencies Need to Improve Cyber Incident
Response Practices. GAO-14-354. Washington, D.C.: April 30, 2014.
Critical Infrastructure Protection: More Comprehensive Planning Would
Enhance the Cybersecurity of Public Safety Entities’ Emerging
Technology. GAO-14-125. Washington, D.C.: January 28, 2014.
Information Security: Agency Responses to Breaches of Personally
Identifiable Information Need to Be More Consistent. GAO-14-34.
Washington, D.C.: December 9, 2013.
Federal Information Security: Mixed Progress in Implementing Program
Components; Improved Metrics Needed to Measure Effectiveness.
GAO-13-776. Washington, D.C.: September 26, 2013.
Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be
Better Defined and More Effectively Implemented. GAO-13-187.
Washington, D.C.: February 14, 2013.

Page 49

GAO-15-544 Insider Threats

Related Unclassified GAO Products

Information Security: Better Implementation of Controls for Mobile
Devices Should Be Encouraged. GAO-12-757. Washington, D.C.:
September 18, 2012.
Cybersecurity: Challenges in Securing the Electricity Grid. GAO-12-926T.
Washington, D.C.: July 17, 2012.
Information Security: Cyber Threats Facilitate Ability to Commit Economic
Espionage. GAO-12-876T. Washington, D.C.: June 28, 2012.
Cybersecurity: Threats Impacting the Nation. GAO-12-666T. Washington,
D.C.: April 24, 2012.
Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but
More Can be Done to Promote Its Use. GAO-12-92. Washington, D.C.
December 9, 2011.
Personnel Security
Personnel Security Clearances: Additional Guidance and Oversight
Needed at DHS and DOD to Ensure Consistent Application or Revocation
Process. GAO-14-640. Washington, D.C.: September 8, 2014.
Personnel Security Clearances: Opportunities Exist to Improve Quality
Throughout the Process.GAO-14-186T. Washington, D.C.: November 13,
2013.
Personnel Security Clearances: Further Actions Needed to Improve the
Process and Realize Efficiencies. GAO-13-728T. Washington, D.C.: June
20, 2013.
Security Clearances: Agencies Need Clearly Defined Policy for
Determining Civilian Position Requirements. GAO-12-800. Washington,
D.C.: July 12, 2012.

(352022)

Page 50

GAO-15-544 Insider Threats

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions.
GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of
GAO Reports and
Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website (http://www.gao.gov). Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to http://www.gao.gov and select “E-mail Updates.”

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
Visit GAO on the web at www.gao.gov.

To Report Fraud,
Waste, and Abuse in
Federal Programs

Contact:
Website: http://www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional
Relations

Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 5124400, U.S. Government Accountability Office, 441 G Street NW, Room
7125, Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548

Please Print on Recycled Paper.…...

Similar Documents

Free Essay

Test

...Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test test test this is a test. One day, this is a test. Test test......

Words: 5923 - Pages: 24

Free Essay

Test

...Test Automation Criteria Benefit * How often do you believe the test should be run? * How many minutes are required for one tester to execute the test manually? * Will human intervention still be required to execute the test after automation? * Does the execution of the test require the tester to input a large amount of data (e.g. populating many fields or populating the same fields many times) via the gui interface? * Does the test require an inordinate amount of user interface actions (e.g. mouse clicks, validations)? * Will automating the test increase the productivity of the team? * Will automating the test allow us to increase test coverage? * Will automating the test allow us to increase the accuracy (exactness) and precision ( reproducibility or repeatability) of the test? * Is the execution of this test prerequisite to the execution of multiple other tests? Cost * How many hours of data preparation (e.g. querying data, setup within the application, etc.) is required for this test? * Is the test documented in such a way that someone other than the author can execute it, and is it stored in Quality Center? * What is the average number of times the test needs to be updated (e.g to reflect development changes) within a six month span? * Are the manual test steps currently up to date? * Are the systems and environments in which the test is run stable and consistently available? * Are third party systems......

Words: 276 - Pages: 2

Free Essay

The One

...1 9 programming is terrible lessons learned from a life wasted @tef 2 hello, iamtef, I am a bad programmer I took things apart to find out how they work. Now I am surprised they do. I am a bad programmer (tests, docs, apology code review, bugs) we can do better. Good and Bad Programmers How Culture Dictates Code Indoctrination vs Learning Being Successful vs Being Good 3 Not just complaints, Tips, hope. mistakes i’ve made etc. mythos. people rather than code. std disclaimer, opinions, not work, or reality YMMV HTH HAND 4 Some find useful, gives me trouble. I am wrong. Doesn’t stop bloggers. A good place to start my code is better than your code (sing it) 5 false dichotomy of good and bad programmers. they normally mean this Programmers who are like me. Programmers who are not like me. 6 cargo cult their personality -> success Programmers who use my favourite language. Programmers who don’t. 7 blub paradox. aside: unmaintainable lisp, was replaced with perl. aside: lisp would have prevented 9/11 imply good or bad. Programmers who share my political views. Programmers who don’t. 8 mash types into politics for people who understand neither. why? it is easy. simple answer to a hard question. also blog hits. especially emotionally charged/trolling 10 times 50 times 100 times 9 the myth of genius. rockstar, ninja, founder, entrepreneur drowning in puberty/machismo all bollocks, faulty study,......

Words: 1384 - Pages: 6

Premium Essay

One Test

...The supernatural dimension implies a foundation on some sort of divine revelation and is a central commonality to all world religions. It can therefore be said that the most significant element of a religious worldview is the belief in a divine being or power, which greater than humankind and the natural world. This being or power is believed to be responsible for the creation of the world, for providing a moral framework for human life and being the ultimate destiny of a human person at the end of their mortal life. Different responses: The Semitic religions, Judaism, Christianity, and Islam believe that the supernatural dimension is a single divine being or power. This doctrine or belief is known as monotheism. The two Easter religions, Hinduism and Buddhism, derive from an understanding of a number of divine beings or powers, a belief known as polytheism. Despite these differences, the belief in the existence of beings or powers beyond the realm of the natural world is an important defining element of a religious worldview, [Define the characteristics of religion] 1. Beliefs and believers – the key tenets, doctrine, or values, which underpin the religious practice od a particular religion for the believers a. Central belief for all religions = supernatural dimension b. Paradigm = the core belief to belong to the religion i. Christianity – the belief Jesus Christ died and rose from the dead in order to save humankind from sin and death ii. Buddhism –...

Words: 439 - Pages: 2

Premium Essay

Test

...James Bach on Risk-Based Testing by James Bach This is risk-based testing: 1. Make a prioritized list of risks. 2. Perform testing that explores each risk. 3. As risks evaporate and new ones emerge, adjust your test effort to stay focused on the current crop. Any questions? Well, now that you know what risk-based testing is, I can devote the rest of the article to explaining why you might want to do it, and how to do it well. Why Do Risk-Based Testing? As a tester, there are certain things you must do. Those things vary depending on the kind of project you’re on, your industry niche, and so on. But no matter what else you do, your job includes finding important problems in the product. Risk is a problem that might happen. The magnitude of a risk is a joint function of the likelihood and impact of the problem—the more likely the problem is to happen, and the more impact it will have if it happens, the higher the risk associated with that problem. Thus, testing is motivated by risk. If you accept this premise, you might well wonder how the term "risk-based testing" is not merely redundant. Isn’t all testing risk-based? To answer that, look at food. We all have to eat to live. But it would seem odd to say that we do "food-based living." Under normal circumstances, we don’t think of ourselves as living from meal to meal. Many of us don’t keep records of the food we eat, or carefully associate our food with our daily activities. However, when we......

Words: 3876 - Pages: 16

Premium Essay

One One One

...ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE ONE...

Words: 304 - Pages: 2

Free Essay

Test

...the mathematics exam, you may make an appointment by: • • • Going on-line at http://winapp.centennialcollege.ca/oat/ Calling 416-289-5300 Or in person with Enrolment Services IMPORTANT – If you have learning or medical condition, you may request special accommodations. Please contact the Centre for Students with Disabilities (CSD) at 416-289-5000 Ext. 2627. Students will meet with a CSD Counselor to discuss their concerns and make alternative arrangements for their skills assessments if special accommodations are approved. Students applying to multiple programs may only require one math exam to clear admission requirements. Please note that the Engineering math skills assessment can clear admission requirements for Business and General Arts and Science programs. On the date of your exam, please arrive on time. You will be required to show Government issued photo ID. Examples of acceptable photo ID are: • One of the following: valid passport, driver's license, photo health card, age of majority cards, citizenship card, landed card, minister's permit or a Centennial College student photo ID. The photo must not be older than 5 years. If you do not have any of the above then you may provide nongovernment issued photo ID. These could include other school photo ID, transit photo ID, expired government photo ID or employment ID, and two of the following: birth certificate, social insurance card or nonphoto health card. Please note students arriving without acceptable ID will not be......

Words: 2346 - Pages: 10

Free Essay

Test One Two

...series of videos to look specifically at the way women are represented in video games. The idea being that if you were interested in the project, you could donate, and if you weren’t interested, you could choose not to donate. It’s pretty straightforward right? I mean what could possibly go wrong? Yeah. Turns out that there are a bunch of male gamers out there who were, shall we say, not too excited about this project. Now, I’m a pop culture critic, I’m a feminist and I’m a woman. And I’m all of these things openly, on the internet, so I’m no stranger to some level of sexist backlash. Anita Sarkeesian, “Online Harassment and Cyber Mobs”, 2012 Tekst 2 Legal definitions of Internet harassment vary slightly from one region to another, but most jurisdictions agree on the basic principles. Internet harassment is an attempt to use email or another form of electronic communication to torment, threaten, stalk or perform some similar act that would cause distress to a reasonable person. When determining the difference between simple rudeness and criminal harassment, authorities are likely to consider issues such as the attacker’s apparent intent, the frequency of the remarks or postings, evidence of premeditation or information gathering, whether others were encouraged to participate in these acts and whether remarks or attacks were directed specifically at the victim. “What Are Internet Harassment Laws”, www.wisegeek.org |Besvarelse 1d: ......

Words: 1301 - Pages: 6

Premium Essay

Seminar One Essay Test

...Seminar One Essay Test The first method is for a bill to pass both houses of the legislature, by a two-thirds majority in each. Once the bill has passed both houses, it goes on to the states. This is the route taken by all current amendments. Due to some long outstanding amendments, Congress will normally put a time limit for the bill to be approved as an amendment which is typically seven years. The second method prescribed is for a Constitutional Convention to be called by two-thirds of the legislatures of the States, and for that Convention to propose one or more amendments. These amendments are then sent to the states to be approved by three-fourths of the legislatures or conventions. Regardless of which of the two proposal routes is taken, the amendment must be ratified, or approved, by three-fourths of states. There are two ways to do this, too. The text of the amendment may specify whether the bill must be passed by the state legislatures or by a state convention. The Bill of Rights were passed due to the fact that the Federalists basically horse traded with several states to get the constitution ratified. It still was no easy task getting the Bill of Rights ratified. James Madison had to go through and pick out the best ideas from state conventions as he drafted the Bill of Rights. The rights protected individuals from the federal government trampling their rights. Due to the recent war with England and the oppression of the King fresh in mind the Bill of Rights......

Words: 830 - Pages: 4

Premium Essay

Test

...hospital procedure, irrespective of parental consent. These tests commonly analyze hormone and protein content from the samples. Each state oversees their own screening program and currently there is little uniformity among the conditions studied. The costs of these tests vary from $15 to $60 and are often covered through state fees and by health insurance plans. The addition of mandatory postnatal genome sequencing would add a tremendous burden to the healthcare system. Whole genome sequencing tests can currently cost around $1000, creating a deficit of around 4 billion dollars a year. Parents would be required to meet with a genetic counselor to interpret the data and the functionality of many genes has yet to be discovered. There is room for tremendous ambiguity without prior research and a shortage of qualified individuals to interpret all the data. False positive test results for genetic tests occur, on average, more than 50 times per every true positive finding according to a study conducted by Kwon et al from JAMA Pediatrics. This could potentially lead to an increase of vulnerable child syndrome, a condition that affects the family of an infant or child who has suffered what the parents believe is a “close call with death” and is thereafter viewed as vulnerable to serious injury or accidents. In a study conducted by Chambers et al. these children had increased visits to emergency rooms for benign reasons. As one of the earlier debates pointed out, emotional wellbeing......

Words: 551 - Pages: 3

Premium Essay

Test

...Testing Life Cycle (STLC). The different stages in Software Test Life Cycle - Each of these stages have a definite Entry and Exit criteria  , Activities & Deliverables associat In an Ideal world you will not enter the next stage until the exit criteria for the previous stage practically this is not always possible. So for this tutorial , we will focus of activities and delive different stages in STLC. Lets look into them in detail. http://www.guru99.com/software­testing­life­cycle.html 1/12 6/28/2015 Software Testing Life Cycle STLC Requirement Analysis During this phase, test team studies the requirements from a testing point of view to identify requirements. The QA team may interact with various stakeholders (Client, Business Analyst, System Architects etc) to understand the requirements in detail. Requirements could be eith (defining what the software must do) or Non Functional (defining system performance /secur .Automation feasibility for the given testing project is also done in this stage. Activities Identify types of tests to be performed.  Gather details about testing priorities and focus. Prepare Requirement Traceability Matrix (RTM). Identify test environment details where testing is supposed to be carried out.  Automation feasibility analysis (if required). Deliverables RTM Automation feasibility report. (if applicable) Test Planning This phase is also called Test Strategy phase. Typically , in this stage, a......

Words: 1712 - Pages: 7

Free Essay

Test

...Quantitative research methods in educational planning Series editor: Kenneth N.Ross Module John Izard 6 Overview of test construction UNESCO International Institute for Educational Planning Quantitative research methods in educational planning These modules were prepared by IIEP staff and consultants to be used in training workshops presented for the National Research Coordinators who are responsible for the educational policy research programme conducted by the Southern and Eastern Africa Consortium for Monitoring Educational Quality (SACMEQ). The publication is available from the following two Internet Websites: http://www.sacmeq.org and http://www.unesco.org/iiep. International Institute for Educational Planning/UNESCO 7-9 rue Eugène-Delacroix, 75116 Paris, France Tel: (33 1) 45 03 77 00 Fax: (33 1 ) 40 72 83 66 e-mail: information@iiep.unesco.org IIEP web site: http://www.unesco.org/iiep September 2005 © UNESCO The designations employed and the presentation of material throughout the publication do not imply the expression of any opinion whatsoever on the part of UNESCO concerning the legal status of any country, territory, city or area or of its authorities, or concerning its frontiers or boundaries. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means: electronic, magnetic tape, mechanical, photocopying, recording or otherwise, without......

Words: 13966 - Pages: 56

Premium Essay

The One

...Plasmodium can infect and be spread by humans.[2] Most deaths are caused by P. falciparum because P. vivax, P. ovale, and P. malariae generally cause a milder form of malaria.[1][2] The species P. knowlesi rarely causes disease in humans.[1] Malaria is typically diagnosed by the microscopic examination of blood using blood films, or with antigen-based rapid diagnostic tests.[2] Methods that use the polymerase chain reaction to detect the parasite's DNA have been developed, but are not widely used in areas where malaria is common due to their cost and complexity.[3] The risk of disease can be reduced by preventing mosquito bites by using mosquito nets and insect repellents, or with mosquito-control measures such as spraying insecticides and draining standing water.[2] Several medications are available to prevent malaria in travellers to areas where the disease is common. Occasional doses of the medication sulfadoxine/pyrimethamine are recommended in infants and after the first trimester of pregnancy in areas with high rates of malaria. Despite a need, no effective vaccine exists, although efforts to develop one are ongoing.[1] The recommended treatment for malaria is a combination of antimalarial medications that includes an artemisinin.[1][2] The second medication may be either mefloquine, lumefantrine, or sulfadoxine/pyrimethamine.[4] Quinine along with doxycycline may be used if an artemisinin is not available.[4] It is recommended that in areas where......

Words: 4833 - Pages: 20

Free Essay

One Paper Test 123

...-Discuss the key facts in Situation C.  (Generally a paragraph.) -Determine if the law applies to Company x and state whether or not it was violated.  Be sure to show how you reached your conclusion.  It is not enough to simply state that there was or was not a violation. Final Steps: 1.  Review the grading rubric and make sure that your paper meets all of the   requirements. 2.   Run your paper through Turnitin in Taskstream to make sure that your paper has under 30% of  unoriginal work.  If it is over that amount please revise your work and rerun it through Turnitin before submitting it.  If you need assistance with citation please contact the Center for Writing Excellence.   Good Luck!! If at any time you need assistance please contact one of the Legal Team Course Mentors.  We all want you to succeed!!!!!!!!!! ...

Words: 493 - Pages: 2

Premium Essay

Test

...controllers and 1,000 controllers borrowed from the armed forces. The nearly 10,000 controllers now at work contrasts with about 16,000 who directed aircraft before the strike. The government hopes that after two years of the stepped-up training activity a total of about 7,000 new workers will have been assigned to air traffic control duties throughout the country, although many will not be fully qualified for all duties for another one to four years. The aviation agency estimates that ultimately the full controller force need go no higher than 13,000. The agency has said that it was employing 3,000 more than were necessary before the strike. 6 Weeks of Radar Instruction The initial training course for controllers normally lasts 17 to 20 weeks. The shorter time period is for students who will eventually work at "en route" centers, which handle aircraft on the long high-altitude flights between terminals. Academy training for terminal area facilities requires 20 weeks. The last six weeks of training is in operation of radar equipment. But test to determine whether the student will graduate are taken before the final radar instruction. The first post-strike class began its studies Aug 11. The second class began two weeks later, and Mr. Weaver said there were initial indications that the failure rate would be the less than the average 25 percent. The aviation agency also reported that air traffic delays at the nation's 22 busiest airports, while still occurring at......

Words: 1260 - Pages: 6