Following the Executive Order 13587 by former President Barack Obama October 2011, the National Insider Threat Task Force (NITTF) was established.
All federal departments and agencies with classified networks were ordered to establish insider threat detection and prevention programs. The NITTF’s mission is to “develop a Government-wide insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.” (NCSC - NITTF).
In the Executive Order, the U.S. Attorney General and the Director of National Intelligence were ordered to co-chair the NITTF. The U.S. Attorney General and the Director of National Intelligence in turn decided that the Federal Bureau of Investigation (FBI) co-lead the daily NITTF activities together with the National Counterintelligence Executive (NCSC).
The NITTF was established as a response to thousands of unclassified and classified documents being uploaded to WikiLeaks. The interest for insider threat grew after the public leaks completed by former NSA System Administrator Edward Snowden and ex-soldier Chelsea Manning. The program was started to prevent further leaks that may be a threat to national security. Furthermore, the NITTF sets guidelines to assist, evaluate progress, and analyze existing and emerging insider threat challenges.
An insider threat is someone who misuses or betrays their access to a U.S. Government resource–whether it is done in full awareness or without being aware (unintentionally). This means someone inside the U.S. Government is considered an insider threat if their access is being exploited. Threats include damage through “espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities” (NCSC - Mission Fact Sheet)
However, it is important to note that the insider threat programs analyzes malicious activities and behaviors, not individuals.
The Committee on National Security Systems Directive 504 (CNSSD 504), is the directive describing the minimum measures each department or agency need to take to protect national security systems from insider threats.
CNSSD 504 defines UAM as “the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing US Government information in order to detect insider threats and to support authorized investigations.” (CNSSD 504 - Definitions).
At a minimum, each department and agency needs the technical capabilities to collect user activity data, including the following (CNSSD 504 Annex B):
The policy is applicable to all executive branch departments and agencies with access to classified national security information and classified networks, according to National Insider Threat Policy Minimum Standards
Reveal is compliant with the CNSSD 504 and meets the key UAM requirements defined by the NITTF.
In addition to meeting the minimum requirements, Ava is working towards the Maturity Framework to include human behavior models, risk scoring, and AI/ML capability to enhance and automate insider threat detection and response.