DOD Insider Threat Management and Analysis Center COUNTERINTELLIGENCE AWARENESS WEBINAR SERIES


JUNE, MARCH 2015 2016 DOD Insider Threat Management and Analysis Center COUNTERINTELLIGENCE AWARENESS WEBINAR SERIES

DITMAC
Host: Rebecca Morgan, Insider Threat Instructor - CDSE
Guests:
Matt Guy, Asst. Director, Program Evaluation
Delice Bernhard, Asst. Director, Operations
Mark Burns, Asst. Director, Strategic Integration


DOD INSIDER THREAT MANAGEMENT AND ANALYSIS CENTER DITMAC March 7, 2016

Today's Agenda
DITMAC mission and status
Defining insider threat
Analyzing behavior
Supporting DoD and its 43 Components
Q&A

The Challenge
"One person can compromise information that can cripple our government. One person can expose the strategies that keep America safe. One person can walk into a workplace with a weapon and commit an atrocity. The insider threat is insidious. It's hiding among the people we trust most."
Hon. James R. Clapper, Director of National Intelligence, Remarks at National Insider Threat Task Force Legal Forum, October 28, 2015

What is an Insider Threat?
INSIDER: Any person with authorized access to DoD resources by virtue of employment, volunteer activities, or contractual relationship with DoD.
INSIDER THREAT: The threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States. This can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.
Source: DoD Directive 5205.16, The DoD Insider Threat Program, September 30, 2014

High Profile Examples
November 5, 2009: Army Major Nidal Hasan fatally shoots 13 and injures 30 others at Fort Hood, TX
May 27, 2010: Army Private Bradley Manning arrested for illegally disclosing 1,000,000+ classified documents
June 9, 2013: Cleared Contractor Edward Snowden identifies himself as leaker of Top Secret NSA information
September 16, 2013: Cleared Contractor Aaron Alexis fatally shoots 12 and injures 3 others at the Washington Navy Yard

DoD Insider Threat (InT) Programs
The November 12, 2012 Presidential Memorandum set requirements for Executive Branch InT Programs, including DoD and DoD Components:
1. Designate a Senior Official responsible for the InT Program
2. Obtain Visible Support from the Agency Head
3. Form a Working Group/Periodic feedback to the Community
4. Review Current Requirements and Guidance
5. Seek Legal Input
6. Protect Privacy and Civil Liberties by Applying Appropriate Safeguards
7. Identify Classified and other Critical Assets
8. Write Agency Policy and Implementation Plan
9. Obtain approval, Establish Program Office, Implement Plan
10. Conduct scheduled self assessments

DITMAC Background
DITMAC: DoD Insider Threat Management and Analysis Center
USD(I) assigned the DITMAC incubation mission to the Defense Security Service (DSS) in December 2014.
An enterprise insider threat capability for DoD to:
Oversee the mitigation of insider threats to DoD
Assess risk, refer recommendations for action, synchronize responses, and oversee resolution of identified issues
Develop risk thresholds and compile results for evaluation
Ensure DoD InT Programs remain compliant with applicable regulations, including the National InT minimum standards
Provide a single repository for DoD insider threat related information
Promote collaboration and information sharing

DITMAC Operational View
[Diagram. Labels: Principal Staff Assistant / USD(I) Oversight; Enterprise Awareness; Enterprise View; DITMAC Enterprise Threat Analysis; Component Hub. Example sources: Direct/Other Referrals, News, Data Feeds (Commercial, OGA, euam). Functional expertise: Security, Mental Health, Counterintelligence, Law Enforcement, Adjudicative, Legal, Privacy, Human Resources, Cyber. Functions: Data Aggregation, Automated Triage, Analysis, Analytic Finding, Strategic Trend Analysis, Standardization of Risk Thresholds and Reporting Criteria. Flows: Threshold Level Notification to DITMAC; Enriched or new Insider Threat information sent to Component Hub. Outcomes: Enable Improved Insider Threat Policies, Promote Efficiencies, Promotion of Collaboration and Information Sharing.]

DITMAC Support to DoD Components
DoD Component:
Identify concerning behavior(s)
Aggregate data in Hub and take action
Submit PRI report to DITMAC
Coordinate with DITMAC
Conduct risk mitigation actions
Close case
DITMAC:
SMEs analyze PRI, aggregate add'l data
Send analysis and add'l data to Component
Store data, share with appropriate stakeholders
Coordinate with Hub, oversee and synchronize mitigation
Share data, case studies, best practices with InT Community

DITMAC Workflow Post SORN
[Diagram: numbered workflow (steps 1 through 7) running over SIPR between the Component InT Hub and the DITMAC System of Systems (DSoS). Labels: 1 Anomalous Behavior; Component InT Hub; Component Hub Alerts DITMAC, Must Validate Behavior is Above InT Threshold before Reporting; DSoS: 4a Ingest, 4b Process, 4c Analyze, 4d Generate; Hub Report File; SMEs Assess; Team Refines Analytic Finding.]

PIOC Component Reporting
REVISED THRESHOLDS TO REPORT:
1. Serious Threat
2. Allegiance to the U.S.
3. Espionage/Foreign Considerations
4. Personal Conduct
5. Behavioral Considerations
6. Criminal Conduct
7. Unauthorized Disclosure
8. Unexplained Personnel Disappearance
9. Handling Protected Information
10. Misuse of Information Technology
11. Terrorism
12. Criminal Affiliations
13. Adverse Clearance Actions
HOW TO REPORT: Submit PRI on SIPR to dss.ncr.dss ci.mbx.ditmacops@mail.smil.mil

Current Operations and Reporting
DITMAC can receive Component InT reports today:
All Components were given datasheet (spreadsheet) for reporting
Components can submit datasheet via SIPR email
No PII/PHI can be sent to DITMAC until SORN is in place
Reporting is based on 13 initial thresholds
DITMAC is conducting basic analysis:
We are receiving PRI reports that meet threshold requirements
We are identifying and sending media reports to Components
DITMAC is providing basic metrics to DoD leadership
Component reporting will build the DoD InT enterprise view

What DITMAC Will/Will Not Do
DITMAC will NOT:
Supersede or run the DoD Component InT programs
Direct Components to take action on its people
Take actions against any Component's people
Allow analysis to be dominated by a single discipline
Set Insider Threat policy
DITMAC will:
Support and enable Component InT Programs
Identify InT challenges and develop solutions
Promote best practices across Component programs
Leverage a team of cross functional subject matter experts (SMEs)
Advocate for Components to OUSD(I) on policy ideas and initiatives

Protecting and Advancing our Values
"It's not enough to employ measures to protect classified information. It's not enough to prevent unauthorized disclosures. And it's not enough to position our programs to protect against employees who intend to do violence. We also have to protect the civil liberties and privacy of our employees. That's not a point I'm willing to compromise on."
Hon. James R. Clapper, Director of National Intelligence, Remarks at National Insider Threat Task Force Legal Forum, October 28, 2015

How DITMAC Advances DoD Missions
Proactive Approach; Privacy Protection; Advanced Analytics; Component Support
TRUST: DoD missions depend upon safety and security
ENTERPRISE CAPABILITY: DoD requires an enterprise InT capability to mitigate the risk of insidious insider threats
COORDINATION: DITMAC is DoD's Hub to support and enable Component Hubs and senior DoD InT leaders
ANALYSIS: DITMAC works with Hubs to identify and analyze behaviors indicative of a potential insider threat
MULTI DISCIPLINARY: DITMAC's diverse team of experts leverage advanced analytics and unique data sources

Conclusion
Q) How should we measure the effectiveness of our insider threat programs?
A) We must always ask ourselves, are we:
Protecting our people
Safeguarding their trust
Securing our resources
DITMAC will enable DoD and its Components to meet this vital imperative, together with you.

DITMAC Insider Threat Awareness Training Products
Related Training:
Establishing an Insider Threat Program
Insider Threat Awareness
Job Aids:
Insider Threat Case Studies
Insider Threat Toolkit
Past Webinars:
Insider Threat for DoD
Cyber Insider Threat
Peter DeCesare and Rebecca Morgan (410) 689-1294
Email: counterintelligence.training@dss.mil
http://www.cdse.edu/catalog/insider-threat.html

DITMAC Question and Answer Session DITMAC@dss.mil or (571) 357-6850

DITMAC Counterintelligence Training POC: Peter DeCesare and Rebecca Morgan (410) 689-1136 (410) 689-1294 Email: counterintelligence.training@dss.mil