GAO study on protecting classified information from insider threats within the Department of Defense

(a)

Study

The Comptroller General of the United States shall conduct a study to assess the ability of the Secretary of Defense to mitigate insider threats to classified information and systems in which classified information is stored within the Department of Defense, including— (1)the extent to which the Secretary takes timely action to address each security deficiency identified in each annual report submitted pursuant to the policy of the Director of National Intelligence titled the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs to the head of an executive agency by a designated senior official regarding the process or status of an insider threat program; (2)the extent to which the Secretary uses information system security controls (including audits, limited access controls, and configuration management) for systems in which classified information is stored; (3)the extent to which the Secretary uses controls to limit the ability of individuals who are eligible for access to classified information in accordance with Executive Order 12968 (60 Fed. Reg. 40245; relating to access to classified information), or any successor thereto, and Executive Order 10865 (25 Fed. Reg. 1583; relating to safeguarding classified information within industry), or any successor thereto, from removing such classified information from a system or facility in which such classified information is stored; and (4)any other related matters that the Comptroller General deems appropriate. (b)

Preliminary briefing; final report

Not later than 180 days after the date of the enactment of this Act, the Comptroller General shall— (1)provide to the Committee on Armed Services of the House of Representatives a briefing regarding the preliminary findings of the study conducted under subsection (a); and (2)submit to such Committee a final report regarding the findings of the study conducted under subsection (a) at such time and in such format as is mutually agreed upon by such Committee and the Comptroller General at the time of the briefing described in paragraph (1). (c)

Definitions

In this section: (1)The term designated senior official means, with respect to an insider threat program, an individual designated by the head of an executive agency to be principally responsible within such agency for establishing a process to gather, integrate, centrally analyze, and respond to information from counterintelligence, security, information assurance, human resources, law enforcement, and other relevant sources with information indicative of a potential insider threat. (2)The term executive agency has the meaning given to such term in section 105 of title 5, United States Code. (3)The term insider threat means, with respect to the Department of Defense, a threat presented by a person who— (A) has, or once had, authorized access to information, a facility, a network, a person, or a resource of the Department; and (B)wittingly, or unwittingly, commits— (i)an act in contravention of law or policy that resulted in, or might result in, harm through the loss or degradation of government or company information, resources, or capabilities; or (ii)a destructive act, which may include physical harm to another in the workplace. (4)The term insider threat program means a program of an executive agency established to deter, detect, and mitigate insider threats within the agency in accordance with the policy set out by the Insider Threat Task Force established under Executive Order 13587 (50 U.S.C. 3161 note; relating to procedures to access classified information).