[House Report 114-321]
[From the U.S. Government Publishing Office]


114th Congress}                                              {Report
                        HOUSE OF REPRESENTATIVES
 1st Session  }                                              {114-321

======================================================================
 
                DEPARTMENT OF HOMELAND SECURITY INSIDER THREAT 
                          AND MITIGATION ACT OF 2015

                                _______
                                

November 2, 2015.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                             together with

                            DISSENTING VIEWS

                        [To accompany H.R. 3361]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3361) to amend the Homeland Security Act of 2002 
to establish the Insider Threat Program, and for other 
purposes, having considered the same, report favorably thereon 
with an amendment and recommend that the bill as amended do 
pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................     3
Background and Need for Legislation..............................     3
Hearings.........................................................     5
Committee Consideration..........................................     5
Committee Votes..................................................     5
Committee Oversight Findings.....................................     5
New Budget Authority, Entitlement Authority, and Tax Expenditures     5
Congressional Budget Office Estimate.............................     6
Statement of General Performance Goals and Objectives............     6
Duplicative Federal Programs.....................................     7
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits.......................................................     7
Federal Mandates Statement.......................................     7
Preemption Clarification.........................................     7
Disclosure of Directed Rule Makings..............................     7
Advisory Committee Statement.....................................     7
Applicability to Legislative Branch..............................     7
Section-by-Section Analysis of the Legislation...................     8
Changes in Existing Law Made by the Bill, as Reported............    10
Dissenting Views.................................................    13

    The amendment is as follows:
    Strike out all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Department of Homeland Security 
Insider Threat and Mitigation Act of 2015''.

SEC. 2. ESTABLISHMENT OF INSIDER THREAT PROGRAM.

  (a) In General.--Title I of the Homeland Security Act of 2002 (6 
U.S.C. 111 et seq.) is amended by adding at the end the following new 
section:

``SEC. 104. INSIDER THREAT PROGRAM.

  ``(a) Establishment.--The Secretary shall establish an Insider Threat 
Program within the Department. Such Program shall--
          ``(1) provide training and education for Department personnel 
        to identify, prevent, mitigate, and respond to insider threat 
        risks to the Department's critical assets;
          ``(2) provide investigative support regarding potential 
        insider threats that may pose a risk to the Department's 
        critical assets; and
          ``(3) conduct risk mitigation activities for insider threats.
  ``(b) Steering Committee.--
          ``(1) In general.--The Secretary shall establish a Steering 
        Committee within the Department. The Under Secretary for 
        Intelligence and Analysis shall serve as the Chair of the 
        Steering Committee. The Chief Security Officer shall serve as 
        the Vice Chair. The Steering Committee shall be comprised of 
        representatives of the Office of Intelligence and Analysis, the 
        Office of the Chief Information Officer, the Office of the 
        General Counsel, the Office for Civil Rights and Civil 
        Liberties, the Privacy Office, the Office of the Chief Human 
        Capital Officer, the Office of the Chief Financial Officer, the 
        Federal Protective Service, the Office of the Chief Procurement 
        Officer, the Science and Technology Directorate, and other 
        components or offices of the Department as appropriate. Such 
        representatives shall meet on a regular basis to discuss cases 
        and issues related to insider threats to the Department's 
        critical assets, in accordance with subsection (a).
          ``(2) Responsibilities.--Not later than one year after the 
        date of the enactment of this section, the Under Secretary for 
        Intelligence and Analysis and the Chief Security Officer, in 
        coordination with the Steering Committee established pursuant 
        to paragraph (1), shall--
                  ``(A) develop a holistic strategy for Department-wide 
                efforts to identify, prevent, mitigate, and respond to 
                insider threats to the Department's critical assets;
                  ``(B) develop a plan to implement the insider threat 
                measures identified in the strategy developed under 
                subparagraph (A) across the components and offices of 
                the Department;
                  ``(C) document insider threat policies and controls;
                  ``(D) conduct a baseline risk assessment of insider 
                threats posed to the Department's critical assets;
                  ``(E) examine existing programmatic and technology 
                best practices adopted by the Federal Government, 
                industry, and research institutions to implement 
                solutions that are validated and cost-effective;
                  ``(F) develop a timeline for deploying workplace 
                monitoring technologies, employee awareness campaigns, 
                and education and training programs related to 
                identifying, preventing, mitigating, and responding to 
                potential insider threats to the Department's critical 
                assets;
                  ``(G) require the Chair and Vice Chair of the 
                Steering Committee to consult with the Under Secretary 
                for Science and Technology and other appropriate 
                stakeholders to ensure the Insider Threat Program is 
                informed, on an ongoing basis, by current information 
                regarding threats, beset practices, and available 
                technology; and
                  ``(H) develop, collect, and report metrics on the 
                effectiveness of the Department's insider threat 
                mitigation efforts.
  ``(c) Report.--Not later than two years after the date of the 
enactment of this section and the biennially thereafter for the next 
four years, the Secretary shall submit to the Committee on Homeland 
Security and the Permanent Select Committee on Intelligence of the 
House of Representatives and the Committee on Homeland Security and 
Governmental Affairs and the Select Committee on Intelligence of the 
Senate a report on how the Department and its components and offices 
have implemented the strategy developed under subsection (b)(2)(A), the 
status of the Department's risk assessment of critical assets, the 
types of insider threat training conducted, the number of Department 
employees who have received such training, and information on the 
effectiveness of the Insider Threat Program, based on metrics under 
subsection (b)(2)(H).
  ``(d) Definitions.--In this section:
          ``(1) Critical assets.--The term `critical assets' means the 
        people, facilities, information, and technology required for 
        the Department to fulfill its mission.
          ``(2) Insider.--The term `insider' means--
                  ``(A) any person who has access to classified 
                national security information and is employed by, 
                detailed to, or assigned to the Department, including 
                members of the Armed Forces, experts or consultants to 
                the Department, industrial or commercial contractors, 
                licensees, certificate holders, or grantees of the 
                Department, including all subcontractors, personal 
                services contractors, or any other category of person 
                who acts for or on behalf of the Department, as 
                determined by the Secretary; or
                  ``(B) State, local, tribal, territorial, and private 
                sector personnel who possess security clearances 
                granted by the Department.
          ``(3) Insider threat.--The term `insider threat' means the 
        threat that an insider will use his or her authorized access, 
        wittingly or unwittingly, to do harm to the security of the 
        United States, including damage to the United States through 
        espionage, terrorism, the unauthorized disclosure of classified 
        national security information, or through the loss or 
        degradation of departmental resources or capabilities.''.
  (b) Clerical Amendment.--The table of contents of the Homeland 
Security Act of 2002 is amended by inserting after the item relating to 
section 103 the following new item:

``Sec. 104. Insider Threat Program.''.

                          Purpose and Summary

    The purpose of H.R. 3361, the ``Department of Homeland 
Security Insider Threat and Mitigation Act'' is to amend the 
Homeland Security Act of 2002 to establish an Insider Threat 
program at the Department of Homeland Security (DHS). The bill 
mandates employee education and training programs, and 
establishes an internal DHS Steering Committee to manage and 
coordinate DHS activities related to insider threat issues.

                  Background and Need for Legislation

    Over the last six years several acts of espionage and 
workplace violence committed by U.S. government employees have 
caused grave damage to U.S. national security and taken 
American lives. U.S. Army PFC Bradley Manning provided 
thousands of classified government documents to WikiLeaks, 
which were subsequently published. Edward Snowden continues to 
hide from prosecution in Russia for stealing and later 
releasing classified information related to sensitive national 
security programs. Aaron Alexis, who held a Secret security 
clearance while working as a contractor at the Washington Navy 
Yard, killed 12 people during a rampage in 2013.
    All three of these individuals were vetted, trusted U.S. 
security professionals who abused that trust and committed 
heinous acts. Furthermore, these events underscore the 
importance of identifying potential insider threats that could 
put Department and its employees at risk.
    An official from the Office of Director of National 
Intelligence (ODNI) testified before this Subcommittee in 2013 
that, ``damage assessments regarding individuals involved in 
unauthorized disclosures of classified information or acts of 
workplace violence have uncovered information that was not 
discovered during the existing security clearance process. 
Timely knowledge of such information might have prompted a 
security review or increased monitoring of the individual.''\1\ 
A recent survey of 150 Federal information technology managers, 
including those from the defense and intelligence communities, 
showed that 29 percent of the agencies had suffered a loss of 
data due to an insider over the last year.\2\
---------------------------------------------------------------------------
    \1\Brian Prioletti, Assistant Director, Special Security 
Directorate, Office of National Counterintelligence Executive, Office 
of the Director for National Intelligence, Testimony before the 
Committee on Homeland Security, Subcommittee on Counterterrorism and 
Intelligence, November 13, 2013.
    \2\Aaron Boyd, ``Survey: Insider threats target nearly half of 
agencies'', C4ISR Networks, September 14, 2015, available at: http://
www.c4isrnet.com/story/military-tech/it/2015/09/14/us-government-
insider-threats-survey/72254846/.
---------------------------------------------------------------------------
    The Department of Homeland Security Insider Threat and 
Mitigation Act of 2015 establishes an Insider Threat program at 
DHS to provide a foundation for the Secretary to secure DHS 
facilities and its workforce. It creates a multidisciplinary 
steering committee to coordinate insider threat efforts across 
the Department by developing a holistic strategy for the 
Department to identify, prevent, mitigate and respond to 
insider threats to its critical assets.
    In order for DHS to protect itself against two common 
threats--malicious insiders and external cybercriminals--it is 
important that the Department complete the process to identify 
and secure those critical assets and related infrastructure 
components that it depends on to fulfill its responsibility of 
ensuring homeland security and public safety, as well as the 
security of its workforce. This bill directs the Department to 
conduct a risk assessment of its critical assets which includes 
the Department's information, networks, facilities, and its 
workforce.
    Insider threats are very difficult to discover through 
technology alone, and many leaks are unintentional in nature, 
therefore a key element of any insider threat program is 
training and employee awareness. Research at Carnegie Mellon 
University's Computer Emergency Response Teams has shown that 
most insider threats are first detected by other users who note 
and report something suspicious. Users need training and 
awareness to know what to look out for and to report it in the 
appropriate manner.\3\ The bill requires both to ensure that 
personnel understand how their use of DHS networks will be 
monitored, as well as what workplace behavior may be indicative 
of a potential insider threat.
---------------------------------------------------------------------------
    \3\Jon Ramsey, ``Empower Workers to Take Ownership of 
Cybersecurity'', Dell.com, October 2, 2015, available at: https://
powermore.dell.com/technology/empower-workers-to-take-ownership-of-
cybersecurity/.
---------------------------------------------------------------------------
    The bill ensures that insider threat best practices are 
standardized and implemented across the DHS enterprise, and 
that all relevant stakeholders who possess information 
pertinent to insider threat, have a seat at the table and 
contribute to the program's effectiveness.
    Additionally, this bill provides the authorities and 
direction DHS needs to develop a robust, holistic insider 
threat program. The legislation focuses on: Building a proper 
governance structure; assessing the Department's critical 
assets so it can prioritize appropriately; and training the 
Department's workforce--three pillars of a successful insider 
threat program that seeks to protect the Department's 
workforce, its information, and its physical assets.

                                Hearings

    The Committee did not hold any hearing specifically on 
H.R.3361, however, the Committee did hold the following 
oversight hearing in the 113th Congress:
    On November 13, 2013, the Subcommittee on Counterterrorism 
and Intelligence held a hearing entitled, ``The Insider Threat 
to Homeland Security: Examining Our Nation's Security 
Clearances Processes.'' The Subcommittee received testimony 
from Mr. Merton W. Miller, Associate Director of 
Investigations, Federal Investigative Services, U.S. Office of 
Personnel Management; Mr. Gregory Marshall, Chief Security 
Officer, U.S. Department of Homeland Security; Mr. Brian 
Prioletti, Assistant Director, Special Security Directorate, 
National Counterintelligence Executive, Office of the Director 
of National Intelligence; Ms. Brenda Farrell, Director, 
Military and DOD Civilian Personnel Issues, U.S. Government 
Accountability Office.

                        Committee Consideration

    The Committee met on September 30, 2015, to consider H.R. 
3361, and ordered the measure to be reported to the House with 
a favorable recommendation, as amended, by voice vote. The 
Committee took the following actions:
    The following amendments were offered:

    An Amendment in the Nature of a Substitute offered by Mr. 
Katko listed on the roster as by Mr. King of New York (#1); was 
AGREED TO by voice vote.
    The Subcommittee on Counterterrorism and Intelligence met 
on September 17, 2015, to consider H.R. 3361 and reported the 
measure to the Full Committee with a favorable recommendation, 
as amended, by voice vote.
    The following amendment was offered:

    An Amendment in the Nature of a Substitute offered by Mr. 
King of New York (#1); was AGREED TO by voice vote.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    No recorded votes were requested during the Committee 
consideration of H.R. 3361.

                      Committee Oversight Findings

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee finds that H.R. 
3361, the Department of Homeland Security Insider Threat and 
Mitigation Act of 2015, would result in no new or increased 
budget authority, entitlement authority, or tax expenditures or 
revenues.

                  Congressional Budget Office Estimate

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, October 23, 2015.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3361, the 
Department of Homeland Security Insider Threat and Mitigation 
Act of 2015.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                                        Keith Hall.
    Enclosure.

H.R. 3361--Department of Homeland Security Insider Threat and 
        Mitigation Act of 2015

    H.R. 3361 would direct the Department of Homeland Security 
(DHS) to establish a program to protect the department's 
critical assets from insider threats (that is, harmful 
activities by department employees and certain other persons 
with access to classified information). DHS is currently 
carrying out activities similar to those required by the bill, 
and CBO estimates that implementing H.R. 3361 would not 
significantly affect spending by DHS. Because enacting the 
legislation would not affect direct spending or revenues, pay-
as-you-go procedures do not apply.
    CBO estimates that enacting H.R. 3361 would not increase 
net direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2026.
    H.R. 3361 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would not affect the budgets of state, local, or tribal 
governments.
    The CBO staff contact for this estimate is Mark Grabowicz. 
The estimate was approved by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

         Statement of General Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, H.R. 3361 contains the following 
general performance goals and objectives, including outcome 
related goals and objectives authorized.
    The goal of H.R. 3361 is to establish a Department-wide 
Insider Threat program at DHS that reports to the Secretary, 
and is managed by the Undersecretary for Intelligence and 
Analysis and the Chief Security Officer. H.R. 3361 ensures that 
a robust, standardized program is implemented across the 
Department and its Component organizations by establishing a 
Steering Committee that consists of Department principals, who 
coordinate insider threat efforts across the Department and 
review insider threat cases and issues related to the 
Department's critical assets. The bill assigns a number of 
tasks to the Steering Committee including developing a 
comprehensive strategy to identify, prevent, mitigate, and 
respond to insider threat to the Department and its employees, 
and conducting a risk assessment of the Department's critical 
assets.
    H.R. 3361 also requires the Secretary to report to Congress 
on the Department's insider threat strategy, the status of the 
Department's risk assessment of critical assets, training of 
Department employees and contractors, and information on the 
effectiveness of the program.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 3361 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

   Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of the rule 
XXI.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                        Preemption Clarification

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that H.R. 3361 does 
not preempt any State, local, or Tribal law.

                  Disclosure of Directed Rule Makings

    The Committee estimates that H.R. 3361 would require no 
directed rule makings.

                      Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             Section-by-Section Analysis of the Legislation


Section 1.   Short title

    This section provides that bill may be cited as the 
``Department of Homeland Security Insider Threat and Mitigation 
Act of 2015''.

Sec. 2.   Establishment of Insider Threat Program

    This section amends Title I of the Homeland Security Act of 
2002 (6 U.S.C. 111 et seq.) by adding the following new 
section:

``Sec. 104. Insider Threat Program.

    Section 104 directs the Secretary of Homeland Security to 
establish an insider threat program at the Department. The 
purpose of the program is to provide training and education to 
Department personnel regarding insider threats to the 
Department's critical assets, which include its people, 
facilities, and sensitive data; provide support to insider 
threat investigations that may pose a risk to the Department's 
critical assets; and conduct risk mitigation for potential 
insider threats.
    The Committee believes that an insider threat program is 
necessary to standardize efforts Department-wide. The Committee 
is concerned that progress across the Department's component 
agencies has been uneven and requires more centralized 
coordination to ensure that all offices within the Department 
reach a baseline standard of effectiveness.
    The Committee strongly believes that while insiders with 
malicious intent have caused the most serious damage to 
national security and American lives, most gaps that allow 
insiders to conduct their nefarious work are often caused by 
unwitting employees who are not properly trained. The purpose 
of this program is not only to identify and prevent insiders 
from damaging the United States, but also to spot individuals 
who may demonstrate tendencies of an insider threat, and 
intervene through contact with an investigator to mitigate the 
activity through education and increased awareness.
    This section also creates a Steering Committee within the 
Department to coordinate insider threat efforts across the 
Department, and review insider threat cases and issues related 
to the Department's critical assets. The Steering Committee is 
chaired by the Under Secretary for Intelligence and Analysis, 
and the Chief Security Officer serves as the Vice-Chair. The 
Steering Committee's membership includes relevant stakeholders 
from across the Department and its component organizations that 
hold pertinent information to insider threats.
    The Committee believes that a designated Steering 
Committee, chaired by the Under Secretary for Intelligence and 
Analysis, and the Chief Security Officer, with a mandate to 
develop, execute and manage the daily operations of the 
Department's Insider Threat program, will ensure that a 
comprehensive strategy is developed, and a thorough assessment 
of the Department's critical assets is conducted. The Committee 
also believes that the Steering Committee should be responsible 
for issuing guidance and training related to insider threats 
Department-wide to ensure that all employees and contractors 
achieve a consistent-level of understanding and awareness about 
the program.
    It is the Committee's intention that the membership of the 
Steering Committee includes all relevant stakeholders within 
the Department that possess information pertinent to operating 
an effective insider threat program. The Committee believes 
that adding members to the Steering Committee should be at the 
discretion of the Secretary as the Department's needs and 
resources evolve.
    Additionally, this section defines the responsibilities for 
the Steering Committee, including to: (A) Develop a holistic 
strategy for the Department to identify, prevent, mitigate and 
respond to insider threats to its critical assets; (B) develop 
a plan to implement the strategy across the component 
organizations and offices of the Department; (C) document 
insider threat policies; (D) conduct a baseline risk assessment 
of insider threats posed to the Department's critical assets; 
(E) leverage best practices and technology from across the 
Federal Government, industry, and the research community to 
implement insider threat solutions that are validated and cost-
effective; (F) develop a timeline for deploying workplace 
monitoring technologies, awareness campaigns, and insider 
threat training; (G) consult with the Under Secretary of 
Science and Technology to stay current on insider threats, best 
practices and technology related to insider threats; and (H) 
develop and report on metrics that indicate the effectiveness 
of the program.
    In addition to the Department's networks, information and 
technology, the Committee believes that the Department's 
critical assets include its workforce and physical assets. It 
is important that the Department consider all its assets when 
conducting its risk assessment so that it can prioritize and 
allocate resources accordingly.
    As part of leveraging best practices and technology, the 
Committee notes that according to a survey of Federal IT 
managers, more than 40 percent of Federal agencies don't track 
data assets on their networks, and therefore they cannot be 
sure when and how specific documents are shared or otherwise 
exfiltrated.\4\ The Committee remains concerned that DHS' 
inability to track sensitive documents could allow it to be 
victimized by a malicious insider and suffer damage similar in 
scale to WikiLeaks or the Snowden crime. The Committee strongly 
recommends that DHS develop a plan to secure its proprietary 
content and documents so that it can monitor the Department's 
most sensitive digital content, personally identifiable 
information (PII) and classified information at all times while 
in transit on a network, and in storage.
---------------------------------------------------------------------------
    \4\Aaron Boyd, ``Survey: Insider threats target nearly half of 
agencies'', C4ISR Networks, September 14, 2015, available at: http://
www.c4isrnet.com/story/military-tech/it/2015/09/14/us-government-
insider-threats-survey/72254846/.
---------------------------------------------------------------------------
    Furthermore, this section requires the Secretary to submit 
a report to Congress no later than two years after the date of 
enactment that describes how the Department and its components 
have implemented the insider threat strategy, the status of the 
Department's risk assessment of critical assets, training that 
has been provided to Department employees, and information on 
the effectiveness of the program.
    The Committee believes that the required report in this 
subsection will assist the Department in articulating its 
insider threat strategy, how it intends to increase awareness 
of the problem and train employees on how to identify and 
report signs of an insider threat, and collect data that will 
help it evaluate the effectiveness of the program as a whole.
    Finally, this section provides for definitions used in this 
section including: ``critical assets,'' ``insider,'' and 
``insider threat.''

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (new matter is 
printed in italic and existing law in which no change is 
proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Homeland 
Security Act of 2002''.
  (b) Table of Contents.--The table of contents for this Act is 
as follows:

     * * * * * * *

                TITLE I--DEPARTMENT OF HOMELAND SECURITY

     * * * * * * *
Sec. 104. Insider Threat Program.

           *       *       *       *       *       *       *


TITLE I--DEPARTMENT OF HOMELAND SECURITY

           *       *       *       *       *       *       *


SEC. 104. INSIDER THREAT PROGRAM.

  (a) Establishment.--The Secretary shall establish an Insider 
Threat Program within the Department. Such Program shall--
          (1) provide training and education for Department 
        personnel to identify, prevent, mitigate, and respond 
        to insider threat risks to the Department's critical 
        assets;
          (2) provide investigative support regarding potential 
        insider threats that may pose a risk to the 
        Department's critical assets; and
          (3) conduct risk mitigation activities for insider 
        threats.
  (b) Steering Committee.--
          (1) In general.--The Secretary shall establish a 
        Steering Committee within the Department. The Under 
        Secretary for Intelligence and Analysis shall serve as 
        the Chair of the Steering Committee. The Chief Security 
        Officer shall serve as the Vice Chair. The Steering 
        Committee shall be comprised of representatives of the 
        Office of Intelligence and Analysis, the Office of the 
        Chief Information Officer, the Office of the General 
        Counsel, the Office for Civil Rights and Civil 
        Liberties, the Privacy Office, the Office of the Chief 
        Human Capital Officer, the Office of the Chief 
        Financial Officer, the Federal Protective Service, the 
        Office of the Chief Procurement Officer, the Science 
        and Technology Directorate, and other components or 
        offices of the Department as appropriate. Such 
        representatives shall meet on a regular basis to 
        discuss cases and issues related to insider threats to 
        the Department's critical assets, in accordance with 
        subsection (a).
          (2) Responsibilities.--Not later than one year after 
        the date of the enactment of this section, the Under 
        Secretary for Intelligence and Analysis and the Chief 
        Security Officer, in coordination with the Steering 
        Committee established pursuant to paragraph (1), 
        shall--
                  (A) develop a holistic strategy for 
                Department-wide efforts to identify, prevent, 
                mitigate, and respond to insider threats to the 
                Department's critical assets;
                  (B) develop a plan to implement the insider 
                threat measures identified in the strategy 
                developed under subparagraph (A) across the 
                components and offices of the Department;
                  (C) document insider threat policies and 
                controls;
                  (D) conduct a baseline risk assessment of 
                insider threats posed to the Department's 
                critical assets;
                  (E) examine existing programmatic and 
                technology best practices adopted by the 
                Federal Government, industry, and research 
                institutions to implement solutions that are 
                validated and cost-effective;
                  (F) develop a timeline for deploying 
                workplace monitoring technologies, employee 
                awareness campaigns, and education and training 
                programs related to identifying, preventing, 
                mitigating, and responding to potential insider 
                threats to the Department's critical assets;
                  (G) require the Chair and Vice Chair of the 
                Steering Committee to consult with the Under 
                Secretary for Science and Technology and other 
                appropriate stakeholders to ensure the Insider 
                Threat Program is informed, on an ongoing 
                basis, by current information regarding 
                threats, beset practices, and available 
                technology; and
                  (H) develop, collect, and report metrics on 
                the effectiveness of the Department's insider 
                threat mitigation efforts.
  (c) Report.--Not later than two years after the date of the 
enactment of this section and the biennially thereafter for the 
next four years, the Secretary shall submit to the Committee on 
Homeland Security and the Permanent Select Committee on 
Intelligence of the House of Representatives and the Committee 
on Homeland Security and Governmental Affairs and the Select 
Committee on Intelligence of the Senate a report on how the 
Department and its components and offices have implemented the 
strategy developed under subsection (b)(2)(A), the status of 
the Department's risk assessment of critical assets, the types 
of insider threat training conducted, the number of Department 
employees who have received such training, and information on 
the effectiveness of the Insider Threat Program, based on 
metrics under subsection (b)(2)(H).
  (d) Definitions.--In this section:
          (1) Critical assets.--The term ``critical assets'' 
        means the people, facilities, information, and 
        technology required for the Department to fulfill its 
        mission.
          (2) Insider.--The term ``insider'' means--
                  (A) any person who has access to classified 
                national security information and is employed 
                by, detailed to, or assigned to the Department, 
                including members of the Armed Forces, experts 
                or consultants to the Department, industrial or 
                commercial contractors, licensees, certificate 
                holders, or grantees of the Department, 
                including all subcontractors, personal services 
                contractors, or any other category of person 
                who acts for or on behalf of the Department, as 
                determined by the Secretary; or
                  (B) State, local, tribal, territorial, and 
                private sector personnel who possess security 
                clearances granted by the Department.
          (3) Insider threat.--The term ``insider threat'' 
        means the threat that an insider will use his or her 
        authorized access, wittingly or unwittingly, to do harm 
        to the security of the United States, including damage 
        to the United States through espionage, terrorism, the 
        unauthorized disclosure of classified national security 
        information, or through the loss or degradation of 
        departmental resources or capabilities.

           *       *       *       *       *       *       *


                            Dissenting Views

    Though I am supportive of the insider threat program that 
is currently in operation at the Department of Homeland 
Security (DHS), I reluctantly voted ``no'' when H.R. 3361 was 
considered on September 30th by the Full Committee. At the 
time, I expressed disappointment that the Majority would not 
agree to clarify that H.R. 3361 authorizes the current DHS 
insider threat program and does not authorize the establishment 
of a continuous evaluation program that subjects certain 
personnel to ongoing automated credit, criminal, and social 
media monitoring.
    DHS' current insider threat program is properly targeted at 
preventing and detecting when a person with authorized access 
to U.S. Government resources, to include personnel, facilities, 
information, equipment, networks, and systems, uses that access 
to harm the security of the United States. In response to high 
profile incidents involving the misappropriation of classified 
and sensitive material by Edward Snowden and Bradley Manning, 
Federal agencies have, increasingly, sought to establish 
continuous evaluation programs to monitor personnel with 
security clearances or in positions of trust on an ongoing 
basis through automated systems. The Department of Defense, in 
particular, has pursued this capability and is currently 
gathering credit, financial, travel information as well as 
criminal records from both public and private databases, 
including social media, for more than 100,000 individuals who 
are eligible for access to classified information. While I 
appreciate that the standard periods for recurrent checks may 
need to be adjusted to enhance detection of potential issues, 
it is incumbent upon Congress to ensure that any adjustments to 
the longstanding security clearance system be transparent and 
effective, with minimum disruption to the important work 
undertaking by the Federal workforce.
    I strongly believe that, as authorizers, we have a 
responsibility, to have an open conversation with the 
Department about the potential costs, both financial and to the 
stability of the security-cleared workforce, as well as the 
potential benefits of erecting such a system prior to 
authorizing DHS to move forward with it.
    Unfortunately, without clarifying language, H.R. 3361 could 
be interpreted to authorize DHS to move forward with a 
continuous evaluation program without our Committee setting 
forth our expectations are for such a system.
    For these reasons, I reluctantly oppose H.R. 3361.

                                                Bennie G. Thompson.

                                  [all]