[Senate Report 114-297]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 553
114th Congress     )                                    {       Report
                                 SENATE
 2d Session        }                                    {      114-297
_______________________________________________________________________

                                     

                    DEPARTMENT OF HOMELAND SECURITY

               INSIDER THREAT AND MITIGATION ACT OF 2015

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                               H.R. 3361

             TO AMEND THE HOMELAND SECURITY ACT OF 2002 TO
      ESTABLISH THE INSIDER THREAT PROGRAM, AND FOR OTHER PURPOSES



                 July 12, 2016.--Ordered to be printed
                 
                                    ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

59-010                         WASHINGTON : 2016                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
                 
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming             HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire          CORY A. BOOKER, New Jersey
JONI ERNST, Iowa                     GARY C. PETERS, Michigan
BEN SASSE, Nebraska

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
         Elizabeth McWhorter, Senior Professional Staff Member
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
               Mary Beth Schultz, Minority Chief Counsel
      Matthew R. Grote, Minority Senior Professional Staff Member
                     Laura W. Kilbride, Chief Clerk










======================================================================



 
                     HOMELAND SECURITY ACT OF 2002

                                _______
                                


 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                        [To accompany H.R. 3361]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the act (H.R. 3361), to amend 
the Homeland Security Act of 2002 to establish the Insider 
Threat Program, and for other purposes, having considered the 
same, reports favorably thereon with an amendment in the nature 
of a substitute and recommends that the bill, as amended, do 
pass.

                                CONTENTS

  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Legislative History
 IV. Section-by-Section Analysis
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Act, as Reported

                         I. Purpose and Summary

    The purpose of H.R. 3361, the Department of Homeland 
Security Insider Threat and Mitigation Act of 2016, is to 
establish an Insider Threat Program (ITP) within the Department 
of Homeland Security (DHS or ``the Department''). The act 
mandates an ITP structure that improves employee 
identification, prevention, and mitigation of risks to the 
Department's critical assets. It also establishes an internal 
DHS Steering Committee to manage and coordinate DHS activities 
related to insider threat issues, includes employee education 
and training, and strengthens the Department's ability to 
discipline employees found to be insider threats. The act 
requires the Secretary to report to Congress on implementation 
progress and the metrics-based effectiveness of the ITP.

              II. Background and the Need for Legislation

    As evolving computer technology becomes an increasingly 
pervasive part of everyday life, both government and private 
entities have grown dependent on information technology (IT) 
systems to process, maintain, and transmit sensitive 
information.\1\ This reliance on IT drives a persistent and 
evolving insider threat to Federal IT systems that manage 
national security critical assets.\2\
---------------------------------------------------------------------------
    \1\Gov't Accountability Office, GAO-13-187, Cybersecurity: National 
Strategy, Roles, and Responsibilities Need to Be Better Defined and 
More Effectively Implemented 1 (2013), available at 
http://www.gao.gov/assets/660/652170.pdf.
    \2\Id.
---------------------------------------------------------------------------
    It has been ``insiders'' with trusted access within the 
United States Government who have conducted some of the most 
egregious releases of classified information and espionage in 
recent years. In 2010, United States Army PFC Manning used 
access to classified databases to leak classified information 
that would ultimately be published online.\3\ Edward Snowden 
continues to evade criminal prosecution after he used his 
access to classified databases to steal and publish classified 
information related to sensitive national security programs.\4\
---------------------------------------------------------------------------
    \3\See id.; see also Ellen Nakashima & Julie Tate, Prosecutors Say 
Manning and Assange Collaborated in Stealing Secret Documents, Wash. 
Post (Dec. 22, 2011), 
https://www.washingtonpost.com/national/national-security/prosecutors-say-manning-and-assange-collaborated-in-stealing-secret-documents/2011/12/22/gIQARwAXCP_story.html.
    \4\See generally Jordan Fabian, White House Stands Firm on Snowden 
Prosecution, The Hill (June 1, 2015), 
http://thehill.com/homenews/administration/243643-amid-nsa-furor-white-house-standing-firm-on-snowden-prosecution; 
Safeguarding Our Nation's Secrets: Examining the 
Security Clearance Process: Joint Hearing Before the S. Subcomm. on 
Efficiency and Effectiveness of Fed. Programs and the Fed. Workforce 
and the S. Subcomm. on Fin. and Contracting Oversight of the S. Comm. 
on Homeland Sec. & Governmental Affairs, 113th Cong. (2013); Open 
Hearing: Current and Projected National Security Threats Against the 
United States: Hearing Before the S. Select Comm. on Intelligence, 
113th Cong. (2014) (statement of James R. Clapper, Director of National 
Intelligence).
---------------------------------------------------------------------------
    Publicized security leaks inspired the 2011 Executive Order 
13587 ``Structural Reforms to Improve Security of Classified 
Networks and the Responsible Sharing and Safeguarding of 
Classified Information.''\5\ This Executive Order requires that 
``the heads of agencies that operate or access classified 
computer networks'' shall ``implement an insider threat 
detection and prevention program.''\6\
---------------------------------------------------------------------------
    \5\Gov't Accountability Office, GAO-15-544, Insider Threats: DOD 
Should Strengthen Management and Guidance to Protect Classified 
Information and Systems 6 (2015), available at 
http://gao.gov/assets/680/670570.pdf.
    \6\Exec. Order No. 13,587, 3 C.F.R. 63811 (2011), available at 
http://www.archives.gov/isoo/policy-documents/eo-13587.pdf.
---------------------------------------------------------------------------
    Although, according to the Department, current efforts align 
with the requirements of these policies, H.R. 3361 ensures the 
Department will maintain a management structure for the ITP 
that is the most effective for the purposes of national 
security. This structure involves a multidisciplinary steering 
committee that coordinates Department-wide activities related 
to insider threats to its critical assets, including the 
identification of potential threats. The act also directs the 
Department to conduct a risk assessment of its critical assets, 
including its networks, facilities, workforce, and information.
    However, the 2011 Executive Order 13587 and a 2012 
Presidential memorandum on ITPs only require the Department ITP 
to cover classified systems.\7\ Insider threats can affect both 
classified and unclassified systems, as the Department of 
Defense learned in 2008 when malicious software on an infected 
flash drive spread through both system types at a military base 
in the Middle East.\8\ The intelligence and security 
communities recommended and strongly urged that the DHS ITP 
should cover the Department's unclassified systems as well.\9\ 
H.R. 3361 will expand the ITP to cover both the Department's 
classified and unclassified critical assets.
---------------------------------------------------------------------------
    \7\Exec. Order No. 13,587, 3 C.F.R. 63811 (2011), available at 
http://www.archives.gov/isoo/policy-documents/eo-13587.pdf; 
National Insider Threat Task Force, National Insider Threat Policy and 
the Minimum Standards for Executive Branch Insider Threat Programs, 
National Counterintelligence and Security Center (Nov. 2012), 
https://www.ncsc.gov/nittf/docs/National_Insider_Threat_Policy.pdf.
    \8\GAO-13-187, supra note 1 at 10.
    \9\Communications between Dept. of Homeland Sec. staff and S. 
Homeland Sec. & Governmental Affairs Comm. staff (Feb. 1, 2016).
---------------------------------------------------------------------------
    In the event an employee is found to be an insider threat, 
the substitute amendment empowers the Secretary of DHS to 
further prevent and mitigate insider threats by requiring 
certain disciplinary actions against that employee. Overall, 
this act establishes an effective ITP structure to secure 
Department facilities, its workforce, and its critical assets--
both classified and unclassified.
    The extreme cases of intentional insider threats mentioned 
above highlight the need for a strong ITP within departments 
and agencies with national security responsibilities. 
Intentional attacks aside, unwitting employee data breaches 
also pose a significant risk to the security of Federal 
systems. Of the 200 Federal IT decision makers surveyed under a 
study published in 2015 to identify critical cybersecurity 
challenges, more than half (53 percent) ``identified careless 
and untrained insiders as the greatest source of IT security 
threats at their agencies.''\10\ This represented a 42 percent 
increase from the previous year.\11\
---------------------------------------------------------------------------
    \10\Press Release, SolarWinds Survey Investigates Insider Threats 
to Federal Cybersecurity, SolarWinds Worldwide, LLC (Jan. 26, 2015), 
available at 
http://www.solarwinds.com/company/newsroom/press_releases/threats_to_federal_cybersecurity.aspx.
    \11\Id.
---------------------------------------------------------------------------
    While the number of respondents that indicated careless and 
untrained insiders as the foremost cybersecurity issue dropped 
to 48 percent in 2016, it is still tied for the top security 
threat.\12\ This means that for the third survey in as many 
years, over 40 percent of Federal IT professionals highlighted 
employee security training and education as a necessary 
investment for threat prevention.
---------------------------------------------------------------------------
    \12\Press Release, Consolidation and Modernization Chief Among 
Federal IT Security Concerns, SolarWinds Survey Discovers, SolarWinds 
Worldwide, LLC (Mar. 1, 2016), available at 
http://www.solarwinds.com/company/newsroom/press_releases/consolidation-and-modernization-chief-among-federal-it-security.aspx.
---------------------------------------------------------------------------
    In 2015, a different survey of 150 Federal IT managers, as 
well as a Government Accountability Office (GAO) report, 
identified the vulnerability of Federal systems to insider 
threats. Results of that survey revealed that nearly half of 
Federal agencies were targets of insider threats and nearly one 
in three (29 percent) suffered a loss of data due to an 
insider.\13\
---------------------------------------------------------------------------
    \13\Id.
---------------------------------------------------------------------------
    Meanwhile, GAO reported steadily increasing information 
security incidents affecting Federal systems from fiscal year 
(FY) 2006 (5,503 incidents) to FY 2014 (67,168 incidents): an 
overall increase of 1,121 percent.\14\
---------------------------------------------------------------------------
    \14\Is the OPM Data Breach the Tip of the Iceberg?: Joint Hearing 
Before the H. Subcomm. on Research and Tech. and the H. Subcomm. on 
Oversight of the H. Comm. on Science, Space, and Tech., 114th Cong. 7 
(2015) (statement of Gregory Wilshusen, Director, Information Security 
Issues, U.S. Gov't Accountability Office).
---------------------------------------------------------------------------
    Unfortunately, technology alone is often incapable of 
detecting insider threats. Patricia Larsen, co-director of the 
National Insider Threat Task Force, recently attested to this, 
stating, ``[t]raining is a huge piece of this. No technology 
tool in the world is going to be your silver bullet.''\15\ In 
addition to requiring department-wide coordination on 
addressing insider threats, H.R. 3361 mandates employee 
education and training.
---------------------------------------------------------------------------
    \15\Calvin Hennick, Commerce, State Departments Take Steps to 
Combat Insider Security Threats, FedTech Magazine (Apr. 25, 2016), 
available at 
http://www.fedtechmagazine.com/article/2016/04/commerce-state-departments-take-steps-combat-insider-security-threats.
---------------------------------------------------------------------------
    Through employee education and training, this act seeks to 
create a Federal workforce that is aware of the risks posed by 
insider threats, and qualified to detect and report suspicious 
activity among colleagues.

                        III. Legislative History

    Representative Peter King, along with Representatives Lou 
Barletta, Daniel M. Donovan Jr., Brian Higgins, and John Katko, 
introduced H.R. 3361 on July 29, 2015, which was referred to 
the House Committee on Homeland Security. The House Committee 
on Homeland Security considered H.R. 3361 at a business meeting 
on November 2, 2015. On the same day, the bill passed the House 
by voice vote and under suspension of the rules.
    The act was received in the Senate and referred to the 
Committee on Homeland Security and Governmental Affairs on 
November 3, 2015. The Committee considered H.R. 3361 at a 
business meeting on February 10, 2016.
    Chairman Ron Johnson offered a substitute amendment that 
required certain discipline of employees found to be insider 
threats as well as a modified technical amendment. The 
technical amendment replaced the term ``adjudicatory 
authority'' with ``appropriate entity.'' Senator Claire 
McCaskill offered an amendment to clarify that nothing in this 
act would change existing whistleblower protections for Federal 
employees that are accused of being insider threats.
    The Committee adopted both the Johnson amendments and the 
McCaskill amendment, and ordered the act, as amended, reported 
favorably, en bloc by voice vote. Senators present for the vote 
on the amendments and the vote on the amended act were: 
Johnson, McCain, Portman, Paul, Lankford, Ayotte, Ernst, Sasse, 
Carper, McCaskill, Tester, Baldwin, Heitkamp, Booker, and 
Peters.

        IV. Section-by-Section Analysis of the Act, as Reported


Section 1. Short title

    This section provides the act's short title, the 
``Department of Homeland Security Insider Threat and Mitigation 
Act of 2016.''

Section 2. Establishment of the Insider Threat Program

    This section establishes DHS's Insider Threat Program.
    Subsection (a) requires the Secretary of DHS to establish a 
robust, centralized ITP within the Department. The ITP shall 
provide Department employee training and education related to 
insider threats to the Department's critical assets, allow the 
Department to investigate such threats, and standardize risk 
mitigation of such threats.
    Subsection (b) creates a Steering Committee to manage 
Department-wide activities related to insider threats to the 
Department's critical assets. This subsection further 
identifies the Steering Committee's membership, frequency of 
meetings, and responsibilities. Due to the multidisciplinary 
aspect of Department-wide assets, a successful DHS ITP must be 
led by professionals with not only counterintelligence but also 
law enforcement and investigation authorities. For this reason, 
the DHS Under Secretary for Intelligence and Analysis and Chief 
Security Officer shall serve as Chairperson and Vice 
Chairperson of the Steering Committee, respectively. This 
allows for longer retention of records against which system 
flags can be checked. The remaining members of the Steering 
Committee shall be comprised of representatives from other 
components or offices of the Department identified by the risk 
assessment as appropriate stakeholders. This ensures that 
components or offices with information, networks, or facilities 
at risk of insider threat activities participate in the 
program.
    The Steering Committee shall meet on a regular basis to 
discuss cases and issues related to insider threats to the 
Department's critical assets. This subsection also identifies 
the Steering Committee's responsibilities.
    Subsection (c) details the procedure to be followed when an 
insider threat is discovered. The head of an agency exploited 
by an insider threat is required to propose an adverse action 
against an employee engaged in insider misconduct that is not 
less than a 12-day suspension, with respect to the first 
instance; and removal, for any subsequent instance. That 
employee receives written notice and an opportunity to refute 
the accusation.
    An employee can face multiple adverse actions for the same 
incident of insider misconduct if another provision of law 
applies.
    Subsection (d) requires the Secretary of DHS to report to 
Congress on the status of Department-wide insider threat 
strategy implementation; the status of the Department's 
critical asset insider threat risk assessment; the types of 
training the Department conducts as part of the ITP; the number 
of Department employees trained through the ITP; and analysis 
determining whether the program effectively protects the 
Department's critical assets from insider threats.
    Subsection (e) clarifies that the act does not change 
existing whistleblower protections for Federal employees that 
are accused of being insider threats.
    Subsection (f) provides definitions for the following 
terms: ``appropriate entity,'' ``critical assets,'' 
``employee,'' ``insider,'' ``insider employee,'' ``insider 
misconduct,'' ``insider threat,'' and ``steering committee.''

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this act and determined 
that the act will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that H.R. 3361 contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act and would not affect the budgets 
of state, local, or tribal governments.

             VI. Congressional Budget Office Cost Estimate

                                                    March 21, 2016.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3361, the 
Department of Homeland Security Insider Threat and Mitigation 
Act of 2016.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                                        Keith Hall.
    Enclosure.

H.R. 3361--Department of Homeland Security Insider Threat and 
        Mitigation Act of 2016

    H.R. 3361 would direct the Department of Homeland Security 
(DHS) to establish a program to protect the department's 
critical assets from insider threats (that is, harmful 
activities by department employees and certain other persons 
with access to classified information). DHS is currently 
carrying out activities similar to those required by the act; 
thus, CBO estimates that implementing H.R. 3361 would not 
significantly affect spending by DHS. Because enacting the 
legislation would not affect direct spending or revenues, pay-
as-you-go procedures do not apply.
    CBO estimates that enacting the legislation would not 
increase net direct spending or on-budget deficits in any of 
the four consecutive 10-year periods beginning in 2027.
    H.R. 3361 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act and 
would not affect the budgets of state, local, or tribal 
governments.
    On October 23, 2015, CBO transmitted a cost estimate for 
H.R. 3361, the Department of Homeland Security Insider Threat 
and Mitigation Act of 2015, as ordered reported by the House 
Committee on Homeland Security on September 30, 2015. The two 
versions of the act are similar and CBO's estimates of the 
budgetary effects are the same.
    The CBO staff contact for this estimate is Mark Grabowicz. 
The estimate was approved by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

       VII. Changes in Existing Law Made by the Act, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
H.R. 3361 as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

HOMELAND SECURITY ACT OF 2002

           *       *       *       *       *       *       *


TITLE I--DEPARTMENT OF HOMELAND SECURITY

           *       *       *       *       *       *       *


Sec. 104. Insider Threat Program

SEC. 104. INSIDER THREAT PROGRAM

    (a) Establishment.--The Secretary shall establish an 
Insider Threat Program within the Department, which shall--
          (1) provide training and education for employees of 
        the Department to identify, prevent, mitigate, and 
        respond to insider threat risks to the Department's 
        critical assets;
          (2) provide investigative support regarding potential 
        insider threats that may pose a risk to the 
        Department's critical assets; and
          (3) conduct risk mitigation activities for insider 
        threats.
    (b) Steering Committee.--
          (1) In General.--
                  (A) Establishment.--The Secretary shall 
                establish a Steering Committee within the 
                Department.
                  (B) Membership.--The membership of the 
                Steering Committee shall be as follows:
                          (i) The Under Secretary for 
                        Intelligence and Analysis shall serve 
                        as the Chairperson of the Steering 
                        Committee.
                          (ii) The Chief Security Officer shall 
                        serve as the Vice Chairperson of the 
                        Steering Committee.
                          (iii) The other members of the 
                        Steering Committee shall be comprised 
                        of representatives of the Office of 
                        Intelligence and Analysis, the Office 
                        of the Chief Information Officer, the 
                        Office of the General Counsel, the 
                        Office for Civil Rights and Civil 
                        Liberties, the Privacy Office, the 
                        Office of the Chief Human Capital 
                        Officer, the Office of the Chief 
                        Financial Officer, the Federal 
                        Protective Service, the Office of the 
                        Chief Procurement Officer, the Science 
                        and Technology Directorate, and other 
                        components or offices of the 
                        Department, as appropriate.
                  (C) Meetings.--The members of the Steering 
                Committee shall meet on a regular basis to 
                discuss cases and issues related to insider 
                threats to the Department's critical assets, in 
                accordance with subsection (a).
          (2) Responsibilities.--Not later than 1 year after 
        the date of enactment of this section, the Under 
        Secretary for Intelligence and Analysis and the Chief 
        Security Officer, in coordination with the Steering 
        Committee, shall--
                  (A) develop a holistic strategy for 
                Department-wide efforts to identify, prevent, 
                mitigate, and respond to insider threats to the 
                Department's critical assets;
                  (B) develop a plan to implement the insider 
                threat measures identified in the strategy 
                developed under subparagraph (A) across the 
                components and offices of the Department;
                  (C) document insider threat policies and 
                controls;
                  (D) conduct a baseline risk assessment of 
                insider threats posed to the Department's 
                critical assets;
                  (E) examine programmatic and technology best 
                practices adopted by the Federal Government, 
                industry, and research institutions to 
                implement solutions that are validated and 
                cost-effective;
                  (F) develop a timeline for deploying 
                workplace monitoring technologies, employee 
                awareness campaigns, and education and training 
                programs related to identifying, preventing, 
                mitigating, and responding to potential insider 
                threats to the Department's critical assets;
                  (G) consult with the Under Secretary for 
                Science and Technology and other appropriate 
                stakeholders to ensure the Insider Threat 
                Program is informed, on an ongoing basis, by 
                current information regarding threats, best 
                practices, and available technology; and
                  (H) develop, collect, and report metrics on 
                the effectiveness of the Department's insider 
                threat mitigation efforts.
    (c) Discipline of Employees Engaged in Insider 
Misconduct.--
          (1) In General.--In accordance with paragraph (2), 
        the head of an agency or a component of an agency 
        employing an insider employee shall propose--
                  (A) for an insider employee whom an 
                appropriate entity determines knowingly or 
                recklessly engaged in insider misconduct, 
                removal; and
                  (B) for an insider employee whom an 
                appropriate entity determines negligently 
                engaged in insider misconduct--
                          (i) an adverse action that is not 
                        less than a 12-day suspension, with 
                        respect to the first instance; and
                          (ii) removal, for any subsequent 
                        instance.
          (2) Procedures.--
                  (A) Notice.--An insider employee against whom 
                an adverse action under paragraph (1) is 
                proposed is entitled to written notice.
                  (B) Answer and Evidence.--
                          (i) In general.--An insider employee 
                        who is notified under subparagraph (A) 
                        that the insider employee is the 
                        subject of a proposed adverse action 
                        under paragraph (1) is entitled to 14 
                        days following such notification to 
                        answer and furnish evidence in support 
                        of the answer.
                          (ii) No evidence.--After the end of 
                        the 14-day period described in clause 
                        (i), if an insider employee does not 
                        furnish evidence as described in clause 
                        (i) or if the head of the agency or 
                        component of the agency employing the 
                        insider employee determines that such 
                        evidence is not sufficient to reverse 
                        the proposed adverse action, the head 
                        of the agency or component of the 
                        agency shall carry out the adverse 
                        action.
                  (C) Scope of procedures.--Paragraphs (1) and 
                (2) of subsection (b) and subsection (c) of 
                section 7513 of title 5, United States Code, 
                and paragraphs (1) and (2) of subsection (b) 
                and subsection (c) of 7543 of title 5, United 
                States Code, shall not apply with respect to 
                an adverse action carried out under this 
                subsection.
          (3) Limitation on other adverse actions.--With 
        respect to insider misconduct, if the head of the 
        agency or component of the agency employing an insider 
        employee carries out an adverse action against the 
        insider employee under another provision of law, the 
        head of the agency or component of the agency may carry 
        out an additional adverse action under this subsection 
        based on the same insider misconduct.
    (d) Report.--Not later than 2 years after the date of the 
enactment of this section, and every 2 years thereafter for the 
next 4 years, the Secretary shall submit to the Committee on 
Homeland Security and the Permanent Select Committee on 
Intelligence of the House of Representatives and the Committee 
on Homeland Security and Governmental Affairs and the Select 
Committee on Intelligence of the Senate a report on--
          (1) how the Department and its components and offices 
        have implemented the strategy developed under 
        subsection (b)(2)(A);
          (2) the status of the Department's risk assessment of 
        critical assets;
          (3) the types of insider threat training conducted by 
        the Department;
          (4) the number of employees of the Department who 
        have received such training; and
          (5) information on the effectiveness of the Insider 
        Threat Program, based on metrics under subsection 
        (b)(2)(H).
    (e) Preservation of Merit System Rights.--
          (1) In general.--The Steering Committee shall not 
        seek to, and the authorities provided under this 
        section shall not be used to, deter, detect, or 
        mitigate disclosures of information by Government 
        employees or contractors that are lawful under and 
        protected by section 17(d)(5) of the Central 
        Intelligence Agency Act of 1949 (50 U.S.C. 3517(d)(5)) 
        (commonly known as the `Intelligence Community 
        Whistleblower Protection Act of 1998'), chapter 12 or 
        23 of title 5, United States Code, the Inspector 
        General Act of 1978 (5 U.S.C. App.), or any other 
        whistleblower statute, regulation, or policy.
          (2) Implementation.--
                  (A) In general.--Any activity carried out 
                under this section shall be subject to section 
                115 of the Whistleblower Protection Enhancement 
                Act of 2012 (5 U.S.C. 2302 note).
                  (B) Required statement.--Any activity to 
                implement or enforce any insider threat 
                activity or authority under this section or 
                Executive Order 13587 (50 U.S.C. 3161 note) 
                shall include the statement required by section 
                115 of the Whistleblower Protection Enhancement 
                Act of 2012 (5 U.S.C. 2302 note) that preserves 
                rights under whistleblower laws and section 
                7211 of title 5, United States Code, protecting 
                communications with Congress.
    (f) Definitions.--In this section:
          (1) Appropriate entity.--The term `appropriate 
        entity' means--
                  (A) the head of an agency or a component of 
                an agency;
                  (B) an administrative law judge;
                  (C) the Merit Systems Protection Board;
                  (D) the Office of Special Counsel;
                  (E) an adjudicating body provided under a 
                union contract;
                  (F) a Federal judge; and
                  (G) the Inspector General of the Department.
          (2) Critical assets.--The term `critical assets' 
        means the people, facilities, information, and 
        technology required for the Department to fulfill its 
        mission.
          (3) Employee.--The term `employee' means an employee, 
        as defined under section 7103(a), of title 5, United 
        States Code.
          (4) Insider.--The term `insider' means--
                  (A) any person who has access to classified 
                national security information and is employed 
                by, detailed to, or assigned to the Department, 
                including members of the Armed Forces, experts 
                or consultants to the Department, industrial or 
                commercial contractors, licensees, certificate 
                holders, or grantees of the Department, 
                including all subcontractors, personal services 
                contractors, or any other category of person 
                who acts for or on behalf of the Department, as 
                determined by the Secretary; or
                  (B) State, local, tribal, territorial, and 
                private sector personnel who possess security 
                clearances granted by the Department.
          (5) Insider employee.--The term `insider employee' 
        means an insider who is an employee.
          (6) Insider misconduct.--The term `insider 
        misconduct' means harm to the security of the United 
        States, including damage to the United States through 
        espionage, terrorism, or the unauthorized disclosure of 
        classified national security information, or through 
        the loss or degradation of departmental resources or 
        capabilities, through use of authorized access by an 
        insider employee.
          (7) Insider threat.--The term `insider threat' means 
        the threat that an insider will use the authorized 
        access of the insider, wittingly or unwittingly, to do 
        harm to the security of the United States, including 
        damage to the United States through espionage, 
        terrorism, or the unauthorized disclosure of classified 
        national security information, or through the loss or 
        degradation of departmental resources or capabilities.
          (8) Steering committee.--The term `Steering 
        Committee' means the Steering Committee established 
        under subsection (b)(1)(A).

           *       *       *       *       *       *       *

