What We Did:
The objective of this audit was to determine whether DoD Components reported insider threat incidents to the DoD Insider Threat Management and Analysis Center (DITMAC) in accordance with DoD guidance.
What We Found:
The Army, Navy, Marine Corps, Defense Logistics Agency, and Defense Health Agency Component Hubs did not consistently report to DITMAC insider threat incidents that involved a covered person and met one or more of the reporting thresholds. Specifically, of the 215 insider threat incidents we reviewed from those Hubs, 200 incidents involved a covered person and met one or more of the thresholds. Of those 200 incidents, 115 were reported to DITMAC, but the other 85 were not. Furthermore, of the 115 insider threat incidents that were reported to DITMAC, the time it took the Hubs to report the incidents ranged from 1 day to over 2 years.
The inconsistent reporting to DITMAC occurred because the USD(I&S) did not:
• develop an oversight program to periodically verify that the Hubs reported insider threat incidents that involved a covered person and met one or more of the reporting thresholds; or
• establish timelines for reporting insider threat incidents to DITMAC.
Insider threat incidents have resulted in harm to the United States and the DoD through espionage, terrorism, unauthorized disclosure of national security information, and the loss or degradation of DoD resources and capabilities. Unless the DoD Component Hubs consistently report insider threat incidents to DITMAC as required, DITMAC cannot fully accomplish its mission to provide the DoD with a centralized capability to identify, mitigate, and counter insider threats and reduce the harm to the United States and the DoD by malicious insiders.
What We Recommend:
We recommend that the USD(I&S) implement a process for assessing DoD Component compliance with insider threat reporting requirements, develop timelines for DoD Components to report insider threat incidents to DITMAC, and submit the FY 2021 annual report on the DoD Insider Threat Program to the Secretary of Defense as required.
We also recommend that the Secretary of the Army, the Secretary of the Navy, and the Defense Health Agency Director require that their Hub Directors review the insider threat incidents that we determined should have been reported to DITMAC and report those incidents as required. Lastly, we recommend that the NRO Director, USCYBERCOM Commander, and the NSA/Central Security Service Director require that their Hub Directors review the insider threat incidents received since the establishment of their Hubs or the 2016 DoD Component reporting requirement was initiated and report any of the incidents that involve a covered person and meet one or more of the reporting thresholds.