Report | Sept. 28, 2022

Audit of the DoD Component Insider Threat Reporting to the DoD Insider Threat Management and Analysis Center (DODIG-2022-141)

Audit

Publicly Released: September 30, 2022

Objective

The objective of this audit was to determine whether DoD Components reported insider threat incidents to the DoD Insider Threat Management and Analysis Center (DITMAC) in accordance with DoD guidance.

Background

DoD Directive 5205.16 defines a DoD insider as any person (DoD personnel, contractors, and other non‑DoD individuals) to whom the DoD has, or once had, granted eligibility for access to classified information or to hold a sensitive position. The Directive defines an insider threat as a threat that insiders pose to the DoD and Federal Government installations, facilities, personnel, missions, and resources, that can result in damage to the United States through espionage, terrorism, and unauthorized disclosure of national security information. The FY 2017 National Defense Authorization Act revised the definition of a DoD insider (also known as a covered person) to include any person who has, or once had, authorized access to DoD information, facilities, networks, or other resources. According to DoD officials, DoD Directive 5205.16 is being updated to reflect the revised definition of a DoD insider.

DoD insiders have caused high-profile disclosures and breaches of data critical to national security. For example, since 2001, some of the most noted disclosures were made by former National Security Agency (NSA) contractors Edward Snowden and Harold Martin. DoD insiders were also responsible for the mass shootings at Fort Hood, Texas, in 2009 and at the Washington Navy Yard in Washington, D.C., in 2013.

After the Navy Yard shooting in 2013, the Secretary of Defense commissioned independent panels to review gaps and deficiencies in DoD security programs, policies, and procedures. In response to recommendations made in the panel reports, the Secretary of Defense approved the formation of DITMAC to provide a centralized capability to manage and analyze DoD insider threat data. DITMAC helps prevent, deter, detect, and mitigate the potential threat that DoD insiders may pose to the United States.

In 2016, the Under Secretary of Defense for Intelligence and Security (USD[I&S]), who serves as the DoD senior official responsible for overseeing the DoD Insider Threat Program, established DITMAC within the Defense Counterintelligence and Security Agency. The USD(I&S) also directed that all DoD Components report insider threats to DITMAC. DoD Components are required to report to DITMAC through their Component’s insider threat analysis center, known as an Insider Threat Hub. DoD military, civilian, and contractor personnel are required to report any incidents that involve a covered person (DoD insider) and meet one or more of the 13 reporting thresholds established by DITMAC. Examples of reportable incidents involve sexual assault, violent acts, questionable allegiance to the United States, unauthorized disclosure of classified information, and terrorism. DITMAC receives insider threat incidents from the Hubs electronically through the DITMAC System of Systems or e-mail.

Finding

The Army, Navy, Marine Corps, Defense Logistics Agency, and Defense Health Agency Component Hubs did not consistently report to DITMAC insider threat incidents that involved a covered person and met one or more of the reporting thresholds. Specifically, of the 215 insider threat incidents we reviewed from those Hubs, 200 incidents involved a covered person and met one or more of the thresholds. Of those 200 incidents, 115 were reported to DITMAC, but the other 85 were not. Furthermore, of the 115 insider threat incidents that were reported to DITMAC, the time it took the Hubs to report the incidents ranged from 1 day to over 2 years.

The inconsistent reporting to DITMAC occurred because the USD(I&S) did not:

  • develop an oversight program to periodically verify that the Hubs reported insider threat incidents that involved a covered person and met one or more of the reporting thresholds; or
  • establish timelines for reporting insider threat incidents to DITMAC.

Insider threat incidents have resulted in harm to the United States and the DoD through espionage, terrorism, unauthorized disclosure of national security information, and the loss or degradation of DoD resources and capabilities. Unless the DoD Component Hubs consistently report insider threat incidents to DITMAC as required, DITMAC cannot fully accomplish its mission to provide the DoD with a centralized capability to identify, mitigate, and counter insider threats and reduce the harm to the United States and the DoD by malicious insiders.

Recommendations

We recommend that the USD(I&S) implement a process for assessing DoD Component compliance with insider threat reporting requirements, develop timelines for DoD Components to report insider threat incidents to DITMAC, and submit the FY 2021 annual report on the DoD Insider Threat Program to the Secretary of Defense as required.

We also recommend that the Secretary of the Army, the Secretary of the Navy, and the Defense Health Agency Director require that their Hub Directors review the insider threat incidents that we determined should have been reported to DITMAC and report those incidents as required. Lastly, we recommend that the NRO Director, USCYBERCOM Commander, and the NSA/Central Security Service Director require that their Hub Directors review the insider threat incidents received since their Hubs were established or the 2016 DoD Component reporting requirement was initiated and report any of the incidents that involve a covered person and meet one or more of the reporting thresholds.

Management Comments and Our Response

The DoD Counter-Insider Threat Deputy Director, responding for the USD(I&S), agreed to implement a process for assessing DoD Component compliance with insider threat reporting requirements, develop timelines for DoD Components to report insider threat incidents to DITMAC, and submit the DoD Insider Threat Program annual report to the Secretary of Defense.

The Under Secretary of the Army, responding for the Secretary of the Army, and the Deputy Under Secretary of the Navy for Intelligence and Security, responding for the Secretary of the Navy, agreed to report the incidents identified in this report to DITMAC. In addition, the USCYBERCOM Chief of Staff, responding for the USCYBERCOM Commander, agreed.

The NRO Director and the NSA Chief of Staff for Workforce Support Activities, responding for the NSA/Central Security Service Director, disagreed.

We disagree. The FY 2017 National Defense Authorization Act revised the definition of a DoD insider (covered person) to include any person who has, or once had, authorized access to DoD information, facilities, networks, or other resources. Therefore, the recommendations to NRO and NSA are unresolved, and we request that the NRO Director and the NSA/Central Security Service Director provide comments on the final report.

The Defense Health Agency Director did not provide comments on the draft report; therefore, we request that the Defense Health Agency provide comments on the final report.

This report is a result of Project No. D2020-D000CP-0074.000.