The government-wide effort to contain the threat to classified information and sensitive facilities from trusted insiders is falling behind schedule.
Currently, the anticipated achievement of an Initial Operating Capability for insider threat detection by January 2017 is “at risk,” according to a new quarterly progress report. Meanwhile, the date for achieving a Full Operating Capability cannot even be projected. See “Insider Threat and Security Clearance Reform, FY2014, Quarter 4.”
One aspect of the insider threat program is “continuous evaluation” (CE), which refers to the ongoing review of background information concerning cleared persons in order to ensure that they remain eligible for access to classified information and to provide prompt notice of any anomalous behavior.
The Office of the Director of National Intelligence was supposed to achieve “an initial CE capability for the most sensitive TS [Top Secret] and TS/SCI population” by December 2014. The latest quarterly report on the Insider Threat program noted that this milestone is “at risk.” In fact, it was missed.
“We did not meet” the December 2014 milestone for an initial CE capability, confirmed ODNI spokesman Eugene Barlow, though he said that “we’ve made considerable progress” in the Insider Threat program overall.
Nor has a revised milestone date for the initial CE capability been set, he added. But “we continue to aggressively push forward” and the desired function will be rolled out over the next few years, he said.
The Department of Defense is “on track” to provide continuous evaluation of 225,000 agency personnel by the end of 2015, and to expand that number to 1 million employees by 2017, according to the quarterly report. Actual achievements in individual agencies are classified.
As a general matter, the Insider Threat program faces both technological and “cultural” obstacles.
The information technology structures that are in place at most executive branch agencies are not optimized to support continuous evaluation or related security policies. Adapting them to address the insider threat issue is challenging and resource-intensive. Nor are agency policies and practices consistent across the government or equally hospitable to security concerns.
But it’s worth noting that the uneven performance described in the quarterly report reflects a degree of public candor that is unusual in security policy. Instead of presenting assurances that everything is fine in the Insider Threat program, the report acknowledges that some things are not fine and will not be fine for an unspecified time. That is refreshing and even, in its straightforward approach to the issue, somewhat encouraging.