[Congressional Record Volume 157, Number 190 (Monday, December 12, 2011)]
[House]
[Pages H8356-H8726]


CONFERENCE REPORT ON H.R. 1540, NATIONAL DEFENSE AUTHORIZATION ACT FOR 
                            FISCAL YEAR 2012

  Mr. McKEON submitted the following conference report and statement on 
the bill (H.R. 1540) to authorize appropriations for fiscal year 2012 
for military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes.

                  Conference Report (H. Rept. 112-329)

[...]

     SEC. 922. INSIDER THREAT DETECTION.

       (a) Program Required.--The Secretary of Defense shall 
     establish a program for information sharing protection and 
     insider threat mitigation for the information systems of the 
     Department of Defense to detect unauthorized access to, use 
     of, or transmission of classified or controlled unclassified 
     information.
       (b) Elements.--The program established under subsection (a) 
     shall include the following:
       (1) Technology solutions for deployment within the 
     Department of Defense that allow for centralized monitoring 
     and detection of unauthorized activities, including--
       (A) monitoring the use of external ports and read and write 
     capability controls;
       (B) disabling the removable media ports of computers 
     physically or electronically;
       (C) electronic auditing and reporting of unusual and 
     unauthorized user activities;
       (D) using data-loss prevention and data-rights management 
     technology to prevent the unauthorized export of information 
     from a network or to render such information unusable in the 
     event of the unauthorized export of such information;
       (E) a roles-based access certification system;
       (F) cross-domain guards for transfers of information 
     between different networks; and
       (G) patch management for software and security updates.
       (2) Policies and procedures to support such program, 
     including special consideration for policies and procedures 
     related to international and interagency partners and 
     activities in support of ongoing operations in areas of 
     hostilities.
       (3) A governance structure and process that integrates 
     information security and sharing technologies with the 
     policies and procedures referred to in paragraph (2). Such 
     structure and process shall include--
       (A) coordination with the existing security clearance and 
     suitability review process;
       (B) coordination of existing anomaly detection techniques, 
     including those used in counterintelligence investigation or 
     personnel screening activities; and

[[Page H8429]]

       (C) updating and expediting of the classification review 
     and marking process.
       (4) A continuing analysis of--
       (A) gaps in security measures under the program; and
       (B) technology, policies, and processes needed to increase 
     the capability of the program beyond the initially 
     established full operating capability to address such gaps.
       (5) A baseline analysis framework that includes measures of 
     performance and effectiveness.
       (6) A plan for how to ensure related security measures are 
     put in place for other departments or agencies with access to 
     Department of Defense networks.
       (7) A plan for enforcement to ensure that the program is 
     being applied and implemented on a uniform and consistent 
     basis.
       (c) Operating Capability.--The Secretary shall ensure the 
     program established under subsection (a)--
       (1) achieves initial operating capability not later than 
     October 1, 2012; and
       (2) achieves full operating capability not later than 
     October 1, 2013.
       (d) Report.--Not later than 90 days after the date of the 
     enactment of this Act, the Secretary shall submit to the 
     congressional defense committees a report that includes--
       (1) the implementation plan for the program established 
     under subsection (a);
       (2) the resources required to implement the program;
       (3) specific efforts to ensure that implementation does not 
     negatively impact activities in support of ongoing operations 
     in areas of hostilities;
       (4) a definition of the capabilities that will be achieved 
     at initial operating capability and full operating 
     capability, respectively; and
       (5) a description of any other issues related to such 
     implementation that the Secretary considers appropriate.
       (e) Briefing Requirement.--The Secretary shall provide 
     briefings to the Committees on Armed Services of the House of 
     Representatives and the Senate as follows:
       (1) Not later than 90 days after the date of the enactment 
     of this Act, a briefing describing the governance structure 
     referred to in subsection (b)(3).
       (2) Not later than 120 days after the date of the enactment 
     of this Act, a briefing detailing the inventory and status of 
     technology solutions deployment referred to in subsection 
     (b)(1), including an identification of the total number of 
     host platforms planned for such deployment, the current 
     number of host platforms that provide appropriate security, 
     and the funding and timeline for remaining deployment.
       (3) Not later than 180 days after the date of the enactment 
     of this Act, a briefing detailing the policies and procedures 
     referred to in subsection (b)(2), including an assessment of 
     the effectiveness of such policies and procedures and an 
     assessment of the potential impact of such policies and 
     procedures on information sharing within the Department of 
     Defense and with interagency and international partners.
       (f) Budget Submission.--On the date on which the President 
     submits to Congress the budget under section 1105 of title 
     31, United States Code, for each of fiscal years 2014 through 
     2019, the Secretary of Defense shall submit to the 
     congressional defense committees an identification of the 
     resources requested in such budget to carry out the program 
     established under subsection (a).

[...]

     Insider threat detection (sec. 922)
       The House bill contained a provision (sec. 922) that would 
     require the Secretary of Defense to establish a program for 
     information sharing protection and insider threat mitigation, 
     and to provide the congressional defense committees regular 
     briefings on the Secretary's strategy, strategy 
     implementation, and associated resources. In addition, annual 
     budget submissions must include identification of the 
     resources requested for the program.
       The Senate amendment contained a similar provision (sec. 
     932).
       The Senate recedes with an amendment that would 
     include several procedural and technical options for 
     countering the insider threat that were contained in the 
     Senate provision.
       The conferees concur with the admonishment contained in the 
     Senate provision for the Department of Defense to fully 
     integrate its program to counter the insider threat with its 
     overall cybersecurity strategy and programs because of the 
     high degree of overlap between the two challenges.

[...]