
PM-12 Insider Threat Program

IL6

>Control Description

Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Organizations that handle classified information are required, under Executive Order 13587 [EO 13587] and the National Insider Threat Policy [ODNI NITP], to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns.

A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture. Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams.

Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy.

The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for integrating insider threat detection and response capabilities?
  • How does the organization coordinate insider threat activities with security, privacy, HR, and legal teams?
  • Who oversees the insider threat program, and what authority do they have?
  • What policies govern the collection and use of information for insider threat detection?
  • What governance exists for protecting privacy while detecting insider threats?

Technical Implementation:

  • What technical systems support insider threat detection (UEBA, DLP, SIEM)?
  • How are insider threat indicators collected from multiple sources?
  • What analytics or correlation capabilities detect insider threat behaviors?
  • How are insider threat alerts generated and escalated?
  • What privacy-protective technical measures are implemented in insider threat tools?

Evidence & Documentation:

  • Provide insider threat program documentation and charter.
  • Provide evidence of insider threat program coordination with HR, legal, and privacy.
  • Provide insider threat detection and response procedures.
  • Provide records of insider threat assessments or reviews.
  • Provide privacy impact documentation for insider threat monitoring.
