The Department of Homeland Security’s internal watchdog says more action is needed to ensure its Insider Threat Program (ITP) doesn’t violate employees’ rights, along with other policy and procedural improvements, before the program’s planned expansion continues.
In December 2017, DHS expanded ITP from monitoring user activity on its classified networks to monitoring cleared and non-cleared employees’ activity on unclassified networks. The Office of the Inspector General (OIG) within DHS initiated a project to determine ITP progress in monitoring, detecting, and responding to malicious insider threats on unclassified DHS systems and networks.
Although the expanded program was approved in January 2017, the Office of the Chief Security Officer (OCSO) has yet to revise, obtain approval for, and reissue the required documentation. Specifically, OIG found that DHS has not completed required standard procedures, acquisition paperwork, and the systems engineering life cycle framework.
The Department also did not complete or revise the ITP privacy threshold analysis, privacy impact assessment, system of records notification, and operating procedures to ensure the program complies with privacy laws. OIG said DHS should not monitor user activity of un-cleared personnel at the components until it has taken steps to address these deficiencies.
OIG recommends that OCSO review DHS logon banners for unclassified systems at all components and determine whether they are legally sufficient; complete the required systems engineering life cycle framework; and revise and reissue DHS Instruction 262-05-002 for the expanded ITP. It should also determine, with the aid of the Office of Program Accountability and Risk Management, whether the expanded ITP is an acquisition program; what level of acquisition program it is, using a Rough Order of Magnitude or other cost estimate; and where the program is in the acquisition life cycle.
DHS concurred with the recommendations and agreed that it could strengthen its ITP. The Department stated it had already taken steps to strengthen the ITP, including updating required documentation to expand the scope of the ITP to the unclassified environment.