PM-12 Insider Threat Program
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Organizations that handle classified information are required, under Executive Order 13587 [EO 13587](#0af071a6-cf8e-48ee-8c82-fe91efa20f94) and the National Insider Threat Policy [ODNI NITP](#06d74ea9-2178-449c-a9c5-b2980f804ac8) , to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture.
Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
- EO 13587 Executive Order 13587, *Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information* , October 2011.
- NITP12 Presidential Memorandum for the Heads of Executive Departments and Agencies, *National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs* , November 2012.
- ODNI NITP Office of the Director National Intelligence, *National Insider Threat Policy*
Related controls 22
- AC-06 Least Privilege L M H P
- AT-02 Literacy Training and Awareness L M H P
- AU-06 Audit Record Review, Analysis, and Reporting L M H P
- AU-07 Audit Record Reduction and Report Generation L M H P
- AU-10 Non-repudiation L M H P
- AU-12 Audit Record Generation L M H P
- AU-13 Monitoring for Information Disclosure L M H P
- CA-07 Continuous Monitoring L M H P
- IA-04 Identifier Management L M H P
- IR-04 Incident Handling L M H P
- MP-07 Media Use L M H P
- PE-02 Physical Access Authorizations L M H P
- PM-16 Threat Awareness Program L M H P
- PS-03 Personnel Screening L M H P
- PS-04 Personnel Termination L M H P
- PS-05 Personnel Transfer L M H P
- PS-07 External Personnel Security L M H P
- PS-08 Personnel Sanctions L M H P
- SC-07 Boundary Protection L M H P
- SC-38 Operations Security L M H P
- SI-04 System Monitoring L M H P
- PM-14 Testing, Training, and Monitoring L M H P