The Department of Homeland Security (DHS) Insider Threat Program (ITP) faces vulnerabilities because of DHS’s incomplete documentation and privacy monitoring procedures for the program, according to a May 24 Office of the Inspector General (OIG) report.
Former DHS Secretary Jeh Johnson signed a memorandum in January 2017 to expand ITP from monitoring cleared employee user activity on classified networks to include non-cleared employee activity on unclassified networks, with a pilot in the Office of the Chief Security Officer (OCSO) to test the expansion first.
However, the report found deficiencies in ITP’s ability to monitor, detect, and respond to internal threats on unclassified DHS systems in the pilot, which led OIG to recommend that DHS address the flagged issues in ITP before expanding it.
Specifically, OCSO has not revised, obtained approval for, and reissued required documentation, such as standard procedures, acquisition paperwork, and the systems engineering life cycle framework.
DHS also didn’t complete or revise ITP’s privacy threshold analysis, privacy impact assessment, system of records notification, and operating procedures to ensure ITP complies with privacy laws.
“As of November 2018, we had no evidence that the OCSO had submitted a revised Privacy Threshold Analysis (PTA) to the DHS Privacy Office to ensure the expanded ITP’s Privacy Impact Assessment (PIA) and System of Records Notice (SORN) are updated and the program complies with privacy laws,” OIG said. “Expanding the ITP to monitor non-cleared personnel at the components without first ensuring legally sufficient notice is provided … creates the potential for violations of the Fourth Amendment.”
OIG issued four recommendations, which ask OCSO to:
- Review DHS logon banners for unclassified systems at all components and determine their legal sufficiency;
- Revise and reissue DHS’s Information Sharing and Safeguard Program for ITP to include the expanded components of the January 2017 memorandum;
- Determine whether the expanded ITP is an acquisition program, what acquisition program level it is, and what phase of its acquisition life cycle ITP is in, which should be determined with the required framework documentation; and
- Work with the Office of Program Accountability and Risk Management to complete the required systems engineering life cycle framework.
DHS agreed it would strengthen ITP accordingly, adding that it’s taken steps to strengthen the program by working to update “required documentation to expand the scope of the ITP to the unclassified environment, obtaining DHS Privacy Office approval of PTA in March 2019, planning to finalize ITP SORN and standard operating procedures, and making progress in updating PIA, SORN and the Information Sharing and Safeguard Program.”