Following the Executive Order 13587 by former President Barack Obama October 2011, the National Insider Threat Task Force (NITTF) was established.
All federal departments and agencies with classified networks were ordered to establish insider threat detection and prevention programs. The NITTF’s mission is to “develop a Government-wide insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.” (NCSC - NITTF).
In the Executive Order, the U.S. Attorney General and the Director of National Intelligence were ordered to co-chair the NITTF. The U.S. Attorney General and the Director of National Intelligence in turn decided that the Federal Bureau of Investigation (FBI) co-lead the daily NITTF activities together with the National Counterintelligence Executive (NCSC).
Why was NITTF established?
The NITTF was established as a response to thousands of unclassified and classified documents being uploaded to WikiLeaks. The interest for insider threat grew after the public leaks completed by former NSA System Administrator Edward Snowden and ex-soldier Chelsea Manning. The program was started to prevent further leaks that may be a threat to national security. Furthermore, the NITTF sets guidelines to assist, evaluate progress, and analyze existing and emerging insider threat challenges.
What is an insider threat to the U.S. Government?
An insider threat is someone who misuses or betrays their access to a U.S. Government resource–whether it is done in full awareness or without being aware (unintentionally). This means someone inside the U.S. Government is considered an insider threat if their access is being exploited. Threats include damage through “espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities” (NCSC - Mission Fact Sheet)
However, it is important to note that the insider threat programs analyzes malicious activities and behaviors, not individuals.
How does CNSSD 504 define User Activity Monitoring (UAM)?
The Committee on National Security Systems Directive 504 (CNSSD 504), is the directive describing the minimum measures each department or agency need to take to protect national security systems from insider threats.
CNSSD 504 defines UAM as “the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing US Government information in order to detect insider threats and to support authorized investigations.” (CNSSD 504 - Definitions).
At a minimum, each department and agency needs the technical capabilities to collect user activity data, including the following (CNSSD 504 Annex B):
Keystroke monitoring
Full application content, e.g. email, chat, data import, and data export
Screen capture
File shadowing for all lawful purposes, i.e. the ability to track documents when the names and locations have changed
All collected data must be attributable to a specific user
Who does CNSSD 504 apply to?
The policy is applicable to all executive branch departments and agencies with access to classified national security information and classified networks, according to National Insider Threat Policy Minimum Standards
How does Reveal fulfill the UAM requirements?
Reveal is compliant with the CNSSD 504 and meets the key UAM requirements defined by the NITTF.
Keystroke monitoring: With the Reveal Agent, you have several capabilities for monitoring, including keyboard typing pattern, keystroke analytics, and keyword blacklisting.
Full application content: With a full paper trail—even if the data is deleted or evidence is destroyed during an attack, you can see full application content and metadata. You have all the data structured, consistent, and continuous collected and reported in one place by collecting our own telemetry.
Screen capture: You can take a screenshot to capture an image of a user’s desktop based on automatic and manual real-time actions, In addition, motion screenshots shows the screen capture recording of when the policy was breached.
File shadowing for all lawful purposes: With files, you can do advanced (regex) and standard content inspection, track file types, content and name changes, as well as see how the files moves through your organization.
All collected data must be attributable to a specific user: With the Cyber Passport, all data collected and user activity is attributed to an individual. In the Cyber Passport’s activity feed you can see all user actions and alarms in logical sequence, including print, browser, file and integration events, as well as connections, logins, DNS lookups, USB events, applications, sensors, alarms and more.
In addition to meeting the minimum requirements, Next DLP is working towards the Maturity Framework to include human behavior models, risk scoring, and AI/ML capability to enhance and automate insider threat detection and response.
Frequently asked questions
What’s the goal of the National Insider Threat Task Force (NITTF)?
The NITTF is used to develop a government-wide insider threat program. The goal is to deter, detect, and mitigate insider threats. This includes safeguarding classified information from exploitation, compromise, or unauthorized disclosure.
The NITTF also provides guidelines, evaluates progress, and analyzes both existing and emerging insider threat challenges across federal departments and agencies.
What are the most common indicators of insider threats?
Common indicators of insider threats include unusual or unauthorized access to sensitive information, irregular work hours, downloading or transferring large amounts of data, accessing restricted websites or networks, and changes in behavior or performance. Monitoring these activities can detect potential insider threats early and prevent security breaches.
Can the NITTF help agencies create their own insider threat programs?
Yes, the NITTF is a suitable framework for insider threat mitigation. It provides guidelines, resources, and best practices for establishing and maintaining insider threat programs.
It conducts evaluations to ensure compliance with established standards and offers training and awareness programs to help agencies understand and mitigate insider threats. The NITTF also shares threat information and lessons learned across agencies to enhance overall security.
What are the technical requirements for User Activity Monitoring (UAM) under CNSSD 504?
Technical requirements include:
Tracking and recording keystrokes to detect unauthorized activities
Monitoring and capturing all application content, including emails, chat messages, and data transfers
Taking screenshots or recording user screens to provide visual evidence of activities
Tracking changes to files, including renaming, relocation, and content modifications
How can organizations ensure compliance with CNSSD 504 and NITTF?
CNSSD 504 and NITTF are complementary to each other. Complying with both will set your organization up for success, although you do need to stay on top of updates or changes to both requirements. Aside from keeping up with any updates, organizations can stay CNSSD 504 and NITTF compliant by:
Implementing comprehensive UAM solutions that meet all technical requirements
Conducting regular internal audits
Developing and enforcing data access, usage, and monitoring policies
