Coast Guard says it’s the first to achieve FOC on insider threat program

The Coast Guard says it’s the first agency in the Executive Branch to achieve full operating capability on its insider threat program.

The National Insider Threat Task Force evaluated the program earlier this year and called it the “gold standard” for small agencies, said Rear Adm. Robert Hayes, assistant commandant for intelligence at the Coast Guard, during a July 13 hearing before the House Homeland Security Committee.

Hayes said his agency is now at the point where it’s giving advice to other organizations about the implementation of their insider threat programs.

“We’ve advised the Department of Defense on the conduct of technical insider threat detection on classified computer systems at sea,” he said. “We’ve compared and contrasted best practices with other departments, and we’ve provided best practices to Executive Branch agencies, as well as some combatant commands.”


Since the Coast Guard fully stood up its insider threat program, it’s detected and prevented multiple threats, Hayes said. Most were non-malicious in nature, and ranged from system administrator abuse to password sharing.

This comes as the Homeland Security Department is making improvements to its insider threat program.

A DHS technical monitoring solution audited 33 million actions on the department’s enterprise classified networks in this fiscal year, Gen. Frank Taylor, undersecretary for intelligence and analysis at DHS, told the committee.

Roughly 215,000 of those actions required manual review from DHS analysts, and 72 of those led to further investigations.

Taylor said the DHS insider threat program identified 162 violations and supported 15 counterintelligence and internal investigations during the previous two fiscal years.

“DHS, as well as DoD and the intelligence community, are taking a more expansive view of the threat to include workplace violence, fraud, waste and abuse and other potential workforce corruption,” said Col. Richard McComb, the DHS chief security officer.

DHS is also working to automate its continuous evaluation program. McComb said once the program is fully up and running, anyone with a secret or above security clearance will be vetted against seven authoritative databases.

“If an individual indicates a hit from one of those databases, then the Department of Homeland Security, along with all the other departments who participate in this program, will be required to follow that lead, vet that individual and determine whether it has implications on their ability to perform their job and/or have access to national security information,” he said.

The Office of the Director of National Intelligence has until 2017 to put 5 percent of the federal workforce with top secret or sensitive security clearances under a continuous evaluation program. McComb said DHS is doing its part to make sure its systems are ready to handle that kind of activity.

“We … have already initiated the work to ensure that our IT systems allow us to receive those alerts from DNI automated program,” he said. “We’ll do a pilot program this year to start doing some of those continuous evaluations on our most sensitive population.”

DHS, and all other agencies, have been particularly focused on developing their own insider threat programs since a 2011 executive order from the Obama administration set governmentwide policy to detect, deter and prevent insider threats.

Challenges with culture, resources and legal questions are pushing agencies farther and farther off schedule in standing up their own insider threat programs.

Most departments have met the basic requirements, but many still haven’t, according to a first-quarter update to, the most recent one publicly available. The National Insider Threat Task Force (NITTF) is working “to address those issues as quickly as possible.”

Agencies were supposed to set up the basic requirements for their programs by January 2015 and achieve initial operating capability by December 2015.

The importance of the insider threat has taken on greater meaning in the wake of Edward Snowden and Aaron Alexis. The House committee was particularly concerned by recent reports that two people, one employee and one contractor, were found carrying a gun inside DHS headquarters within the past month.

The department is still investigating both matters. McComb said he would give the committee more information about the investigations in a closed setting, but he said he believes neither the employee nor the contractor intended to commit an act of workplace violence.