[Congressional Record Volume 157, Number 190 (Monday, December 12, 2011)]
[House]
[Pages H8356-H8726]
CONFERENCE REPORT ON H.R. 1540, NATIONAL DEFENSE AUTHORIZATION ACT FOR
FISCAL YEAR 2012
Mr. McKEON submitted the following conference report and statement on
the bill (H.R. 1540) to authorize appropriations for fiscal year 2012
for military activities of the Department of Defense, for military
construction, and for defense activities of the Department of Energy,
to prescribe military personnel strengths for such fiscal year, and for
other purposes.
Conference Report (H. Rept. 112-329)
[...]
SEC. 922. INSIDER THREAT DETECTION.
(a) Program Required.--The Secretary of Defense shall
establish a program for information sharing protection and
insider threat mitigation for the information systems of the
Department of Defense to detect unauthorized access to, use
of, or transmission of classified or controlled unclassified
information.
(b) Elements.--The program established under subsection (a)
shall include the following:
(1) Technology solutions for deployment within the
Department of Defense that allow for centralized monitoring
and detection of unauthorized activities, including--
(A) monitoring the use of external ports and read and write
capability controls;
(B) disabling the removable media ports of computers
physically or electronically;
(C) electronic auditing and reporting of unusual and
unauthorized user activities;
(D) using data-loss prevention and data-rights management
technology to prevent the unauthorized export of information
from a network or to render such information unusable in the
event of the unauthorized export of such information;
(E) a roles-based access certification system;
(F) cross-domain guards for transfers of information
between different networks; and
(G) patch management for software and security updates.
(2) Policies and procedures to support such program,
including special consideration for policies and procedures
related to international and interagency partners and
activities in support of ongoing operations in areas of
hostilities.
(3) A governance structure and process that integrates
information security and sharing technologies with the
policies and procedures referred to in paragraph (2). Such
structure and process shall include--
(A) coordination with the existing security clearance and
suitability review process;
(B) coordination of existing anomaly detection techniques,
including those used in counterintelligence investigation or
personnel screening activities; and
[[Page H8429]]
(C) updating and expediting of the classification review
and marking process.
(4) A continuing analysis of--
(A) gaps in security measures under the program; and
(B) technology, policies, and processes needed to increase
the capability of the program beyond the initially
established full operating capability to address such gaps.
(5) A baseline analysis framework that includes measures of
performance and effectiveness.
(6) A plan for how to ensure related security measures are
put in place for other departments or agencies with access to
Department of Defense networks.
(7) A plan for enforcement to ensure that the program is
being applied and implemented on a uniform and consistent
basis.
(c) Operating Capability.--The Secretary shall ensure the
program established under subsection (a)--
(1) achieves initial operating capability not later than
October 1, 2012; and
(2) achieves full operating capability not later than
October 1, 2013.
(d) Report.--Not later than 90 days after the date of the
enactment of this Act, the Secretary shall submit to the
congressional defense committees a report that includes--
(1) the implementation plan for the program established
under subsection (a);
(2) the resources required to implement the program;
(3) specific efforts to ensure that implementation does not
negatively impact activities in support of ongoing operations
in areas of hostilities;
(4) a definition of the capabilities that will be achieved
at initial operating capability and full operating
capability, respectively; and
(5) a description of any other issues related to such
implementation that the Secretary considers appropriate.
(e) Briefing Requirement.--The Secretary shall provide
briefings to the Committees on Armed Services of the House of
Representatives and the Senate as follows:
(1) Not later than 90 days after the date of the enactment
of this Act, a briefing describing the governance structure
referred to in subsection (b)(3).
(2) Not later than 120 days after the date of the enactment
of this Act, a briefing detailing the inventory and status of
technology solutions deployment referred to in subsection
(b)(1), including an identification of the total number of
host platforms planned for such deployment, the current
number of host platforms that provide appropriate security,
and the funding and timeline for remaining deployment.
(3) Not later than 180 days after the date of the enactment
of this Act, a briefing detailing the policies and procedures
referred to in subsection (b)(2), including an assessment of
the effectiveness of such policies and procedures and an
assessment of the potential impact of such policies and
procedures on information sharing within the Department of
Defense and with interagency and international partners.
(f) Budget Submission.--On the date on which the President
submits to Congress the budget under section 1105 of title
31, United States Code, for each of fiscal years 2014 through
2019, the Secretary of Defense shall submit to the
congressional defense committees an identification of the
resources requested in such budget to carry out the program
established under subsection (a).
[...]
Insider threat detection (sec. 922)
The House bill contained a provision (sec. 922) that would
require the Secretary of Defense to establish a program for
information sharing protection and insider threat mitigation,
and to provide the congressional defense committees regular
briefings on the Secretary's strategy, strategy
implementation, and associated resources. In addition, annual
budget submissions must include identification of the
resources requested for the program.
The Senate amendment contained a similar provision (sec.
932).
The Senate recedes with an amendment that would
include several procedural and technical options for
countering the insider threat that were contained in the
Senate provision.
The conferees concur with the admonishment contained in the
Senate provision for the Department of Defense to fully
integrate its program to counter the insider threat with its
overall cybersecurity strategy and programs because of the
high degree of overlap between the two challenges.
[...]
