Research Questions
- What capabilities exist to combat insider threats in government, industry, and academia?
- What aspects of CE are being implemented in these sectors to address insider threats?
- What are the costs and benefits of CE?
- What aspects of CE could be implemented in the federal government in the future?
- What are the potential cost savings stemming from implementing CE in the federal government?
The United States currently employs a periodic and aperiodic investigative and adjudicative security clearance process with origins in the Second World War. Information systems and data — e.g., financial, legal, travel — on individuals have improved dramatically since the creation of this process. This exploratory project examines various continuous evaluation (CE) approaches to detecting insider threats that are available to the U.S. government and assesses the relevance of these approaches to the challenges posed by such insider threats. The authors considered CE cost estimates, examined efficacy and best practices, and assessed some of the practicalities of employing CE.
This report defines CE as a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility. There are potential benefits from CE in effectiveness and cost over the current method of granting security clearances to personnel based on periodic reinvestigation and readjudication. While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period. While the process of CE would be new, the substance is not, and, thus, if executed properly, CE would be no more invasive than current processes.
Key Findings
The current investigation and adjudication process is time-consuming
- There is a large backlog of investigations and periodic reinvestigations. As of 2018, there were approximately 416,000 unprocessed security clearance investigations and approximately 156,000 unprocessed periodic reinvestigations.
- The Office of Personnel Management, the organization that has had primary security clearance investigating responsibility, has faced resource reductions.
There are limitations and challenges to using CE in the federal government
- There is no commonly shared definition of insider threat across the government.
- Neither CE nor insider threat has been defined in statute.
- There are limited behavioral or technical data available to develop and deploy an effective and predictive CE monitoring tool.
- There is no centralized or authorized facility to receive anonymous reporting streams for individuals in either cleared or uncleared populations.
- There are privacy concerns for CE programs related to sharing personal or privileged individual data.
The cost over the long term for CE might be lower than the cost over the same period using current practices
- While exact costs and savings depend on CE packages selected and population size, estimates revealed that savings might be realized after six years and could be substantial (in the billions of dollars) over a longer period.
CE could be less invasive for the cleared population than current approaches
- The substance of the data CE reviews is not new; only the frequency with which the data are reviewed is.
Recommendations
- Establish a common definition of insider threat, such as "the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization or national security."
- Establish a common definition of CE, such as "a vetting and adjudication process to review on an ongoing basis the background of an individual who has been determined eligible for access to classified information or to hold a sensitive position at any time during the period of eligibility."
- Add negligence as a type of insider threat.
- Conduct a thorough academic and scientific review of behavioral approaches predicting insider threat behavior before it occurs.
- Increase the frequency of continuous monitoring efforts surrounding the period of an employee's termination in both public- and private-sector CE programs.
- Create a real-time reporting mechanism to supplement any future security clearance approach, including one involving CE.
- Study standards and establish authorities for access to all relevant nonfederal information that could inform the CE tool, such as local criminal records, mental health information, and significant financial activity.
- Prioritize resources and clearance reviews that present the most urgent investigative and adjudicative issues.
- Conduct a detailed cost-benefit analysis to determine projected programmatic costs.
- Fully implement security clearance reciprocity and suitability/fitness reciprocity among U.S. government departments and agencies and merge the security clearance and suitability/fitness programs and processes to improve coordination and gain maximum vetting value from collected data across programs, departments, and agencies.
Table of Contents
Insider Threat and Continuous Evaluation Defined
Background: Addressing Insider Threats
What Capabilities Exist to Combat Insider Threats?
How Is Continuous Evaluation Implemented Today?