H. Rept. 114-321 - DEPARTMENT OF HOMELAND SECURITY INSIDER THREAT AND MITIGATION ACT OF 2015114th Congress (2015-2016)
Committee Report
Hide Overview icon-hideReport Type: | House Report |
---|---|
Accompanies: | H.R.3361 |
Committees: |
Reports for H.R.3361
Report text available as:
- TXT
(PDF provides a complete and accurate display of this text.) Tip?
114th Congress} {Report HOUSE OF REPRESENTATIVES 1st Session } {114-321 ====================================================================== DEPARTMENT OF HOMELAND SECURITY INSIDER THREAT AND MITIGATION ACT OF 2015 _______ November 2, 2015.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______ Mr. McCaul, from the Committee on Homeland Security, submitted the following R E P O R T together with DISSENTING VIEWS [To accompany H.R. 3361] [Including cost estimate of the Congressional Budget Office] The Committee on Homeland Security, to whom was referred the bill (H.R. 3361) to amend the Homeland Security Act of 2002 to establish the Insider Threat Program, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass. CONTENTS Page Purpose and Summary.............................................. 3 Background and Need for Legislation.............................. 3 Hearings......................................................... 5 Committee Consideration.......................................... 5 Committee Votes.................................................. 5 Committee Oversight Findings..................................... 5 New Budget Authority, Entitlement Authority, and Tax Expenditures 5 Congressional Budget Office Estimate............................. 6 Statement of General Performance Goals and Objectives............ 6 Duplicative Federal Programs..................................... 7 Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits....................................................... 7 Federal Mandates Statement....................................... 7 Preemption Clarification......................................... 7 Disclosure of Directed Rule Makings.............................. 7 Advisory Committee Statement..................................... 7 Applicability to Legislative Branch.............................. 7 Section-by-Section Analysis of the Legislation................... 8 Changes in Existing Law Made by the Bill, as Reported............ 10 Dissenting Views................................................. 13 The amendment is as follows: Strike out all after the enacting clause and insert the following: SECTION 1. SHORT TITLE. This Act may be cited as the ``Department of Homeland Security Insider Threat and Mitigation Act of 2015''. SEC. 2. ESTABLISHMENT OF INSIDER THREAT PROGRAM. (a) In General.--Title I of the Homeland Security Act of 2002 (6 U.S.C. 111 et seq.) is amended by adding at the end the following new section: ``SEC. 104. INSIDER THREAT PROGRAM. ``(a) Establishment.--The Secretary shall establish an Insider Threat Program within the Department. Such Program shall-- ``(1) provide training and education for Department personnel to identify, prevent, mitigate, and respond to insider threat risks to the Department's critical assets; ``(2) provide investigative support regarding potential insider threats that may pose a risk to the Department's critical assets; and ``(3) conduct risk mitigation activities for insider threats. ``(b) Steering Committee.-- ``(1) In general.--The Secretary shall establish a Steering Committee within the Department. The Under Secretary for Intelligence and Analysis shall serve as the Chair of the Steering Committee. The Chief Security Officer shall serve as the Vice Chair. The Steering Committee shall be comprised of representatives of the Office of Intelligence and Analysis, the Office of the Chief Information Officer, the Office of the General Counsel, the Office for Civil Rights and Civil Liberties, the Privacy Office, the Office of the Chief Human Capital Officer, the Office of the Chief Financial Officer, the Federal Protective Service, the Office of the Chief Procurement Officer, the Science and Technology Directorate, and other components or offices of the Department as appropriate. Such representatives shall meet on a regular basis to discuss cases and issues related to insider threats to the Department's critical assets, in accordance with subsection (a). ``(2) Responsibilities.--Not later than one year after the date of the enactment of this section, the Under Secretary for Intelligence and Analysis and the Chief Security Officer, in coordination with the Steering Committee established pursuant to paragraph (1), shall-- ``(A) develop a holistic strategy for Department-wide efforts to identify, prevent, mitigate, and respond to insider threats to the Department's critical assets; ``(B) develop a plan to implement the insider threat measures identified in the strategy developed under subparagraph (A) across the components and offices of the Department; ``(C) document insider threat policies and controls; ``(D) conduct a baseline risk assessment of insider threats posed to the Department's critical assets; ``(E) examine existing programmatic and technology best practices adopted by the Federal Government, industry, and research institutions to implement solutions that are validated and cost-effective; ``(F) develop a timeline for deploying workplace monitoring technologies, employee awareness campaigns, and education and training programs related to identifying, preventing, mitigating, and responding to potential insider threats to the Department's critical assets; ``(G) require the Chair and Vice Chair of the Steering Committee to consult with the Under Secretary for Science and Technology and other appropriate stakeholders to ensure the Insider Threat Program is informed, on an ongoing basis, by current information regarding threats, beset practices, and available technology; and ``(H) develop, collect, and report metrics on the effectiveness of the Department's insider threat mitigation efforts. ``(c) Report.--Not later than two years after the date of the enactment of this section and the biennially thereafter for the next four years, the Secretary shall submit to the Committee on Homeland Security and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on Homeland Security and Governmental Affairs and the Select Committee on Intelligence of the Senate a report on how the Department and its components and offices have implemented the strategy developed under subsection (b)(2)(A), the status of the Department's risk assessment of critical assets, the types of insider threat training conducted, the number of Department employees who have received such training, and information on the effectiveness of the Insider Threat Program, based on metrics under subsection (b)(2)(H). ``(d) Definitions.--In this section: ``(1) Critical assets.--The term `critical assets' means the people, facilities, information, and technology required for the Department to fulfill its mission. ``(2) Insider.--The term `insider' means-- ``(A) any person who has access to classified national security information and is employed by, detailed to, or assigned to the Department, including members of the Armed Forces, experts or consultants to the Department, industrial or commercial contractors, licensees, certificate holders, or grantees of the Department, including all subcontractors, personal services contractors, or any other category of person who acts for or on behalf of the Department, as determined by the Secretary; or ``(B) State, local, tribal, territorial, and private sector personnel who possess security clearances granted by the Department. ``(3) Insider threat.--The term `insider threat' means the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States, including damage to the United States through espionage, terrorism, the unauthorized disclosure of classified national security information, or through the loss or degradation of departmental resources or capabilities.''. (b) Clerical Amendment.--The table of contents of the Homeland Security Act of 2002 is amended by inserting after the item relating to section 103 the following new item: ``Sec. 104. Insider Threat Program.''. Purpose and Summary The purpose of H.R. 3361, the ``Department of Homeland Security Insider Threat and Mitigation Act'' is to amend the Homeland Security Act of 2002 to establish an Insider Threat program at the Department of Homeland Security (DHS). The bill mandates employee education and training programs, and establishes an internal DHS Steering Committee to manage and coordinate DHS activities related to insider threat issues. Background and Need for Legislation Over the last six years several acts of espionage and workplace violence committed by U.S. government employees have caused grave damage to U.S. national security and taken American lives. U.S. Army PFC Bradley Manning provided thousands of classified government documents to WikiLeaks, which were subsequently published. Edward Snowden continues to hide from prosecution in Russia for stealing and later releasing classified information related to sensitive national security programs. Aaron Alexis, who held a Secret security clearance while working as a contractor at the Washington Navy Yard, killed 12 people during a rampage in 2013. All three of these individuals were vetted, trusted U.S. security professionals who abused that trust and committed heinous acts. Furthermore, these events underscore the importance of identifying potential insider threats that could put Department and its employees at risk. An official from the Office of Director of National Intelligence (ODNI) testified before this Subcommittee in 2013 that, ``damage assessments regarding individuals involved in unauthorized disclosures of classified information or acts of workplace violence have uncovered information that was not discovered during the existing security clearance process. Timely knowledge of such information might have prompted a security review or increased monitoring of the individual.''\1\ A recent survey of 150 Federal information technology managers, including those from the defense and intelligence communities, showed that 29 percent of the agencies had suffered a loss of data due to an insider over the last year.\2\ --------------------------------------------------------------------------- \1\Brian Prioletti, Assistant Director, Special Security Directorate, Office of National Counterintelligence Executive, Office of the Director for National Intelligence, Testimony before the Committee on Homeland Security, Subcommittee on Counterterrorism and Intelligence, November 13, 2013. \2\Aaron Boyd, ``Survey: Insider threats target nearly half of agencies'', C4ISR Networks, September 14, 2015, available at: http:// www.c4isrnet.com/story/military-tech/it/2015/09/14/us-government- insider-threats-survey/72254846/. --------------------------------------------------------------------------- The Department of Homeland Security Insider Threat and Mitigation Act of 2015 establishes an Insider Threat program at DHS to provide a foundation for the Secretary to secure DHS facilities and its workforce. It creates a multidisciplinary steering committee to coordinate insider threat efforts across the Department by developing a holistic strategy for the Department to identify, prevent, mitigate and respond to insider threats to its critical assets. In order for DHS to protect itself against two common threats--malicious insiders and external cybercriminals--it is important that the Department complete the process to identify and secure those critical assets and related infrastructure components that it depends on to fulfill its responsibility of ensuring homeland security and public safety, as well as the security of its workforce. This bill directs the Department to conduct a risk assessment of its critical assets which includes the Department's information, networks, facilities, and its workforce. Insider threats are very difficult to discover through technology alone, and many leaks are unintentional in nature, therefore a key element of any insider threat program is training and employee awareness. Research at Carnegie Mellon University's Computer Emergency Response Teams has shown that most insider threats are first detected by other users who note and report something suspicious. Users need training and awareness to know what to look out for and to report it in the appropriate manner.\3\ The bill requires both to ensure that personnel understand how their use of DHS networks will be monitored, as well as what workplace behavior may be indicative of a potential insider threat. --------------------------------------------------------------------------- \3\Jon Ramsey, ``Empower Workers to Take Ownership of Cybersecurity'', Dell.com, October 2, 2015, available at: https:// powermore.dell.com/technology/empower-workers-to-take-ownership-of- cybersecurity/. --------------------------------------------------------------------------- The bill ensures that insider threat best practices are standardized and implemented across the DHS enterprise, and that all relevant stakeholders who possess information pertinent to insider threat, have a seat at the table and contribute to the program's effectiveness. Additionally, this bill provides the authorities and direction DHS needs to develop a robust, holistic insider threat program. The legislation focuses on: Building a proper governance structure; assessing the Department's critical assets so it can prioritize appropriately; and training the Department's workforce--three pillars of a successful insider threat program that seeks to protect the Department's workforce, its information, and its physical assets. Hearings The Committee did not hold any hearing specifically on H.R.3361, however, the Committee did hold the following oversight hearing in the 113th Congress: On November 13, 2013, the Subcommittee on Counterterrorism and Intelligence held a hearing entitled, ``The Insider Threat to Homeland Security: Examining Our Nation's Security Clearances Processes.'' The Subcommittee received testimony from Mr. Merton W. Miller, Associate Director of Investigations, Federal Investigative Services, U.S. Office of Personnel Management; Mr. Gregory Marshall, Chief Security Officer, U.S. Department of Homeland Security; Mr. Brian Prioletti, Assistant Director, Special Security Directorate, National Counterintelligence Executive, Office of the Director of National Intelligence; Ms. Brenda Farrell, Director, Military and DOD Civilian Personnel Issues, U.S. Government Accountability Office. Committee Consideration The Committee met on September 30, 2015, to consider H.R. 3361, and ordered the measure to be reported to the House with a favorable recommendation, as amended, by voice vote. The Committee took the following actions: The following amendments were offered: An Amendment in the Nature of a Substitute offered by Mr. Katko listed on the roster as by Mr. King of New York (#1); was AGREED TO by voice vote. The Subcommittee on Counterterrorism and Intelligence met on September 17, 2015, to consider H.R. 3361 and reported the measure to the Full Committee with a favorable recommendation, as amended, by voice vote. The following amendment was offered: An Amendment in the Nature of a Substitute offered by Mr. King of New York (#1); was AGREED TO by voice vote. Committee Votes Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during the Committee consideration of H.R. 3361. Committee Oversight Findings Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report. New Budget Authority, Entitlement Authority, and Tax Expenditures In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that H.R. 3361, the Department of Homeland Security Insider Threat and Mitigation Act of 2015, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues. Congressional Budget Office Estimate The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974. U.S. Congress, Congressional Budget Office, Washington, DC, October 23, 2015. Hon. Michael McCaul, Chairman, Committee on Homeland Security, House of Representatives, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 3361, the Department of Homeland Security Insider Threat and Mitigation Act of 2015. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz. Sincerely, Keith Hall. Enclosure. H.R. 3361--Department of Homeland Security Insider Threat and Mitigation Act of 2015 H.R. 3361 would direct the Department of Homeland Security (DHS) to establish a program to protect the department's critical assets from insider threats (that is, harmful activities by department employees and certain other persons with access to classified information). DHS is currently carrying out activities similar to those required by the bill, and CBO estimates that implementing H.R. 3361 would not significantly affect spending by DHS. Because enacting the legislation would not affect direct spending or revenues, pay- as-you-go procedures do not apply. CBO estimates that enacting H.R. 3361 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2026. H.R. 3361 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments. The CBO staff contact for this estimate is Mark Grabowicz. The estimate was approved by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis. Statement of General Performance Goals and Objectives Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, H.R. 3361 contains the following general performance goals and objectives, including outcome related goals and objectives authorized. The goal of H.R. 3361 is to establish a Department-wide Insider Threat program at DHS that reports to the Secretary, and is managed by the Undersecretary for Intelligence and Analysis and the Chief Security Officer. H.R. 3361 ensures that a robust, standardized program is implemented across the Department and its Component organizations by establishing a Steering Committee that consists of Department principals, who coordinate insider threat efforts across the Department and review insider threat cases and issues related to the Department's critical assets. The bill assigns a number of tasks to the Steering Committee including developing a comprehensive strategy to identify, prevent, mitigate, and respond to insider threat to the Department and its employees, and conducting a risk assessment of the Department's critical assets. H.R. 3361 also requires the Secretary to report to Congress on the Department's insider threat strategy, the status of the Department's risk assessment of critical assets, training of Department employees and contractors, and information on the effectiveness of the program. Duplicative Federal Programs Pursuant to clause 3(c) of rule XIII, the Committee finds that H.R. 3361 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of the rule XXI. Federal Mandates Statement The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act. Preemption Clarification In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that H.R. 3361 does not preempt any State, local, or Tribal law. Disclosure of Directed Rule Makings The Committee estimates that H.R. 3361 would require no directed rule makings. Advisory Committee Statement No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation. Applicability to Legislative Branch The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act. Section-by-Section Analysis of the Legislation Section 1. Short title This section provides that bill may be cited as the ``Department of Homeland Security Insider Threat and Mitigation Act of 2015''. Sec. 2. Establishment of Insider Threat Program This section amends Title I of the Homeland Security Act of 2002 (6 U.S.C. 111 et seq.) by adding the following new section: ``Sec. 104. Insider Threat Program. Section 104 directs the Secretary of Homeland Security to establish an insider threat program at the Department. The purpose of the program is to provide training and education to Department personnel regarding insider threats to the Department's critical assets, which include its people, facilities, and sensitive data; provide support to insider threat investigations that may pose a risk to the Department's critical assets; and conduct risk mitigation for potential insider threats. The Committee believes that an insider threat program is necessary to standardize efforts Department-wide. The Committee is concerned that progress across the Department's component agencies has been uneven and requires more centralized coordination to ensure that all offices within the Department reach a baseline standard of effectiveness. The Committee strongly believes that while insiders with malicious intent have caused the most serious damage to national security and American lives, most gaps that allow insiders to conduct their nefarious work are often caused by unwitting employees who are not properly trained. The purpose of this program is not only to identify and prevent insiders from damaging the United States, but also to spot individuals who may demonstrate tendencies of an insider threat, and intervene through contact with an investigator to mitigate the activity through education and increased awareness. This section also creates a Steering Committee within the Department to coordinate insider threat efforts across the Department, and review insider threat cases and issues related to the Department's critical assets. The Steering Committee is chaired by the Under Secretary for Intelligence and Analysis, and the Chief Security Officer serves as the Vice-Chair. The Steering Committee's membership includes relevant stakeholders from across the Department and its component organizations that hold pertinent information to insider threats. The Committee believes that a designated Steering Committee, chaired by the Under Secretary for Intelligence and Analysis, and the Chief Security Officer, with a mandate to develop, execute and manage the daily operations of the Department's Insider Threat program, will ensure that a comprehensive strategy is developed, and a thorough assessment of the Department's critical assets is conducted. The Committee also believes that the Steering Committee should be responsible for issuing guidance and training related to insider threats Department-wide to ensure that all employees and contractors achieve a consistent-level of understanding and awareness about the program. It is the Committee's intention that the membership of the Steering Committee includes all relevant stakeholders within the Department that possess information pertinent to operating an effective insider threat program. The Committee believes that adding members to the Steering Committee should be at the discretion of the Secretary as the Department's needs and resources evolve. Additionally, this section defines the responsibilities for the Steering Committee, including to: (A) Develop a holistic strategy for the Department to identify, prevent, mitigate and respond to insider threats to its critical assets; (B) develop a plan to implement the strategy across the component organizations and offices of the Department; (C) document insider threat policies; (D) conduct a baseline risk assessment of insider threats posed to the Department's critical assets; (E) leverage best practices and technology from across the Federal Government, industry, and the research community to implement insider threat solutions that are validated and cost- effective; (F) develop a timeline for deploying workplace monitoring technologies, awareness campaigns, and insider threat training; (G) consult with the Under Secretary of Science and Technology to stay current on insider threats, best practices and technology related to insider threats; and (H) develop and report on metrics that indicate the effectiveness of the program. In addition to the Department's networks, information and technology, the Committee believes that the Department's critical assets include its workforce and physical assets. It is important that the Department consider all its assets when conducting its risk assessment so that it can prioritize and allocate resources accordingly. As part of leveraging best practices and technology, the Committee notes that according to a survey of Federal IT managers, more than 40 percent of Federal agencies don't track data assets on their networks, and therefore they cannot be sure when and how specific documents are shared or otherwise exfiltrated.\4\ The Committee remains concerned that DHS' inability to track sensitive documents could allow it to be victimized by a malicious insider and suffer damage similar in scale to WikiLeaks or the Snowden crime. The Committee strongly recommends that DHS develop a plan to secure its proprietary content and documents so that it can monitor the Department's most sensitive digital content, personally identifiable information (PII) and classified information at all times while in transit on a network, and in storage. --------------------------------------------------------------------------- \4\Aaron Boyd, ``Survey: Insider threats target nearly half of agencies'', C4ISR Networks, September 14, 2015, available at: http:// www.c4isrnet.com/story/military-tech/it/2015/09/14/us-government- insider-threats-survey/72254846/. --------------------------------------------------------------------------- Furthermore, this section requires the Secretary to submit a report to Congress no later than two years after the date of enactment that describes how the Department and its components have implemented the insider threat strategy, the status of the Department's risk assessment of critical assets, training that has been provided to Department employees, and information on the effectiveness of the program. The Committee believes that the required report in this subsection will assist the Department in articulating its insider threat strategy, how it intends to increase awareness of the problem and train employees on how to identify and report signs of an insider threat, and collect data that will help it evaluate the effectiveness of the program as a whole. Finally, this section provides for definitions used in this section including: ``critical assets,'' ``insider,'' and ``insider threat.'' Changes in Existing Law Made by the Bill, as Reported In compliance with clause 3(e) of rule XIII of the Rules of the House of Representatives, changes in existing law made by the bill, as reported, are shown as follows (new matter is printed in italic and existing law in which no change is proposed is shown in roman): HOMELAND SECURITY ACT OF 2002 SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) Short Title.--This Act may be cited as the ``Homeland Security Act of 2002''. (b) Table of Contents.--The table of contents for this Act is as follows: * * * * * * * TITLE I--DEPARTMENT OF HOMELAND SECURITY * * * * * * * Sec. 104. Insider Threat Program. * * * * * * * TITLE I--DEPARTMENT OF HOMELAND SECURITY * * * * * * * SEC. 104. INSIDER THREAT PROGRAM. (a) Establishment.--The Secretary shall establish an Insider Threat Program within the Department. Such Program shall-- (1) provide training and education for Department personnel to identify, prevent, mitigate, and respond to insider threat risks to the Department's critical assets; (2) provide investigative support regarding potential insider threats that may pose a risk to the Department's critical assets; and (3) conduct risk mitigation activities for insider threats. (b) Steering Committee.-- (1) In general.--The Secretary shall establish a Steering Committee within the Department. The Under Secretary for Intelligence and Analysis shall serve as the Chair of the Steering Committee. The Chief Security Officer shall serve as the Vice Chair. The Steering Committee shall be comprised of representatives of the Office of Intelligence and Analysis, the Office of the Chief Information Officer, the Office of the General Counsel, the Office for Civil Rights and Civil Liberties, the Privacy Office, the Office of the Chief Human Capital Officer, the Office of the Chief Financial Officer, the Federal Protective Service, the Office of the Chief Procurement Officer, the Science and Technology Directorate, and other components or offices of the Department as appropriate. Such representatives shall meet on a regular basis to discuss cases and issues related to insider threats to the Department's critical assets, in accordance with subsection (a). (2) Responsibilities.--Not later than one year after the date of the enactment of this section, the Under Secretary for Intelligence and Analysis and the Chief Security Officer, in coordination with the Steering Committee established pursuant to paragraph (1), shall-- (A) develop a holistic strategy for Department-wide efforts to identify, prevent, mitigate, and respond to insider threats to the Department's critical assets; (B) develop a plan to implement the insider threat measures identified in the strategy developed under subparagraph (A) across the components and offices of the Department; (C) document insider threat policies and controls; (D) conduct a baseline risk assessment of insider threats posed to the Department's critical assets; (E) examine existing programmatic and technology best practices adopted by the Federal Government, industry, and research institutions to implement solutions that are validated and cost-effective; (F) develop a timeline for deploying workplace monitoring technologies, employee awareness campaigns, and education and training programs related to identifying, preventing, mitigating, and responding to potential insider threats to the Department's critical assets; (G) require the Chair and Vice Chair of the Steering Committee to consult with the Under Secretary for Science and Technology and other appropriate stakeholders to ensure the Insider Threat Program is informed, on an ongoing basis, by current information regarding threats, beset practices, and available technology; and (H) develop, collect, and report metrics on the effectiveness of the Department's insider threat mitigation efforts. (c) Report.--Not later than two years after the date of the enactment of this section and the biennially thereafter for the next four years, the Secretary shall submit to the Committee on Homeland Security and the Permanent Select Committee on Intelligence of the House of Representatives and the Committee on Homeland Security and Governmental Affairs and the Select Committee on Intelligence of the Senate a report on how the Department and its components and offices have implemented the strategy developed under subsection (b)(2)(A), the status of the Department's risk assessment of critical assets, the types of insider threat training conducted, the number of Department employees who have received such training, and information on the effectiveness of the Insider Threat Program, based on metrics under subsection (b)(2)(H). (d) Definitions.--In this section: (1) Critical assets.--The term ``critical assets'' means the people, facilities, information, and technology required for the Department to fulfill its mission. (2) Insider.--The term ``insider'' means-- (A) any person who has access to classified national security information and is employed by, detailed to, or assigned to the Department, including members of the Armed Forces, experts or consultants to the Department, industrial or commercial contractors, licensees, certificate holders, or grantees of the Department, including all subcontractors, personal services contractors, or any other category of person who acts for or on behalf of the Department, as determined by the Secretary; or (B) State, local, tribal, territorial, and private sector personnel who possess security clearances granted by the Department. (3) Insider threat.--The term ``insider threat'' means the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States, including damage to the United States through espionage, terrorism, the unauthorized disclosure of classified national security information, or through the loss or degradation of departmental resources or capabilities. * * * * * * * Dissenting Views Though I am supportive of the insider threat program that is currently in operation at the Department of Homeland Security (DHS), I reluctantly voted ``no'' when H.R. 3361 was considered on September 30th by the Full Committee. At the time, I expressed disappointment that the Majority would not agree to clarify that H.R. 3361 authorizes the current DHS insider threat program and does not authorize the establishment of a continuous evaluation program that subjects certain personnel to ongoing automated credit, criminal, and social media monitoring. DHS' current insider threat program is properly targeted at preventing and detecting when a person with authorized access to U.S. Government resources, to include personnel, facilities, information, equipment, networks, and systems, uses that access to harm the security of the United States. In response to high profile incidents involving the misappropriation of classified and sensitive material by Edward Snowden and Bradley Manning, Federal agencies have, increasingly, sought to establish continuous evaluation programs to monitor personnel with security clearances or in positions of trust on an ongoing basis through automated systems. The Department of Defense, in particular, has pursued this capability and is currently gathering credit, financial, travel information as well as criminal records from both public and private databases, including social media, for more than 100,000 individuals who are eligible for access to classified information. While I appreciate that the standard periods for recurrent checks may need to be adjusted to enhance detection of potential issues, it is incumbent upon Congress to ensure that any adjustments to the longstanding security clearance system be transparent and effective, with minimum disruption to the important work undertaking by the Federal workforce. I strongly believe that, as authorizers, we have a responsibility, to have an open conversation with the Department about the potential costs, both financial and to the stability of the security-cleared workforce, as well as the potential benefits of erecting such a system prior to authorizing DHS to move forward with it. Unfortunately, without clarifying language, H.R. 3361 could be interpreted to authorize DHS to move forward with a continuous evaluation program without our Committee setting forth our expectations are for such a system. For these reasons, I reluctantly oppose H.R. 3361. Bennie G. Thompson. [all]