Insider Risk Management Program Office

Number: DOO 20-32

Effective Date: 2024-08-27

SECTION 1.  PURPOSE.

.01       This Order prescribes the functions, responsibilities, and organization of the Insider Risk Management Program Office (IRMPO).

SECTION 2.  SCOPE.

.01       IRMPO will follow the policies, procedures, and responsibilities as provided for in or authorized by this DOO to detect and mitigate impacts of a trusted insider who misuses their access to damage the security of the Department’s information, assets, technologies, capabilities, and resources.  For purposes of this DOO, trusted insiders include all persons with access to classified information, including any employees, contractors, guest researchers/scientists, experts, consultants, and trainees/students, in all Department operating units and the Office of the Secretary, who have an ongoing official association or that work directly on activities, projects, or programs of the Department (covered persons).

SECTION 3.  POLICY.

.01       This DOO implements Executive Order (E.O.) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, dated October 7, 2011, which requires agency implementation of an insider threat detection and prevention program, consistent with the National Insider Threat Task Force (NITTF) Government-wide program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies (insider risk program) and Presidential Memorandum of November 21, 2012, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, which requires agencies, in part, to establish an integrated capability to monitor and audit information for insider threat detection and mitigation, noting that critical program requirements include but are not limited to: (1) monitoring user activity on classified computer networks controlled by the Federal Government; (2) evaluation of personnel security information; (3) employee awareness training of the insider threat and employees' reporting responsibilities; and (4) gathering information for a centralized analysis, reporting, and response capability.

.02       In respect to E.O. 13587 and the Presidential Memorandum of November 21, 2012, by Secretarial Designation, dated July 18, 2022, the Deputy Assistant Secretary for Intelligence & Security (DAS I&S) is designated as the Senior Agency Official (SAO), responsible for overseeing: (1) classified information sharing efforts for the agency; and (2) the Department’s Insider Risk Management Program (IRMP).  The SAO is to make resource recommendations to the appropriate agency officials and establish and maintain an insider risk management program office under the Office of Intelligence and Security that runs the Department’s IRMP.  This program is established pursuant to the requirements set forth in the November 21, 2012, Memorandum on National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs; the Office of the Director of National Intelligence, NITTF standards; and where appropriate, program best practices.

.03       IRMPO’s purpose is to effectively and efficiently:

a.         Increase covered persons’ awareness of threats, vulnerabilities, and consequences to the Department associated with the insider risk, such as through training;

b.         Deter covered persons from becoming insider risks;

c.         Detect covered persons who pose an insider risk;

d.         Mitigate detected risks posed by an insider;

e.         Provide enhanced protection of classified and sensitive information; and

f.          Make and receive referrals relating to insider risk to or from the appropriate action offices.

.04       To ensure IRMPO activities are conducted in accordance with relevant legal authorities, IRMPO will consult with Department legal counsel and subject matter experts and officials when questions concerning the legality and propriety of IRMPO activities arise.

.05       The acquisition and use of personal information to detect and prevent insider risks is authorized under E.O. 13526, Classified National Security Information, and E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.  The SAO will consult with appropriate expert entities (to include NITTF) to establish procedures whereby collection of information will be subject to oversight by civil liberties and privacy authorities, and to ensure that personally identifiable information is only gathered and used for legitimate and authorized purposes; such information must be strictly controlled within IRMPO and in accordance with all applicable records retention policies and other legal requirements.

SECTION 4.  AUTHORITIES AND REFERENCES.

.01       Executive Order (E.O.) 13587 of October 7, 2011, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, including developing an insider threat detection and prevention program consistent with guidance developed by NITTF.

.02       Presidential Memorandum of November 21, 2012, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, including establishing an integrated capability to monitor and audit information for insider threat detection and mitigation.

.03       50 U.S.C. 3381(e), immediately advising the Federal Bureau of Investigation of certain unauthorized disclosures of classified information.

.04       National Security Directive - 42, National Policy for the Security of National Security Telecommunications and Information Systems, July 5, 1990, including policies and standards issued by the Committee on National Security Systems.

.05       E.O. 10450 of April 27, 1953, Security Requirements for Government Employment.

.06       E.O. 12333 of December 4, 1981, United States Intelligence Activities.

.07       E.O. 12829 of January 6, 1993, National Industrial Security Program.

.08       E.O. 12968 of August 2, 1995, Access to Classified Information.

.09       E.O. 13467 of June 30, 2008, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information; and E.O. 13526 of December 29, 2009, Classified National Security Information.

SECTION 5.  DEFINITIONS.

.01       Action Office is defined as the office or organization with the legal authority to take the action as proposed by IRMPO.  Action offices can include the Department’s internal operating units or other external federal, state, tribal, or local entities, depending on the action to be taken and that particular action office’s expertise and legal authority.

.02       Information refers to:

a.         Classified Information/Classified National Security Information (NSI): Information that Executive Order 13526, “Classified National Security Information,” December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires agencies to mark with classified markings and protect against unauthorized disclosure.

b.         Controlled Unclassified Information (CUI):  Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.  However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

c.         Any other communication or representation of knowledge, such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, electronic, or audiovisual forms, which is owned by, produced by or for, or is under the control of the U.S. Government.

.03       Insider is defined by the National Insider Threat Policy and Minimum Standards as “any person with authorized access to any United States Government resource to include personnel, facilities, information, equipment, networks or systems.”

.04       Insider threat is defined by the National Insider Threat Policy and Minimum Standards as “the threat that an insider will use her/his authorized access, wittingly or unwittingly, to do harm to the security of the United States.  This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of Departmental resources or capabilities.”

.05       Inquiries are defined as the systematic and lawful gathering of information by IRMPO to ascertain whether there is an insider risk following allegations, complaints, facts, circumstances, or indicators that a covered person is or may be engaged in actions constituting an insider risk; an inquiry results in one of the following: internal IRMPO resolution with no further action; internal IRMPO resolution with Departmental action, including referral to other appropriate Departmental action office(s); or IRMPO resolution with referral to an external action office.  Although IRMPO’s authorities only apply to covered persons, as part of these authorized activities, IRMPO may gather controlled unclassified information and other non-public information, as well as publicly-available information, or otherwise access the systems and networks where this non-classified information is stored.

.06       Criminal and Counterintelligence Investigations are defined as the gathering of facts to form a cohesive and logical picture of a given situation to assess criminal or counterintelligence matters.  IRMPO does not conduct criminal or counterintelligence investigations; such investigations are conducted by appropriate action offices with the proper law enforcement and/or counterintelligence authorities.

.07       Partners are defined as outside entities that work with IRMPO to resolve/mitigate an insider issue.  Partners could include external action offices that might receive information from IRMPO for their use in mitigating a risk or might provide information to IRMPO for use by the Department to mitigate an insider risk.

.08       Stakeholders are defined as Department operating units, including the Office of the Secretary, that are affected by an insider risk and who rely on IRMPO for assistance in mitigating said risk.

SECTION 6.  SENIOR AGENCY OFFICIAL’S RESPONSIBILITIES.

.01       The SAO will:

a.         Establish, maintain, and update a comprehensive IRMP and Insider Risk Implementation Plan for the Department and ensure that IRMP policies and procedures are developed and executed as approved by the Insider Risk Governance Board (IRGB) in accordance with national policies and interagency guidance; such policies must include internal guidelines and procedures for the implementation of standards contained in Presidential Memorandum of November 21, 2012, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs.  The Insider Risk Implementation Plan will ensure the creation of a program that focuses on deterring, detecting, and mitigating impacts of an insider risk.

b.         Provide an annual report to the Secretary of Commerce on the progress and status of the IRMP.  This report should include:

1.         Accomplishments;

2.         Resource allocation;

3.         Insider risks to the agency;

4.         Recommendations and goals for program improvement; and/or

5.         Major impediments or challenges. 

c.         Provide program management oversight and approve or deny recommendations from IRMPO or directly from the IRMPO Director.

d.         Supervise the IRMPO Director to manage issues under the mission, vision, and authorities as they pertain to E.O. 13587 and manage and oversee staffing, resources, policy, and other logistical and operational aspects of the program.

e.         Direct that a partnership with NITTF is maintained to ensure that the IRMP is effective and accountable.

f.          Ensure that classified or other databases, if any, that the IRMP should use in executing its duties are identified and that there are adequate policies and procedures governing the use of those databases.

g.         Define and track key performance indicators and metrics that will enable effective managerial and budgetary oversight of the IRMP.

h.         Establish standards for when and how matters that require law enforcement or Intelligence Community engagement can be transferred to external action offices with the relevant authority and expertise.

i.          Establish periodic review of all open inquiries in which IRMPO is involved.

j.          Establish a regular cadence for IRMPO compliance reviews by the Plans, Programs, and Compliance Division of the Office of Security (OSY).

k.         Develop training requirements for IRMPO personnel that comply with best practices.

l.          Convene a security and insider risk review board at least semiannually to review the performance, policies, and priorities of the Department’s security investigations and insider risk functions.  The IRGB, as described in Section 8 below, will serve this role.

m.        Establish oversight mechanisms and procedures to ensure that all data used for the IRMP is collected, retained, and destroyed in accordance with applicable laws, regulations, records schedules, and other legal requirements, including restricting access to only authorized personnel who require the information to perform their authorized duties.

n.         Work with the Department’s Office of Privacy and Open Government to ensure that appropriate Privacy Act systems of records are established and maintained for IRMP operations and ensure that IRMP operations are carried out in compliance with all applicable federal privacy laws and policies, including the Privacy Act of 1974, the privacy provisions of the E-Government Act of 2002, and the Office of Management and Budget’s related implementing guidance.

o.         Work with the Department’s Records Officer to ensure:

1.         Appropriate records retention schedules are selected or otherwise developed for the IRMP;

2.         All IRMPO staff receive appropriate training on records procedures; and

3.         The establishment of guidelines and procedures for the retention of records and documents necessary to complete assessments required by Executive Order 13587.

p.         Require annual training for IRMPO personnel on civil rights, civil liberties, privacy and data collection, implicit bias, and related issues.

SECTION 7.  INSIDER RISK MANAGEMENT PROGRAM OFFICE DIRECTOR RESPONSIBILITIES.

.01       The IRMPO Director will:

a.         Be responsible for the day-to-day operations of IRMPO, including deterrence, detection, and mitigation of insider risks;

b.         Provide oversight in the conduct of insider risk inquiries and ensure all IRMPO activities are in compliance with applicable laws and policies, including but not limited to privacy and civil rights and civil liberties protections, records retention and documentation, and appropriate Department operating units, offices, and business unit responsibilities;

c.         Represent the Department operating units, offices, and business units on matters as they relate to IRMPO;

d.         Represent the Department in interagency forums related to IRMPO;

e.         Act as an advocate and liaison for the IRMP to public and private partners to ensure development of and collaborative efforts for insider risk mitigation;

f.          Ensure compliance with all relevant laws and regulation, Department policies, E.O. 13587, the National Insider Threat Policy and Minimum Standards, and any future related requirement;

g.         Manage IRMPO’s operations consistent with this DOO and guidance from the IRGB and Insider Risk Advisory Hub (IRAH);

h.         Establish and administer an appropriate training program for IRMPO staff that includes information on civil rights, civil liberties, privacy and data collection, implicit bias, records retention, and related issues;

i.          Report regularly to the SAO, IRGB, and other Department Leadership regarding IRMP policies, procedures, efforts, and inquiries for oversight and support;

j.          Propose and execute approved policies and procedures for conducting insider risk activities; and

k.         Liaise with interagency insider risk program, law enforcement, counterintelligence, and intelligence community organizations as necessary for effective operation of the IRMP.

SECTION 8.  INSIDER RISK GOVERNANCE BOARD.

.01       The Insider Risk Governance Board (IRGB), governed by a charter, is a board of multidisciplinary senior Department officials responsible for the executive level oversight and strategic direction of the IRMP.  Specifically, the IRGB performs the following responsibilities:

a.         Provides strategic guidance to IRMPO and the SAO;

b.         Reviews and approves IRMPO policies, including policies for law enforcement referrals and user activity monitoring;

c.         Receives and considers recommendations from the Insider Risk Advisory Hub;

d.         Reviews IRMPO compliance audits as it relates to program management and accepts or modifies recommended corrective action, and monitors progress toward implementation of corrective action; and

e.         Approves potential data sources and database access for IRMPO use across all operations.

SECTION 9.  INSIDER RISK ADVISORY HUB.

.01       The Insider Risk Advisory Hub (IRAH), to be governed by a charter, consists of representatives of a cross-section of Departmental offices that will assist the SAO and IRMPO Director in the production of IRMPO policies, procedures, practices, and priorities for consideration by the IRGB and will serve as subject matter experts with the ability to provide insight into specific insider risk inquiries conducted by IRMPO.  The IRAH will monitor, assess, and analyze incoming information for insider risk detection and mitigation.  As such, the IRAH will support IRMPO as needed to manage the IRMP implementation efforts effectively and provide guidance and operational direction where applicable by ensuring policies are applied and assisting in operational decisions in a timely manner.

SECTION 10. INSIDER RISK MANAGEMENT PROGRAM OFFICE PERSONNEL.

.01       IRMPO Personnel will:

a.         Be responsible for intake of insider risk reports of anomalous behavior and/or activity, documentation of actions, analysis of relevant information, and make recommendations to the IRMPO Director and/or SAO;

b.         Act as the initial processing point for potential insider risk information gathered through reporting capabilities and data sources;

c.         Conduct inquiries using reporting capabilities and data sources to detect anomalous incidents and behavior, document activities, and provide analysis through the use of designated data sources;

d.         Serve, pursuant to IRGB-approved policies and IRAH guidance, as the coordinating office for law enforcement, counterintelligence, and intelligence agencies requesting assistance and information from the Department and its operating units, offices, and business units, when the request is directly related to counterintelligence or insider risk and a determination has been made by the requesting agency and the SAO that Department personnel possess special or relevant expertise or are otherwise directly related to the subject matter of the requesting agency’s activity.  All requests not specifically addressed by IRGB policies and IRAH guidance will be evaluated by the Office of the General Counsel; 

e.         Given that IRMPO conducts inquiries but not investigations, develop and execute policies and procedures for when and how matters or inquiries that require law enforcement or Intelligence Community engagement can be transferred to the appropriate action office with the relevant authority and expertise;

f.          Refer all data and analytics to the appropriate internal and external action office to support the mitigation process for anomalous insider risk behaviors, including recommendations for action to refer the inquiry to another agency to conduct an investigation;

g.         Maintain open communication with action offices to provide and receive regular updates on inquiries of insider risk behavior and/or incidents, as determined by the action office director;

h.         Meet regularly with other offices to provide updates and recommend actions on insider risk inquiries;

i.          Coordinate with subject matter experts trained in relevant topics and regulations as they relate to insider risk issues, including but not limited to the following areas of expertise:

1.         Counterintelligence, law enforcement, and security fundamentals;

2.         Administrative and criminal misconduct;

3.         Department procedures and policies;

4.         Applicable laws and regulations regarding the gathering, integration, retention, and disposition of records and documents collected through the insider risk inquiry process; and

5.         Applicable civil liberties and privacy laws, regulations, and policies;

j.          Develop and implement awareness and education materials and training on insider risk related issues for personnel;

k.         Provide in-person awareness briefings and computer-based trainings to promote detection and reporting of insider risk related activities or incidents;

l.          Coordinate with appropriate offices on Department-wide required trainings, which include but are not limited to Defensive-Counterintelligence and Insider Risk Awareness Training;

m.        Act as a liaison with the NITTF, U.S. Government agencies, and other public/private sector partners on educational and awareness-related insider risk mitigation; and

n.         Ensure, in the conduct of duties, the adherence to applicable civil liberties and privacy laws, regulations, and policies.

SECTION 11.  OPERATING UNIT INSIDER RISK COORDINATION.

.01       IRMPO will work with Department operating units, offices, and business units to develop plans and agreements that will ensure:

a.         Operating units without an internal insider risk management program will report insider risk concerns directly to IRMPO; and

b.         Operating units with an internal insider risk management program that is responsible for detecting, deterring, and mitigating insider risks within that operating unit will follow Department policies and procedures and will coordinate with IRMPO.

SECTION 12.  PROTECTION OF INFORMATION TECHNOLOGY RESOURCES.

.01       IRMPO, through SAO coordination, will work with the Department’s Office of the Chief Information Officer (OCIO), pursuant to DOO 15-23, Chief Information Officer, to achieve all relevant requirements for the protection of classified information, as required by Executive Order 13587, the Presidential Memorandum of November 21, 2012, or other duties as established by other Executive Orders, Presidential Memorandum, or statutes.  This may include, but is not limited to, access to results of user activity monitoring (UAM) of classified systems as well as separate audit data from both classified and unclassified information technology systems for covered persons, pursuant to relevant statutes, regulations, and Executive Orders.  The IRMPO Director and SAO will be guided by the safeguarding and utilization principles established in Sections 13, 14, and 15 of this DOO.

SECTION 13.  ACCESS TO INFORMATION.

.01       The IRMPO Director will:

a.         Collaborate with relevant Department operating units, offices, and partners to request all relevant data sources necessary to perform insider risk analysis.

b.         Facilitate the sharing of data sources for insider risk inquiries and establish procedures for obtaining this information, consistent with applicable laws, regulations, and policies.  Data sources do not include unauthorized data mining of information that is not in accordance with applicable laws, rules, regulations, and policies.  Data sources may include:

1.         Department Records to include human resources and/or security records, as determined necessary by the IRMPO Director;

2.         UAM data that identifies anomalous user behavior indicative of a potential insider risk;

3.         All relevant network information from classified systems to include, but is not limited to: personnel usernames, levels of network access, unauthorized use of removable media, network or system logs, and other data relevant to the insider risk inquiry; and

4.         Open source information relating to covered persons that is publicly available and acquired as part of an inquiry or to mitigate an insider risk.  Such information may include, but is not limited to, social media activity, blogs or electronic postings, and news outlet reports.  The collection of this information will be carried out in compliance with the Privacy Act of 1974, 5 U.S.C. § 552a, as amended, which prohibits maintaining records describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized criminal or counterintelligence investigation or IRMPO inquiry.

c.         Establish procedures for access requests by IRMPO involving particularly sensitive or protected information, which may require access be provided upon the request of the SAO, and the protection of the information received.  Such information includes: medical records and information held by special access, law enforcement, inspector general, or other investigative sources or programs.

d.         Ensure that IRMPO staff have timely access, as otherwise permitted, to available U.S. Government intelligence and counterintelligence reporting information and analytic products.

SECTION 14.  MONITORING USER ACTIVITY ON NETWORKS.

.01       The Insider Risk Management Program shall:

a.         Utilize OCIO’s UAM capability on Department-managed classified networks to detect activity indicative of insider risk behavior.

b.         Obtain approval from IRGB on policies and procedures related to the implementation, interpretation, protection, and storage of UAM information.  These policies and procedures will incorporate protections for legal, civil rights, civil liberties, and privacy interests. 

c.         While creating policies for protecting, interpreting, storing, and limiting access to UAM methods and results, develop with OCIO and the Office of the General Counsel agreements and procedures for operation of OCIO’s UAM capabilities and procedures for IRMPO analysis of UAM results from OCIO operations that are approved and overseen by the SAO, upon approval by the IRGB to ensure that legal, civil liberties, and privacy protections are properly incorporated and adhered to by IRMPO employees and stakeholders. 

SECTION 15.  PROTECTIVE MEASURES FOR SENSITIVE DATA COLLECTION.

.01       All IRMPO employees, stakeholders, and partners shall ensure the protection of all information, documents, files, and other materials related to IRMPO operations.  This includes subject and source identity, accusations of concerning behavior, acknowledgement of other office investigations, and anything potentially damaging to the process, inquiry, or subject. 

.02       All information and supporting materials obtained and/or documented in the course of IRMPO operations should be held in accordance with applicable laws, rules, regulations, and policies.

.03       Oversight mechanisms and procedures shall be followed to ensure the proper handling and safeguarding of records and data, including restriction of access to sensitive information, and will be shared only with IRMPO employees, stakeholders, and partners with a legal right to access the information. 

.04       IRMPO policies and procedures related to the protection and collection of sensitive information will be approved and overseen by the SAO, upon approval of the IRGB and any other relevant office to confirm that legal, civil liberties, and privacy protections are properly incorporated and adhered to by IRMPO employees and stakeholders.

.05       Any information collected or created by IRMPO will follow the Department’s record retention policies to ensure the proper protection, as required by the Federal Records Act and outlined in the Department’s organization and administrative orders and regulations, the Manual of Security Policies and Procedures as appropriate, and the Department’s System of Record Notices (SORNs).

SECTION 16.  EMPLOYEE TRAINING AND AWARENESS.

.01       IRMPO will ensure the following training and awareness requirements:

a.         Mandatory insider risk awareness training will, at a minimum, be provided to all covered persons with access to classified information within 30 days of entering on duty or following the granting of access to classified information, and annually thereafter, and will address the following:

1.         The significance and impact of Executive Order 13587;

2.         What constitutes an insider risk;

3.         Why it is important to detect potential insider risk;

4.         The indicators of insider risk behavior;

5.         The phases of recruiting trusted insiders;

6.         The procedures to report a suspected insider risk;

7.         The methodologies of adversaries to recruit trusted insiders and collect classified information; and

8.         The counterintelligence and security reporting requirements as applicable.

.02       In coordination with OCIO, an internal network will be maintained and made available to all authorized users of the network to provide insider risk reference material, including indicators of insider risk behavior, applicable reporting requirements and procedures, and provide a secure electronic means of reporting matters to IRMPO;

.03       In-person briefings for Department operating units, offices, and operating units will be conducted upon request to provide in-depth coverage of the Program and mission;

.04       Assistance to overseas and domestic posts and facilities will be provided to support strong defensive educational programs for employees; and

.05       The Department continues to expand, enhance, and augment its risk briefings and related user awareness products on the nature and scope of insider risk.

SECTION 17.  EFFECT ON OTHER ORDERS.

.01       Nothing in this Order shall have the effect of, or be construed as, an exception to the responsibilities and authorities of any other DOO or DAO.  With respect to Insider Risk matters that also involve fraud, waste, or abuse, the IRMPO Director shall consult with the Office of Inspector General, which has the right of first refusal in investigating allegations involving any Department employee, contractor, or grantee.

Signed by: Chief Financial Officer and Assistant Secretary for Administration