The Insider Threat program, identified as Program Element (PE) 0305327N in the Navy's Research, Development, Test & Evaluation (RDT&E) budget, is designed to fulfill federal mandates under Executive Order 13587 and the National Insider Threat Policy. These directives require all U.S. government agencies to implement insider threat programs that monitor user activity on classified networks and provide analytic and response capabilities. The Department of the Navy's implementation is known as the Counter Insider Threat Capability (CITC), which aims to prevent, deter, detect, and respond to threats posed by both witting and unwitting insiders.
The primary objective of CITC is to develop, integrate, and test advanced technological solutions that protect Navy data, equipment, and personnel from insider threats. The core materiel solution supporting CITC is the Platform for Risk Evaluation and Engagement to Neutralize Threat (PREVENT), which consists of two main components: User Activity Monitoring (UAM) and an Integrated Tool Suite (ITS). UAM is responsible for monitoring user activity across classified Navy networks, while ITS provides the IT platform for analytic and response functions.
In fiscal years 2024 through 2026, the program's goals include continued migration of CITC capabilities to the NAVINTEL Cloud Ecosystem (NCE), ongoing testing and evaluation of major upgrades to the ITS and UAM solutions, and integration of these capabilities across key classified networks such as the Joint Worldwide Intelligence Communications System (JWICS) and the Secret Internet Protocol Router Network (SIPRNet). Additional objectives involve assessment and accreditation of PREVENT in the NCE cloud broker environment, as well as testing on afloat networks like CANES (Consolidated Afloat Networks and Enterprise Services).
Another significant focus is the research, development, and integration of enhanced testing environments within Navy networks. These efforts are intended to measure the health and performance of the UAM system, including policy effectiveness, network impacts, and dashboard availability metrics. The program also emphasizes reassessment and reaccreditation of the PREVENT capability to ensure ongoing compliance with evolving security standards and operational requirements.
The acquisition strategy for CITC is based on the IT Box model, which allows for incremental delivery of capabilities in response to rapidly changing requirements and technologies. Capability Drops (CDs) are used to deliver new functionalities, with each increment approved by the CITC Requirements Governance Board (RGB). Capability Drop-1 (CD-1) achieved Initial Operational Capability (IOC) by fielding Commercial-Off-The-Shelf (COTS) tools. Subsequent drops, such as CD-2 and CD-3, have expanded capabilities to include enhanced case management, additional ITS data sources, and automated/manual network Lightweight Directory Access Protocol (LDAP) data ingestion for entity resolution.
As the program transitions from the Middle Tier of Acquisition (MTA) authority to an Abbreviated Acquisition Program (AAP), the objective is to sustain existing capabilities while delivering incremental enhancements based on new or evolving requirements. This flexible approach ensures that the Navy's insider threat program remains responsive to emerging risks and technological advancements, supporting the broader goal of safeguarding classified information and critical assets.