Updated: Mar 20, 2024

NITTF & CNSSD 504: Everything you need to know


What is NITTF?

The National Insider Threat Task Force (NITTF) was established following Executive Order 13587, signed by former President Barack Obama in October 2011.

All federal departments and agencies with classified networks were ordered to establish insider threat detection and prevention programs. The NITTF’s mission is to “develop a Government-wide insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies.” (NCSC - NITTF).

The Executive Order directed the U.S. Attorney General and the Director of National Intelligence to co-chair the NITTF. They in turn decided that the Federal Bureau of Investigation (FBI) would co-lead the daily NITTF activities together with the National Counterintelligence Executive (NCSC).


Why was NITTF established?

The NITTF was established in response to thousands of unclassified and classified documents being uploaded to WikiLeaks. Interest in insider threats grew after the public leaks by former NSA system administrator Edward Snowden and former soldier Chelsea Manning. The program was started to prevent further leaks that could threaten national security. The NITTF also sets guidelines to assist agencies, evaluate their progress, and analyze existing and emerging insider threat challenges.

What is an insider threat to the U.S. Government?

An insider threat is someone who misuses or betrays their access to a U.S. Government resource, whether knowingly or unintentionally. In other words, someone inside the U.S. Government is considered an insider threat if their access is being exploited. Threats include damage through “espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities” (NCSC - Mission Fact Sheet).

However, it is important to note that insider threat programs analyze malicious activities and behaviors, not individuals.

How does CNSSD 504 define User Activity Monitoring (UAM)?

The Committee on National Security Systems Directive 504 (CNSSD 504) is the directive describing the minimum measures each department or agency needs to take to protect national security systems from insider threats.

CNSSD 504 defines UAM as “the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing US Government information in order to detect insider threats and to support authorized investigations.” (CNSSD 504 - Definitions).

At a minimum, each department and agency needs the technical capabilities to collect user activity data, including the following (CNSSD 504 Annex B):

  • Keystroke monitoring

  • Full application content, e.g. email, chat, data import, and data export

  • Screen capture

  • File shadowing for all lawful purposes, i.e. the ability to track documents when the names and locations have changed

  • All collected data must be attributable to a specific user

Who does CNSSD 504 apply to?

The policy applies to all executive branch departments and agencies with access to classified national security information and classified networks, according to the National Insider Threat Policy Minimum Standards.

How to fulfill the UAM requirements?

Here are some capabilities to ask your technology partners about in order to comply with CNSSD 504 and meet the key UAM requirements defined by the NITTF.

  • Keystroke monitoring: What are the capabilities of the agent? Does it support monitoring of keyboard typing patterns, keystroke analytics, and keyword blacklisting?

  • Full application content: Is there a full audit trail, so that even if data is deleted or evidence is destroyed during an attack you can still see full application content and metadata? Is all the data structured, consistent, and continuously collected and reported in one place, using the vendor's own telemetry?

  • Screen capture: Can you take a screenshot of a user’s desktop, triggered both automatically and by manual real-time actions? In addition, do motion screenshots show a screen recording of the moment the policy was breached?

  • File shadowing for all lawful purposes: For files, can you do advanced (regex) and standard content inspection, track file types, content and name changes, and see how files move through your organization?

  • All collected data must be attributable to a specific user: How is data collected and user activity attributed to an individual? Is there an activity feed where you can see all user actions and alarms in logical sequence, including print, browser, file and integration events, as well as connections, logins, DNS lookups, USB events, applications, sensors, alarms and more?
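Two of the Annex B capabilities above, file shadowing (following a document through renames, moves, copies and edits) and attributability (every event tied to a named user), are illustrated by the following added example. It is not code from the original article or from any vendor; the event log is constructed, and the field names (ts, user, op, path, new_path, sha256) are assumptions about what a UAM agent might emit.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample telemetry (not real data). Each event names the user it is
# attributed to and carries the content hash of the file after the operation.
CONSTRUCTED_EVENTS = [
    {"ts": 1, "user": "alice", "op": "create", "path": "/share/plan.docx", "sha256": sha256(b"draft v1")},
    {"ts": 2, "user": "alice", "op": "modify", "path": "/share/plan.docx", "sha256": sha256(b"draft v2")},
    {"ts": 3, "user": "bob", "op": "rename", "path": "/share/plan.docx",
     "new_path": "/share/notes.txt", "sha256": sha256(b"draft v2")},
    {"ts": 4, "user": "bob", "op": "copy", "path": "/share/notes.txt",
     "new_path": "/media/usb/n.txt", "sha256": sha256(b"draft v2")},
    {"ts": 5, "user": "carol", "op": "create", "path": "/home/carol/todo.txt", "sha256": sha256(b"buy milk")},
]

def shadow(events):
    """Group events into document lineages that survive renames, moves, copies and edits.

    A document id is the hash of its first observed content. Identity is carried
    two ways: by content hash (same bytes => same document, wherever they land)
    and by path (an edit at a known path => same document with new bytes).
    """
    by_hash, by_path = {}, {}
    lineage = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        doc = by_hash.get(ev["sha256"]) or by_path.get(ev["path"])
        if doc is None:
            doc = ev["sha256"][:12]  # new document: its first content hash becomes its id
        by_hash[ev["sha256"]] = doc
        landed_at = ev.get("new_path", ev["path"])
        by_path[landed_at] = doc
        if ev["op"] == "rename":
            by_path.pop(ev["path"], None)  # old name no longer refers to the document
        lineage[doc].append((ev["ts"], ev["user"], ev["op"], landed_at))
    return dict(lineage)

def users_who_touched(events, path):
    """Every user attributed to the document that is, or once was, at `path`."""
    for trail in shadow(events).values():
        if any(p == path for _, _, _, p in trail):
            return sorted({u for _, u, _, _ in trail})
    return []
```

Running users_who_touched on the USB copy returns both alice and bob, even though alice never touched that path or that file name: the lineage, not the path, is what makes the event attributable.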
