In mid-January the Defense Information Systems Agency (DISA) directed the Joint Service Provider (JSP) to issue a solicitation seeking sources for a system to monitor against insider threats. The JSP Insider Threat solicitation (#PL83210030) identifies the active monitoring requirement as:
“The JSP is seeking information for potential sources for a commercial off-the-shelf system (including software, hardware, support, training, and travel) to monitor and log anomalous user behavior accessing network and computer systems managed by the JSP. The source should have insider threat cybersecurity solutions that proactively identifies and supports investigations of user violations to allow government network administrators and security personnel to proactively manage insider threat incidents. A total of approximately 80,000 end devices will be configured across multiple networks supporting the Pentagon and National Capital Region (NCR).”
The solicitation goes on to place emphasis on the need for the JSP customer to be able to detect events which “put the enterprise at risk.” The solicitation also describes in detail the granularity for 70 separate functionality requirements within the JSP insider threat monitoring.
These include the customary user log-in activities and the movement of data. They also include a number of requirements to monitor, log and record all application data, including but not limited to: keystrokes, chat programs, email, website browsing, social media usage, clipboards, file access, file modification, file deletion, and writes and downloads to storage devices of all varieties.
Perhaps the most interesting requirement was the need for “Capture and playback of a user’s actions before, during and after suspicious activity is discovered in order to discern user intent. This screen-capture playback capability must have the ability to reveal the user’s actions by displaying a replay of the user’s desktop before, during, and after suspicious activity.”
Insider Threat Program
When the JSP stands up and is fully functional, the network monitoring capability and the individual user granularity of action will be substantial, and every user within the JSP, those 80,000 in the NCR alone, will have their every keystroke subject to monitoring, storage and recovery. The system drives home the point that all users should be trusted. The insider threat monitoring capability ensures the individual’s activities are consistent with the earned trust.
The impetus behind this insider threat solicitation appears to be the 2017 National Defense Authorization Act, which included the admonishment to DISA to increase their monitoring capabilities against insider skullduggery. Specifically, the House Armed Services Committee’s Subcommittee for Emerging Threats and Capabilities called out DISA: “Where the Department has been focused on insider threats, the committee is concerned that those recommendations have been focused on procedural changes that are not connected to the capabilities, or the capability needs, for network tools and digital rights management.”
The DISA JSP Insider Threat solicitation should satisfactorily address this deficiency. Vendors interested in bidding on the Insider Threat program have a deadline of 2/3/2017, 4:00 pm EDT.