The Department of Defense concluded a 45-day review of security ‘programs, policies, and procedures’ in the wake of the alleged leaks of classified documents by Massachusetts Air National Guardsman Jack Teixeira. The Airman appeared to have a pattern of failing to adhere to security procedures that culminated in increasingly flagrant disregard for classified information and the publication of classified documents on the popular internet chat forum Discord.
“The Department relies on a culture of trust and accountability for those who are granted access to CNSI. This review found that the overwhelming majority of DoD personnel with access to CNSI are trustworthy, and that all DoD Components demonstrate a broad commitment to security,” Secretary of Defense Lloyd Austin wrote in a June 30 memo, following the review.
The memo directs DoD components to take several actions, including greater accountability for how security personnel are accounted for, tracked, and assigned to a Security Management Office (SMO). The memo also calls out SCIF accountability and security procedures, including policies around electronic devices in SCIFs.
The bulk of the activities require greater accountability around existing procedures and policies. But the memo also calls for the establishment of a Joint Management Office for Insider Threat and Cyber Capabilities.
The Undersecretary of Defense for Intelligence and Security (USD I&S) was also directed to coordinate with DCSA to:
- Improve security training by August 2023.
- Conduct a pathfinder program to make Continuous Vetting (CV) information more accessible to military commanders and supervisors.
- Optimize security information technology systems for information sharing in Advana or another system.
Take a Chisel, Not a Hammer
The full review isn’t released, but based on the highlights in the memo and associated fact sheet, it’s clear the review supports the perspective that while security policies and procedures need to be more strictly enforced, elements related to the personnel vetting program or Trusted Workforce 2.0 effort were not highlighted as failures. Follow-on guidance rightly calls out SCIF security, mobile device access, security training and procedures, and how to better leverage existing policy for greater accountability (like ensuring all personnel are assigned to a SMO).
One of the key issues for CV is not the program itself, but how to ensure the data uncovered is best leveraged and made accessible to key stakeholders. The memo calls out that issue and for broader use of IT, AI, and information sharing through the DoD’s existing capabilities.
Measuring the effectiveness of existing security training is another area the memo tackles. It’s not necessarily new training that is needed, but accountability around ensuring training truly addresses the threat landscape and educates all employees about both security and insider risks.
The devil is in the details – and the data – but the memo and review are a critical next step toward greater accountability around security management and accessibility, while still allowing for information sharing and the ability to get intelligence to critical decision makers and stakeholders.