R 281639Z JUL 23 MID120000332400U
FM CNO WASHINGTON DC
INFO SECNAV WASHINGTON DC
CNO WASHINGTON DC
NAVY INSIDER THREAT HUB ELEMENT WASHINGTON DC
MSGID/GENADMIN/CNO WASHINGTON DC/N2N6/JUL//
SUBJ/POLICY AND GUIDANCE REGARDING THE U.S. NAVY INSIDER THREAT PROGRAM//
REF/A/EXECUTIVE ORDER 13587/07OCT2011//
REF/C/DOC/NDAA FOR FY17, SECTION 922/30NOV2016//
REF/G/DOC/INTELLIGENCE COMMUNITY DIRECTIVE 700-2/JUN2011//
REF/J/DOC/NATIONAL INSIDER THREAT TASK FORCE/21NOV2012//
REF/M/MSG/NIWC PACIFIC SAN DIEGO CA/052306ZOCT21//
POC/MR. NEVILLE SMITH/CIV/NIA N7/ARLINGTON VA/TEL: (703) 604-
POC/MS. ANGELA ONEAL/CIV/NIA N7/ARLINGTON VA/TEL: (703) 604-5743/
EMAIL: email@example.com/RANDOM POLYGRAPH//
POC/MR. TYREE SCOTT/NIA N7/SUITLAND MD/TEL: (301) 669-2898/
EMAIL: firstname.lastname@example.org/NAVY UAM CENTER//
NARR/REF A DIRECTS STRUCTURAL REFORMS TO CLASSIFIED NETWORKS TO ENSURE
RESPONSIBLE SAFEGUARDING OF CLASSIFIED INFORMATION CONSISTENT WITH PRIVACY
AND CIVIL LIBERTIES.
REF B PROMULGATES POLICY AND RESPONSIBILITIES FOR THE INSIDER THREAT PROGRAM
REF C DIRECTS DOD TO ESTABLISH A PROGRAM FOR INFORMATION SHARING PROTECTION
AND INSIDER THREAT MITIGATION.
REF D SEPARATES THE SINGLE DEPT OF NAVY (DON) INSIDER THREAT ANALYTIC HUB TO
ONE FOR NAVY AND ONE FOR MARINE CORPS.
REF E ESTABLISHES THE NAVY INTP.
REF F SETS POLICY ON PERSONALLY IDENTIFIABLE INFORMATION INDIVIDUAL
AWARENESS, TRAINING, COMPLIANCE, AND REPORTING.
REF G DESCRIBES USE OF AUDIT DATA FOR COUNTERINTELLIGENCE, INFORMATION
ASSURANCE, BUSINESS ANALYTICS, PERSONNEL SECURITY, AND OTHER AUDIT NEEDS.
REF H DESCRIBES MEASURES TO MITIGATE AND DETER POTENTIAL INSIDER THREAT TO
CLASSIFIED INFORMATION, SYSTEMS, AND NETWORKS.
REF I DEFINES USER ACTIVITY MONITORING REQUIREMENTS.
REF J LEVERAGES EXISTING LAWS, STATUTES, AND RESOURCES TO COUNTER INSIDER
REF K ESTABLISHES THE DON INTP.
REF L DELEGATES AUTHORITY AND RESPONSIBILITY TO NAVAL INTELLIGENCE ACTIVITY
TO MANAGE AND OVERSEE NAVY'S INTP.
REF M ADDRESSES UPDATED MCAFEE ENDPOINT PRODUCTS TO SUPPORT CANES SW2.X AND
SW3 STIG REQUIREMENTS ON CANES CENTRIXS (SR) AND SENSITIVE COMPARTMENTALIZED
INFORMATION (SCI) SECURITY ENCLAVES ON FORCE AND UNIT LEVEL PLATFORMS.//
RMKS/1. Navy's InTP identifies potential malicious insiders within the U.S.
Navy and reports those personnel to leadership to prevent or mitigate
activity that could be harmful to Navy personnel, resources, or information.
InTP is a centralized Navy Program, mandated by reference (a) and focused on
early identification and reporting of any potential malicious activity. This
NAVADMIN identifies critical actions to further posture the InTP to help
every Navy command guard against such threats and to mature processes and
readiness to stay ahead of the constantly evolving threat. In addition to
the InTP, this message tasks Commands to take actions to empower Navy's User
Activity Monitoring (UAM), giving the UAM access to critical information
sources that aid in identifying Insider Threats through online communications
activities. We must work together to increase our chances in early
identification of such threats to our mission.
2. InTP has six lines of operation: (1) Navy Insider Threat (InT) policy,
(2) UAM on Navy classified networks and systems, (3) Navy InT Analytical Hub
operations, (4) Random Polygraph Program for Navy Privileged Users (PU), (5)
Navy InT Strategic Engagement and Outreach Program, and (6) posturing Navy to
meet National Insider Threat Task Force and DoD InTP standards. Navy InTP is
managed by OPNAV N2N6 serving as the Navy Executive Agent for Insider Threat.
3. Insider Threat: Commanders, Directors, and Supervisors at all echelons
must establish a culture of InT awareness and deterrence by reinforcing InT
training and education and emphasizing Sailors' and employees' duties and
responsibilities to notify appropriate leadership of suspicious behaviors or
activities. A single insider threat, through any number of malicious
activities, can directly and negatively impact readiness, morale, trust, and
credibility of the Navy within the United States and with our allies abroad.
A malicious insider with the appropriate access can cause significant impact
to the Fleet and the Joint force, harming our ability to accomplish our
Nation's mission. Commanders must be watchful for the InT and ensure prompt,
decisive action is taken when provided with evidence of a potential malicious
insider. At a minimum, Commanders will:
a. Develop command policies that support Navy InTP, as outlined in
reference (e), and comply with National, DoD, DON, and Navy InTP policies,
including, but not limited to, those pertaining to OPNAVINST 5510.165.
Include procedures to report perceived InTs to the Policy POC listed above.
b. Designate a command InT Representative to coordinate with the Navy
InTP. Email the InT Representative's contact information to the Policy POC
c. Upon receipt of a Navy Insider Threat Risk Analysis (ITRA) memorandum
from the Navy InT Hub, report to the InT Hub all mitigating actions taken
within 30 days of initial receipt of the ITRA.
d. Direct all cleared employees to complete InT awareness
training: DON-CIAR-1.0-NCIS Counterintelligence and Insider Threat Awareness
and Reporting Training available in TWMS at
https://twms.dc3n.navy.mil/login.asp. Training must be completed within 30 days of
initial employment, entry-on-duty, or following the granting of access to
classified information and annually thereafter. Report completion to the
Command InT Representative.
e. Report potential InT activity via the command InT Representative or
directly to the Navy Insider Threat Hub. InT reports of potential malicious
insider activity can be submitted through the DON InT Reporting Portal at
www.secnav.navy.mil/itp or by contacting the Navy InT Hub at (703) 695-7700
(1) Navy Reporting Criteria and Potential Risk Indicators
(PRI) for InT are listed below. Any activity observed under the listed
criteria should be reported to the chain of command and to the Navy InT Hub.
All reports made to the Navy Hub will be compliant with personally
identifiable information (PII) handling standards per reference (f).
Criteria 1: Serious Threats (e.g. threatening violence in the
Criteria 2: Allegiances Against the United States/Terrorism (e.g.
expressing ill-will towards the government)
Criteria 3: Espionage/Foreign Considerations (e.g.
unreported foreign contacts or relationships)
Criteria 4: Unusual Behavior and Signs of Excessive Stress (e.g.
extreme changes in behavior)
Criteria 5: Criminal, Violent, or Abusive Conduct (e.g.
involvement in criminal activity)
Criteria 6: Financial Considerations (e.g. unexplained
Criteria 7: Self-Destructive Behaviors or other Behavioral
Considerations (e.g. suicidal ideations)
Criteria 8: Security Infractions or Violations (e.g.
willful or negligent compromise of classified data)
Criteria 9: Misuse of Information Technology (e.g.
negligent misuse; malicious damage/destruction)
Criteria 10: Personnel Security and Human Resources
Considerations (e.g. absent without leave)
f. For Navy ashore SIPRNet and JWICS network owners and afloat units
(1) Provide the Navy InTP access to appropriate data streams (i.e.
audit logs, Lightweight Directory Access Protocol (LDAP), Active Directory,
etc.) and records to allow for effective Insider Threat Program analysis.
(a) Provide LDAP data in .csv file format to the Navy UAM POC
listed above. LDAP data transfer and ingestion will occur by the eighth day
of the first month of each quarter (8 January, 8 April, 8 July, and 8
October). The Navy UAM Center will maintain secure control of the data,
ensuring only authorized personnel are permitted to review LDAP data.
(b) LDAP data must contain:
1. User Principal Name (UPN)
2. User DoD ID Number
3. Common name
6. Email address
8. Telephone number
(2) Provide the Navy InTP a POC for all network owners and
alternates, to include the Information System Security Manager
(ISSM) name, email address, and contact number.
(3) Maintain and share situational awareness of the network
environment with the Navy InTP to facilitate accurate identification of
anomalous activity, for example network outage vice sabotage.
(4) Incorporate InT mitigation requirements into planning,
programming, readiness, and inspection decisions.
(5) For Commands with CANES SW2/SW3 installed per reference (m),
report ship name, CANES install date, and ship Information System Security
Manager (ISSM) contact information to the UAM POC listed above. Once
received, the Navy UAM Center will provide a testing schedule to validate UAM
4. Random Counterintelligence (CI) Polygraph Program for Privileged Users
(PU): Recent high-profile compromises highlight the need to increase the
frequency of Random CI Polygraph Program for PUs, those with system
administrator or similar accesses. Per reference (h) and to better respond to
this type of threat, Commands will ensure Navy PUs with enhanced access to
JWICS receive a CI polygraph once every two years.
a. InTP will manage and coordinate the Random CI Polygraph Program for
PUs with both NCIS and the associated command. InTP will enroll all PUs in
DoD's continuous monitoring program and random polygraph pool to ensure
b. Commands that manage Navy JWICS networks and systems will provide a
list of military, civilian, and contractor PU to the Navy InTP Polygraph POC
listed above. Provide an Excel spreadsheet indicating the name of the PU,
classified systems of privileged access, job function, DoD ID number,
command, and date of last polygraph. Commands will maintain an inventory of
PUs and routinely review and revalidate PU status to verify the privileges
are commensurate with the individual's job requirements.
5. This NAVADMIN will remain in effect until cancelled or superseded.
6. Released by VADM Jeffrey E. Trussler, Deputy Chief of Naval Operations
for Information Warfare, OPNAV N2N6.//