A major element of the Defense Department’s new program to better detect insider threats will be up and running by next month, at least on an initial operating capability basis, a top Pentagon security official said last week.
The DoD Insider Threat Management Analysis Center (DITMAC) will be in charge of collecting and coordinating potentially “adverse” information about Defense employees and other people with access to DoD facilities, including automated criminal records checks; tracking cases of possible insider threats; and helping to decide whether intervention of some kind is warranted.
“It really is intended to be the central hub for the department’s insider threat programs,” said Carrie Wibben, the director for security and policy oversight within the office of the undersecretary of Defense for intelligence. “They are focused on establishing a lot of the enterprise capabilities — the things that we don’t want all 43 of our components doing on their own or duplicating. That means behavioral analysis, predictive analytics, risk rating tools and insider threat systems for centralized reporting.”
Secretary of Defense Ash Carter has told several audiences in recent weeks that he’s trying to drill tunnels through the “wall” that sits between the Defense Department and commercial innovators. But one of the most important Defense overseers on Capitol Hill said a new regulation DoD put forward one month ago does exactly the opposite.
At issue, said Sen. John McCain (R-Ariz.), the chairman of the Senate Armed Services Committee, is an Aug. 3 proposed rule dealing with the Pentagon’s acquisition of commercial items. Following instructions from Congress, the department’s new rule offers guidance to contracting officers on when and how they should ask vendors for additional data to make sure DoD is getting a fair price.
It “sends a signal that DoD has little interest in realistic commercial acquisition practices and will continue to operate under its archaic, defense-unique, cost-based oversight system,” McCain wrote in a letter to Carter last week.
Pentagon officials fully acknowledged that they’ve been relatively sluggish adopters of cloud computing, but have continued to maintain that there will always be some applications that are so sensitive that they will never be appropriate for transition to commercial hosting and must stay within the military’s networks.
Thus far, that has mostly meant MilCloud, the private offering that’s both operated and secured by the Defense Information Systems Agency. But a new 2.0 version is in the works, and DISA is looking for ways to get more commercial players into the game while maintaining its (probably justifiable) security paranoia.
“In the next version of MilCloud, we will be going commercial,” Tony Montemarano, DISA’s top civilian official and acquisition boss, said. “Where that sits, etcetera is still a question, but we’re about to start our acquisition strategy for a MilCloud 2 … cloud is coming into our vernacular, and coexistence with industry is what we’re trying to come to grips with.”