March 6, 2023
Review of the Department’s Insider Threat Analysis and Referral Center
In 2014, the Department of Energy issued Department Order 470.5, Insider Threat Program, to establish the responsibilities and requirements for the agency-wide Insider Threat Program (ITP) to deter, detect, and mitigate insider threat actions by Federal and contractor employees, per the requirements of Executive Order 13587. The Analysis and Referral Center (ARC) involves gathering, integrating, and analyzing information derived from counterintelligence, security, information assurance, human capital, law enforcement, the monitoring of user activity, and other sources, as necessary and appropriate, to identify potential insider threat activity for referral and response. We initiated this inspection to determine if the Department is operating a single centralized insider threat ARC for insider threat assessments.
We found that the Department is not operating a single centralized insider threat ARC for insider threat assessments. Specifically, we identified the following opportunities for improvement: the ARC receiving information from the Local Insider Threat Working Groups; the ARC consistently receiving feedback from referrals; the Department’s Designated Senior Official’s (DSO) receiving notification of referrals; the Designated Senior Official’s involvement with oversight of referrals that are generated at the ARC; and the Designated Senior Official issuing an annual progress and status report to the Secretary of Energy.
We identified that Department Order 470.5 is outdated. Specifically, it was written in 2014, which was prior to the Office of Environment, Health, Safety and Security establishing the ITP Office in 2015. The Office of Environment, Health, Safety and Security has administrative control of the ITP and is the office of primary interest for Department Order 470.5; however, this Order does not address coordination between the ITP Office and the ARC. The DSO informed us that he surmised that Department Order 470.5 should be updated to clarify the responsibilities of the Local Insider Threat Working Groups. He thought that there was a significant disconnect between the Order and what has been implemented. For example, the DSO concluded that Local Insider Threat Working Groups insider threat activities need to be restructured to clearly identify who should be informed of issues because he is not confident instructions in the Order are clear. In discussions with the ITP Director, we were told that the Order is vague and that efforts are being made to update it.
To address the issues identified in this report, we made six recommendations that, if fully implemented, should help ensure problems identified during our inspection are corrected.
Management fully concurred with our recommendations and are evaluating corrective actions.