Security Review Seeks to Assess Employee Trustworthiness
According to the memo, agencies have to identify vulnerabilities or weaknesses in automated systems and formulate plans to address those gaps. The memo contained more than 100 questions, asking each agency to provide the OMB with information about how classified networks are configured and upgraded, and the process under which individuals are given access to these classified systems.
There were several questions that asked how employee "trustworthiness" was measured without "alienating" them. The OMB also wanted information about agencies using psychiatrists and sociologists to determine employees' job satisfaction. According to the memo, "relative happiness" would imply trustworthiness, while "despondence and grumpiness" could "gauge waning trustworthiness."
Interestingly, the memo asked agencies whether employees are required to report contacts with the media or subject themselves to regular polygraph examinations.
"If your agency does not have any of the required programs/processes listed, you should establish them," the memo said.
In order to "deter, detect, defend against employee unauthorized disclosures," agencies were asked about efforts to "fuse together" individual employees' disparate security information, such as personnel security and evaluation, polygraph, IT auditing or user activities, and foreign contact/foreign travel information. The information would provide analysts with "early warning indicators of insider threats," according to the memo.
Agencies should be combining security information "that lets employees enter the door" with information about their user access rights in a single identity profile, but "the entrenched bureaucracy is slowing down" that effort, said Ammon.
The OMB was unclear on how it expects agencies to monitor employees before or after their employment, but it asked whether their online activities were being monitored. Some of the directives were "out of place," wrote Aftergood.
Other questions were a bit more reasonable, dealing with the agency's policy for the use of removable media, such as USB devices, on secured systems. In a "zero-trust" environment, it's easy to know when a person is trying to do something that is prohibited, instead of trying to sift through all the activities to find the "bad thing," said Ammon.
The Information Security Oversight Office, the Office of the Director of National Intelligence and OMB will assist the review teams and conduct "periodic on-site reviews of agency compliance" if necessary, according to the memo.