DATE: January 6, 2020
SUBJECT: Insider Threat Program
1. PURPOSE. To establish a Department of the Treasury Insider Threat Program in accordance with Executive Order 13587 and its implementing policies and standards, as well as the other authorities set out in Section 8 below.
2. SCOPE. This Order applies to all bureaus, offices, and organizations of the Department of the Treasury, including the offices of Inspectors General, within the Department. The provisions of this Order shall not be construed to interfere with or impede the authorities or independence of the Treasury Inspector General, the Treasury Inspector General for Tax Administration, or the Special Inspector General for the Troubled Asset Relief Program.
3. POLICY. It is the policy of the Department of the Treasury to deter, detect, and mitigate insider threats that would do harm to the security of the United States. These efforts include safeguarding classified national security information and conducting insider threat detection and response actions consistent with the insider threat mission, while protecting the privacy, civil rights, and civil liberties of Treasury employees.
4. DELEGATION. The Assistant Secretary for Intelligence and Analysis, or its successor position, is the Senior Official for establishing and managing the Insider Threat Program in accordance with the authorities set out in Section 8 below.
5. TREASURY EXECUTIVE ADVISORY BOARD FOR INSIDER THREAT. There is an established Treasury Executive Advisory Board for Insider Threat to advise the Senior Official on management of the Insider Threat Program. The Treasury Executive Advisory Board for Insider Threat, chaired by the Senior Official, is composed of representatives of the Treasury Offices of the Chief Information Officer; Counterintelligence; General Counsel; Human Resources; Privacy, Transparency, and Records; Security Programs; and such other bureaus, offices, and organizations as the Senior Official shall prescribe. Representatives from the Treasury Inspector General will be invited to attend and observe the activities of the Advisory Board, and provide input and oversight as appropriate.
6. RESPONSIBILITIES.
   a. The Under Secretary for Terrorism and Financial Intelligence shall provide oversight of the Insider Threat Program.
   b. The Senior Official shall, with the advice of the Treasury Executive Advisory Board for Insider Threat, establish and manage the Insider Threat Program in accordance with the authorities set out in Section 8 below, including the development and issuance of the program’s policies and procedures in Treasury Directive Publication (TD P) 15-71 (“Treasury Security Manual”). In managing the Insider Threat Program, the Senior Official shall, among other things:
      1) Establish the Insider Threat Program as a centralized hub for reporting, analyzing, and responding to insider threat information.
      2) Assign to the Insider Threat Program employees with training in counterintelligence, security functions, and applicable investigative, civil liberties and privacy laws, regulations, and policies.
      3) Promulgate policies and procedures governing the Treasury Executive Advisory Board for Insider Threat.
      4) Establish definitional and reporting guidelines for bureaus, offices, and organizations to refer relevant insider threat information to the Insider Threat Program.
      5) Establish the capability to monitor user activity on all Department of the Treasury networks, as deemed necessary by the Senior Official, consistent with applicable law, regulations, and policies.
      6) Establish policies and procedures for properly collecting, protecting, storing, and limiting access to insider threat information to authorized employees.
      7) Establish mechanisms for employees to report insider threat information directly to the Insider Threat Program.
      8) Provide insider threat awareness training to all employees, as deemed necessary by the Senior Official, upon entry on duty and annually thereafter.
      9) Establish policies and procedures in coordination with the Inspectors General, in accordance with their authorities, for the Inspectors General to report insider threat information and for the Insider Threat Program to refer matters as appropriate to the Inspectors General.
      10) Notify all employees that their activity on any Department of the Treasury classified or unclassified network, to include portable electronic devices, is subject to monitoring and may be used against them in a criminal, security, or administrative proceeding.
      11) To the extent permissible, ensure the Insider Threat Program has timely access to intelligence and counterintelligence information pertaining to adversarial threats.
   c. The Chief Information Officer and the heads of the Treasury Offices of Counterintelligence; Human Resources; Privacy, Transparency, and Records; Security Programs; or their successors; such additional bureaus, offices, and organizations prescribed by the Senior Official; and the Inspectors General, to the extent consistent with their authorities and Section 6.b.9 above, shall:
      1) Ensure the Insider Threat Program is provided with access to information within the bureau's, office's, and organization's area of administrative control, as directed by the Senior Official, that is necessary to identify, analyze, and resolve insider threat matters. When providing access to information, bureaus, offices, and organizations will make every reasonable effort to provide access only to the information requested.
      2) Submit any dispute regarding the Senior Official's access to information to the Treasury Executive Advisory Board for Insider Threat for resolution. Requests for reconsideration of the Treasury Executive Advisory Board for Insider Threat’s decision shall be directed to the Under Secretary for Terrorism and Financial Intelligence for a final decision.
   d. All Treasury employees shall report insider threat information to the Insider Threat Program as prescribed by the Senior Official.
7. DEFINITIONS.
   a. “Employee” for purposes of this order, means a person, other than the President and Vice President, employed by, detailed or assigned to, an agency, including members of the Armed Forces; an expert or consultant to an agency; an industrial or commercial contractor, licensee, certificate holder, or grantee of an agency, including all subcontractors; a personal services contractor; or any other category of person who acts for or on behalf of an agency as determined by the appropriate agency head.
   b. “Insider Threat” for the purposes of this order, means that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.
8. AUTHORITIES.
   a. 31 U.S.C. 311 & 312
   b. 31 U.S.C. 321(b)
   c. The Inspector General Act of 1978, as amended
   d. Executive Order 13587, and its implementing policies and standards
   e. Executive Order 12968
   f. Executive Order 12333
   g. Executive Order 10450
9. CANCELLATION. Treasury Order 105-20, “Insider Threat Program,” dated April 16, 2019, is superseded.
10. OFFICES OF PRIMARY INTEREST. Office of the Under Secretary for Terrorism and Financial Intelligence; Office of Counterintelligence; Office of Security Programs.
/S/
Steven T. Mnuchin
Secretary of the Treasury