U.S. Navy, DITMAC Apply New Counter Insider Threat Capabilities via SITH

Photo By Christopher Gillis | DCSA Official Press Release read more read more

Photo By Christopher Gillis | DCSA Official Press Release  see less | View Image Page

UNITED STATES

07.05.2024

Story by John Joyce 

DOD Insider Threat Management and Analysis Center

✔ ✗ Subscribe

1

Military Services, DOD Agencies Slated to Onboard Steadily into SITH Solution

QUANTICO, Va. – The onboarding of insider threat professionals from the U.S. Navy and the Department of Defense (DOD) Insider Threat Management and Analysis Center (DITMAC) into a new technology called the Solution for Insider Threat Hindrance (SITH) is just the beginning of an extensive DOD onboarding process, according to Defense Counterintelligence and Security Agency (DCSA) officials.

In all, 72 counter insider threat professionals from the Navy and DITMAC are managing unclassified insider threat cases in SITH – an interim solution while DITMAC System of Systems (DSoS) Increment 2 is under development.

“We are genuinely excited about deploying SITH to the insider threat community. It took a monumental group effort to get this project across the finish line as a new solution in the hands of our users,” said Shannon Walters, DITMAC DSoS deputy program manager at the DCSA Program Executive Office. “SITH demonstrates DCSA’s ability to deliver solutions that meet the needs of our customers – making their jobs more efficient and providing new features that will have a positive impact on the mission. SITH is a real win for DCSA and the insider threat community. Its success built confidence in our ability to continue delivering capability with Increment 2.”

The SITH interim solution introduces Prevention, Assistance and Response (PAR) program functionality for DITMAC and case management capabilities for the PAR cadre at the installation level and insider threat component hubs. In addition, SITH maintains the existing DSoS Increment 1 capabilities for managing and analyzing insider threat information.

DSoS Increment 1 – still in effect for DOD users pending migration to SITH – is a unique custom built enterprise level capability for managing and escalating insider threat information.

Overall, the DSoS mission supports DOD components, specialized missions and the intelligence community through the development, implementation and sustainment of technologies that aid in the management, analysis and mitigation of insider threat information in support of the DOD Counter Insider Threat Program Strategic Plan, DITMAC, and the DOD Insider Threat Program Implementation Plan.

The newly established PAR program relies on its coordinators assigned to military bases across the country who advise commanders and base leadership in the prevention, assistance and response to potential threats.

SITH functionality and management features are already enhancing PAR coordinators’ efforts at gathering information to include a holistic assessment of an individual or threat in order to make recommendations that will raise awareness, assist leadership decision making, and help prevent and reduce risk.

“SITH and our work towards DSoS Increment 2 is an absolute game changer as we move forward to building a scalable DSoS that works for the entire insider threat community, including the PAR program” said Challenge Gray, DITMAC program manager for SITH.

DSoS also serves as the insider threat community’s primary tool for capturing, consolidating, storing, analyzing and managing insider threat data reported to the DITMAC. It supports 54 insider threat hubs and programs – 43 DOD and 11 civilian – on the Secret Internet Protocol Router Network (SIPRNet) and the Joint Worldwide Intelligence Communications System (JWICS) highly secure communication networks used by the U.S. government and military to share classified information.

SITH, however, tracks and manages insider threats that exist on the Non-Classified Internet Protocol Router Network (NIPRNet) to allow the insider threat hubs to ingest, triage, manage and escalate incidents as they are identified.

“This NIPR capability is fantastic since a majority of our cases are on the unclassified side,” said Gray. “It will allow everybody to perform their jobs to the best of their abilities a lot quicker and smoother as well as that cross coordination – allowing each component to talk to one another and coordinate on such a higher level than they currently are able to.”

Moreover, the SITH product provides initial capabilities encompassing enterprise case management, continuous vetting, continuous evaluation, alert ingestion, sharing closed cases, basic reporting and role-based dashboards.

“SITH is the first major steppingstone as a standalone implementation bringing us to the next phase – DSoS Increment 2,” said Erin Lambert, DSoS program manager at DCSA’s Program Executive Office. “DSoS Increment 2 will eventually provide data automation and integration with other systems, enabling us to send our data to other systems.”

Lambert described her team’s collaboration with user communities as a “hand in hand” operation to develop a SITH solution that works technically to enable future expansion and scalability.

“Our unique partnership and coordination with the user community was vital to get to where we are in the development of SITH,” she said. “We're moving in the right direction to deliver functionality the insider threat user community will find beneficial for the mission as we continue with SITH deployments and the transition to Increment 2.”

DITMAC officials envision DSoS Increment 2 as a broad-based capability that supports installation-level reporting, support for the DITMAC PAR program, user access monitoring, and behavioral threat analysis capability. It will feature adaptation to allow for automated data ingest to directly support and enhance analytic efforts focusing on areas of increased risk. DSoS Increment 2 includes development efforts for automated data ingest by adding additional data sources and the addition of reporting, analysis and data visualization capabilities.

The SITH good news was outlined chronologically in Lambert’s April 15 email to DCSA leaders and teams who helped make the interim SITH solution to DSoS Increment 2 a reality.

She pointed out that the DCSA Decision Authority established SITH as a prototype on March 29, 2023. It was followed by the agency’s Acquisition Review Board’s February 1, 2024 authorization to deploy SITH to the Navy, DITMAC and the DCSA Operations Analysis Group.

“Since then, the team completed planning and execution activities necessary to operationalize SITH for the Insider Threat mission,” Lambert recounted. “These activities included user testing, independent verification and validation testing, cyber and regression testing in addition to user training, building out of the production environment, obtaining an Authority to Operate, establishing the help desk, creating user guidance and documentation, and onboarding preparations.”  

In her announcement about the product’s development and onboarding process, Lambert emphasized that SITH is the first DCSA solution hosted on the newly established Impact Level 5 National Security Cloud ServiceNow SaaS architecture, introducing NIPR level functionality to the insider threat community.  

DOD Impact Level 5 – encompassing controlled unclassified information (CUI) and unclassified national security information – is used to host non-public, unclassified national security system data or non-public, unclassified data where the unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. This includes CUI and other mission data that may require a higher level of protection than was afforded by IL4 as deemed necessary by the information owner, public law or other government regulation.

Meanwhile, the software acquisition and procurement planning phase for DSoS Increment 2 continues as the gradual onboarding of SITH takes place throughout the DOD insider threat community until December 2024.
The development phase of DSoS Increment 2 is planned to start in fiscal year 2025 with its minimum viable capability release scheduled by the end of that fiscal year with multiple integrations to follow in fiscal year 2026.

DSoS Increment 2 will be self-hosted at DCSA, eventually providing users with access to NIPR IL-5, SIPR and JWICS domains. Its functionality, incorporating everything within the capability assessment, will deploy incrementally via Agile releases to include full functionality for case management and PAR requirements.

Lambert concluded her memorandum by crediting internal and external partners in the consultation and collaboration process resulting in a “truly monumental accomplishment that would not have been successful without the efforts and support of multiple teams and partners among government, federal contractor and internal DCSA partnerships.”