[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4265 Introduced in House (IH)]

118th CONGRESS
  1st Session
                                H. R. 4265

  To direct the Comptroller General of the United States to conduct a 
  study and submit a report about the effectiveness of the procedural 
   safeguards used by the Secretary of Defense to protect classified 
       information from insider threats, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 21, 2023

   Mr. Ryan introduced the following bill; which was referred to the 
                      Committee on Armed Services

_______________________________________________________________________

                                 A BILL


 
  To direct the Comptroller General of the United States to conduct a 
  study and submit a report about the effectiveness of the procedural 
   safeguards used by the Secretary of Defense to protect classified 
       information from insider threats, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Insider Threat Assessment Act'' or 
``ITAA''.

SEC. 2. GAO STUDY ON PROTECTING CLASSIFIED INFORMATION FROM INSIDER 
              THREATS WITHIN THE DEPARTMENT OF DEFENSE.

    (a) Study.--The Comptroller General of the United States shall 
conduct a study to assess the ability of the Secretary of Defense to 
mitigate insider threats to classified information and systems in which 
classified information is stored within the Department of Defense, 
including--
            (1) the extent to which the Secretary takes timely action 
        to address each security deficiency identified in each annual 
        report submitted pursuant to the policy of the Director of 
        National Intelligence titled the ``National Insider Threat 
        Policy and Minimum Standards for Executive Branch Insider 
        Threat Programs'' to the head of an executive agency by a 
        designated senior official regarding the process or status of 
        an insider threat program;
            (2) the extent to which the Secretary uses information 
        system security controls (including audits, limited access 
        controls, and configuration management) for systems in which 
        classified information is stored;
            (3) the extent to which the Secretary uses controls to 
        limit the ability of individuals who are eligible for access to 
        classified information in accordance with Executive Order 12968 
        (60 Fed. Reg. 40245; relating to access to classified 
        information), or any successor thereto, and Executive Order 
        10865 (25 Fed. Reg. 1583; relating to safeguarding classified 
        information within industry), or any successor thereto, from 
        removing such classified information from a system or facility 
        in which such classified information is stored; and
            (4) any other related matters that the Comptroller General 
        deems appropriate.
    (b) Preliminary Briefing; Final Report.--Not later than 180 days 
after the date of the enactment of this Act, the Comptroller General 
shall--
            (1) provide to the Committee on Armed Services of the House 
        of Representatives a briefing regarding the preliminary 
        findings of the study conducted under subsection (a); and
            (2) submit to such Committee a final report regarding the 
        findings of the study conducted under subsection (a) at such 
        time and in such format as is mutually agreed upon by such 
        Committee and the Comptroller General at the time of the 
        briefing described in paragraph (1).
    (c) Definitions.--In this section:
            (1) The term ``designated senior official'' means, with 
        respect to an insider threat program, an individual designated 
        by the head of an executive agency to be principally 
        responsible within such agency for establishing a process to 
        gather, integrate, centrally analyze, and respond to 
        information from counterintelligence, security, information 
        assurance, human resources, law enforcement, and other relevant 
        sources with information indicative of a potential insider 
        threat.
            (2) The term ``executive agency'' has the meaning given to 
        such term in section 105 of title 5, United States Code.
            (3) The term ``insider threat'' means, with respect to the 
        Department of Defense, a threat presented by a person who--
                    (A) has, or once had, authorized access to 
                information, a facility, a network, a person, or a 
                resource of the Department; and
                    (B) wittingly, or unwittingly, commits--
                            (i) an act in contravention of law or 
                        policy that resulted in, or might result in, 
                        harm through the loss or degradation of 
                        government or company information, resources, 
                        or capabilities; or
                            (ii) a destructive act, which may include 
                        physical harm to another in the workplace.
            (4) The term ``insider threat program'' means a program of 
        an executive agency established to deter, detect, and mitigate 
        insider threats within the agency in accordance with the policy 
        set out by the Insider Threat Task Force established under 
        Executive Order 13587 (50 U.S.C. 3161 note; relating to 
        procedures to access classified information).