How Much Are Agencies Spending on Insider Threat Protection?

Published: October 12, 2016

Cybersecurity

With news breaking of the latest insider data breach at a major federal intelligence agency someone asked me how much federal department and agencies were budgeting for insider threat solutions.

Recently, the New York Times reported that a former contractor at the National Security Agency (NSA) was arrested, accused of stealing and disclosing highly classified computer code developed by the agency to hack into the networks of foreign governments. With the revelation raising insider threats into the forefront of our minds an associate asked me if I knew how much federal department and agencies were budgeting for insider threat solutions.

Good question. And given the way agencies formulate and report their IT budgets, it’s not a simple answer. There is no official “insider threat protection” line item I have seen, but there is data in the federal IT budget portfolio available on the IT Dashboard that allows me to take a shot at the question, if only from a “back of the envelope” perspective.

Analysis Approach

When agencies formulate their yearly IT budgets they are required to identify how each IT investment fits within an overall Federal Enterprise Architecture (FEA) that OMB has constructed and revised over the last several administrations as part of the E-Gov initiative. One component of the FEA is the Business Reference Model (BRM), a reference model that links IT investments to specific functional objectives, like citizen services or security. Agencies code their IT budget line items with primary and secondary BRM codes, etc. to show how the dollars link to agency functional objectives and mission.

To get a sense of how insider threat protection efforts might link to BRM codes in the fiscal year (FY) 2017 IT budget I searched the titles and descriptions of all the IT Initiatives for key word like inside, internal, user, behavior, and threat to identify the most appropriate BRMs to include.

The results consistently returned the following BRM labels.

  • 121 - Security Management
  • 315 - Threat and Vulnerability Management
  • 316 - Continuous Monitoring
  • 317 - Data Integrity and Privacy Management
  • 337 - Credential Issuance and Management
  • 648 - Identification and Authentication
  • 649 - Access Control
  • 656 - Certification and Accreditation

Each IT budget line item may have a “BRM Primary Service Area” identifier as well as one or more “BRM Secondary Service Area” identifier that adds further granularity into how the agency links the investment line to the FEA. Agencies used the above BRMs as both primary and secondary identifiers, so there is some interplay between the codes.

To get a rough sense of the dollars budgeted in these areas I arranged the data by BRM Primary Service Area and BRM Secondary Service Area #1 for the three fiscal years included in the FY 2017 IT budget –2015, 2016, and 2017 – and filtered out Secondary BRMs that were unlikely to address insider threats, (e.g. healthcare administration.) (See table below.)

Conclusion

One caveat to recognize is that the dollars associated with the above Primary and Secondary BRM areas are not 100% allocated to insider threat protection efforts and solutions. Spending on insider threat efforts are likely a component of the IT initiatives to which these dollars are tied. Simply put, follow the BRMs to the IT initiatives that are labeled as such to flush out potential opportunities in this area.

Admittedly, the above rough-order analysis is far from perfect, but given that agencies do not release a discrete budget line item for insider threat protections (if they even have one) then a rough estimate is the best we may be able to achieve, given limited data. Still, it might give a few threads to pull at when trying to unravel agency spending in this area.