Department of Homeland Security Insider Threat and Mitigation Act of 2016

Department of Homeland Security Insider Threat and Mitigation Act of 2016

(Sec. 2) This bill amends the Homeland Security Act of 2002 (HSA) to direct the Department of Homeland Security (DHS) to establish an Insider Threat Program, which shall: (1) provide training and education for DHS employees to identify, prevent, mitigate, and respond to insider threat risks to DHS's critical assets; (2) provide investigative support regarding such threats; and (3) conduct risk mitigation activities for such threats.

DHS shall establish a Steering Committee. The Under Secretary for Intelligence and Analysis, who shall serve as the Chair of the Committee, and the Chief Security Officer, who shall serve as the Vice Chair, shall, in coordination with the Committee:

• develop a holistic strategy for DHS-wide efforts to identify, prevent, mitigate, and respond to insider threats to DHS's critical assets;
• develop a plan to implement the strategy across DHS components and offices;
• document insider threat policies and controls;
• conduct a baseline risk assessment of such threats;
• examine programmatic and technology best practices adopted by the federal government, industry, and research institutions;
• develop a timeline for deploying workplace monitoring technologies, employee awareness campaigns, and education and training programs related to potential insider threats;
• consult with the the Under Secretary for Science and Technology and other stakeholders to ensure that the program is informed by current information regarding threats, best practices, and available technology; and
• develop, collect, and report metrics on the effectiveness of DHS's insider threat mitigation efforts.

An agency employing a person who has access to classified national security information (insider employee) shall propose: (1) removing such employee whom an appropriate entity determines knowingly or recklessly engaged in insider misconduct, and (2) taking an adverse action of at least a 12-day suspension of such employee for the first instance of negligently engaging in insider misconduct and removal for any subsequent instance.

An insider employee who is notified that he or she is the subject of a proposed adverse action is entitled to 14 days to answer and furnish evidence in support of such answer. If such employee does not furnish such evidence or if the agency determines that such evidence is not sufficient for reversal, such agency shall carry out the adverse action. An agency that carries out an adverse action against an insider employee for insider misconduct under another provision of law may carry out an additional adverse action under the Insider Threat Program based on the same insider misconduct.

DHS must submit to specified congressional committees a biennial report on:

• how DHS and its components and offices have implemented such strategy,
• the status of DHS's risk assessment of critical assets,
• the types of insider threat training conducted,
• the number of DHS employees who have received such training, and
• information on the effectiveness of the Insider Threat Program.

The Steering Committee shall not seek to, and the authorities provided under this bill shall not be used to, deter, detect, or mitigate disclosures of information by government employees or contractors that are lawful under and protected by any whistleblower statute, regulation, or policy. Any activity carried out under the bill shall be subject to provisions of the Whistleblower Protection Enhancement Act of 2012, and any activity to implement or enforce any insider threat or authority of this bill or Executive Order 13587 shall include a statement required by such Act that preserves rights under whistleblower laws and provisions protecting communications with Congress.