NITTF Technical


The NITTF Technical Team is a vital component of the NITTF through its infusion of specialized expertise into other NITTF teams/work-streams as well as its development of effective and cost-effective technical solutions for the insider threat community. The Technical Team provides tailored assistance to insider threat programs spanning the IC, DoD, and NT-50 Federal Partners, focusing on User Activity Monitoring (UAM), insider threat data integration and analysis, automated case management, Enterprise Audit Management (EAM), and other technical capabilities. The Technical Team also brokers classified network provider/subscriber relationships across the USG, maintains awareness of the vendor marketplace to identify tools and best practices, provides input to national-level policy frameworks, and explores solutions for emerging technical trends and vulnerabilities.


The NITTF Technical Team developed technical bulletins to provide the insider threat community with additional information on key technological issues that departments and agencies face when implementing insider threat programs. Bulletins are arranged by date, with the most recent on top. As new bulletins become available, they will be identified as new and placed at the top of the list. Click on the title to view the technical bulletin. For additional information, contact the NITTF Technical Team.


Title: How CNSSD 504 Defines UAM
Date of Bulletin: 5/27/2018

Abstract : This Tech Bulletin considers the definition of user activity monitoring (UAM) provided by CNSSD 504, and it notes the technical functionality that a UAM solution must have to meet the Directive’s requirements.


Title: How CNSSD 1015 Defines EAM
Date of Bulletin: 4/27/2018

Abstract : This Tech Bulletin considers the definition of enterprise audit management (EAM) provided by CNSSD 1015. According to CNSSD 1015, EAM is “the identification, collection, correlation, analysis, storage, and reporting of audit information, and monitoring and maintenance of this capability.”


Title: Security Information and Event Management for Insider Threat Programs
Date of Bulletin: 3/22/2018

Abstract : Security information and event management (SIEM) refers to a cyber tool for the collection and analysis of security events and threat management.


Title: Data Quality for Insider Threat Programs
Date of Bulletin: 1/5/2018

Abstract : Executive branch departments and agencies should not overlook the importance of data quality to their insider threat programs. Inaccurate or ‘poor-quality’ data can hinder a program’s ability to identify threat behaviors and conduct an effective inquiry.


Provided below are additional technical bulletins that are not available for public release. Please contact NITTF if you have an official need for this item.


Title: Continuous Monitoring and Continuous Evaluation and Their Value for Insider Threat Programs
Date of Bulletin: 3/31/2018

Abstract : No abstract information available.


Title: Clarification of User Activity Monitoring (UAM) Requirements
Date of Bulletin: 2/25/2018

Abstract : No abstract information available.


Title: User (Entity) Behavior Analytics for Insider Threat Programs
Date of Bulletin: 2/14/2018

Abstract : Executive branch departments and agencies may want to implement a UBA/UEBA tool to enhance their ability to find, track, and mitigate anomalous activity.


Title: The Provider/Subscriber Relationship
Date of Bulletin: 2/10/2018

Abstract : No abstract information available.


Title: UAM Solutions for Insider Threat Programs
Date of Bulletin: 2/10/2018

Abstract : No abstract information available.


Title: Commercial Data Aggregators for Insider Threat Programs
Date of Bulletin: 1/30/2018

Abstract : No abstract information available.


Title: Cross Domain Solutions for Insider Threat Programs
Date of Bulletin: 1/14/2018

Abstract : Executive branch departments and agencies that operate multiple classified networks may want to employ a Cross Domain Solution (CDS) with their UAM solution(s) to transfer information between two or more differing security domains.