OPINION — “The FBI requests $7 million to procure and deploy a digital watermarking solution capable of embedding unique digital forensic watermarks in commonly shared documents to mitigate unauthorized disclosures from the FBI’s classified and unclassified networks. Digital watermarking embeds a unique overt or covert forensic marker into emails and other commonly used file types, making it possible to attribute leaked information via screen photography or other non-traditional means back to the user. If information is exfiltrated from an FBI-managed endpoint, the watermarking solution can trace the document back to an employee or group of employees.”
That’s a quote from the 94-page FY 2027 FBI Budget Request to Congress that was released in March under a section entitled “Transparency of Government and Promoting Public Trust.”
I was aware of the investigative use of watermarks to track down confidential government documents, but I had never believed I would find a government agency, particularly the FBI, acknowledging publicly they were using it to keep tabs on their own employees.
Much to my surprise, the FY 2027 FBI Budget Request to Congress showed other FBI programs to catch leakers inside the Bureau. The Bureau budget document also describes other programs that are worth some public disclosure which I will discuss below.
First, some explanation.
I had decided to look into the proposed FY 2027 FBI budget after reading some nasty exchanges that took place at the May 12, Senate Appropriations Committee hearing on the Bureau’s budget. FBI Director Kash Patel was a witness and several Senators raised questions about recent news stories about Patel’s personal activities, to which he made a strong vocal defense of the activities.
After one bitter argument over stories about Patel’s alleged excessive use of alcohol, Sen. Chris Van Hollen (D-Md.) asked the FBI Director if he had ordered polygraph tests for FBI personnel to determine the sources of these leaked stories.
Patel responded, “There's an internal inspection review process for any and all leaks -- especially of baseless information -- at the FBI that's been in place for the last 30 years. Those processes are followed by career intelligence and agents on the ground.”
My interest in the FBI’s “internal inspection review process for any and all leaks” led me to the FY 2027 FBI Budget Request to Congress and there under a section called “Transparency of Government and Promoting Public Trust,” were descriptions of not only the watermark program, described above, but also one entitled User Activity Monitoring (UAM) Technology.
With UAM, according to the FBI budget document, “The FBI is strategically shifting its insider risk identification posture from traditional reactive activities to enhanced proactive approaches, allowing for early detection and mitigation.”
It then says that the FBI planned to purchase a “risk management suite” and, once procured, the Bureau will need $11.4 million in FY 2027 to support operation of the system.
Back in December 2025, the FBI awarded a five-year, $7 million contract to Everfox LLC to provide an Insider Threat Management Suite with UAM capability and User and Entity Behavior Analytics capabilities.
According to the FBI Budget document, “The UAM module will serve as the FBI’s primary monitoring and logging tool, capturing and analyzing all employee activity…The system generates real-time alerts, audit logs, and reports to notify insider threat analysts of potential risks, such as unauthorized access to sensitive data or files.”
As for the Behavior Analytics capabilities, that module uses “advanced analytics across all FBI-managed endpoints to detect anomalous and high-risk user activity indicative of insider threats.”
In short, to track down leaks the FBI has put in place a system to monitor employee computer usage and analyze that usage to detect any that is unusual. Although the Everfox systems purchased are directed at monitoring FBI employees to prevent leaks of any kinds of information, the FBI budget justifies this approach by referring to an Executive Order signed in 2011 by then-President Barack Obama which was aimed to protect Bureau classified information from outside hackers.
So far, however, the stories questioning Patel actions continue, as seen Sunday with the New York Times story headlined, “Patel’s Pearl Harbor Snorkeling Trip Adds Concerns About his travels.” The authors claim they spoke with “more than a dozen current and former FBI and law enforcement agents,” as well as Freedom of Information material.
Another FBI program disclosed in the FY 2027 FBI Budget Request to Congress relates to implementing President Trump’s September 2025 National Security Presidential Memorandum-7 (NSPM-7), Countering Domestic Terrorism and Organized Political Violence.
According to the FY 2027 FBI budget document, “In recent years, heinous assassinations and other acts of political violence in the United States have dramatically increased. Commonly, this violent conduct relates to views associated with anti-Americanism, anti-capitalism, and anti-Christianity; support for the overthrow of the U.S. Government (USG); extremism on migration, race, and gender, and hostility towards those who hold traditional American views on family, religion, and morality.”
To meet this challenge, the budget document says, the FBI now oversees the “recently created NSPM-7 Joint Mission Center (JMC),” which is “composed of personnel from 10 [Federal] agencies who possess CT (counterterrorism) and criminal operational and analytical expertise. The JMC is working to counter DT (domestic terrorist) and organized political violence by integrating intelligence, operational support, and financial analysis to proactively identify networks and prosecute domestic terrorist and related criminal actors.”
So far, there have been no reported activities of the JMC, but organizations such as the Brennan Center For Justice point out that NSPM-7 excludes high-profile examples of domestic political violence that do not comport with its storyline, such as the January 6, 2021, attack on the Capitol.
I close with one element of his time as FBI Director that Patel seems most proud of.
As he put it during his May 12 testimony, “Before I got in the [FBI Director] seat, over one-third of the entire FBI workforce was located in the National Capital Region. When I got here, I put a thousand agents into the field permanently. Every single state got more agents than they've ever had. Behind that, I sent 300 intelligence analysts into the field permanently. Behind that, I sent 500 support staff and program managers into the field permanently. And that's only Conus [within continental U.S.]. We've also expanded our overseas footprint. So, decentralizing the bureaucracy of Washington, removing the red tape in the bureaucracy, putting agents in the field…is how we're getting the mission done.”
Time will tell how that Patel action has worked out.
Patel also added to the above statement, “no one at this FBI is allowed to politicize or weaponize law enforcement. If you do, you don't get to work there anymore.” Reviewing the number of FBI officials and special agents that have been summarily dismissed since Patel’s appointment, including those who were assigned to participate in Trump-related investigations, I don’t believe that statement can be considered accurate.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
