"Unauthorized possession or operation of cameras, recording devices, computers, and communication devices where classified information is handled or stored."
"Discussions of classified information over a non-secure communication device."
"Unauthorized copying, printing, faxing, e-mailing, or transmitting classified material."
"Contact, association, or connections to known or suspected international terrorists, including online, e-mail, and social networking contacts. "
"Unauthorized downloads or uploads of sensitive data."
"Unauthorized use of Universal Serial Bus, removable media, or other transfer
"Downloading or installing non-approved computer applications."
"Unauthorized e-mail traffic to foreign destinations."
"Excessive and abnormal intranet browsing, beyond the individual's duties and responsibilities, of internal file servers or other networked system contents."
"Unexplained user accounts."
So, uh, phew, that's a shitload of very ambiguously-worded things to monitor your coworkers for.
Now we don't fault the Pentagon for watching its ass. They can't have classified documents flowing out of their doors (or ethernet cables). But by stating that "Personnel who fail to report the contacts, activities, indicators, and behaviors...are subject to punitive action" puts pressure on you to be a paranoid. The directive says a few of the "failures to report" may not carry punitive action—but is anyone going to take that risk? The push here is to not just look over your shoulder, but your colleague's. To watch your coworkers. To watch your friends—out of fear of the Pentagon's hammer. By crowdsourcing counterintelligence, the Pentagon risks turning its staff of millions against each other—or at the very least, making it a hell of a lot more stressful to work.