October 31, 1998
The President
Through:
Mr. Samuel R. Berger
The White House
Washington, DC 20500
The Security Policy Advisory Board was chartered by Presidential Decision Directive 29 of 16 September 1994. The Advisory Board provides a non-government, public interest perspective on actions required to streamline and improve Federal security policies and procedures. Our frame of reference is the report of the Joint Security Commission (JSC), "Redefining Security," dated February 28, 1994. Part of our charter is to provide to the President, through the National Security Advisor, an annual report of our findings on implementing recommendations contained in the JSC report. The emphasis is on the four key principles enumerated in PDD 29 that Security Policy (1) match the threat; (2) be consistent and enable us to allocate scarce resources efficiently; (3) result in fair and equitable treatment; and (4) provide the security we need at a price we can afford.
In keeping with our tasking, we held a series of four public meetings over the last year to discuss particular security issues and to solicit input from the public at large, and industry in particular. To encourage public participation, our meetings are advertised in the Federal Register and held in locations where there is a significant concentration of government contractors. This past year they were held in Boston Massachusetts, Sunnyvale California, Washington DC, and Tucson Arizona.
In the course of the second year of our activity, we continued to focus on personnel security issues. Similar to our first year's report, we are keying this report to specific observations and recommendations of the JSC report.
We continue to believe that the Security Policy Board process is a valuable one, albeit cumbersome due to the number of agencies involved. Progress is being made toward accomplishing some key recommendations of the JSC, but momentum is increasingly difficult to maintain. The Board needs to be revitalized with more senior level attention and participation and more focus to make the needed progress. There are important efficiencies yet to be realized that will require a higher sense of urgency.
There is almost universal agreement on the need to drastically improve personnel security policies and processes. And there has been significant progress in formulating policies for more rational approaches. Nonetheless, as practiced in the field, the personnel security process is still unduly arbitrary, bureaucratic, and cumbersome, particularly as applied to special access programs. In the course of our meetings with industry representatives, we continue to hear frustration at the pace of progress in streamlining security processes and making them less burdensome, intrusive, and costly. We continue to believe that priority attention to several areas could result in significant cost savings and efficiencies and provide more fair and equitable treatment and could do so in the relatively short term.
The attachment lists five priority areas where priority attention could produce rapid improvement and increased efficiency in the security process. Three of these five areas were also discussed in last year's report. There has been some progress in these three areas but much remains to be accomplished. The common recommendation for all of these areas is for the Security Policy Board to establish their satisfactory completion as high priority goals and to require quarterly reports on their progress with a goal of assuring completion within six months. Each could be completed within that time frame with the right attention and modest additional resources.
As an overarching matter, the Security Policy Board was established to provide structure and coherence to US Government security policy, practices and procedures. Last year we observed that the Security Policy Board had not met in over a year. The Security Forum and the supporting staff expend an enormous amount of energy and produce useful output. Still, the Forum continues to be a cumbersome mechanism that has difficulty with effective, prioritized, timely decision making and leadership. In the intervening year, the Security Policy Board has met one time and has just now set out some priority strategies and a program plan to implement the strategies is to be considered at a later Forum meeting. It will soon be five years since the JSC report was issued. A focus on a manageable set of priorities that can be achieved on an annual, or shorter, basis is essential to accelerate the currently frustratingly slow process of formulating and implementing policies and procedures and to raise the current low rate of return from the effort going into the process.
The DOD and DCI have agreed to reconvene the Joint Security Commission to examine progress made, provide new observations and recommendations, and to generally re-invigorate the mechanisms for reforming the security processes of the Federal Government. We applaud that decision and suggest that the JSC pay particular attention to updating their recommendations on information security given the enormous increase in the electronic flow and impact of that flow of classified and unclassified information.
Respectfully,
Larry D. Welch, Chairman, SPAB
JSC Report: "Our goal is to establish a security clearance standard, the application of which will be tracked in a Community-wide data base and will be fully transferable and valid among all government agencies"
There continue to be differences of opinion regarding the value and/or necessity of certain investigative practices. These differences, if not resolved, can undermine commitment to reciprocity, central to progress in administering sensible personnel security policies. Resolving these differences will require funding of the needed research.
There is an urgent need to complete the work to create a centralized data base wherein investigation and clearance status (collateral and SCI) is maintained and which is easily accessible to security officials across the spectrum of government via either the internet or a security intranet. Technology is readily available to put this important capability in place with appropriate security. This system would quickly more than pay for itself by reducing duplication of investigative and adjudication and administrative effort.
Considering the above and other factors we find that reciprocal recognition of clearances, recommended by the JSC and mandated by executive order, has still not been adequately implemented.
2. Forcing efficiencies on the demand for investigations.
JSC report: "The Commission recommends that security clearances be requested only for personnel who require actual access to classified information or technology. For most of those who merely require facilities access, a position suitability determination based on the results of a National Agency Check with Inquiries (NACI) should be the maximum allowed."
"The Commission recommends that fee-for-service mechanisms be instituted to fund clearance requests with DOD and the Intelligence Community."
Fee-for-service mechanisms are being introduced and expanded. However background investigations continue to be requested for people who have access to facilities, but no access to classified data, as well as for some people who "might require access in the future". Controls need to be strengthened to better use scarce and still badly overburdened investigative resources. Further, there needs to be a realistic assessment of the need vs. investigative resources. The backlog for clearances is still far too large resulting in continuing expense for personnel who cannot be properly engaged in productive work.
3. Standards for compartmented access.
JSC Report: "The Commission recommends that: a) a single consolidated policy and set of security standards be established for Secret Compartmented Access information including all current SAPs, SCI, covert action, and various bigot list programs; b) Standards contain some flexibility, but waivers down from compartmented access security measures be permitted only when there is no impact on reciprocity."
We have been briefed on new processes being instituted within DOD to implement the above policy and have seen some progress in parts of DOD. Still, there continues to be strong and effective opposition on the part of some program offices who continue to establish individual and arbitrary clearance standards. These arbitrary standards are often at odds with established investigative or adjudicative standards and do not provide for sensible reciprocity.
4. Updating and codifying Information Security policies and procedures.
JSC Report: The Commission recommends that policy formulation for information security be considered under a joint DOD/DCI security executive committee, and that the committee oversee development of a coherent network-oriented information security policy for the Department of Defense and the Intelligence Community that could also serve the entire government".
Information systems security continues to be one of the most intractable issues addressed in the JSC Report. After five years of effort, the National Industrial Security Program Operating Manual still does not provide usable guidance to industry on the requirements and processes for adequate industrial security. This is the most consistent complaint heard by the Advisory Board. While DOD's C3I has now put together a "performance based" chapter eight and a "proscriptive" handbook, these products only now are being coordinated. Further, we believe it will take a far more authoritative push for the government and its industrial partners to meet the goal of delivering meaningful standards by the end of this year.
5. Centralized threat support.
JSC Report: "The Commission recommends that the Secretary of Defense and the Director of Central Intelligence appoint the DCI's Counterintelligence Center as executive agent for "one-stop shopping" for counterintelligence and security countermeasures threat analysis."
The Commission's one-stop shopping recommendation has not been realized for a variety of philosophical, organizational, and budgetary reasons. Consequently, threat information available to customers remains confusing, fragmented, and incomplete. The recommended centralization source, the National Counterintelligence Center (NACIC), is attempting to provide for some threat information through a variety of published reports and automated data base systems which are intended to provide customers easy access and timely information if the systems were completed. The NACIC has established an internet homepage, but envisions the majority of threat information to be disseminated via the Extranet for Security Professionals. The network, started in the DOD's DARPA, and now transferred to Carnegie-Mellon University, is currently only 15% complete, with no FY99 of FY 00 funding commitments. We have been impressed with the potential of Extranet for Security Professionals, and see it as a vehicle contributing to reciprocity and threat information. This program warrants the senior level support needed to get it on line without further delay.