Security Policy Advisory Board
Annual Report -- CY 2000
January 25, 2001
Dr. Condoleezza Rice
The White House
Washington, DC 20500
Subject: Advisory Board Annual Report
Background
The Security Policy Advisory Board (SPAB) was chartered by Presidential Decision Directive 29 of 16 September 1994 to provide a non-government, public interest perspective on actions required to streamline and improve Federal security policies and procedures. Our frame of reference has been PDD-29 and the underlying recommendations of the report of the Joint Security Commission (JSC) dated 28 February 1994 and the five-year follow-up JSC II report, dated 24 August 1999.
Part of our charter is to provide the President, through the National Security Advisor, an annual report of our findings on the implementation of recommendations included in the JSC reports, with emphasis on the four key principles enumerated in PDD-29 that Security Policy: 1) match the threat; 2) be consistent and enable us to allocate scarce resources efficiently; 3) result in fair and equitable treatment; and 4) provide the security we need at a price we can afford.
To carry out our tasking, we hold a series of public meetings over the year to discuss a range of security issues and to solicit inputs from the public at large, with emphasis on industry whose business requires they meet government security standards. To encourage public participation, our meetings are advertised in the Federal Register, held in locations where there are significant concentrations of government contractors, and often scheduled in conjunction with meetings, conventions, or other gatherings of industrial security organizations. In 2000, meetings were held in Santa Monica, California, Cambridge, Massachusetts, Arlington, Virginia and Orlando, Florida.
The Security Policy Board (SPB), chartered as the intergovernmental body to implement the security improvements called for in PDD-29, has now been in operation for six years. The Board has successfully addressed a number of important issues as reported in past reports. Progress in addressing the many issues identified as relevant to the objectives of PDD 29 has not been as expeditious as we had expected. Still, the Advisory Board continues to believe that the SPB is the right vehicle for inter-governmental action on security needs.
There have been some notable achievements this past year. After several years of effort, guidance to industry on information security has been coordinated and published as Chapter 8 of the National Industrial Security Program Operating Manual (NISPOM). Research to provide some analytical basis for controversial aspects of clearance investigative standards is underway and making progress. There is now serious work underway to provide uniform standards for the security of special access programs. A number of other important security issues are now highly visible and there is continuing progress.
Still, overall progress has been frustratingly slow and much remains to be done to provide the means and motivation to meet the objectives of PDD 29. A year ago, an executive committee was formed to speed up the process and to provide for implementation decisions on issues that could be decided below the deputy departmental or agency level. While this has provided some acceleration, the results, so far, have not met expectations. In some areas such as security clearance investigations and databases, security management shortfalls continue to consume excessive resources while, in other areas, such as network defense, there continue to be inadequate structure and programs to address the risks.
We attribute this continuing set of deficiencies to the absence of a viable government-wide security strategy -- one which is supported by clear charters and the required funding and that positions responsibility for efficient and effective security at high enough levels within government agencies to ensure continuing appropriate attention.
Key Areas requiring increased focus and accelerated progress include:
For the Department of Defense, the scope of the problem of backlogs in the investigations process supporting security clearances is now well understood and there is the basis for a realistic assessment of the time and resources required to provide for adequate and timely clearance processes. There is a reasonably well-defined plan to fix the most immediate and costly problem of clearing the current backlog. A realistic estimate to achieve that goal is between two and three years. The Advisory Board endorses that plan even though it means continuing waste and frustration while people wait for the clearances they need to do their work. But the plan will not produce lasting success unless there is firm commitment to three irreducible needs: a process that accurately forecasts and provides reasonable control over the requirement for security clearances; a planning process that identifies the resources needed to meet the requirements; and a program that provides adequate resources. The current situation has some 350,000 initial background investigations and 162,000 reinvestigations currently in the system with another 300,000+ yet to be submitted to Defense Security Service. This situation was created by failure to provide for any of the three needs. There is still not an adequate process, across the department, to forecast and control the requirement and there is no assurance of a program with enough priority to ensure the resources.
In addition to the large and costly backlog, there are also tens of thousands of Department of Defense and defense contractor individuals holding clearances on an interim basis, pending investigations. There are 39,000 interims pending in defense industry alone. About half of these are over 6 months old; however, DSS says it is now in a position to finalize the investigation on interims granted to contractors within 180 days. The interim clearance policy is required to allow apparently trustworthy people to begin productive work expeditiously, though with some increase in security risk. That slight increase is appropriate if it is not prolonged, but some of these interim clearances are several years old. There is currently no way to evaluate the risk associated with clearances with no background investigation and hence no way to prioritize them. Given the current situation with interim clearances, it is unlikely that a massive program to clean up the interim clearance could be supported and executed. However, we can start on a solution by starting now to enforce a six-month limit on new interim clearances. Again, that will require that the interim clearances be within the total forecast of clearance requirements and that the resources be based on providing background investigations, appropriate to the clearance level for all clearances.
To provide for accurate forecasts and control of clearance requirements, the Department of Defense needs to establish Central Requirements Offices at the Service level to review, quality control, and prioritize investigations in order to allow for interim and other high priority clearances to be completed on an expedited basis and to control unnecessary demand for investigations. DSS has established such an office for defense industry.
Quality vs. Quantity
It is also important that senior leadership does not allow the pressure to clean up the backlog to result in inadequate attention to the quality of investigations while single-mindedly pursuing the issue of quantity of investigations. It is far better to accept some extension in the time to address the backlog than to waste resources on inadequate investigations.
Part of the problem of providing adequate resources for background investigations is continuing controversy over the efficacy of some aspects of current background investigation requirements. Controversial issues include the utility of neighborhood checks, the use of telephone vs. face-to-face interviews, and the needed frequency of re-investigations. The current set of standards is the result of the series of compromises needed to reach intergovernmental agreement to make clearance reciprocity among departments and agencies possible. The compromises were based on the best collective judgments but not buttressed by credible study and analysis. The effort to provide that basis has taken far too long and needs to be completed quickly and a concerted effort made to end the controversy over investigative requirements.
Special Access Programs
Valuable work has been done in planning for applying common standards for Special Access Programs (SAPs). An agreed upon policy document has been forwarded to the National Security Council staff for approval and promulgation. We encourage the NSC to review and promulgate these standards and procedures expeditiously.
Even with the promulgation of standards, the system for determining SAP access and granting reciprocity will not work without an accurate and accessible database. Funding should be provided to establish and maintain such a database. We believe that the cost of doing so will be more than offset by the reduction in expenses and delays associated with the conduct of unnecessary investigations and/or adjudications. Furthermore, until there is such a database, there is no assurance that all appropriate security managers are aware of clearance suitability issues involving individuals with multiple SAP access clearances.
Information Security -- Reliable and Trustworthy Personnel
Joint Security Commission II again highlighted the importance of Information Security. One dimension of this problem is the requirement to vet personnel who, although they may not require access to classified information, have routine access to critical portions of the government’s information architecture. The potential for damage to security by such people far exceeds that of the vast majority of security clearance holders. Still, we have seen no progress in establishing the requirement for determining the reliability and trustworthiness of such individuals. This remains an important potential vulnerability in information security.
Information Security -- Authority and Responsibility
As we observed in our 1999 report, national authorities, responsibilities and charters in the area of Information Security (Infosec) remain ambiguous and, in some cases, in conflict. There needs to be a much greater sense of urgency in resolving this issue within the Government. There is clear recognition that this is a complex area with multiple equities and interests involving government and the private sector. Still, there is little reason to expect progress until there is a rational and operational government organization for progress.
The current structure of authorities and charters for Infosec in the government has been evolving at a pace that has not kept up with the emerging threat. The incremental nature of the government response to this threat has resulted in legislation, regulation, policy documents, and charter assignments that are often unclear and overlapping and are sometimes contradictory. Yet there are few areas more critical to the orderly function of government than its ability to access, utilize, and rely upon its information. Responsibility for protection of this critical resource needs to be coalesced and focused. We strongly support an immediate effort to resolve this effort via Presidential Directive and/or legislation, and recommend that the National Security Advisor direct the co-chairs of the SPB to convene a panel made up of members of the SPB Executive Committee to draft the required guidance, and directives, or recommend the necessary legislation.
Information Security -- Network Defense in Depth
We have been encouraged by the progress in understanding this area, in assigning responsibility, and in setting up mechanisms for computer network defense. Within the Department of Defense, the operational responsibility has been assigned to US Space Command and a Computer Network Defense Joint Task Force has been established at the Defense Information Systems Agency with the deputy director of DISA dual-hatted as Commander, CND JTF. That is a good start on getting organized but we remain convinced of the need for special programs for rapid response to changes in threat capabilities and for programs to attract and retain the needed expertise. We also see a need for greatly increased emphasis on protecting essential networks -- classified and unclassified -- from denial of service. Adequate protection must include requirements for architectures that include backup and recovery provisions.
Further, there is still no charter for an organization with intergovernmental responsibility and there is great confusion regarding authorities for operations in response to attacks on U.S. computer networks.
Industry remains frustrated at their inability to conduct meaningful threat management per PDD 29 because of the lack of any definitive threat data. While the National Counterintelligence Center is the logical focal point for providing this data, it has not been effective in doing so. We hope that the CI-21 Study will result in the creation of an apparatus for providing meaningful threat data to industry consumers.