The meeting was opened at 0900 hrs. by Mr. Bill Isaacs, a member of the Security Policy Board staff who serves as the Responsible Federal Officer in support of the SPAB. He welcomed all in attendance and introduced the advisory board members.
1. Chairman Welch presented a progress report on the reconvened Joint Security Commission (JSC II). He began by reiterating the four basic principles of an effective security program outlined by the original Joint Security Commission. They are: (a) policies and services matched to the threats—evolving as the threat changes; (b) policies and practices consistent and coherent—reducing inefficiencies; (c) standards and procedures that are fair and equitable and (d) policies, practices and procedures providing needed security at an affordable price.
The Chairman then outlined the tasks given to the JSC II. In phase I the commissioners will review progress in implementing the recommendations of the Joint Security Commission in support of the principles outlined in PDD-29, examine the operation of the Security Policy Board, and make recommendations to increase its effectiveness. Phase II will examine security issues requiring additional emphasis, specifically in the traditional electronic information security area, and provide recommendations on changes to the approach to security that better balance the most relevant threats to the most relevant security needs.
The General offered that the basic underpinnings of a viable security program are trustworthy and reliable people and an effective security education and awareness program. He then provided what he called some common information security imperatives in today's changing environment. For information to serve national security, it must be relevant, reliable and timely. Hence, four intersecting factors enter into the approach to information protection: ensuring it flows only to the intended place (flow control); ensuring its integrity (content control); ensuring that authorized people, and only authorized people, have access to the information (access control); and ensuring none of the above precludes it being available to the authorized recipient on a timely basis (temporal control).
| Control factor | Traditional (paper) environment | Current (networked) environment |
|---|---|---|
| Flow Control | A solid paper trail, complicated by the copy machine | A largely unaddressed central challenge; focus on network protection |
| Access Control | Controlled primarily by the clearance process and application of need to know | The major focus of much of the ongoing information protection activity; heavy emphasis on improved encryption |
| Temporal Control | Generally not critical | Often critical |
2. Ms. Judy Hughes, Chief Operating Officer, Defense Security Service (DSS), gave an update on activities currently ongoing at DSS. Her briefing centered on the major problem DSS is experiencing with its Case Control Management System (CCMS). Currently, there is a significant bottleneck at the front end of the system. The system was designed to receive its input in electronic format, but a significant amount of input is being sent to DSS in paper form, which requires manual data entry into the system. Efforts are ongoing in earnest to increase the usage of the Electronic Personnel Security Questionnaire (EPSQ) to eliminate or significantly reduce the requirement to enter data by hand.
Ms. Hughes also indicated that, besides the front-end situation, other technical issues exist in the CCMS. She offered the following analogy to frame the issue: the current CCMS, she said, allows information to flow as if it were on a one-lane road, while the current need is for an eight-lane information highway. She stated that DSS is working with the contractor to resolve these technical issues. She then offered some timelines for eliminating the bottleneck and backlog. Meeting these timelines will be contingent on the software fixes and on the ability to secure enough resources to address the data entry problem. DSS has requested support from the military reserve establishment to help with the data entry as well as to assist in the conduct of the investigations. The Military Central Adjudication Facilities are also helping in this effort. Finally, DSS has requested additional funds from OSD(C3I) for increased contract support to expedite the technical solutions.
The entire SPAB questioned the ability of DSS to meet the timelines outlined in the briefing. They opined that the DSS "get well plan" seemed centered only on eliminating the bottleneck at the Baltimore facility and did not completely address the issue of completing the investigations and the subsequent referral to the adjudicative customer in an acceptable time frame. Board member Ms. Stewart also stated that it was shocking to her that pertinent data from PSQs had to be manually entered into the CCMS in this era of automated information processing.
Ms. Olson's presentation provided the background and contributing factors to what was described as the Information Systems Security Policy Conundrum, and offered some recommendations. She began by saying that current policy has no true baseline set of requirements: the NISPOM (Chapter 8) is not commonly accepted, the NISPOMSUP is separate (and not supplemental), and there are also DCID 1/16, AISSIM 200/300, etc. There are inconsistent interpretations and implementations, and current policy fails to adequately address current technology issues and threats. She offered four factors contributing to the situation: 1) the knowledge and experience levels of government information security policy makers (and of the industry participants) are suspect because of the constantly changing environment; 2) there are too many special interest group agendas; 3) the argument has become one of "form rather than substance"; and 4) there seems to be no agreement on a strategic direction. She stated that another significant contributing factor is that the Security Policy Board structure has failed to stand up an Information Systems Security Policy Committee to allow for effective dispute resolution among the various government entities.
Ms. Olson's briefing offered the following recommendations. The SPAB should: (a) champion the development of a unified national strategy to protect classified information and to preserve our Nation's economic and technological interests by coordinating, at the national policy level, the numerous activities involving information systems security, critical infrastructure protection, information assurance and electronic commerce; (b) direct the production of an accepted methodology for risk management based upon reliable estimates of the threat to information systems, a clear understanding of the national policy objectives and operational needs, and the development of risk mitigation (or acceptance) standards which will satisfy legitimate national security requirements; (c) establish a partnership between government, industry and the information technology vendors to set standards for the development, testing and approval of security tools and procedures, create and maintain a central clearing house for approved procedures and tools, and provide the necessary technical training (i.e., applicability and limitations of procedures and tools); and (d) stand up the Information Systems Security Committee of the Security Policy Board to coordinate the various information systems related disciplines and to provide urgently needed conflict resolution. This group should comprise individuals with both advanced technical knowledge and current industrial security experience. Ms. Olson closed her briefing by offering industry's pledge of support and involvement in solving the Information Systems Security Policy Conundrum.
Chairman Welch stated that the Board agreed with the white paper and that they too were frustrated. He stated that Chapter 8 needed the leadership of the Department of Defense, the Department of Energy and the Director of Central Intelligence to get it moving again. He committed to keep the pressure on to get this issue resolved.
5. The meeting was adjourned by Mr. Isaacs at 1130 hrs.