Description of document Redefining Security A Report to the Secretary of Defense and the Director of Central Intelligence February 28 1994 Request date 26 October 2014 Released date 29-December-2014 Posted date 09-February-2015 Source of document Director Information Management Division Office of the Director of National Intelligence Washington D C 20511 Fax 703 874-8910 Email dni-foia@dni gov The governmentattic org web site “the site” is noncommercial and free to the public The site and materials made available on the site such as this file are for reference only The governmentattic org web site and its principals have made every effort to make this information as complete and as accurate as possible however there may be mistakes and omissions both typographical and in content The governmentattic org web site and its principals shall have neither liability nor responsibility to any person or entity with respect to any loss or damage caused or alleged to have been caused directly or indirectly by the information provided on the governmentattic org web site or in this file The public records published on the site were obtained from government agencies using proper legal channels Each document is identified as to the source Any concerns about the contents of the site should be directed to the agency originating the document in question GovernmentAttic org is not responsible for the contents of documents published on the website OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE WASHINGTON DC 20511 DEC 2 9 2014 Reference ODNI Case DF-2015-00042 This is in response to your letter dated 26 October 2014 Enclosure 1 received in the Information Management Division of the Office of the Director of National Intelligence ODNI on 10 November 2014 Pursuant to the Freedom of Information Act FOIA you requested a copy of the Joint Security Commission Redefining Security A Report to the Secretary of Defense and the Director of Central Intelligence Feb 28 1994 The report you requested is outside the scope of the ODNI functions as it predates the existence of ODNI ODNI stood up on 21 April 2005 The report you are requesting appears to be available on several independent websites on the world wide web However for your convenience we have prov d d a copy Enclosure 2 If you have any questions please call our Requester Service Center at 703 874-8500 Sincerely 14 1 L L-fT Enclosures Jennifer Hudson Director Information Management Division ENCLOSURE REDEFINING SECURITY A Report to the Secretary of Defense and the Director of Central Intelligence February 28 1994 Joint Security Commission Washington D C 20505 Joint Security Commission Washington D C 20505 February 28 1994 The Honorable William J Perry Secretary of Defense Pentagon Washington D C 20301 The Honorable R James Woolsey Director of Central Intelligence Washington D C 20505 Dear Sirs I Pursuant to your request the Joint Security Commission was convened on June 11 1993 The Commission was guided by your direction to develop a new approach to security that would assure the adequacy of protection within the contours of a security system that is simplified more uniform and more cost effective 2 This report presents the recommendations of the Joint Security Commission to achieve these objectives and to redefine security policies practices and procedures The report describes the threats to our nation's security and lays out a vision the Commission believes will shift the course of security philosophy We also propose a new policy structure and a classification system designed to manage risks better and we outline methods of improving government and industry personnel security policies We offer recommendations on developing new strategies for achieving security within our information systems including protecting the integrity and availability of both classified and unclassified information assets and we call for a new approach to capture security costs We provide recommendations for linking traditional physical and technical countermeasures to threat We believe that implementation of these recommendations will result in a security system that will meet the evolving threat while being fairer more coherent and more cost effective 3 In reaching its conclusions and recommendations the Commission drew upon the perspectives of policymakers Congress the military industry and public interest groups A though our charter was limited to a review of the Intelligence and Defense Communities we found that many of the problems and solutions have government-wide implications In those instances where we believe that a government-wide solution is the best answer we have offered recommendations to that effect 4 This report represents months of work by the Commissioners our staff and a vast number of citizens both in and out of government who graciously gave us their time and comments On behalf oft he Commission I would like to thank all who contributed to this effort and to give special recognition to our superb staff headed so ably by Dan Ryan Ultimately of course the Commissioners bear full responsibility for the analysis and recommendations contained herein 5 As you have directed the Commission will remain in place until June I to assist in the implementation of our recommendations We look forward to working with you to achieve the objectives you have laid before us Very respectfully Jeffrey H Smith Chairman Attachment ii EXECUTIVE SUMMARY The world has changed dramatically during the last few years with profound implications for our society our government and the Defense and Intelligence Communities Our understanding of the range of issues that impact national security is evolving Economic and environmental issues are of increasing concern and compete with traditional political and military issues for resources and attention Technologies from those used to create nuclear weapons to those that interconnect our computers are proliferating The implications and impacts of these technologies must be assessed There is wide recognition that the security policies practices and procedures developed during the Cold War must be changed Even without the end of the Cold War it is clear that our security system has reached unacceptable levels of inefficiency inequity and cost This nation must develop a new security system that can meet the emerging challenges we face in the last years of this century and the first years of the next With these imperatives in mind the Joint Security Commission has focused its attention on the processes used to formulate and implement security policies in the Department of Defense and the Intelligence Community In reviewing all aspects of security the Commission has been guided by four principles o Our security policies and services must realistically match the threats we face The processes we use to formulate policies and deliver services must be sufficiently flexible to facilitate change as the threat evolves o Our security policies and practices must be more consistent and coherent thereby reducing inefficiencies and enabling us to allocate scarce resources effectively o Our security standards and procedures must result in the fair and equitable treatment of those upon whom we rely to guard the nation's security o Our security policies practices and procedures must provide the needed security at a price the nation can afford The recommendations of the Commission presented in detail in this report fall mainly into three categories 1 recommendations that will maintain and hopefully enhance security but at a lower cost by avoiding duplication and increasing efficiency 2 recommendations that will reduce current levels of security but in accordance with risk management principles based on a changing threat and 3 recommendations that will create new processes to formulate and oversee security policy governmentwide In a very few cases-most notably concerning personnel security and information systems security-the Commission is recommending additional security requirements that will increase costs The Commission's recommendations also include changes that are revenue neutral but will make the security system both more rational and inherently more fair Although the Commission is recommending certain specific changes the primary concern of the Commission is to create new and flexible processes that will adjust security policies practices and procedures to achieve our stated goals as the political economic and military realities evolve iii - In the past most security decisions have been linked one way or another to assumptions about threats These assumptions frequently postulated an all-knowing highly competent enemy Against this danger we have striven to avoid security risks by maximizing our defenses and minimizing our vulnerabilities Today's threats are more diffuse multifaceted and dynamic We also know that some vulnerabilities can never be eliminated fully nor would the costs and benefits warrant trying While the Commission recognizes that the consequences of some security failures are exceptionally dire and require exceptional protection measures in most cases it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures We can then select a mix that provides adequate protection without excessive cost in dollars and without impeding the efficient flow of information to those who require ready access to it The Commission believes that the nation must develop a security framework that will provide a rational costeffective flexible set of policies practices and procedures This framework must use a risk management approach that considers actual threats inherent vulnerabilities and the availability and costs of countermeasures as the underlying basis for making security decisions Risk management requires evaluating the resource impact of proposed changes in security policies and standards This is practically impossible with today's accounting systems because they are not designed to collect security cost data The Commission believes that establishing a system to capture security costs is crucial to effective streamlining and cost reduction Therefore we have recommended the creation of a uniform cost-accounting methodology and tracking system for security resources expended by the Department of Defense the Intelligence Community and supporting industry The Commission believes two areas require particular attention First personnel security lies at the very heart of our security system No amount of physical information systems or procedural security will be sufficient if we cannot ensure the trustworthiness of those who must deal with sensitive and classified information Grave damage has been caused to the United States by current or former employees and contractors of the government who decided to become spies for our adversaries Therefore the Commission believes that renewed efforts must be made to strengthen our personnel security system The Commission also recognizes the necessity for enhancing the training we provide security officers managers and workers in the importance of security and of their roles in protecting the nation's information assets The processes we use to clear personnel in the Defense and Intelligence Communities vary widely from agency to agency Different standards are applied by different agencies clearances are not readily transferable and the time to grant a clearance ranges from a few weeks in one agency to months in others Accordingly we recommend common standards for adjudications and a joint investigative service to standardize background investigations and thus take advantage of economies of scale Second information systems security requires increased attention Productivity is in today's world directly related to information systems and their connectivity The Defense and Intelligence Communities are increasingly dependent on information systems in performing their complex missions on behalf of the nation Information systems technology is however evolving at a faster rate than information systems security technology Overcoming the resulting gap will require careful threat assessments well-thought-out investment strategies sufficient funding and management attention if our computers and networks are to protect the confidentiality integrity and availability of our classified and unclassified information assets The Commission believes that a systems approach is necessary in making decisions about the application of security countermeasures By placing all the responsibility for security on each of the security disciplines we have created requirements for multiple layers of security that add little value This is particularly apparent in physical security where classified documents may be stored in locked containers inside locked strong rooms within secure buildings in fenced facilities patrolled by armed guards-overkill even at the height of the Cold War much less in today's security environment A risk-managed systems approach would tailor countermeasures to threat and should result in significant savings that could be applied to improving personnel and information systems security or to maintaining or improving other areas directly related to successful performance of defense and intelligence missions iv Nowhere will the payoff from improving our security policies practices and procedures be higher than in the industrial base supporting the Defense and Intelligence Communities Our current practices subject industry to a bewildering array of requirements that are compliance-based inconsistent and often contradictory Security requirements imposed on industry far exceed the requirements used by government agencies and organizations to protect the same information While some budgetary and proprietary information must be withheld from some contractors in order to preserve competition the Commission has found little reason to treat industry differently from government for security purposes We must create a partnership between government and industry to enhance security leaving adversarial roles behind The Commission also believes that our security policies must not unnecessarily discourage foreign investment in American companies nor unduly burden our industrial base in competing for a larger share of the world's markets Central to the Commission's recommendations is the immediate formation of a single organization-a security executive committee chaired by the Secretary of Defense or his designee and the Director of Central Intelligence-responsible for the creation of security policies and overseeing the coherent implementation of those policies across the Defense and Intelligence Communities This committee would not of course supplant the existing statutory authorities of the Secretary of Defense and the Director of Central Intelligence including the latter's responsibility to protect sources and methods This committee would however replace numerous existing fora that today independently develop security policies and procedures that are often inconsistent and are sometimes contradictory A single source for security policies should result in reciprocity with consequential reductions in cost and improvements in efficiency Although it is outside the scope of our charter the Commission also believes that this committee should in the very near future be expanded by the addition of representatives from other government departments and agencies and given the responsibility to formulate governmentwide security policies The committee which should report to the National Security Council should oversee the security system and have an outside advisory panel of distinguished Americans to ensure that industry academia and public interest groups have a voice in the formulation of security policies To facilitate the formulation implementation and oversight of security policies practices and procedures the Commission proposes a radical new classification system that greatly simplifies the current system and eliminates the subjectivity inherent in it The Commission worked closely with the Task Force revising Executive Order 12356 on National Security Information in analyzing possible changes and their impacts and determined that a single level of classification with two degrees of protection should be adopted Most classified information would be protected using a coherent set of personnel physical information systems and procedural security standards and would be based on discretionary need-to-know as currently practiced for Confidential and Secret materials Highly sensitive information such as that protected at the Top Secret Sensitive Compartmented Information or Special Access Program levels today would be protected by using a more stringent set of standards and would be based on centrally managed need-to-know determinations Application of this system will be founded on risk management rather than complete avoidance of all risk and would concentrate on security as a service to our communities in place of the compliance-based punitive approach in use today The Joint Security Commission is pleased to present its recommendations for the creation of an improved process for the formulation management and oversight of security policies practices and procedures We believe that implementation of this process and the coherent application of its results should ensure that security countermeasures are chosen to match the evolving threat and that inefficiencies and costs are minimized The resulting security system would treat people fairly and provide a balanced mix of security needed to protect our information assets facilities personnel and our nation's interests v JOINT SECURITY COMMISSION Commissioners Jeffrey H Smith Chairman Duane P Andrews J Robert Burnett Ann Caracristi Antonia H Chayes Anthony A Lapham Nina J Stewart Richard F Stolz Harry A Volz Larry D Welch Staff Dan J Ryan Executive Secretary John T Elliff Deputy Executive Secretary Marisa Barthel John E Bloodsworth Sheila Brand Edmund Cohen Rene Davis -Harding Lee A Falcon Mary Griggs Helmut H Hawkins Dan L Jacobson Richard P Nyren Jr Maria N O'Connor Michael D Reynolds Martin E Strones Jim Sullivan Annette B Swider Larry D Wilcher CIA DoD CIA CIA NSA CIA DoD DoD DoD DoD DoD DoD NSA CIA DoE CIA CIA DoE Secretarial and Clerical Support Barbara Deve Josephine Harrison Betty L Richman CIA CIA CIA vi Table of Contents Chapter 1 Approaching the Next Century 1 Implementing the New Paradigm-Risk Management 3 Chapter 2 Classification Management 6 Classification-Driving Security 6 The Current Classification System-Cumbersome and Confusing 6 Special Access Programs-Lacking Faith in the System 7 A New System-Streanllined and Straightforward 8 A Simplified Controlled Access System 9 Limiting Use of Special Access Controls 10 Uniform Risk Criteria for Secret Controlled Access Information 12 Increasing the Flow ofData 14 Special Cover Measures 16 Security Oversight of Compartmented Access Progranls 17 Classification Management Practices 18 Dissemination Controls -Impediments to Getting Intelligence into the Hands ofCustomers 18 Sharing Classified Information 19 Billet and Access Control Policies 20 Secrecy Agreements 20 Declassification 22 Making the Classification System Really Work-An Integrated Approach with Appropriate Oversight 24 Dealing with Sensitive but Unclassified Information 25 Chapter 3 Threat Assessments-The Basis of Smart Security Decisions 26 Asleep at the Wheel 26 A Wake-Up Call 28 Chapter 4 Personnel Security-The First and Best Defense 30 The Process Begins 30 Requesting a Clearance 30 Prescreening and Fairness 32 Forms and Automation-Ending the Paper Trail 33 Investigations-Assessing Trustworthiness 34 Investigative Requirements-Streamlining the Process 34 Continuing Evaluation-Reinvestigations and Safety Nets 35 Clearance Processing-Time Is Money 36 Adjudication 37 Adjudicative Standards and Criteria 37 DoD Adjudicative Facilities 39 Reciprocity 39 Procedural Safeguards 40 DoD Contractor Personnel 41 DoD Civilian Personnel 42 Differences and Comparative Advantages 43 Military Personnel 46 Special Access Approvals 47 The Polygraph 48 Background 48 vii Applications of the Polygraph 49 Recommendations 52 Oversight 53 Standardization 53 Training Research and Development 54 Chapter 5 Physical Technical and Procedural Security 56 Physical Security Standards 51 Facility Certification 58 Facilities Containers and Locks 58 Industrial Security Inspections 59 TEMPEST 60 Technical Surveillance Countermeasures TSCM 61 Procedural Security 62 Central Clearance Verification 62 Certification of Contractor Visits 62 Communitywide Badge Systems 63 Document Tracking and Control 64 Document Destruction 65 Document Transmittal 65 Operations Security 66 Chapter 6 Protecting Advanced Technology 68 Foreign Ownership Control and Influence 68 Foreign Exchange Agreements-The Status Quo 70 Threat Analysis-Vital to Protecting Advanced Technology 71 The National Disclosure Policy 72 Recording Foreign Disclosure Decisions 72 Chapter 7 A Joint Investigative Senice 74 Personnel Security lnvestigations 74 Industrial Security 75 Establishment of a Joint Investigative Service 76 Chapter 8 Information Systems Security 78 The Threat to Information and Information Systems 79 Dated Policies 80 Failed Strategies 81 The New Information Systems Security Reality 82 Information Systems Security Policy forTomorrow 82 The Investment Strategy for Information Systems Security 83 Research and Development-A Need to Consolidate 84 Infrastructure Security Management 85 Auditing Infrastructure Utilization 85 Managing the Risk to Information Systems 86 Emergency Response-The Need for Help 86 Information Systems Security Professionals 87 Chapter 9 The Cost of Security-An Elusive Target 88 Understanding Security Costs 88 Costs in Black and White 88 Visible and Invisible Security Costs 89 There's No Way to Know How Much We're Spending on Security 90 viii Work to Date in the DoD 90 Intelligence Community Efforts 91 Capturing Security Costs in Industry 91 Moving Towards Consistency 92 CCtting to the Bottom Line-The Payoffls Long Tenn 93 With Up-Front Costs in the Near Tenn 93 The Bottom Line 94 Chapter 10 Security Awareness Training and Education 95 The Present 95 Training for the Future ··· 95 Chapter 11 A Security Architecture for the Future 97 The Present 97 The Future 98 Endnotes 100 Appendixes 103 A Statement of Commissioner Lapham on Secrecy Agreements 103 B Statement of Commissioner Chayes on Procedural Safeguards 104 C Statement of Commissioner Lapham on Polygraph 105 D Acronyms 114 E Acknowledgments 118 ix CHAPTER I APPROACHING THE NEXT CENTURY The first duty of government is to provide security for its citizens This security takes many forms including a strong military a robust economy and mutually beneficial international relationships In a democracy the people's security also depends on the health of the democracy itself This in tum depends on the protection of democracy's processes and the careful maintenance of the balance between the right of the public to know and the government's responsibility to provide for security As the twentieth century nears its end events require that the United States assess the basic assumptions and goals that guide the protection of government information facilities and people Our preoccupation with the specter of nuclear annihilation has been reduced the resources for national security programs are declining sharply and the information age has irrevocably altered the way we do business Concurrently the continued preeminent role of the United States in world political military and economic affairs makes our government and industrial activities of major interest to foreign powers In this environment the security practices and procedures that developed from World War II until the 1990s require fundamental reexamination For some time it has been recognized that the security system is fragmented complex and costly The Infrastructure Report of the Community Management Review requested by then Director of Central Intelligence DCI Robert Gates labeled current security policies and practices as the greatest deterrents to major savings in infrastructure and recommended the creation ofa DCI security commission to design and implement a new security system The DCl's Task Force on Standards of Classification and Control Report commonly known as the Gries Report called for revision of the classification and control system on the grounds that it was unsuited to the geopolitical and fiscal realities in the 1990s The Gulf War reinforced the military's need to analyze and move vast amounts of information to distant theaters of operation Industry has been concerned about the inconsistency and cost of current security practices and procedures Congress is convinced that change is necessary The Secretary of Defense and the Director of Central Intelligence acknowledged these concerns and established the Joint Security Commission in May 1993 The Commission's task was to review security policies and procedures with three simple goals I find what works and keep it 2 determine what no longer works and fix it and 3 identify what the future demands and implement it In the nine months since its creation the Joint Security Commission has attempted to fulfill this task by conducting an extensive security review within the Department of Defense and the Intelligence Community In doing so the Commission sought not only the perspectives of policymakers the Congress industrial leaders the military and public interest groups but also the technical expertise of government and industry security personnel Many will recognize their words and opinions in the text of this report and we acknowledge a debt of gratitude for their contributions We also commend the many initiatives already underway-such as those instituted by the National Industrial Security Program and the DCI's Security Forum-to streamline and modernize the government's security policies and practices and to incorporate risk management strategies The Commission's considered opinion however is that these changes alone are not enough The security system must not only overcome the inefficiencies of the past but also rise to the challenges of the future It must be dynamic flexible and forward looking Nowhere is this more apparent than in the area of information systems and networks The Commission considers the security of information systems and networks to be the major security challenge of this decade and possibly the next century and believes that there is insufficient awareness of the grave risks we face in this arena The nation's increased dependence upon the reliable performance of the massive information systems and networks that control the basic functions of our infrastructure carries with it an increased security risk Never has information been more accessible or more vulnerable This vulnerability applies not only to government information but also to the information held by private citizens and institutions We have neither come to grips with the enormity of the problem nor devoted the resources necessary to understand fully much less rise to the challenge Fundamental and very tough questions are involved What should the government's role be in helping to protect information assets and intellectual capital that are in private hands How should technology developed by the government to protect classified information be provided to the private sector for the protection of sensitive but unclassified information Protecting the confidentiality integrity and availability of the nation's information systems and information assets-both public and private- must be among our highest national priorities The Commission believes that there are fundamental weaknesses in the security structure and culture that must be fixed Security policy formulation is fragmented Multiple groups with differing interests and authorities work independently of one another and with insufficient horizontal integration Efforts are duplicated and coordination is arduous and slow Each department or agency produces its own implementation rules that can introduce subtle changes or additions to the overall policy There is no effective mechanism to ensure commonality The Commission believes that the complexity and cost of current security practices and procedures are symptoms of the underlying fragmentation and cannot be alleviated without addressing it We therefore propose that a security executive committee be created to assume responsibility for the development and oversight of security policy for the US Government and to function as a continuing agent of change We further propose that a security advisory board be constituted to interject a nongovernment and public interest perspective into government security policy These proposals are described in detail in chapter 11 Some other problems that we identify and discuss in this report are o Countermeasures are frequently out of balance with the threat They have too often been based on worst-case scenarios rather than realistic assessments of threats and vulnerabilities o The classification system is cumbersome and classifies too much for too long The zeal to protect information has sometimes inhibited the flow of information to those who need it o Personnel security is the centerpiece of the Federal security system but current procedures are needlessly complex and costly There are too many inconsistencies too many forms and too much delay o There are too many layers of physical security and they cost too much money A facility's security may include multiple layers-fences alarms guards security containers access control devices closed circuit television locks and special construction requirements-that are not necessarily needed o Large sums have been spent on technical security within the United States despite a minimal level of threat o Procedural security measures are not always effective Elaborate record keeping procedures for document control are costly and can no longer be relied upon to deter compromise in the age of personal computers facsimile machines copier equipment modems and networks which offer ample opportunities to copy documents without detection Procedural security that is still necessary such as badges and visitor control can be streamlined o Operations security OPSEC is important and sometimes critical in a military environment and for sensitive operations but it has been extended to inappropriate situations and environments 2 The problems are many and the mandate for change is strong but change must be guided by clear goals and principles We envision security as a dynamic and flexible system guided by four basic principles o Our security policies and services must be realistically matched to the threats we face The processes we use to fonnulate policies and deliver services must be sufficiently flexible to facilitate their evolution as the threat changes o Our security policies and practices must be consistent and coherent across the Defense and Intelligence Communities thereby reducing inefficiencies and enabling us to allocate scarce resources efficiently o Our security standards and procedures must result in the fair and equitable treatment of the members of our communities upon whom we rely to guard the nation's security o Our security policies practices and procedures must provide the security we need at a price we can afford The Commission believes that the application of these principles will make the security system less fragmented less complex and more cost effective We also believe that the progress made will be eroded over time without a fundamental adjustment in the way security is viewed and practiced Security can no longer be seen as an independent external authority that rigidly imposes procedures and demands compliance The Commission believes that it is time for a paradigm shift o Security is a service that should be based on an integrated assessment of threat vulnerability and customer needs Conceptually it should be the way that we think rather than a manual of rules Security then becomes a more positive undertaking that values the spirit over the letter of the law problem prevention over problem resolution and individual responsibility over external oversight It is a partnership between security and operations that balances the need to protect with the need to get the job done Industry is a valuable partner and participant in this process o Security must come from an integrated system that recognizes the interdependence of the individual security disciplines and establishes a logical nexus between the sensitivity of infonnation and the personnel physical infonnation and technical security countenneasures applied in protecting the infonnation In this model the individual security disciplines are interlocking pieces of a puzzle each critical to overall success but none sufficient by itself o Security is a shared responsibility Each individual has a role to play in ensuring the best possible protection for our infonnation personnel and assets Individual and management accountability for security actions and decisions are prerequisites for dynamic and responsive security processes o Security is a balance between opposing equities The imperative to protect cannot automatically be allowed to outweigh mission requirements or the public's fundamental right-to-know and it must never obscure the understanding that an infonned public is the foundation of a democratic government Implementing the New Paradigm-Risk Management In the past most security decisions have been linked one way or another to assumptions about threats These assumptions frequently postulated an all-knowing highly competent enemy For the better part of the last half century we viewed the Soviet Union and its allies as capable of exploiting our every weakness Against this danger we strove to avoid security risks by maximizing our defenses and minimizing our vulnerabilities Since the future of the free world was considered highly dependent on how successfully we maintained our secrets the costs of security programs the constraints on needed infonnation flow and the 3 negative impact on individuals and our economic competitiveness were all secondary considerations We used worst case scenarios as the basis for most of our security planning The threats today are more diffuse multifaceted and dynamic National security concerns now include a daunting array of challenges that continue to grow in diversity in our unstable and unpredictable world The possibility of failure of democratic reform in Russia poses a constant danger Further Russia's ability to maintain control of its special weapons China's supplying of equipment and technology to unstable countries and North Korea's Iran's and Iraq's attempts to develop nuclear weapons have serious and farreaching implications for regional security and stability Burgeoning ethnic and religious rivalries that cross traditional boundaries endanger both new and long-standing peace agreements drawing the United States into an expanding role in peacekeeping and humanitarian missions The bombing of the World Trade Center and the assassination of two CIA employees in Virginia heightened our sensitivity to the fact that terrorist activities against Americans can occur domestically as well as abroad Violent crime and narcotics trafficking in our neighborhoods also continue to threaten American lives and values The Commission recognizes that the consequences of failures to protect against some of these threats are exceptionally dire For instance terrorists' use of weapons of mass destruction or an adversary's foreknowledge of our battle plans could have consequences so grave as to demand the highest reasonably attainable standard of security This is true even if the probability of a successful attack is small and the cost of protection is high Some inherent vulnerabilities can never be eliminated fully nor would the cost and benefit warrant this risk avoidance approach In most cases however it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures and select a mix that provides adequate protection without excessive cost in dollars or in the efficient flow of information to those who require ready access to it We can and must provide a rational cost-effective and enduring framework using risk management as the underlying basis for security decision making The Corrmission views the risk management process as a five-step procedure I Asset valuation and judgment about consequence ofloss We determine what is to be protected and appraise its value Part of asset valuation is understanding that assets may have a value to an adversary that is different from their value to us 2 Identification and characterization ofthe threats to specific assets Intelligence assessments must address threats to the asset in as much detail as possible based on the needs of the customer These assessments may be commissioned at the national level to feed the development of security policies and standards at the program level to guide systems design or in planning intelligence support for military or other operations 3 Identification and characterization ofthe vulnerability of specific assets Vulnerability assessments help us identify weaknesses in the asset that could be exploited The manager may then be able to make design or operational changes to reduce risk levels by altering the nature of the asset itself Cost is an important factor in these decisions as design changes can be expensive and can impact other mission areas 4 Identification ofcountermeasures costs and tradeoffs There may be a number of different countermeasures available to protect an asset each with varying costs and effectiveness In many cases there is a point beyond which adding countermeasures will raise costs without appreciably enhancing the protection afforded 5 Risk assessment Asset valuation threat analysis and vulnerability assessments are considered along with the acceptable level of risk and any uncertainties to decide how great is the risk and what countermeasures to apply 4 This process is depicted in the following figure dentify and haracterize he threat Assess the value of the potential target Analyze Vulnerabilities Identify and cost countermeasures Risk ---nnanagement i--------iASsess risks decisions ost-effective security Figure 1 The Risk Management Process When any of these steps are left out the result can either be inadequate protection or unnecessary and overly expensive protection Frequently the missing element is the incorporation of specific up-to-date threat assessments in the development of security policies With no documented threat information countermeasures are often based on worst case scenarios The Commission stresses that managers must make tradeoffs during the decision phase between cost and risk balancing the cost in dollars manpower and decreased flow of needed information against possible asset compromise or loss Policy decisions resulting from the risk management process can then guide security planning At the national level these risk management decisions should form the backbone of and provide the standards for the security system The resulting standards would promote consistency coherence and reciprocity across programs and agencies 5 CHAPTER2 CLASSSIFICATION MANAGEMENT Classification-Driving Security The classification system is designed primarily to protect the confidentiality of certain military foreign policy and intelligence information It deals with only a small slice of the government information that requires protection although it drives the government's security apparatus and most of its costs Despite the best of intentions the classification system largely unchanged since the Eisenhower administration has grown out of control More information is being classified and for extended periods of time Security rules proliferate becoming more complex yet remaining unrelated to the threat Security costs increase as inconsistent requirements are imposed by different agencies or by different program managers within the same agency This accretion of security rules and requirements to protect classified information does not make the system work better Indeed the classification system is not trusted on the inside any more than it is trusted on the outside Insiders do not trust it to protect information that needs protection Outsiders do not trust it to release information that does not need protection This Cold War classification system can be simplified In place of more than 12 levels of protection and widely differing and inconsistent security policies and practices the Commission recommends a single rational governmentwide standard for the protection of classified infonnation The Current Classification SystemCumbersome and Confusing The classification system is more complex than necessary Classification is inherently subjective and the current system inappropriately links levels of classification with levels of protection The current classification system starts with three levels of classification Confidential Secret and Top Secret often referred to collectively as collateral Layered on top of these three levels are at least nine additional protection categories These include Department of Defense Special Access Programs DoD SAPs Department of Energy Special Access Programs Director of Central Intelligence Sensitive Compartmented Information Programs DCI SCI and other material controlled by special access or bigot lists Footnote 1 such as the war plans of the Joint Chiefs of Staff and the operational files and source information of the CIA Operations Directorate Further complicating the system are restrictive markings and dissemination controls such as ORCON dissemination and extraction of information controlled by originator NOFORN not releasable to foreign nationals and Eyes Only Classification TOP SECRET SECREf CONFIDENTIAL UNCLASSIFIED TS - BIGOT LIST S - BIOOT LIST C - BIGOT LIST Levels of Protection TS-SCI S-SCI C-SCI TS-DoD SAP S-DoD SAP C-DoD SAP Figure 2 The Current Classification System Currently proper classification depends on assessing the expected damage to national security caused by unauthorized disclosure of the information Information is classified as Confidential if damage is expected to occur Secret is used if serious damage will result Information is Top Secret only if 6 exceptionally grave damage will occur However because it is difficult to precisely define levels of damage reasonable persons can and do differ in their evaluation Yet it is not even clear why the effort to assess damage should be made since the protection required is not dependent on the level of damage For example greater protection is provided for Secret information in SCI channels disclosure of which would cause serious damage to national security than for Top Secret information that is not within a special access program disclosure of which would cause exceptionally grave damage Moreover from a Freedom of Information Act or an Espionage Act standpoint the significant issue is whether the information is classified not the level at which it is classified We conclude that there is no need for levels of classification Information is not more classified or less classified It either is classified or it is not Indeed thinking about information as more or less classified has led to statements that information is only Confidential or only Secret This thinking also has led to efforts to link classification levels with the length of time protection is required Yet we know that some Top Secret information such as an invasion date may need to be protected for days while some Secret information like the identity of a confidential source may need to be protected for decades Special Access Programs-Lacking Faith in the System Special access programs Footnote 2 are used to compensate for the fact that the classification system is not trusted to protect information effectively and does not adequately enforce the need to know principle For example the Top Secret classification is supposed to protect information that if improperly disclosed would result in exceptionally grave damage to the national security Yet the perception is that the regular classification system cannot protect such information because it has no provision for limiting which cleared persons have access to the information In the 1980s as confidence in the traditional classification system declined more and more information was put into SAP and SCI compartments based on assertions that the regular classification system provided inadequate need-to-know restrictions The special access system gave the program manager the ability to decide who had a need-to-know and thus to strictly control access to the information But elaborate costly and largely separate structures emerged According to some the system has grown out of control with each SAP program manager able to set independent security rules The Department of Defense divides these programs into three categories acquisition intelligence and operations and support Footnote 3 Programs in these categories are further defined as either acknowledged or unacknowledged Footnote 4 Some of the most sensitive DoD programs are waived or carved out from certain oversight and administrative requirements There are over one hundred DoD SAPs with many having numerous compartments and subcompartments designed to further segregate and limit access to information Each special access program manager is free to establish the security rules that will apply to his or her particular program Within the Intelligence Community the term Sensitive Compartmented Information SCI refers to data about sophisticated technical collection systems information collected by those systems and information concerning or derived from particularly sensitive methods or analytical processes Specific SCI control systems serve as umbrellas for protecting a type of collection effort or a type of information Within each SCI system are compartments and within them subcompartments all designed to formally segregate data and restrict access to it to those with a need-to-know as determined by a central authority for each system There are over 300 SCI compartments recently reduced from over 800 grouped into a dozen or so control channels Special activities have their own non-SCI control channels Rules relating to SCI programs are found in DCI Directives DCIDs but implementation is uneven and minimum standards are often exceeded In addition to the formal SAP SCI and covert action control channels strict need-to-know access restrictions also are imposed for other types of information within the DoD and the Intelligence Community 7 These include information identifying intelligence sources and liaison relationships as well as information about military plans such as the Single Integrated Operations Plan SIOP for strategic nuclear war or the battle plan for the invasion oflraq during the Gulf War Access to such information is generally controlled by access or bigot lists The Commission agrees that some types of classified information such as identities of intelligence sources information about sensitive intelligence methods plans for operations and technological advances that provide our military forces unique advantages on the battlefield may require more protection than others However we do not agree that each SAP manager needs to establish a unique set of security rules or that SAP security rules and SCI security rules need to be different Current practice has begun to recognize this fact and to coalesce around two standards one for Confidential and Secret the other for Top Secret and SAPs SCI In personnel security for example agencies do not have separate clearance standards for Confidential and Secret And a single clearance standard for Top Secret and SCI is evolving with DoD SAPs beginning to follow this standard even though program managers today have the authority to impose their own standards and many do so A New System-Streamlined and Straightforward The opportunity to change the classification system comes at an important point in our history In this post-Cold War period we can move away from a strategy that has been characterized as something close to total risk avoidance and develop instead an approach more clearly based on risk management We continue to recognize that there is information that needs the protection of the classification system and that there are costs associated with the unauthorized disclosure of information vital to the national security But we also recognize that in a democracy the public needs access to information about what its government is doing and that there are significant costs associated with keeping information classified and tightly controlled In sum it is important to consider the political economic and opportunity costs of classifying information as well as the costs of failing to classify information The Commission finds that the costly and complicated bureaucracy that provides security is a reflection of the underlying complexity of the classification management system The Commission believes that a less complicated system can help correct the current approach that has led to classifying too much at too high a level and for too long We propose a new one-level classification system Under this system information either is classified or it is not There would be a single legal definition of classified information and no need to pretend that we can precisely measure the amount of damage to national security that would be caused by an unauthorized disclosure Two degrees of protection will be available instead of the dozen or so now used Information either will be generally protected labeled SECRET or specially protected labeled SECRET COMPARTMENTED ACCESS Each protection level would be defined both in terms of the type of information to be included and the type of protection The protections available for each level will be standardized Most special handling and dissemination markings will be unnecessary and special access controls will be integral to rather than added onto the classification system In addition only certain clearly defined categories of information will qualify for special protection and only in certain clearly defined circumstances Classification Classified Unclassified Levels of Protection SECRET I SECRET CONIROLLED ACCESS I Figure 3 The Proposed Classification System The vast majority of classified information would be generally protected to promote the availability and accessibility of the information Baseline security protection standards will be established and discretionary need-to-know would apply a cleared individual could determine whether to pass the information to another 8 cleared individual Generally protected information would incorporate current Confidential and Secret documents which will not have to be remarked The Commission recognizes that most departments and agencies have and will want to continue procedures that govern the manner in which Secret information is disseminated within their organizations Some may also wish to maintain limited control on their information that is passed to other agencies such as a requirement that the recipient agency not pass the information on to a third agency without obtaining permission from the originating agency Finally there may be unique problems that arise in implementing this new approach that require an exemption from general rules such as the manner in which CINCs communicate with Navy vessels The Commission recognizes the need for flexibility but does not want to lose the advantages of the new system through creating loopholes by for example permitting heads of departments and agencies to create mini SAPs by imposing dissemination controls Therefore the Commission recommends that heads of departments or agencies be permitted to establish dissemination controls on Secret information only upon approval of the security executive committee proposed in chapter 11 As a result of risk analysis a limited amount of information would be specially protected as Secret Compartmented Access information Enhanced security protection standards would apply requiring a higher clearance standard for access and a centralized need-to-know control structure provided by an access or bigot list Compartmented access information would incorporate most current Top Secret Special Access and Sensitive Compartmented Information The Commission finds that classification management is the operating system of the security world Classification drives the way much of security policies are implemented and security practices are carried out Standards organizations procedures and policies governing everything from the levels of security clearance to procedures for processing information to sentencing guidelines for individuals convicted of espionage are based on our existing classification structure The complexity of the existing classification system is the root cause for much of the confusion of the existing security system Footnote 5 Simplify the classification system and simplification of the security system will follow The Commission notes that the existing classification management system is evolving naturally into a two-level system Confidential and Secret information is handled using similar or identical standards Top Secret SCI and SAP information is protected using more stringent and substantially common standards The Commission believes that this natural occurring division forms an excellent basis for an improved classification system The proposed system will better relate needed asset protection to security countermeasures In place of the myriad investigative and adjudicative requirements and the differing physical security standards two security standards based on analysis ofrisk would be developed to guide application of the two degrees of protection for these security disciplines Procedures for securing classified information would likewise have only two standards Similar simplifications would follow throughout the rest of the security system Recommendation 1 The Commission recommends the establishment of a one-level classification system with two degrees of protection A Simplified Controlled Access System The Commission concludes that the current special access system needs to be sinplified Enhanced security protection can be achieved with less compartmentation and fewer barriers to the flow of information Instead of the current complicated system with the multiple control officers and multiple control channels information requiring special protection would be marked SECRET COMPARTMENTED 9 ACCESS and would carry a designator such as a codeword or number identifying the relevant access list A single specially protected information control officer and channel would replace the panoply of structures and systems for protecting SCI SAPs or bigot list controlled access information Thus instead of the structure shown below in figure 4 PECIAL ACCESS ROGRAMS E O 'BIGOT LISTS igraphs rigraphs Subompartments Subcompartments Figure 4 Current Special Access Programs Structure We propose the following structure OMPARlMENTED ACCESS SYSTEM COMPARTMENTS Figure 5 Proposed Special Access Programs Structure Recommendation 2 The Commission recommends that a All special access SCI covert action control systems war plans and bigot list activities be integrated into the new classification system b A single control channel for SECRET COMPARTMENTED ACCESS information with a codeword for each need-to-know list replace all existing special control channels Limiting Use of Special Access Controls The Commission concludes that simplifying the system will aid in identifying and better protecting information that really needs enhanced security protection Viewing information as part of a special access program often meant that everything in the program had to be compartmented Analyzing the impact of the loss of specific information focuses attention on what needs special protection and what does not and would result in less information being placed at the compartmented access level Steps will be taken to limit the amount of information that is specially protected and to prevent the migration of information from the generally protected level to the specially protected level A first step is to identify clearly in an executive order those limited categories of information qualifying for special protection 10 The Commission suggests the following categories of information be considered for special protection o A technology application that provides a significant battlefield edge and that could be copied or countered if key information were disclosed to a potential adversary o A sensitive military operation or plans for the operation in circumstances in which disclosure might impair its current or future success o A fragile intelligence method when the opposition is not aware of either the fact or special capabilities of the method and were they to become aware of it could employ countermeasures to deny us information or use deception to feed the US incorrect information o A human source in circumstances in which the US would lose its ability to use the source and or the source or the source's family is likely to be harmed o A sensitive intelligence counterintelligence or special activity in circumstances in which disclosure would impair its success o Information that would impair US cryptologic systems or activities o Sensitive policy issues or relationships with a foreign government which if revealed would significantly harm foreign government cooperation with the US o A US negotiating position in circumstances in which such disclosure would cause us to lose a negotiating advantage o Scientific and technical information that describes the design of weapons of mass destruction that could significantly assist others to develop or to improve such weapons or to significantly enhance their ability to circumvent the control features of such weapons Recommendation 3 The Commission recommends that compartmented access be considered for the categories of information detailed above and any other categories of equally sensitive information and that all current and future Special Access Programs war plans requiring limited access controls Sensitive Compartmented Information covert action control systems and bigot lists be reviewed and validated against that list Perhaps the greatest weakness in the entire system is that critical specially protected information within the various DoD and SCI compartments is not clearly identified Individuals within government and industry are forced to protect everything within a particular compartment rather than just the small amount of information that truly needs compartmented access status and need-to-know controls One general officer likened the situation to trying to protect every blade ofgrass on a baseball field He had to have a hundred players to guard the entire field when only four persons to protect home plate would suffice The Commission believes a rigorous review is needed to identify and separate the information that will continue to require special protection from that which does not Such a review will allow many compartmented access compartments to be eliminated and will permit the consolidation of critical data within fewer remaining compartments 11 Recommendation 4 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence direct that managers for each compartmented access system undertake a review to identify information within all compartments and subcompartments that requires continued special protection This information should be consolidated in the fewest compartments possible Uniform Risk Criteria for Secret Compartmented Access Information The Commission believes that decisions to require special protection for sensitive information and activities should be consistently made based on common risk management principles The Commission found that uniform risk assessment criteria do not exist for establishing designating managing and disestablishing SAP and SCI compartments Each component develops its own procedures for assessing the risks dictating compartmented access protection often with little external guidance or oversight Some elements place unclassified technologies and independent research and development efforts directly under special protection as soon as a promising military application is discovered Others do not and thus disparities exist among agencies in the way the same basi technology or application is classified designated and protected The decision to designate a DoD SAP as unacknowledged radically increases its cost and severely inhibits oversight coordiniJtion and integration with other similar programs Critics advised the Commission that state of the art advances and efficiency gains may be sacrificed or significantly hindered once a technology-based program is brought under special controls If an acquisition SAP is unacknowledged others working in the same technology area may be unaware that another agency is developing a program The government may pay several times over for the same technology or application developed under different special programs within different agencies Two military services and the DoE have programs involving the same technological application One military service classified its program as Top Secret Special Access with a deadly force protection requirement The other military service classified its program as Secret Special Access with little more than tight need-to-know protection applied The DoE classified its program as collateral Secret adopting discretionary need-to-know procedures Despite the fact that the Commission did find one or two examples of programs coordinating common technology or scientific issues the potential still exists for disconnects in coordination and integration among various DoD SAPs and non-SAP programs In the above example the three government agency program managers are aware of the other programs but refuse to devise a common protection standard This problem is not uncommon The strict SAP control inhibits the flow of information One result is that comparable advances in state-of-the-art technology by related noncompartmented government research efforts are not readily accepted by some SAP managers as valid reasons to decompartment their programs The government pays a high cost when this occurs Continuing special security controls when they may not be necessary is expensive But the controls are probably much less costly than the lost opportunities caused by inhibiting non-governmental research initiatives with potential payoffs for the SAP itself The Commission applauds the DoD's action to establish joint coordination and review of Stealth and related low-observable technologies developed by numerous special programs However this effort should 12 be expanded to achieve integration across the DoD components and non-DoD agencies in other areas of technology to reduce apparent gaps in the integration of SAP decisions with national-level science and technology intelligence counterintelligence and counterproliferation intelligence analysis Again using the example above a common security standard is needed to reduce conflicting analyses regarding the true state-of-the-art or the actual threat to advanced technologies that in tum leads to the application of varying degrees of security and the resulting costs There also is the need for coordination ofDoD special program issues and decisions with other governmental interests such as foreign relations with the Department of State and national intelligence issues with the Director of Central Intelligence In the past decisions were made not to brief the Director of Central Intelligence on certain DoD programs that affected national intelligence interests Such decisions can occur when senior-level personnel are not made aware of for example the existence of a subcompartment or the impact of certain activities under special programs The Commission's recommendations on threat assessment and risk management should be followed in determining whether and how special protection is to be applied especially with respect to unacknowledged programs This criteria should form the basis for decisions made on special protection throughout the government Recommendation S The Commission recommends that the Secretary of Defense and the Director of Central Intelligence a Establish uniform risk assessment criteria for the consideration desWiation review management and decompartmentation of information requiring special protection b Conduct independent risk assessments of the unacknowledged status of compartmented access programs based upon all-source analysis of relevant intelligence and counterintelligence information c Review similar compartmented access programs to ensure reciprocity and eliminate redundancy d Institute a formal mechanism to review designation coordination and integration issues related to compartmented access programs to ensure that the DoD elements the Intelligence Community the Departments of State Energy Commerce and others are advised of compartmented access program issues affecting their interests Currently SAP security policies are developed independently by individual program managers Within the Intelligence Community actual SCI program practices often exceed the DCID standard The Commission found that many of the problems with the SAPs and the SCI programs are due to obsolete security standards and inconsistent program-specific applications The conflicting policies of the DoD and Intelligence Community elements add significant unnecessary expense to the system with no appreciable increase in security Common standards for special protection would bring coherence to the DoD and Intelligence Communities and bridge the gap between the DoDs SAPs and the DCis SCI programs Under the new classification scheme the security executive committee described in chapter 11 will work with security professionals and program managers to develop a single uniform security policy and set of standards adequate to protect all DoD and Intelligence Community special programs As a consequence there no longer would be the wide variances in security practices that significantly raise costs particularly in industry Managers of special programs would not be granted unbridled discretion in deciding which security measures to employ but they would be allowed to waive down from the standard in circumstances in which reciprocity is not affected In sum reciprocity integration and the ability to control overall costs requires that a uniform standard be followed in most cases but exceptions could be made in appropriate circumstances 13 Recommendation 6 The Commission recommends that a A single consolidated policy and set of security standards be established for Secret Compartmented Access information including all current SAPs SCI covert action and the various bigot list programs b Standards contain some flexibility but waivers down from compartmented access security measures be permitted only when there is no impact upon reciprocity Increasing the Flow of Data Many persons who spoke to the Commission were quite critical of the Intelligence Community's tendency to disseminate intelligence data within compartmented channels rather than at the generally protected level Combatant commanders are adamant that intelligence must be released at the Secret level to be useful to them Law enforcement agencies increasingly assert that most intelligence information passed to them is overclassified and therefore often unusable Excessive compartmentation precludes the timely dissemination of intelligence pending completion of reviews to remove or sanitize source and method revealing information or until permission is granted for release of originator-controlled data This has an adverse impact on the timeliness and specificity of intelligence The impact is very serious to users of intelligence in the DoD its agencies and the military services During the Gulf War the limited amount ofsanitized operations-related intelligence information forced one military officer to meet his warfighting needs by regularly flying two Captains back and forth to US installations in Europe to get additional information decompartmented and then to return with as much of this hard copy intelligence data and imagery as they could carry All users made clear to the Commission that they want intelligence provided in a more timely manner with as much specificity as possible and with fewer dissemination restrictions Currently compartmented data should be reviewed to remove source- or method-revealing information so that significantly more intelligence information can be made available as generally protected information Those sanitizing intelligence should also ensure as much usable data remains as possible Concerns have been raised that at times so much information is removed in order to protect sources and methods the ability of users of the information to make critical decisions is undermined The Commission is encouraged by efforts under way to limit the amount of controlled access information within the Intelligence Community Most intelligence reporting based on human sources is not compartmented because source-identifying information is deleted Further a significant amount of imagery is being released outside of compartmented channels While the National Security Agency has made progress in decompartmenting its information more can be done Significant benefit would be gained ifthe National Security Agency were to form a task force similar to the one formed by the Central Imagery Office to drastically reduce the amount of compartmented information it produces and to release more intelligence at the generally protected level The Commission believes that as a general rule only the limited amount of intelligence that would materially compromise sensitive sources and methods or collection strategies as well as that which has exceptional political sensitivity due to the nature of the target should remain within compartmented channels The remaining vast majority of data should be routinely released as generally protected information Where source-revealing information must necessarily be included the Commission strongly recommends the use of a tear line Those who need to know how the information was derived will have access to the information above the tear line marked SECRET COMPARTMENTED ACCESS Those who need to act on the information but do not need to know the source of the information will receive the generally protected information below the tear line marked SECRET 14 Recommendation 7 The Commission recommends that a All intelligence reporting within compartmented channels be severely restricted to the limited amount of information that would compromise sensitive sources and methods or collection strategies or that has exceptional political sensitivity b All other intelligence products particularly when related to military operations be released as generally protected information Advanced weapon systems and specialized intelligence capabilities are of little use to the military commander if he is unaware of them and unable to train warfighting elements in the use of the new capability Briefing commanders when compartmented access programs are ready for use is not enough Military elements must be kept aware of the program its goals and objectives and its potential employment well ahead of production and deployment in order to fully incorporate new capabilities into unit war plans Although many technologies weapon systems and intelligence capabilities are ultimately developed for use by the warfighter no effective procedure exists to ensure that combatant commanders are briefed on all such systems their capabilities and projected availability for use Moreover the Commission found that even when military elements are briefed they are put under such tight constraints that they are unable to use the compartmented access information in any practical way This prohibits field elements from being able to incorporate these capabilities into war planning and other crisis activities A senior military officer on the Joint Staff expressed concern that current classification and security procedures constrict the flow of operational information to the warjlghter at the tactical level He felt that we still treat certain capabilities as pearls too precious to wear-we acknowledge their value but because oftheir value we lock them up and don't use them for fear of losing them The Commission believes that more needs to be done to keep combatant commanders informed of current and upcoming programs capabilities weapons and operations that could potentially be used in a military venue Accordingly a separate small entity should be established and given the responsibility to work with the owners of compartmented access information to disseminate it aggressively to combatant commanders This entity with full access to all compartmented access programs would balance the perceived reluctance of special access program managers to share information against the perceived tendency of military entities to disseminate this information broadly within a command The intent is to ensure that combatant commanders are more fully informed about compartmented access activities while taking into account the sensitivity and fragility of the information Recommendation 8 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence a Establish a separate entity to work with special access program managers and combatant commanders to ensure that military commands are more fully aware of compartmented access information concerning current and projected technologies weapons techniques operations and programs that are pertinent to their responsibilities b Delegate authority to combatant commanders to brief staff members with a need-toknow on compartmented access information so that these capabilities can be incorporated into conflict planning activities 15 Special Cover Measures There are many valid reasons for the special cover measures used by some military and intelligence organizations such as potentially life-threatening high-risk covert operations and intelligence and counterintelligence investigations or operations However these techniques also have increasingly been used for major acquisition and technology-based contracts to conceal the fact of the existence ofa facility or activity or to mask government-contractor affiliations The Commission found that the use of cover to conceal the existence of a government facility or the fact of government research and development interest in a particular technology is broader than necessary and significantly increases costs For example one military service routinely uses cover mechanisms for its acquisition controlled access programs without regard to individual threat or need Another military organization uses cover to hide the existence of certain activities or facilities Critics maintain that in many cases cover is being used to hide what is already known and widely reported in the news media Several government agencies paid under various secure contracts to have a significant number of sterile telephones installed to hide contractors' affiliations with the government Jn many cases the sterile telephones were installed next to secure telephones required by other classified government contracts Jn one case a contractor had 200 sterile telephones next to J 73 STU-Jll telephones and 145 secure green phone lines These cover mechanisms are expensive and the marginal security benefits gained by compartmenting knowledge of the existence of a government or contractor facility often are outweighed by the costs of concealment including the costs to other programs that would benefit from sharing technical knowledge and sharing use of the facility Special protection generally should focus on the most sensitive uses of a facility rather than the fact of its existence Organizations with high-funding profiles and extensive contracts such as the National Reconnaissance Office have incorporated elaborate rules into their daily operations to conceal the fact of their existence and to hide the identity and affiliation of organization employees and contractors Even though the NRO's existence was finally declassified in 1992 classification for most of its personnel and activities remains in place We believe many NRO classification requirements currently imposed can be dropped without danger to essential NRO activities The Commission believes an overall review of the DoD and Intelligence Community organizations employing cover mechanisms is needed to determine whether such costly measures continue to be necessary Recommendation 9 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence a Rescind blanket classified status for the NRO and its employees b Review the cover status of the DoD and Intelligence Community elements and personnel rescinding cover for those without a documented covert intelligence or operational mission c Review existing covert contractual requirements to determine those that may be canceled as soon as advantageous to the government d Develop new policies for cover that limits its use to those situations for which it is needed 16 Security Oversight of Compartmented Access Programs The DoD management framework provides for oversight of all DoD compartmented access programs through reviews by the Deputy Secretary of Defense Oversight is also provided by reports to Congress The Commission has reviewed the reporting procedures that exist with respect to Congressional oversight of the DoD controlled access programs including those for programs that are waived from certain requirements due to their extreme sensitivity We see no need to modify existing reporting procedures and believe that the current system should continue without change Until recently there has been no procedure for centralized assessment of special program proposals submitted directly to the Deputy Secretary of Defense by the military departments The recent formation of the DoD Special Access Program Oversight Committee which the Commission fully supports will ensure that every program is reviewed by a panel of senior officials prior to its establishment and annually thereafter to determine whether compartmentation for each program is still required This new management structure is an important initiative to improve centralized review cross-program integration security policy guidance and oversight of special programs The Commission suggests that the Oversight Committee expand this review to incorporate a separate evaluation of the proposed or actual security countermeasures for each special program A separate review could yield alternate security countermeasures to replace the sometimes costly or inefficient countermeasures proposed by the sponsoring special program managers For existing controlled access programs the Committee should examine how previously-approved security countermeasures are actually implemented This may reveal security practices that are no longer necessary and help to lessen the gap between actual practice and policies for controlled access programs Finally the Commission believes that security cost-drivers such as unacknowledged special program status imposition of cover mandatory polygraphs for access and waivers from Defense Investigative Service inspections of contractors should be considered and approved separately by the DoD Special Access Program Oversight Committee before they are imposed These steps will aid the Oversight Committee in eliminating unnecessary and costly security practices and in redirecting scarce protection resources to other program priorities The Commission believes that the DoD's new approach to overseeing controlled access programs is reasonable However the Commission believes the process could be strengthened by establishing a security oversight arm that is wholly independent from the everyday management and security of controlled access programs An independent viewpoint is necessary to interject an unbiased broader perspective on controlled access proposals and practices because many believe that SAPs are created not simply for security reasons but to create a specialized cadre of experts streamline procurement limit oversight and thus speed development Others are concerned that fundamental questions about the propriety of controlled access activities may not be raised by those within the special program community or be presented to senior policymakers outside of the sponsoring military service This new oversight function would have to have up-front across-the-board access to all special access programs The Commission's proposed independent oversight arm also would provide valuable guidance with respect to access control practices applied to programs other than recognized SAPs In the past certain DoD components have limited the distribution of particular types of classified information such as military plans without formally designating the program as a SAP because SAPs require high-level approval and oversight These programs use labels such as LIMDIS limited distribution SPECAT special category or other less formal designations The Commission views these programs as SAP-like in that aspects of approved specially protected programs such as multiple compartments and nondisclosure agreements often are imposed upon those given access to the information However DoD officials have taken the position that compartmentation to protect military plans should not be considered a program within the meaning of Special Access Program regulations but simply a planning document As a result military plans currently are not included in senior-level special program reviews 17 In the future none of these plans versus program distinctions should matter under the Commission's proposed new classification structure However independent oversight will continue to be necessary for controlled access programs to ensure that security issues are fully aired to senior management Assigning independent responsibility for conducting inquiries regarding activities protected by special programs and similar compartments will give the Secretary of Defense a valuable check and serve as a safety valve in ensuring that security protections are not misused and that questionable practices are brought to light and resolved within the Department Recommendation 10 The Commission recommends that the Secretary of Defense a Under the auspices of the DoD Special Access Program Oversight Committee I Conduct a separate evaluation of proposed or actual security countermeasures for controlled access programs 2 Separately review and approve unacknowledged status imposition of cover mandatory polygraph for access requirements and waivers from Defense Investigative Service security ihspections of contractors before they may be imposed on controlled access programs b Assign security oversight responsibilities for controlled access activities to an independent DoD office outside the special program community CLASSIFICATION MANAGEMENT PRACTICES There are a number of additional areas dealing with the implementation and management of the classification system whether the current or the proposed system that require consideration and improvement Dissemination Controls-Impediments to Getting Intelligence into the Hands of Customers A senior intelligence official stated that the day-to-day most serious problem is that we don't get intelligence to the policymakers in a way that they can use it The issue is not merely that too much information is compartmented but that intelligence users may be denied timely access to intelligence data and other classified information due to an originator's tendency to include unnecessary control markings Four of the standard control markings Footnote 6 established by the Director of Central Intelligence for the Intelligence Community are security controls two are not Footnote 7 The Commission recommends that three of the four security control markings be eliminated They are duplicative unnecessary and impede the timely transfer of intelligence to those who need it WNINTEL Warning Notice - Intelligence Sources and Methods Involved is implicit in the specially protected category ORCON Dissemination and Extraction oflnformation Controlled by Originator is viewed as more of an impediment to intelligence users than a protection for intelligence producers and all US classified information is NOFORN not releasable to foreign nationals unless a decision is made to release such information Accordingly the REL TO authorized for release to control should suffice Under the new classification system security control markings apart from REL TO will not be needed or desirable for generally protected information labeled SECRET because such information will be under a discretionary need-to-know regime Similarly security control markings will not be needed or desirable for specially protected information labeled SECRET COMPARTMENTED ACCESS because such information incorporates centralized access controls that already specify the personnel government contractor foreign government who are to receive the information 18 The Commission recommends that the two remaining control markings PRO PIN PROPRIETARY INFORMATION and NOCONTRACT not releasable to contractors or consultants be combined into a single marking government-industry-restricted information GOVIND The NOCONTRACT marking as currently used often prevents contractors from obtaining the information they need to do their job This is particularly inappropriate in the case of Federally Funded Research and Development Centers FFRDCs These are non-profit institutions with no production facilities no products or services to sell in commercial markets and that are not supposed to compete with non-FFRDCs Accordingly procedures should be developed to routinely obtain advance agreement that corporate proprietary information is given to the government with the express understanding that such information can be shared with FFRDCs as required by the government In the system we propose government employees and contractors will be cleared to the same standard and appropriately indoctrinated Consequently there will be no need to restrict information from contractors with a need to know other than to protect two types of information The first is information that is provided to the government by a commercial firm or private source under an express or implied understanding that the information will be protected as a trade secret or proprietary data and will not be disseminated to a potential competitor The second is government information for example budgetary information that could give the contractor an unfair competitive advantage A new marking GOVIND would restrict both types of information Agency-specific dissemination controls such as Exclusive For Secret Sensitive or Eyes Only add to the confusion and are rarely enforced We recommend that no agency-specific disseminationcontrol markings be used for security purposes There is no consistency between agencies in the terms used Whatever unique handling restrictions they imply usually are not understood by the recipient agencies and are improperly applied Recommendation 11 The Commission recommends that with the exception of GO VIND and REL TO dissemination markings and controls be eliminated Sharing Classified Information The world is changing and US classified information not only is provided to close allies but also to coalition partners some of whom normally have interests quite divergent from ours The US also finds it necessary to provide classified information to the NATO and the United Nations in circumstances where such information once provided may be broadly distributed rt is not possible to anticipate every situation and flexibility must be preserved so that military commanders and foreign policy officials are able to meet the special needs and requirements of each situation Nevertheless it is helpful to have general govemmentwide guidance as to the types of information that readily can be shared or that pose particular problems This reduces the amount of information that must be assimilated and the number of decisions that must be made on an ad hoc basis in the heat ofa crisis The security executive committee should review information sharing requirements and ensure that guidance and expertise is readily available to inform and assist officials who must make release decisions Recommendation 12 The Commission recommends development of governmentwide guidance for sharing classified information with coalition partners and with the United Nations 19 Billet and Access Control Policies One of the most frustrating features of many current SAP and SCI systems is the resource-intensive bureaucratic procedure for authorizing access Military commanders and senior managers confront cumbersome approval requirements often including arbitrary numerical ceilings and rigid billet structures if they wish to bring another person with a legitimate reason for access into the compartment Program managers try to limit the number of people allowed access to many special programs by imposing an arbitrary ceiling on the number of individual billets spaces authorized for a particular organization or facility Both government and industry organizations are forced to resort to inefficient and costly practices to get around the access restrictions to get the job done The Commission found that the imposition of these numerical ceilings and rigid billet structures does not reduce the actual number of persons accessed nor enhance the security of a controlled access program Instead these practices add unnecessary complexity and confusion Because a special access program manager refused to approve a new billet structure with a higher billet ceiling a government superv sor briefed and debriefed multiple people against a single authorized billet to get the number ofpeople needed for the program The supervisor would briefan engineer telling the engineer to think about a particular controlled access issue then immediately debrief him her The same procedure was followed with other needed personnel until all had been briefed on the controlled access program given a problem to resolve under the program and then debriefed Several weeks later the supervisor used the same brief debrief method to obtain the solutions from the personnel These controls only give the illusion of security while adding excessive cost and inefficiency to the access approval process The Commission therefore recommends an end to the practice of limiting access to specially protected information based on the number of authorized billets or imposed numerical ceilings The Commission believes that to permit more effective accomplishment of mission tasks a zero-based review and update of controlled access rosters in concert with using elements is necessary to determine the personnel who truly have a bona fide contractual or job-related requirement for controlled access information The results of the review should form the backbone of new access management processes that should eventually feed into a data base system Quite simply the number of persons accessed to specially protected information should be based on the number necessary to accomplish the job Recommendation 13 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence direct that controlled access program managers conduct a zero based review to ensure that all personnel with a mission-essential need to know specially protected information receive access to the information The number of accessed personnel should meet the need for properly cleared and indoctrinated persons to support acquisition planning and operations and not depend on arbitrary ceilings Secrecy Agreements At present most US Government employees and contractors granted access to classified information sign a Classified Information Nondisclosure Agreement Secrecy Agreement in which they agree never to divulge classified information to an unauthorized person While this agreement does not contain a prepublication review provision the individual agrees that ifthere is uncertainty about the classification 20 status of information he will confirm with an authorized official that the information is unclassified before he discloses it Recipients of access to Sensitive Compartmented Information SCI and DoD Special Access Programs SAPs sgn a nondisclosure agreement or indoctrination statement with a prepublication requirement each time that they are admitted to a compartment program or category of information within a program The SCI agreement obligates the signer not to disclose anything marked as SCI or that they know to be SCI and to submit for review any material that contains or purports to contain any SCI or description of activities that produce or relate to SCI or that they have reason to believe are derived from SCI Recipients of National Security Agency information agree to submit for review all information that contains or purports to contain refers to or is based upon Protected Information essentially defined as classified information obtained as a result of their relationship with the NSA Recipients ofDoD SAP information sign a similar agreement that indoctrinates them into the program and obligates them to submit for review all information which contains or purports to contain any Designated Classified Information essentially defined as SAP information or description of activities that produce or relate to Designated Classified Information Central Intelligence Agency employees sign a secrecy agreement that contains a significantly broader prepublication agreement that obligates them to submit for review any material they contemplate disclosing that contains any mention of intelligence data or activities or contains any other information or material that might be based upon classified information There are strong arguments for this expansive language It has more teeth and gives broader legal protection Because the obligation is not limited to classified information the government can proceed against the individual simply for failing to submit for prior review information that mentioned or was based on intelligence without having to prove classification Most of the Commissioners are not persuaded that persons with access to the same classified information should have differing obligations Most Commissioners also are not persuaded that intelligence professionals at the CIA should be held to a higher standard than that applied to others in government who receive CIA information These Commissioners do however acknowledge that it is not unreasonable for a Director of Central Intelligence to conclude that CIA employees should be held to a higher standard because for example CIA employees are more likely to be exposed to sensitive sources and methods information over their career than many employees in other agencies Prepublication review is designed to guard against the malicious and the uncertain Those with malicious intent will not submit material for review no matter how broad the standard The conscientious employee or retiree uncertain as to whether information is classified will submit material even with a narrow standard The Commission is concerned about the chilling affect of any prepublication review but particularly the broad standards in the current CIA secrecy agreement Government employees should not forfeit the ability to participate in public policy debates merely because they have or had access to highly classified information Indeed their participation in the debate should be encouraged On balance the majority of the Commissioners concluded that there should be one standard secrecy agreement for government and contractor employees with access to compartmented information that does not incorporate the higher review standard in the current CIA version However the Commission also recognizes that the Director of Central Intelligence may conclude that his statutory responsibility to protect sources and methods requires that he maintain the stricter version Regardless of the prepublication review standard the Commission believes that it is neither legally required nor desirable with respect to SCI and SAP material for the individual to sign a separate nondisclosure agreement for each compartment subcompartment program and category of information within a program A single secrecy agreement obligates the individual not to disclose classified information A single prepublication provision obligates the individual to submit specially protected material for review Although there is no harm in reminding an individual ofhis obligation to protect the information the 21 multiple forms may in fact create the erroneous impression that unless a new form is signed for each type of information or for each compartment the obligation to protect the information and submit it for prepublication review is somehow not present Moreover -there are costs involved in producing using and storing the plethora of forms particularly in an environment in which many individuals have multiple accesses These costs can and should be avoided The Commission believes that standardization of secrecy or nondisclosure agreements and of prepublication review requirements is needed Footnote 8 Two agreement forms should suffice one agreement for generally protected information and one for specially protected information If an individual signs the agreement for specially protected information it will be the only agreement required Recommendation 14 The Commission recommends that no individual sign more than two nondisclosure agreements One standardized agreement without a prepublication review provision will be used for generally protected information the other standardized agreement with a prepublication review provision will be used for specially protected information If an individual signs the agreement for specially protected information signing an agreement for generally protected information would not be necessary Declassification Simply put the current system for declassification does not work Much of the information that is classified does not have a declassification date Generally it is marked OADR Originating Agency's Determination Required and remains classified indefinitely Detailed review of these documents is not feasible and arbitrary bulk or automatic declassification schemes are perceived as risking the loss of information that still requires protection The Cold War period produced a huge amount of classified information and thus an enormous backlog of potentially declassifiable information In addition to information held by individual agencies there are an estimated 300-400 million pages of classified information in the National Archives Millions of additional documents are classified each year The Information Security Oversight Office reports between 6-7 million original and derivative classification actions per year in Fiscal Years 1990 to 1992 Agencies generally are not willing to declassify information without review yet as the mountain of classified information grows it is clear that a line-by-line and document-by-document review of this information would be extremely expensive and time consuming Footnote 9 Moreover given public and congressional concern today that sufficient resources are not being devoted to current FOIA Privacy Act and mandatory review requesters diverting limited available resources to a time-consuming review process that is not driven by customer demand is unacceptable Any declassification regime therefore must be examined to ensure that it does not create a significant burden for government agencies without providing any great advantage to the public Put more positively a new classification system should maintain classification for the shortest possible time and make the declassification system more efficient rather than more costly We believe that a great deal of information can be automatically released in ten years and that most information can be released in 25 years What is necessary however is to distinguish those categories of information that are good candidates for declassification after 10 15 or 20 years from categories of information such as human-source information that may require protection for longer periods of time By correctly categorizing classified information we can reduce the number of times that the government needs 22 to review documents and develop a strategy that will allow release of information without the need for lineby-line review We recommend that a new Executive order on classification specify certain categories of information that can be exempted from automatic declassification at the end of I 0 years and also permit agency heads to nominate and the security executive committee to approve additional limited categories of information that may require protection longer than 10 but fewer than 25 years Information could then be marked at the time of its creation to reflect a date upon which it would be automatically declassified For example if it were believed with respect to a particular category of in formation that at the end of I 0 years classification would have to be extended for the majority of information in that category a longer time period would be selected Otherwise when the I 0-year automatic-declassification date arrived the agency would feel compelled to do a line-by-line review of the information most of the information probably would remain classified a great deal of cost would be incurred and little advantage would be derived by the public On the other hand if it were believed that most of the information in that category could be released at the end of 15 years then it would be expected that when the automatic declassification date arrived the agency would feel more comfortable adopting a risk management rather than a risk avoidance approach to the material The agency would be far less likely to see the need for line-by-line review of the information and far more willing to release the information with little or no review For example if it were believed that finished intelligence could be released in 15 years then it could be expected that at the end of that period reviewers might conclude that the release of 15-year-old political intelligence would not result in significant harm that the release of 15-year-old economic intelligence would not do significant harm but that there were a couple of weapon systems still in use and still of continued interest In such a scenario reviewers might look to see if 15-year-old military intelligence written on these two weapon systems still should remain classified but would not undertake a line-by-line review of the rest of the 15-year-old finished intelligence We are keenly aware that an important underpinning of our system of government is an informed citizenry and that without the prompt release of pertinent information intelligent public policy debate academic discussion and historical research is handicapped Nevertheless there are clear examples where the American people are better served by continued protection of certain classified information For example the revelation of the identity of a confidential intelligence source even after the passage of years can have a serious negative impact on that individual and would not serve US interests Similarly release of information about a previous generation of US weapons can still have a significant negative impact on the safety of US forces o We believe the proper balance can be struck in the Executive order by allowing agency heads to exempt at the time of its creation specific information from the 25 year automatic declassification This information would be within the following categories o Information that would jeopardize a human intelligence source or impair use of an intelligence method o Information that would compromise sensitive military operations o Information that would impair US cryptologic systems or activities o Information about weapons technology that provides the US with a battlefield advantage or would assist in the development or use of weapons of mass destruction 23 Recommendation 15 The Commission recommends that four principles drive the declassification system a A classifier should attempt to identify a specific date or event when information can be declassified b Ifno date or event is specified there is a rebuttable presumption that all classified information would be declassified no later than I 0 years from the date of creation c The Executive order should specify categories of information exempt from the 10 year declassification requirement that can remain classified for 25 years Agency heads should prepare guidelines to implement exemption of these categories These guidelines will be approved by the security executive committee d The Executive order should also specify very narrow categories of information that will be exempt from the 25 year automatic declassification requirements These categories should include information that would jeopardize a human intelligence source or compromise ongoing sensitive military capabilities Heads of agencies should develop guidelines that will implement the exemption of these categories from automatic declassification These guidelines would be approved by the security executive committee Making the Classification System Really WorkAn Integrated Approach with Appropriate Oversight The one-level classification system with two degrees of protection is designed to provide a framework that will support a coherent and consistent governmentwide approach to both classification and security It recognizes that classification drives security costs and that security practices are evolving naturally albeit slowly around two levels of protection It and the other classification management recommendations build upon steps already taken by and borrow from the ideas of thoughtful security professionals Nevertheless no system can be expected to work very well ifthere is no one in charge Today there are few governmentwide standards and even when standards are supposed to have general applicability they often are translated and interpreted in ways that do violence to the concept of standardization Often there is no penalty for noncompliance Moreover we conclude that the Information Security Oversight Office ISOO simply is not positioned to ensure compliance Without an effective policy and oversight structure no coherent security policy is likely to evolve Instead inconsistent rules will continue to be formulated and disputes will continue to impede the development of a uniform policy The proposed security executive committee on the other hand would be positioned to provide effective centralized oversight Its staff could include a strengthened ISOO headed by a security ombudsman with a broader security oversight role In addition the outside security advisory board we propose would provide a mechanism for nongovernment and public interest concerns about the system to be raised to the committee Although centralized oversight is a necessary and important innovation effective oversight must begin at the agency level We recommend therefore that each agency appoint a classification ombudsman whose mission is to encourage and act on complaints about over-classification The ombudsman also will be required to routinely review a representative sample of the agency's classified material This individual would have the authority to ask why a particular piece of information was classified and to order it declassified if no persuasive reason is forthcoming Real-time review of employee complaints cable traffic and other documents real-time identification of categories of information subject to misclassification and real-time identification of the individuals responsible for classification errors would add management oversight of classification decisions and attach penalties to what too often can be characterized as classification by rote The system outlined above in its broad contours has been in place in the 24 Department of State for the past two years and we are told that over the past six months noticeable progress has been made Information that previously had been classified is no longer classified and greater discipline has been injected into the entire classification process Recommendation 16 The Commission recommends a Strong centralized oversight by the security executive committee as well as more effective oversight at the agency level b A strengthened Information Security Oversight Office as a part of the security executive committee staff c A requirement that each agency appoint a classification ombudsman establish a hot line for employee classification questions and complaints and institute a spot check system Dealing with Sensitive but Unclassified Information The information universe usually is subdivided into classified and unclassified with best estimates of the ratio having classified as about ten percent of total government information Unclassified information is further subdivided into sensitive information-unclassified information which has some confidentiality requirement-and non-sensitive information which may be disseminated freely It has been estimated that as much as seventy-five percent of all government-held information may be sensitive Government-held sensitive but unclassified information is information whose loss misuse unauthorized access to or modification of could adversely affect the national interest or the conduct of Federal programs or adversely affect the privacy lo which individuals are entitled under the Privacy Act As with classified information this information must be protected to ensure its confidentiality integrity and availability In some cases we do not wish unauthorized persons to see certain information such as medical or personnel records Sometimes it is more important that information is not changed or destroyed such as with payroll or other payment records Finally it may be important to ensure the availability of these records within the period of time necessary for their particular use or application For example if a system were intentionally clogged or disrupted we might be unable to access treatment data to deal with a medical emergency or logistics data to deal with a military or diplomatic crisis The Commission believes that our information infrastructure is at increasing risk but its vulnerability is not sufficiently understood or appreciated and there is not in place a process to appropriately deal with the problem Increased attention must be paid to identifying and protecting sensitive but unclassified information within the Defense and Intelligence Communities In addition the information system security countermeasures that are developed should be available more broadly to protect such information in the rest of the government as well as information that while neither classified nor government-held is crucial to US security in its broadest sense We have in mind information about and contained in our air traffic control system the social security system the banking credit and stock market systems the telephone and communications networks and the power grids and pipeline networks All of these are highly automated systems that require appropriate security measures to protect confidentiality integrity and availability Recommendation 17 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence put in place a process to evaluate the vulnerability of sensitive but unclassified information within the Defense and Intelligence Communities and to explore appropriate countermeasures 25 CHAPTER3 THREAT ASSESSMENTS - THE BASIS FOR SMART SECURITY DECISIONS Asleep at the Wheel While our broad national security agenda helps set the stage for determining what to protect the actions of other states and individuals define more precisely where security must be focused The Commission has frequently been reminded that the United States is the single biggest intelligence target in the world Traditional long-range intelligence threat predictions are now of reduced value in a world of evolving alliances and volatile political socioeconomic cultural and regional crises Footnote I 0 Threats must be reassessed frequently The Commission found many instances discussed throughout this report where security countermeasures currently employed appear to be excessive in terms of the threats or are not linked to threats at all A critical element necessary to make smart security decisions is reliable usable intelligence data defining the threat Currently there are efforts underway in the Defense and Intelligence Communities to incorporate threat assessments when developing security policies For example the DoD's Acquisition Systems Protection Program ASPP designed to protect leading-edge technology calls for incorporating threat assessments in each phase of advanced weapon systems development Defector information and espionage lessons learned are taken into account in updating personnel security procedures Physical and technical security policies and countermeasures traditionally based on vulnerability assessments are now being developed using threat information As a result security policies are being revised and dramatically changed The Commission applauds these efforts However getting from the Intelligence Community-specifically the counterintelligence organizationsthe threat information necessary to support coherent risk-based security countermeasures policies military operations and industry is an ad hoc rather than a systematic process In the absence of access to threat assessment information security policies have been based on risk avoidance constrained primarily by the availability of resources The reasons for the failure to incorporate intelligence and counterintelligence information into security policies are numerous Traditionally the intelligence and counterintelligence communities have been separate and distinct from their security counterparts Intelligence and counterintelligence activities are discrete programs where budgets are built and justified in terms of collection and production against specific targets Security programs on the other hand are normally funded from base operating or administrative funds of various agencies and are difficult to link to specific programs These programs and funds when accounted for at all generally have not had to face the scrutiny of cost-risk analysis with some individual exceptions Security officials do not always know how to task the Intelligence Community for threat information They have neither the necessary clearances and contacts within the Intelligence Community nor an understanding of the contribution that intelligence producers can make The counterintelligence community for its part focuses on its mission of conducting investigations and collecting analyzing and exploiting information to identify and neutralize the intelligence activities of foreign powers that adversely affect US national security Yet the security policy community has not been viewed as a primary customer Consequently intelligence and counterintelligence requirements are not defined to support rational security decision making The Commission believes that the security community must work closely with the National Advisory Group for Counterintelligence and the newly appointed Issue Coordinators to develop collection and production strategies that address security consumers needs 26 When security officials do task for threat information support is not always timely and frequently is overclassified Department of Defense customers often wait months while counterintelligence requirements are forwarded through several operational levels for approval and to service headquarters elements for validation The requirement is then forwarded to analysis centers for drafting which requires an additional 120 days Some DoD personnel reported to the Commission response times longer than a year for critically needed requests Roadblocks are also encountered if classified information needs to be disseminated in an unclassified form The counterintelligence community seems unable to provide unclassified analyses One senior DoD official requested an unclassified report to use in a contractor security awareness briefing The report arrived six months later-stamped Secret Not Releasable to Contractors In the absence ofa comprehensive threat assessment process some security organizations have performed their own The Air Force's Special Access Program SAP has created dedicated analytic cells to provide timely assessments Air Force SAP intelligence specialists directly contact the scientific community and perform independent assessments on cutting edge Air Force technologies and developmental weapon systems Navy and Army SAP programs draw upon cleared service analysts Not possessing a cadre of analysts DoD field elements postulate the local threat using worst case scenarios until finished assessments arrive This results in employing stringent expensive countermeasures to prevent the loss of critical technologies information The field elements note that when the much awaited reports do show up they are either too general to be applicable or they contradict other services or the Defense Intelligence Agency's assessments often regarding the same technology A DoD program manager requested an assessment ofthe foreign intelligence threat to a city with particular emphasis on whether there was targeting ofthe advanced technology system that was being developed at a facility Eighteen months later the program manager received from one DoD element an assessment stating that the threat to his area was low with no particular foreign interest in the technology Another DoD element had already informed him six months earlier that there was an established aggressive foreign intelligence collection program targeting the developing technology There is a schism concerning threat information between security policy officials and the Intelligence Community that widens greatly when it comes to a supportive relationship between counterintelligence organizations and security professionals At the national level counterintelligence funding is under the purview of the DCis National Foreign Intelligence Program But the counterintelligence community is a loose confederation of separate activities held together by budgetary convenience not centralized management The five major counterintelligence organizations FBI CIA Army Navy and Air Force can work together collegially but frequently strike out on their own Some of these organizations have difficulty identifying their customers Indeed one senior counterintelligence official points with pride to the fact that we counterintelligence organizations are our own best customer Counterintelligence information is collected analyzed produced and disseminated separately from normal intelligence channels Critics charge that this process ignores national strategy and policymakers' needs This fragmented counterintelligence organizational structure has also created large gaps in knowledge For example there is no common counterintelligence data base either within the Department of Defense itself or among the counterintelligence organizations generally from which threat assessments might be drawn This shortfall may contribute to the difficulty counterintelligence organizations have had in supporting clearly defined customers like the National Industrial Security Program NISP Despite two years of work by counterintelligence representatives within the NISP no mechanism was created to communicate threat data to industry 27 For senior policymakers while there is an interagency coordination process to support them the products fall short National counterintelligence assessments such as the Winds of Change and the Triennial Threat Assessment of the Foreign Intelligence Threat and Effectiveness of US Counterintelligence and Security Countermeasures need to use more current data be made more policyrelevant and provide a clearer picture for the reader As now written these assessments do not respond in a timely manner directly to national-level requirements aid resource allocation or meet the needs of program managers and military commanders Future editions if any require a keen understanding of senior policymakers' requirements and tighter analytic presentation and packaging The Commission heard from many individuals within the Department of Defense about the need to streamline the counterintelligence structure and we understand that the Deputy Secretary of Defense and the Director of Central Intelligence the are considering options to do this The Commission believes such restructuring can bring savings and better service but we would expand the discussion to include the Attorney General and the Director of the FBI so as to incorporate other major counterintelligence organizations A Wake-Up Call Information about the dangers posed by foreign governments and organizations does not come solely from counterintelligence assets Much of it comes from human sources or defectors signals intelligence imagery assets our diplomatic corps and other sources that need to be more actively tasked by security officials In other areas of intelligence production consumers have a single place to go for analytic assistance For example counterterrorism and nonproliferation consumers have individual points of contact that respond in a coordinated fashion to their needs The DCis Counterterrorism Center CTC and Nonproliferation Center NPC personnel reportedly broker timely responses to policymakers' requests These offices do not compete with established production elements They serve as facilitators drawing on information and substantive expertise from within the community Recommendation 18 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence appoint the DCI's Counterintelligence Center as executive agent for one-stop shopping for counterintelligence and security countermeasures threat analysis The Commission does not intend by this recommendation to create a counterintelligence czar or to supplant existing authority for counterintelligence investigations operations or the unique individual analytic efforts in support of specific law enforcement or military operations Rather we seek a nationalIevel focal point for threat analysis that is easily accessible by government and industry to support broad security management decisions This one-stop shopping office must operate as a corporate information asset of benefit to all government and industry customers The Counterterrorism Center customer response office can serve as a model While the Counterintelligence Center lacks the expertise in domestic threats that the Federal Bureau of Investigation has it provides an established credible intelligence production office with professional analysts able to tap into the full range of intelligence and operational reporting It also has the most experience in providing analysis for senior policymakers However the Commission notes that the current analytic and community elements of the Counterintelligence Center must expand and change dramatically to include a broader community and industry flavor and to incorporate expertise in the security countermeasures areas that it lacks currently such as threats to information systems security The Commission expects that the Counterintelligence Center will draw upon the experience and knowledge of other agencies when preparing responses for risk management decision making and coordinate the products extensively This includes drawing upon the 28 NS As and the D ISAs ongoing efforts that focus on threats to information systems security Existing interagency analytic efforts such as the National Advisory Group for Counterintelligence's Analytic Working Group will fold into this initiative Further dissemination procedures need to be restructured allowing customers to pull the information they need from the system instead of having it pushed to them in restricted formats Threat information needs to get out to users at all levels in the Defense and Intelligence Communities and in industry The Commission is aware of and applauds a recent decision by the counterintelligence agencies to create an interagency data base However the data base needs to expand to allow for users with varying classification levels The Commission also urges the community to take advantage of the counterintelligence data base program now under way within the Department of Defense and ensure that the two data bases are compatible This interagency data base initiative should be undertaken and a prototype fielded immediately Recommendation 19 The Commission recommends that the DCls Counterintelligence Center serve as the executive agent to spearhead the rapid creation ofa communitywide counterintelligence and security countermeasures data base for government and industry use 29 CHAPTER4 PERSONNELSECURITYTHE FIRST AND BEST DEFENSE So far as concerns the DoD and the Intelligence Community the main purpose of personnel security programs is to protect the national security interests of the United States by insuring the reliability and trustworthiness of those to whom information vital to those interests is entrusted Because the government is so completely dependent on cleared personnel to safeguard classified information the personnel security system is at the very heart of the government's security mission Without adequate personnel screening the rest of the security mission would be a worthless facade and a waste of resources Recent history is regrettably all too rich in proof of the damage that a single cleared person can cause The Commission believes that the personnel security program will remain the centerpiece of the Federal security system in the post Cold War era particularly as we move to a new classification system in which more information is moved out of compartments and made available to greater numbers of people For this reason the Commission is recommending enhancements to the personnel security program These enhancements will result in increased costs but the Commission believes these costs will be offset by other improvements we suggest The process of granting clearances will always be controversial It makes determinations about security risk by examining personal background information to form a judgment that can have serious consequences for the individual and for the government There is no perfectly reliable or unarguably correct way to predict whether an individual will become a security problem in the future In the end all clearance decisions are judgments hopefully well informed and carefully made but nevertheless fallible From time to time the process will fall short either to the detriment of an individual when a clearance is denied or to the detriment of the government when a serious security problem develops The Commission finds that the clearance process is needlessly complex cumbersome and costly Security clearances are sought for too many persons who have no real need for a clearance There are too many different forms in use There is insufficient automation and little interconnectivity between agencies Investigation and adjudication are practiced inconsistently among agencies resulting in reciprocity problems delays and increased cost to both government and industry All too frequently clearances granted by one agency are not accepted by another or even by another program manager within the same agency The Commission believes that these shortcomings in the Federal personnel security system can be remedied Our goal is to establish a security clearance standard the application of which will be tracked in a communitywide data base and will be fully transferable and valid among all government agencies THE PROCESS BEGINS Requesting a Clearance Except where a clearance is required for initial employment the clearance process begins when management determines that a worker requires access to classified information or requires the authority to change information or systems in ways which may affect the integrity or availability of information Management submits a clearance request form an investigation is conducted and the results are forwarded to an independent adjudicative center which determines whether the individual is suitable for a security 30 clearance Clearance decisions are subject to appeal and review through formalized administrative procedures The government conducts similar investigations on all Federal civilian employees in the executive branch and on military members to determine whether they are suitable for Federal employment or service These position suitability determinations differ from clearance decisions in that they are not made according to standardized criteria Rather the hiring component not an independent adjudicative center makes the determination and fewer procedures are in place to appeal adverse decisions The Commission learned that thousands of costly security clearances are requested annually for persons who do not require actual access to classified information or technology or the authority to modify sensitive information or systems and who do not otherwise occupy sensitive positions For example guards shipyard workers various trades craft and maintenance custodial concession and cafeteria workers are routinely submitted for clearance even though they only require access to a controlled area facility access and thus may receive only superficial or inadvertent exposure to classified information Unfortunately many of these personnel have complex backgrounds which when applied against security clearance criteria require extensive investigation and administrative due process thereby overburdening an already overtaxed system This only serves to delay significantly the processing oflegitimate requests and increases costs Recommendation 20 The Commission recommends that clearances be requested only for personnel who require actual access to classified information or technology For most of those who merely require facility access a position suitability determination based on the results ofa National Agency Check with Inquiries NACI should be the maximum allowed The Commission found that many managers consider the clearance process slow and inefficient Because there is no cost incurred for submitting clearance requests military commanders and program directors often submit an excessive number of clearance requests to ensure that they receive an adequate number of cleared personnel to meet their needs Investigative and adjudicative organizations many of which face steadily declining budgets must accept all requests resulting in runaway costs and delays throughout the system A solution is needed that will impose discipline at the requester level while insuring that the system accommodates essential clearance requests quickly and efficiently A fee-for-service funding mechanism such as industrial funding or a revolving fund can impose a sense of cost on agencies that request clearances Rather than use appropriated funds industrially funded agencies charge customers for services provided and finance operations from this income Fee-for-service operations tend to be more efficient and appropriately scaled to size because customers must consider the cost of the service when making requests For example the Office of Personnel Management OPM which operates on a revolving fund found that investigative requests steadily decreased after it instituted industrial funding Similar decreases in clearance requests would likely occur with the adoption of an industrial funding mechanism throughout the DoD and the Intelligence Community to include industry Fee schedules could be developed that would allow agencies and organizations requesting clearances to trade off the advantages of expedited processing against higher costs The Commission recognizes that converting to a new funding strategy cannot be accomplished overnight However we believe that it is time to begin purposefully moving towards this new strategy Recommendation 21 The Commission recommends that fee-for-service mechanisms be instituted to fund clearance requests within the DoD and the Intelligence Community 31 Prescreening and Fairness Prescreening is the process of assessing the likelihood that individuals will be cleared before they are formally submitted for a clearance It generally involves the completion of a personal history statement or security questionnaire and or interviews with the subject or supervisors Prescreening saves a considerable amount of time and money by insuring that only those individuals with a reasonable chance of obtaining a clearance are submitted for processing All agencies in the DoD and the Intelligence Community prescreen applicants to some degree For example in the DoD prescreening is conducted at military enlistment centers and on all persons considered for SCI access The effectiveness of this program is evident in the very low clearance denial rates for these individuals The Commission learned that substantial problems may develop if government organizations ask private firms to prescreen their own employees for a security clearance Such firms are concerned about legal liability if they conduct prescreening as agents of the government Contractors may interpret the relevant security standards differently and are not able to waive the standards as do government organizations Consequently qualified individuals may needlessly be denied an assignment or even employment Further ifthe contractor performs the prescreening of its own employees instead of the government those eliminated have no appeal rights Furthermore suggestions have been made that some firms use the clearance process to weed out employees that they consider unsuitable For example government investigators conducting background checks sometimes find that the subject's managers and supervisors will not recommend the subject for clearance In other cases investigators discover that the individual whose name was submitted for clearance is not scheduled to work on a classified contract In these instances the clearance denial can afford the contractor a convenient explanation for terminating the individual's employment The Commission believes that it is the obligation of the contractor to nominate individuals who enjoy the full support of management within the firm Recommendation 22 The Commission recommends that formal prescreening of contractor personnel be solely performed by the government or an independent company hired by the government specifically for that purpose not by the company that employs the personnel While most prescreening programs appear effective in weeding out problem cases some special access programs have prescreened individuals without their knowledge or consent While this practice is not widespread it may result in adverse employment consequences and deprive the person of knowing the rationale for the employment consequences or having the right to appeal The Commission believes that unconsented prescreening should not be conducted unless warranted by extraordinary circumstances such as cover or counterintelligence operations Recommendation 23 The Commission recommends that within the DoD and the Intelligence Community individuals including employees of contractors considered for a contractual or employment relat d security clearance or access may be formally prescreened only with their full knowledge and consent unless conducted pursuant to procedures approved by the security executive committee 32 Forms and AutomatioirEnding the Paper Trail The Commission found that there are literally hundreds of different forms designed to establish clearance and access eligibility For example there are over 45 different prescreening forms in use throughout the government and industry all of which request essentially the same information Individuals must often complete several such forms to obtain access to different programs resulting in delays and ultimately in increased costs A number of forms and personnel security questionnaires are used to apply for security clearances None are accepted laterally Currently the Office of Management and Budget OMB supports the establishment of a single form for all positions in government that require a clearance or are otherwise designated as sensitive The NISP has developed such a standard form to replace all other personnel security questionnaires but it has not yet been adopted Until a standard government form is adopted the Secretary of Defense and the Director of Central Intelligence should require that all investigative agencies within the DoD and the Intelligence Community reciprocally accept the government approved personnel security questionnaires of other agencies Recommendation 24 The Commission recommends that a The personnel security questionnaire devised by the NISP be adopted for use throughout the Department of Defense and the Intelligence Community b A standard prescreening form be developed for use throughout the Department of Defense and the Intelligence Community The Commission supports the development of standardized forms in an electronic format as a way to facilitate reciprocity and reduce costs Currently most clearance request forms and questionnaires are paper-based Accordingly handling times add weeks to the process of conducting background investigations Moreover as many as 30 percent of these questionnaires are rejected due to missing or incomplete data adding as much as three months to the clearance process and thereby driving up costs Significant savings will be realized when personnel security questionnaires are developed in an interactive electronic format that guides the completion of each response and ensures that only fully completed forms are submitted The Commission believes that automation is crucial to improving efficiency and responsiveness throughout the clearance process Examples of ongoing and needed initiatives include o The CIA and the OPM have issued laptop computers to field investigators so that field reports can be submitted electronically rather than dictated and typed at separate locations o Some agencies are exploring the use of computer administered security interviews as a way to gather information from subjects in a more cost effective manner Computer administered interviews cost as little as $20 to $30 per interview versus up to $200 for a subject interview o Military members frequently arrive at assignments without the required security clearance driving up costs as they await clearances to perform duties One adjudicative organization has proposed that linkages be developed among investigative indices adjudicative data bases and personnel data bases forming an electronic data interchange that would ensure almost all military members arrive at their next assignment with clearance in hand Recommendation 25 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence invest in automation to increase timeliness reduce cost and improve the efficiency of the entire personnel security program 33 INVESTIGATIONS-ASSESSING TRUSTWORTHINESS In 1993 the DoD accounted for the majority of cleared personnel in the Federal Government about 60 percent of the over 800 000 individuals cleared to the Top Secret and SCI levels 97 percent of the 2 24 million individuals cleared to the Secret level and 99 percent of the 151 000 cleared to the Confidential level With such a large number of cleared personnel any attempt to increase investigative requirements for the DoD will result in substantial cost increases Currently Federal agencies conduct more than 15 types of investigations However the majority fall into the following three categories o The National Agency Check NAC or Entrance National Agency Check ENTNAC which involves records checks of national law enforcement and government agencies o The National Agency Check with Inquiries NACI which includes the records checks described above plus written inquiries to local law enforcement agencies former employers and supervisors listed references and schools attended in the previous five years o The Single Scope Background Investigation SSBI which is a full field investigation with a scope of I 0 years that includes the checks described above plus credit checks subject reference and neighborhood interviews as well as verification of birth citizenship education and employment Investigative Requirements-Streamlining the Process In 1991 National Security Directive 63 established the SSBI as the single investigative requirement for access to Top Secret and S ensitive Compartment Information throughout the Federal Government A 10year scope was adopted as a compromise between the 15-year scope of the special background investigation and the five-year scope of the background investigation While not required by DCID 1 14 certain agencies and programs augment SS Bis with some form of screening polygraph NSD 63 ordered that SSBis would not be duplicated and would transfer between agencies However some agencies citing variability in investigative quality take advantage ofa loophole in NSD 63 to upscope investigations conducted by other organizations The variability in the quality of investigations stems from differences in use of telephone interviews considered a substandard practice by many number of sources contacted and number and diversity of developed leads pursued Some agencies report results in full detailed narratives while others use summaries These inconsistencies serve as an obstacle to reciprocity and add to processing delays The Commission believes that the SSBI is a reasonable investigative requirement for access to specially protected information under the new classification system However it can be made more efficient by refining the scope and eliminating unproductive leads that are expensive and costly to develop A 1991 study by the DCI's Personnel Security Working Group PSWG determined that 90 percent ofadjudicative issues are developed within a seven year scope Moreover the Commission learned from the investigative community that requiring investigators to interview neighborhood sources at every residence and to conduct education and birth record checks in person is costly time consuming and rarely elicits significant adjudicative information They suggest that refining the SSBI to address these concerns will drive down costs without affecting the quality of the investigation For example subjects could be required to provide verification of birth and education rather than using investigative time to pursue these leads 34 Currently there is no common investigative requirement for Secret or Confidential access in the Federal Government Military enlisted personnel and officers upon entry into the military receive some variant ofa NAC that serves as the basis for granting Secret and Confidential clearances This is the lowest investigative requirement in government Federal civilian employees are granted Secret and Confidential access on the basis of a NACI or a limited background investigation As the Commission proposes to downgrade a significant amount of information from higher to lower levels of protection we are concerned by Intelligence Community representatives who have stated that they will oppose downgrading information ifthe only investigative requirement for generally protected access is a NAC They do not believe that the NAC provides an adequate assessment of trustworthiness or reliability The Commission concurs and believes that the only way to move more information out of compartments thereby increasing its availability to customers is to increase the investigative requirement for access to classified information that is generally protected Footnote 11 The Commission found substantial support in the Defense and Intelligence Communities for increasing the Secret clearance requirement to a NACI plus credit check The Stilwell Commission and the NISP made similar recommendations While this initiative will increase the cost of each investigation by SO percent from $48 to $72 12 offsets will be realized through an overall reduction in the number of individuals who undergo full field investigations and reinvestigations and operational economies derived through greater availability of needed classified information to the customer community Recommendation 26 The Commission recommends a The investigative standard for a Secret Compartmented Access clearance be an SSBI with a scope of seven years Moreover investigators should not be required to conduct education and birth record checks in person or neighborhood checks other than the most recent residence of six months or more b The investigative standard for a Secret clearance be a NA Cl plus credit check with expansion as appropriate to follow up only on issues likely to result in adverse adjudication Continuing Evaluation-Reinvestigations and Safety Nets The personnel security program continually assesses the integrity and trustworthiness of the cleared work force through periodic reinvestigations US espionage cases over the last 20 years have shown that most damage to national security is caused by already cleared personnel those insiders who volunteer to sell or give classified information to foreign governments Very few applicants intend to commit espionage at the time they seek employment Currently individuals cleared to the Top Secret or SCI levels are reinvestigated every five years and some agencies or programs may require a screening polygraph Those cleared to the Secret or Confidential levels are reinvestigated every I 0 years although the DoD with over 2 million cleared personnel is only current to IS years The Commission believes that current reinvestigation policies should be refined to increase efficiency For example an aperiodic reinvestigation interval would offer a greater deterrent effect and provide agencies with more flexibility to focus resources on priority investigations Adjudicative facilities also have indicated that based on revocation experience a seven year reinvestigation interval for a Secret Compartmented Access clearance and a I 0-year interval for a Secret clearance are the most efficient 35 Recommendation 27 The Commission recommends that a The reinvestigation standard for a Secret Compartmented Access clearance be an SSBI Reinvestigations will be conducted on an aperiodic basis but not less than once every seven years b The reinvestigation standard for a Secret clearance be a NAC local agency check and a credit check Reinvestigations will be conducted on an aperiodic basis but not less than once every 10 years While reinvestigation provides an important way to monitor the integrity of the work force safety nets are also needed to ensure that personnel do not become counterintelligence risks after they obtain a clearance Studies have shown that many American spies in the 1980s turned to espionage as a way to resolve personal problems or crises Some were disgruntled workers who wanted to strike out at the system for perceived injustices some were faced with pressing financial problems others were struggling with conflict-ridden family situations and still others had alcohol or drug abuse difficulties Many saw espionage as the only way to resolve their problems They volunteered to sell or give classified information to foreign governments after convincing themselves that they could spy safely and not be detected While only a very small percentage of employees with personal problems become involved in espionage or other serious security transgression the damage that can be caused by even one person with sensitive access serves to illustrate the value of programs that help employees resolve personal problems A few convicted spies have stated that at the time they began spying they were emotionally distraught and in need of counseling Employee assistance programs provide short-term counseling and referral services for a variety of problems including financial family vocational emotional and substance abuse Recognizing the value of these programs in increasing worker productivity many private corporations and some government agencies have established Employee Assistance Programs or contract out for these services National security organizations have an even greater stake in insuring that such services are available to their employees Recommendation 28 The Commission commends those agencies that have established Employee Assistance Programs and recommends that all agencies in the Defense and Intelligence Communities ensure that similar programs or contractual services are available to employees particularly those with access to specially protected information Clearance Processing-Time Is Money Delays in the investigative and adjudicative process contribute directly to customer and government costs As far back as 1981 the General Accounting Office GAO reported to Congress that nearly a billion dollars was wasted annually because of investigative backlogs at the Defense Investigative Service The GAO recommended solving this $980 million problem by increasing appropriations for the DIS by $12 5 million The Commission found that there is no performance standard for timeliness in completing investigations and adjudications The Commission repeatedly heard from the customer community that 90 days is an appropriate standard for completion of the average investigation and adjudication 65 days for the investigation However the DIS which has contended with declining resources completes SSBis in an average of 149 days including about 40 days for conducting overseas leads and does not charge a fee The OPM completes SSBls in 35 75 or 120 days and charges a variable fee A major SAP uses a private firm that completes investigations in an average of 34 days but if directed terminates some cases when significant adverse information is developed While private firms cannot handle a substantial volume at this 36 time contracting out investigations in special circumstances such as priority cases may enhance competitiveness and further lower cost by preventing the development of backlogs and delays The Commission found that several adjudicative organizations were quite timely in their processing Others however required as much or more time to complete the adjudication than was expended on the investigation Processing and appellate review of individuals facing a possible loss or denial of a clearance also range in processing time from 120 days at one organization to two years for organizations that offer an evidentiary hearing The Commission believes these areas are particularly amenable to cost savings through process improvement The cost directly attributable to delays in the investigative process in FY 1994 could be as high as several billion dollars assuming that the DoD incurs an average cost of$250 per day beyond the 90-day standard for each worker who is unable to perform his her duties while awaiting a security clearance In addition the DIS is scheduled to take further cuts through FY 1999 that will substantially increase average investigation completion times resulting in additional billions of dollars in lost productivity as workers are assigned other suboptimal duties while awaiting clearances Delays in the clearance process also contribute to increased costs for industry In today's difficult contracting environment many firms that do not hold classified contracts on a continuing basis are handicapped in pursuing new contracts because clearance eligibility lapses on key personnel A six- to nine-month delay can result while contractors await clearance revalidation Should the contract involve state-of-the-art battlefield technology this loss in time could equate to a loss of life for our forces Waiting time for personnel involved plus delay in contract deliveries amounts to a significant cost to the American taxpayer A private firm with government contracts reported that it has 5 7 employees in the Washington DC area who have been waiting six to nine months for clearances at a cost to the company and ultimately the government ofapproximately $2 6 million Recommendation 29 The Commission recommends that a All investigative adjudicative and appellate organizations begin an orchestrated process improvement program with the goal of continuing to ensure fairness and quality while vastly improving timeliness b Standard measurable objectives be established to assess the timeliness and quality of investigations adjudications and administrative process and appeals performed by all such organizations within the DoD and the Intelligence Community c As long as an individual has been investigated within the last I 0 years interim clearance at the previously maintained level may be granted based upon a favorable review of a personnel security questionnaire d Standard interim access procedures be established throughout the community for those not previously cleared to the generally protected and specially protected levels ADJUDICATION Adjudicative Standards and Criteria Adjudication is the process of determining whether an individual meets established criteria for access to classified information Once a background investigation has been completed the entire investigative packet including records of any prior investigations are forwarded to an adjudicative center An adjudicator determines whether problem behaviors are present and if so whether the behavior is severe 37 enough to warrant a denial or revocation ofa security clearance Factors that enter into the decision include the seriousness recency frequency and motivation of the behavior as well as any mitigating factors The Commission reviewed the adjudicative criteria used in the DoD and the Intelligence Community visited adjudicative and appellate operations met with senior officials regarding their adjudicative philosophy and sought the basis for a number of adverse adjudications occurring in the past 5 years that have resulted in public controversy The Commission notes that virtually all of the adverse adjudications that have resulted in recent public or congressional outcry appear to have occurred in either special access or special intelligence programs at a time when very limited procedural safeguards were made available to personnel working within such programs In October 1993 the last of these programs instituted procedural safeguards for those who face denial or revocation of their special access Those safeguards discussed below see pp 55-65 should provide much better protection but the Commission remains concerned about the lack of reciprocity of adjudications Efforts are underway to establish standard adjudicative criteria for the entire community and these must be brought to fruition The Commission also believes that the security executive committee should as a first priority develop a single governmentwide standard for granting security clearances for both Secret and Secret Compartmented Access This common standard should eliminate the lack of reciprocity among government agencies and between the government and contractors The process of developing common standards should also address concerns that have been expressed by civil liberties groups and others as to whether the criteria strike the right balance between the government's need for security and the rights of the individual The Commission is pleased to observe that such issues as sexual orientation no longer are per se bars to clearance or access In this regard the Commission notes that the Attorney General recently issued a statement on nondiscrimination in employment within the Department of Justice and the FBI issued investigative guidelines and security clearance adjudication guidelines The Commission has not had an opportunity to consider these guidelines in depth but believes that the principles expressed in these guidelines could be the basis for govemmentwide standards There are two sets of adjudicative criteria in the DoD and the Intelligence Community A Director of Central Intelligence Directive DCID contains the adjudicative criteria for SCI determinations While SAPs do not usually require access to SCI they may require that personnel meet at least the DCID criteria A DoD regulation contains the adjudicative criteria for Confidential Secret and Top Secret for the military The NISP has developed a set of adjudicative standards that merges Top Secret and SCI requirements These standards could be used in granting Secret-Compartmented Access clearances Parallel standards should be established for Secret clearances Implementation of standards for adjudicating background investigations can eliminate multiple readjudications For example the Commission found that the Defense Industrial Security Program sometimes grants clearances on the basis of precedent or case law amassed through years of appeal hearings In some cases adjudicative decisions appear to deviate substantially from adjudicative norms followed by other organizations in the DoD As a result of a few decisions various special access programs and Federal agencies have developed a wholesale distrust of the industrial clearance process leading them to readjudicate industrial security clearances The establishment and enforcement of a single adjudicative standard would eliminate the need for costly readjudications Savings would also be realized within departments and agencies that have suitability requirements not related to security which they apply in processing candidates for employment Such assessments could be accomplished in less time and at less cost ifthe requirement to also readjudicate security-relevant information is eliminated 38 Recommendation 30 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence develop and adopt a common set of adjudicative criteria for access to generally protected and specially protected information DoD Adjudicative Facilities The DoD currently has 18 separate adjudicative organizations but is in the process of consolidating them into eight facilities Staffing of the various adjudicative centers varies widely one center will have a staff of one and most are neither timely in their actions nor responsive to their customers Virtually all face significant budget reductions despite the fact that several are already substantially understaffed and underequipped Few adjudicative organizations have strategic plans for integrating their information with the customer base or employing automation to manage the process The DoD community would benefit substantially from consolidating its adjudicative operations By building on the most successful adjudicative processes and automation models consolidation would improve the efficiency effectiveness and consistency of the adjudicative system Research by PERSEREC has clearly demonstrated that larger adjudicative facilities tend to be more efficient The direct savings of having a single adjudicative facility in the DoD pale in comparison to the savings to be realized through increasing the timeliness and customer responsiveness of personnel security programs The Commission believes that the NSA should be excluded from the consolidation of adjudications in the DoD At the NSA the clearance process is inextricably linked to the hiring process much as it is for the CIA The Commission believes that it could be counterproductive to integrate such employment-related adjudications into the central adjudication facility Recommendation 31 The Commission recommends that all DoD adjudicative entities except the NSA be merged into one organization reporting to the appropriate Under Secretary or Assistant Secretary of Defense Reciprocity The Commission examined the practice of numerous program managers particularly those within SAPs exercising their option to readjudicate already cleared individuals This adjudication is ostensibly for access authorization and not for clearance but the process is virtually the same and may be repeated over and over again depending on the number of programs involved Recently I 49 engineers at a major defense contractor were all cleared or SCI to work on an existing contract After the contract was completed these same engineers were badly needed for another SCI contract in the same facility and complex However it took months for the engineers to be re-adjudicated and approved or the second SCI program The Commission is not convinced that such readjudications provide additional security benefits and is concerned about the significant costs resulting from the delays that such readjudications impose upon the system The Commission believes that if SAP and other special program managers truly have personnel security requirements that are not being addressed in the clearance process they should take action to insure their requirements become incorporated into current and future adjudicative standards Beyond that 39 validation of an existing clearance should be all that is required to give an individual access to information once it has been determined that the individual has a need to know the information Recommendation 32 The Commission recommends that a Any individual who has an existing clearance not be readjudicated b Program managers be limited to the following prerogatives when making access determinations l Verifying that the individual has the requisite clearance 2 Verifying that the individual has a need to know the classified information Virtually all agencies employ risk management to grant exceptions to the adjudicative standards for high risk high gain individuals This takes into account operational needs unusual expertise or other factors However few record these exceptions in shared information systems Any conditional clearance or waiver of normal adjudicative criteria should be readily identifiable to other organizations that may subsequently employ the individual This will be facilitated by implementation of central clearance verification as recommended below Recommendation 33 The Commission recommends that agencies identify conditional clearances or waivers through use of the standard codes in a new central data base PROCEDURAL SAFEGUARDS In this section of its report the Commission will deal with certain procedural protections and administrative remedies that may or may not be available when security clearances are denied or revoked In order to give its considerations some focus and manageable limits the Commission has elected to deal only with those questions to which its particular attention was called by the Conference Report that accompanied the Defense Authorization Act For 1994 Section 1183 of that Act directed the Secretary of Defense to conduct a review of the procedural safeguards available to Department of Defense civilian employees who are facing denial or revocation of security clearances and further directed that this review the results of which are to be reported to the Congress by not later than March 1 1994 should specifically consider the following A Whether the procedural rights provided to Department of Defense civilian employees should be enhanced to include the procedural rights available to Department of Defense contractor employees B Whether the procedural rights provided to Department of Defense civilian employees should be enhanced to include the procedural rights available to similarly situated employees in those government agencies that provide greater rights than the Department of Defense C Whether there should be a difference between the rights provided to both Department of Defense civilian and contractor employees with respect to security clearances and the rights provided with respect to sensitive compartmented information and special access programs These questions were further elaborated by the Conference Report as follows 40 The conferees direct the Secretary to ensure that the review specifically address each of the following procedural safeguards in the context of the denial or revocation of security clearances with respect to civilian employees of the Department ofDefense I notice of the reasons for the proposed denial or revocation 2 an opportunity to respond 3 the right to a hearing or other appearance before a tribunal 4 the right to be represented by counsel 5 the availability oftrialtype procedures such as the opportunity to present and cross-examine witnesses and 6 the opportunity to appeal any final decision If the Secretary determines that DoD civilian employees should not be provided with procedural rights that are as protective as those afforded to DoD contractor employees with respect to any of the foregoing matters the Secretary's rationale for each such difference should be set forth in the report The Conference Report then added this comment The conferees note that the subject of security clearances within the Department of Defense is undergoing detailed review by the Joint Security Commission established by the Secretary of Defense and the Director of Central Intelligence which is scheduled to complete its work by February I 1994 The conferees agree that the Secretary should obtain the views of the Commission on the issues set forth in the conference agreement but note that the final responsibility for addressing these issues and issuing an implementing regulations rests with the Secretary The Commission has adopted this comment as its framework Because both the broader questions posed by the Act and the more exact questions posed by the Conference Report take as their baseline the procedural safeguards available to DoD contractor employees some preliminary discussion is necessary in order to understand that baseline It is also necessary to understand how the procedures and remedies that lie along that baseline compare with the safeguards that are available to civilian DoD employees and with the different safeguards that apply when special access approvals are denied or revoked on security grounds other than need-to-know grounds DoD Contractor Personnel Background investigations relating to DoD contractor personnel are conducted by the Defense Investigative Service If an investigation develops information that must be adjudicated in order to determine if a security clearance should be denied or revoked the case is referred to the Directorate for Industrial Security Clearance Review DISCR which conducts the adjudicative process as it also does in cases involving contractor personnel doing classified work for some 20 other government agencies or organizations not however including the CIA or the NSA The adjudicative process is authorized and directed by EO I0865 1960 as amended by EO 10909 1961 and an implementing regulation DoD Directive 5220 6 The Director ofDISCR reports to the Deputy General Counsel of the DoD Thousands of cases are referred to the DISCR each year If in any case the DISCR is able to make the requisite finding of clear consistency with the national interest based on the criteria set forth in Directive 5220 6 that finding resolves the case and the clearance is granted Otherwise the DISCR prepares a Statement of Reasons which resembles a civil complaint and must state in detail so far as national security considerations permit the reasons why it may not be clearly consistent with the national interest to grant or continue a clearance The Statement of Reasons must be provided to any person to whom it relates Such persons also are informed that they are obliged to answer every allegation in the Statement of Reasons within 20 days that they have a right to a hearing before an Administrative Judge that the government will be represented by counsel at that hearing and that they may also be represented by an attorney of their own choice and at their own expense There is no provision for the assignment of defense counsel at public expense If the hearing right is exercised there is some opportunity for discovery essentially limited to proposed exhibits and non-privileged documents in the control of the DISCR Testimony at the hearing is taken under 41 an admonition by the Adirinistrative Judge that the Federal false statement statute which carries criminal penalties is applicable to that testimony Witnesses are subject to cross-examination except that under some circumstances again for reasons of national security the right of cross-examination may be curtailed or denied Although witnesses may be requested to appear or instructed by their agencies or employers to appear and are paid per diem and travel expenses if they do so neither government counsel nor the defense has the power to compel the attendance of witnesses by subpoena The government has an initial burden to show that the allegations in the Statement of Reasons have some substantial support but the ultimate burden-on the issue of clear consistency with the national interest-falls on the other side Defense evidence may be submitted not only in rebuttal but also in mitigation or extenuation The Federal Rules of Evidence are used as a guide The Administrative Judge renders a written decision which may be appealed by the losing party to a three-member Appeal Board which reviews the record and rules on alleged errors The Administrative Judge and the members of the Appeal Board are attorneys and are part of the DISCR organization If no hearing is requested the case is decided by an Administrative Judge on the written record including the Statement of Reasons documents that provide the basis for the allegations in the Statement of Reasons any answer or objections to the Statement of Reasons and any other material submitted in rebuttal mitigation or extenuation Decisions made on such a record are also reviewable by the Appeal Board DoD Civilian Personnel The procedural safeguards and administrative remedies available to DoD civilian personne and to military personnel as well are prescribed by another DoD regulation namely 5200 2-R This regulation provides that no final adverse action can be taken in any matter involving a personnel security determination unless the person concerned has been given I a written statement of the reasons for the proposed action as specific and detailed as Privacy Act and national security considerations permit 2 an opportunity to respond in writing to that statement to whatever authority the head of that person's component within the DoD may designate 3 a written decision by an identified official within 60 or at most 90 days thereafter again stating reasons as specific as Privacy Act and national security considerations permit and 4 an opportunity to appeal to a higher authority designated by the person's component within the DoD The opportunity to submit a written response although the regulation is not explicit on the point implicitly includes the chance to submit any materials in support of such a response whether in order to rebut the factual allegations or to explain any mitigating or extenuating circumstances Likewise although the regulation does not explicitly refer to representation by counsel as a practical matter any person desiring to retain counsel at his or her own expense could hardly be prevented from doing so The regulation also reserves to the Secretary of Defense the authority to bypass the prescribed procedures and to find that a person is ineligible for a clearance if national security interests so require That authority may not be delegated by the Secretary and so far as the Commission knows it has never been invoked A similar proviso is contained in the directive applicable to contractor personnel but again as far as the Commission knows it too has never been invoked The regulation in an appendix sets forth the same adjudicative criteria as the directive applicable to DoD contractor personnel 42 Differences and Comparative Advantages It is not the role of the Commission to attempt to pass judgment on the legal sufficiency of any of these procedural safeguards or remedies If any of them is legally defective either on its face or as it might be applied in any particular case an appropriate plaintiff will presumably come forward and any claims will then be duly determined by the courts with the benefit of adversary briefs and on the basis of a properly developed factual record There are however policy issues raised by the differences between the sets of safeguards available to DoD contractor employees on the one hand and DoD civilian employees on the other As the Commission sees it the most fundamental differences are the following contractor personnel have the assurance that they will have a chance to review all documents on which a decision is based whereas civilian employees although in practice they may be provided with such materials appear to have no such assurance contractor personnel unlike civilian personnel have a right to a trial-type hearing at which the government has an initial burden of showing that its allegations have some substantial support at which witnesses testify subject to cross-examination and at which the Federal Rules of Evidence are used in at least a guideline sense and more generally the cases involving contractor personnel assuming the hearing right is exercised are handled in a more formal manner akin to judicial proceedings with the government's side represented by a qualified trial attorney and with the final decision in the hands of an Administrative Judge who is also an attorney and a three-member Appeal Board also composed of attorneys It is the premise of the questions posed in the Conference Report to which we have already alluded and it is also the position of the American Bar Association which has been outspoken on the matter that the procedural safeguards available to DoD contractor personnel are superior to the safeguards to which DoD civilian personnel are entitled However it is not at all self-evident that this is so To begin with as nearly as the Commission can tell the right ofa contractor employee to demand a trial-type hearing before an Administrative Judge is made absolute by the applicable directive whether or not there are any factual disputes that need to be resolved Not even civil litigants operating under the Federal Rules of Civil Procedure have as broad a right On the contrary those rules effectively foreclose any opportunity for a trial in any case in which the material facts are undisputed and the only genuine issues concern the significance of those facts In addition contractor employees are evidently free to demand a trial-type hearing not only in circumstances where they do not contest the government's allegations and do not have any rebuttal evidence but also where they desire only to present some information that may be extenuating or mitigating Even assuming that such a broad hearing right may be superior from an employee's standpoint and may be available in other contexts involving for example the denial or revocation of professional licenses that does not mean that such a right is required in the name of fundamental fairness or that is should become the universal standard in connection with decisions that are as highly discretionary and judgmental as clearance decisions Second while it is true that contractor employees have the right to be represented by counsel at their own expense that right is empty for those who cannot afford that expense or obtain pro bono representation Such persons are left with the prospect of facing an experienced trial attorney alone and without representation Civilian employees may also go unrepresented but they are not caught up in a system in which there is an experienced trial attorney on the government side Further even where contractor employees are able to avail themselves of the right to counsel that may be only because their employers agree to bear the expense which is not a possibility in cases involving civilian DoD employees In our estimation although we haven't seen any evidence on the point there is a somewhat lower chance that an employee union might come forward to pick up the expense of such employees Third in contractor employee cases the employee's right of appeal from an adverse decision is confined by strict scope-of-review limits The Appeal Board may not consider any evidence not considered by the Administrative Judge Nor is the Appeal Board free to reverse a decision except on grounds that it 43 was arbitrary capricious or contrary to law or that the factual findings were unreasonable or that procedural error was committed These same constraints do not exist in civilian employee cases The appeal authorities in those cases can take an entirely fresh look and make what they believe to be the appropriate decision without regard for the lower-level decision which is apt to be far less detailed than a decision of an Administrative Judge in the DISCR process Further while either losing party which may be the government can appeal the decision of an Administrative Judge in civilian employee cases there does not appear to be any provision for appeals of decisions that are favorable to the employee Fourth the system of adjudicating contractor employee cases has a rigidity that can work against the employee No allowance is made in that system for the value that such employees may bring to the classified work being performed by their employers No matter how high that value it does not figure in the adjudicative criteria and it is therefore ignored The civilian employee system however is flexible enough to take account of that value In that system either at the lower level or the appeal stage decisions can be influenced by arguments that the employee is a big contributor that any security risk is manageable and therefore that the risk should be taken There is also a good chance that supervisors within an employee's component will actually come forward to champion such arguments or to make other arguments on the employee's behalf We do not say any of this to denigrate in any way the DISCR process Rather we make these points only to show that the policy debate is not one-sided and because it is very unclear to us whether given a choice between the DISCR process and the existing arrangements civilian DoD employees would opt for the former It is even more unclear to us that military personnel who have an understandable confidence in their own chain of comnand would opt for the DISCR process We come now to the specific questions posed by the Conference Report which were directed to the Secretary of Defense but as to which the views of the Commission were invited These questions asked why in each of six different respects DoD civilian employees should not be provided with procedural rights in connection with the denial or revocation of a security clearance that are as protective as those provided to DoD contractor employees 1 Notice of the reasons for the proposed denial or revocation In this respect as the Commission understands any difference between the rights afforded to the two classes of employees is a matter of degree The Statement of Reasons that commences the DISCR process is apt to be a more detailed statement than the notice provided to civilian employees Without attempting to draw any fine lines the operative principle here should be that affected employees are entitled to a statement that adequately informs them of the factual basis of any proposed adverse action and that identifies the adjudicative criteria that are relevant under the circumstances 2 An opportunity to respond Here again the Commission believes that this opportunity is already afforded to both classes of employees In any event the Commission believes that it should be 3 The right to a hearing or other appearance before a tribunal A hearing and a trial-type hearing are not synonymous terms Many forms of proceedings including some more informal than those now available to civilian DoD employees could accurately be described as hearings even though they don't have the characteristics typically associated with trials such as live testimony subject to cross-examination and precise rules governing the admissibility of evidence The real issue here is not whether there should be a right to some sort of hearing because civilian DoD employees already have that right The issue is whether the hearing rights of civilian employees and contractor employees should be conformed which is an issue we discuss in a moment under the caption The availability of trial-type procedures So far as concerns the right to an appearance before a tribunal the Commission understands that as matters stand today civilian DoD employees cannot demand with any assurance that the demand will be granted an opportunity to appear personally before any designated adjudicative authority that is 44 considering whether to deny or revoke a clearance The Commission believes such an opportunity should exist 4 The right to be represented by counsel This right exists today although it is diluted by the fact that employees who retain counsel must do so at their own expense and the cost may be beyond the means of many employees We note again that contractor employees particularly senior officials may have an important edge here because for them unlike civilian DoD employees there is at least a possibility that the employer may agree to bear the cost of any legal representation The Commission also believes that while the right to counsel is secured to civilian employees in the sense that there is nothing to stop them from consulting an attorney if they choose to do so such employees should be explicitly informed as are contractor employees that they have this right 5 The availability of trial-type procedures such as the opportunity to present and cross-examine witnesses The availability of such procedures to DoD contractor employees and their unavailability to DoD civilian employees is the most dramatic difference between the two adjudicative systems The hard question posed by the Conference Report is whether such procedures should be extended to the civilian employees The Commission recognizes that there may be complex legal issues that come into play here and that the nature of those issues may vary from one individual case to another depending for example on such circumstances as whether the person affected is an initial applicant for a clearance or already holds a clearance whether the denial or loss of a clearance leads to the loss of a job and whether and if so how far and in what way the person's reputation may be impaired or the person may otherwise be stigmatized by an adverse decision Again however any legal issues are for courts to determine and are beyond the purview of the Commission On balance from solely a policy standpoint the Commission does not favor the idea of extending trialtype procedural protections to civilian DoD employees As already noted the hearing rights currently granted to contractor employees are broader and more absolute in important respects than even the hearing rights available to civil litigants whose claims and defenses are adjudicated in the Federal courts No matter what interests such litigants may have at stake they are not entitled to a trial and their claims or defenses may be resolved against them on the basis of written submissions unless they are able to show that there is something to have a trial about-namely a material factual dispute that needs to be resolved Contractor employees faced with a denial or loss of a clearance however are evidently entitled to a trial-type hearing on demand without making such a showing The extension of such a broad hearing right to civilian employees could well result in a great many trialtype hearings in cases involving only undisputed facts It would certainly have the result of putting a great many more discretionary clearance decisions into the hands of judges It would also introduce new and significant delays into the system because it is unquestionably the fact that cases handled under the DISCR process if trial-type hearings are demanded on the average take far longer to resolve than cases adjudicated on a written record Such delays are not merely a matter of inconvenience One practical effect is that persons who are applicants for an initial clearance and have been assigned to positions requiring a clearance cannot move into those positions so long as the clearance outcome remains in doubt Other difficulties arise ifa person already holds a clearance that is threatened with revocation If that clearance is a job requirement and is suspended pending the outcome of the revocation proceedings the person cannot perform the job in the meantime If the clearance is not suspended pending the outcome a security risk must be taken in the meantime In all these circumstances there is a price to be paid not just by the employee but also by the government To be sure there will always be cases that do involve serious factual disputes and in which the existence or non-existence of those facts and the credibility of witnesses might be determined with more 45 certainty if trial-type procedures were employed There may also be cases in which an experienced Administrative Judge might be better able to apply the clearance criteria even to undisputed facts than other adjudicators These considerations however do not persuade the Commission to alter its policy advice Trial-type procedures are at their most effective in promoting fairness and accuracy only when both sides are equally represented In the DISCR process only the government is sure to be represented The same would be true ifthe DISCR model was followed for DoD civilian employees The Commission is also influenced in its view by the fact that such employees are less likely than contractor employees to lose their jobs or to incur serious damage to their careers if a clearance is denied or revoked And the Commission is also influenced by its doubt that if given the choice most civilian employees would prefer the DISCR process to the system now in place At the same time the Commission believes that the fairness of the system now in place can and should be improved In particular the procedural protections now available to DoD civilian employees should be expanded to include the same explicit right to review any documents on which a proposed denial or revocation of a clearance may be based or which are germane to such a proposed action that is presently afforded to DoD contractor employees This opportunity should be afforded as early in the process as possible so as to make it useful to the employee in preparing an initial written response to the allegations set forth in statement of reasons that commences the process 6 The opportunity to appeal any final decision This right exists today Indeed in some ways as already noted the appeal available to civilian employees may be a more valuable right than the appeal available to contractor employees because the latter is constrained by scope-of-review limits whereas the former gives the employee a true second bite at the apple Nevertheless the Commission realizes that the appeal procedures vary from one DoD component to another and believes that these procedures should be standardized and should provide for review by appeal boards consisting of three members In the Commission's view these boards should have a diverse membership including at least one senior official in the employee's DoD component and in the absence of an attorney adviser to the board one attorney Part of the purpose here would be to ensure a broad perspective and a review that is not solely in the hands of security officials Recommendation 34 The Commission recommends that a The DISCR process with its trial-type procedures not be adopted as the model for the adjudication of security clearance cases involving DoD civilian employees b All DoD civilian employees facing the possible denial or revocation ofa security clearance be explicitly informed that they have a right to counsel c Any documents on which a proposed denial or revocation of a security clearance is based or which are germane to such a proposed action be made available for timely review by the affected DoD civilian employee so far as applicable privileges and national security considerations permit d Any DoD civilian employee be given the opportunity to appear personally before any adjudicative authority that is considering whether to deny a clearance to such an employee or to revoke a clearance held by such employee e Any DoD civilian employee have a right to appeal any adverse clearance decision to an appeal board consisting of three members one of whom should be a senior official in the employee's DoD component and another of whom unless the board has an attorney should be an attorney Footnote 13 Military Personnel Even though issues relating to military personnel are outside the bounds of the recent congressional inquiries that the Commission took as its framework the Commission has considered whether there is any 46 good reason why DoD military personnel should be treated any differently than DoD civilian personnel in regard to the denial or revocation of security clearances In the Commission's view there is no such reason and it is bolstered in that view by the fact that the DoD regulation applicable to civilian personnel 5200-2-R is similarly applicable to military personnel Recommendation 35 The Commission recommends that so far as concerns the denial or revocation of security clearances DoD military personnel be afforded all the same rights as DoD civilian personnel Special Access Approvals The Commission now turns its attention to another question posed by the Congress in the 1994 Defense Authorization Act which was whether there should be a difference between the rights provided to both Department of Defense civilian and contractor employees with respect to security clearances and the rights provided with respect to sensitive compartmented information and special access programs This question arises because DoD Directive 5220 6 which is the regulation applicable to the denial or revocation of contractor employee clearances explicitly provides that it does not apply to cases for access to sensitive compartmented information or a special access program because DoD 5200 2-R which is the regulation applicable to the denial or revocation of civilian employee clearances may or may not be followed in connection with the denial or revocation of access to a SAP and because denials or revocations of access to Sensitive Compartmented Information SCI is governed by DCID 1 14 issued under the authority of the Director of Central fntelligence which establishes yet another set of procedures These different procedures owe their existence to the fact that special access and SCI security determinations have historically involved the application of more selective and stringent adjudicative criteria than clearance determinations If the Commission's basic classification system recommendations and its recommendation that there be a common set of adjudicative criteria are adopted the rationale for these different procedures would disappear There would no longer be any separate special access determinations except on need-to-know grounds The clearance decisions would then settle the matter of eligibility for all purposes either at the Secret level or at the Secret Compartmented Access level The denial or revocation of clearances in DoD contractor personnel cases would be subject to the DISCR process and the Commission believes that DoD civilian employee cases should then be subject to existing DoD procedures the 5200 R-2 procedures as modified by the Commission's recommendations in this section of its report If on the other hand the Commission's classification system and adjudicative criteria recommendations are not adopted with the result that SAP and SCI access determinations continue to be based on separate and more demanding requirements than clearance determinations then further judgments will need to be made about the procedural safeguards that should apply to the denial and revocation of an access approval In that event the Commission believes that the appropriate safeguards for both DoD civilian and contractor employees are those prescribed by DoD 5200 2-R again as modified by the recommendations in this section of the report The Commission does not recommend that the denial or revocation of an access approval if such an approval remains distinct from a clearance decision be made subject to the DISCR process even as to DoD contractor employees 47 THE POLYGRAPH The polygraph is a controversial investigative technique While some argue that the polygraph is the most effective information gathering procedure available others point to its lack of scientifically established validity the overreliance on passing polygraph examinations as a guarantee of trustworthiness and the belief that it is unacceptably intrusive and violates personal privacy The Commission was asked to undertake an objective review of the Federal personnel security screening polygraph program to determine how well it works how it could be improved and whether it should be continued Footnote 14 Background The polygraph Footnote 15 is a multichannel instrument that records changes in respiration cardiovascular activity and skin resistance in response to questions According to polygraph theory when a subject gives a false response to a relevant question questions of concern to security adjudicators the physiological reaction will be greater than the reaction to other questions control or irrelevant questions However contrary to popular belief there is no physiological response that is unique to deception The reactions measured by the polygraph can be caused by a variety of emotions This fact underlies much of the controversy surrounding the polygraph The polygraph process consists of a pretest interview test phase and posttest interview During the pretest interview the polygraph examiner tries to establish rapport with the subject reviews with the subject the background history statement familiarizes the subject with the polygraph instrument if necessary and then enters into a detailed explanation and discussion of the exact questions that will be asked during the test phase of the exam It is generally not explained to the subject that there will be two or more different types of questions asked during the examination There are questions of primary interest such as Are you engaged in espionage or Within the last 5 years have you used possessed or sold any narcotics or dangerous drugs These questions are also known as relevant questions Also included are a series of questions designed to assist the examiner in calibrating the subject's responses to the relevant questions during the test phase Depending upon the polygraph technique used such a question may be an irrelevant question Are you wearing shoes or some type of a control question Have you ever betrayed the trust of someone who depended on you The subject may or may not be asked to lie in response to the control questions and at present most subjects are not told to lie The examiner who is a trained investigator and usually highly skilled in interrogation will encourage the subject to come clean on each of the relevant questions while at the same time attempting to restrict or minimize the subject's answers to the control questions Significant admissions to relevant issues are explored fully through interrogation Unimportant admissions are excluded by modifying the questions with Except for what you have disclosed to me have you ever This process continues until the subject is able to answer all questions with a yes or no and the examiner is convinced the subject will properly respond to all types of questions posed during the exam that is a guilty subject will react to the relevant questions while an innocent subject will react most significantly to the control questions During the test phase the subject is attached to the polygraph instrument and is limited to responding yes or no to the relevant and control questions asked The test phase is generally very short in duration During the posttest phase the subject is given an opportunity to explain any reaction to certain questions Standard interrogation techniques are employed but only responses to relevant questions are explored with the subject If the subject offers an admission the test is readministered with the question causing the reaction changed to Other than what you have told me or a new set of questions are asked that focus more narrowly upon the issue s in question This process continues until the subject no longer reacts to any of the modified relevant questions the subject terminates the interview or the examiner determines that additional testing may need to be conducted at a later time 48 Establishing the proper examination setting is challenging for the examiner and can be very stressful to both innocent and guilty subjects Even innocent subjects have to undergo an extremely unpleasant selfexamination before a government investigator regarding highly personal information while knowing that the whole proceeding is being recorded Many Commissioners were troubled by the wide latitude given to examiners and the possibilities for abuse especially where relevant and control questions are used to elicit highly personal information of questionable relevancy to security screening While attempts can be made to minimize the discomfort level for innocent subjects such settings can and do result in anguish and in complaints of abuse Applications of the Polygraph The DoD and the Intelligence Community use the polygraph in the following areas specific issue investigations criminal and security personnel security screening and operations vetting and validation of intelligence sources The Commission evaluated the use of the polygraph in personnel security screening only Specific issue investigations and operational uses of polygraph were outside the scope of this review Two types of polygraph examinations are currently used in personnel security screening the counterintelligence-scope Cl-scope polygraph and the full-scope polygraph The Cl-scope polygraph focuses on espionage sabotage terrorism subversion mishandling of classified information and unauthorized contacts with representatives of foreign governments The full-scope polygraph covers all of the CI-scope questions and a number of issues that pertain to both security and suitability for employment questions that have been inaccurately labeled lifestyle These questions may address any of the following issues criminal history serious financial problems use of illegal drugs excessive use of alcohol falsification ofinformation on the personal history statement and serious nervous or mental disorders Questions about sexual orientation are no longer asked during polygraphs The entire polygraph process pretest test and posttest in the DoD and the Intelligence Community is recorded video and or audio The recording is justified on quality control grounds but it also raises concern because it creates a record of extremely sensitive personal information about the applicant Screening polygraphs particularly the full-scope polygraphs are more controversial than specific issue polygraphs because they cover a wider range of personal matters and are administered to individuals who are not suspected of specific wrongdoing Polygraph opponents argue that screening polygraphs are intrusive dragnets for information and that individual privacy interests outweigh the government's need for such wide-ranging searches Proponents contend that screening polygraphs are used only to seek information that is relevant to trustworthiness and therefore to national security interests They point out that these same issues are addressed in personal history statements personal interviews and background investigations and that the basis for asking them derives from approved adjudicative criteria The CIA and the NSA are the only agencies that use full-scope polygraphs to screen applicants for employment For these agencies the screening polygraph serves both security and suitability functions They require the polygraph as a condition of employment because any employee of these agencies may have access to a broad range of classified information in the course of his or her regular duties The DoD which uses a CI-scope polygraph only has been limited by Congress to 5 000 screening polygraphs per year with major exceptions such as the NSA the NRO and cryptographers The DoDs use of the screening polygraph is not related to employment Rather these polygraphs are administered to people who already occupy sensitive positions but require access to a specific or several sensitive programs for which the polygraph has been established as a requirement 49 The following arguments have been made in favor of the polygraph a A Unique Source ofInformation Officials at the CIA and the NSA point out that the polygraph elicits important adjudicative information that is often not obtainable by other investigative methods such as personal history statements personal interviews and background investigations In fact the most important product of the polygraph process is more likely to be an admission made during the interview than a chart interpretation While senior officials at the CIA and the NSA acknowledge the controversial nature of the polygraph process they also strongly endorse it as the most effective information gathering technique available in their personnel security systems They argue that without the polygraph the quality of their work force would suffer immeasurably The DoD uses a CI-scope polygraph only after individuals have been thoroughly investigated and favorably adjudicated Nonetheless DoD officials report that they have obtained significant security and counterintelligence admissions that were not developed through the prescreening and investigative process The DoD catalogues and reports these results annually to Congress The utility of the polygraph in eliciting important adjudicative information is not in doubt In addition the Commission found that the suitability or lifestyle questions particularly those that address criminal activity and illegal drug use have always elicited the most information Research studies have supported these views o In 1980 a working group of the DCI Security Committee found that the polygraph examination process was superior to other investigative methods in eliciting adverse information that ultimately resulted in denial or revocation of access o An April 1991 study by the Personnel Security Working Group an Intelligence Community interagency working group unequivocally identified the polygraph as the most productive source of derogatory information in the screening arena eliciting such information in 70 percent of the cases in which it is used o A September 1993 CIA study cited the following polygraph benefits it enables the CIA to forgo random drug testing for staff employees or those with staff-like access it facilitates the flow of classified information within the organization it enables the CIA to use minimal internal information systems security checks and it reduces the need for domestic physical security countermeasures b Deterrence Screening polygraph programs arguably have a deterrent effect Applicants who believe that the polygraph will elicit disqualifying information may be deterred from applying Cleared personnel also may be deterred from misconduct because they know that they will be required to take a polygraph in the future In fact the CIA's Inspector General noted that the polygraph has been instrumental in reducing the incidence of fraud and other wrongdoing at the CIA In addition a 1993 study by the DC I's Counterintelligence Center and an Intelligence Community research project have concluded that the polygraph is a significant espionage deterrent c Cost-Effectiveness The CIA and the NSA two agencies that routinely use full-scope polygraphs to screen applicants present a strong case that the polygraph serves as an efficient and effective costcontainment hiring tool When admissions made by a subject during a polygraph test result in a disqualification these agencies are saved the considerable cost and time of conducting a background investigation In addition the CIA's Office of Medical Services reported to the Commission that full-scope polygraphs enable it to detect and screen out 50 percent to 75 percent of the most troubled applicants They expressed concern that ifthe suitability questions were reduced or eliminated this would result in increased terminations for cause security breaches and medical lega and administrative costs arising from contested terminations and increased psychiatric difficulties in the work force 50 The following arguments have been made against the polygraph a Lack ofScientific Validity In 1983 the Congressional Office ofTechnological Assessments concluded that There appears as yet to be no scientific field evidence that polygraph examinations represent a valid test to prescreen or periodically screen government employees A 1991 government review of the polygraph in personnel security applications reaffirmed the earlier study and concluded that the number and quality of screening studies is insufficient to provide a basis for reliable estimates of validity The Commission reviewed many other studies as well The results of these studies were too varied to allow for definitive conclusions about the validity of the polygraph when used for personnel security screening The Commission also met with various research experts in polygraph and related fields and learned that due to the extraordinary difficulty of conducting screening polygraph validity research the scientific validity of the polygraph is yet to be established Many polygraph proponents and some research experts believe that it is unnecessary to study the validity of the polygraph process meaning its accuracy in distinguishing truth from deception They contend that as long as the polygraph elicits admissions to screen out unsuitable applicants and actual security risks questions about the polygraphs validity remain academic However ifthe polygraph does not have established scientific validity in the screening arena judgments about truthfulness based solely on chart interpretation will continue to be controversial Without established validity the process lacks full integrity and appears more like trickery because information is obtained from subjects under the pretense that it is in their best interest to be forthright since false answers will be discovered Furthermore arguments could be made that the polygraph may not have the same effect on a nonbeliever that is unless the validity of the process can be demonstrated there is nothing to prevent a practiced deceiver from passing a polygraph examination In fact circumstantial evidence lending credence to this view was documented by a President's Foreign Intelligence Advisory Board study in 1988 b Intrusiveness Polygraph testing can be a highly intrusive and emotionally grueling process Some claim that this results in lost talent when suitable individuals refuse to participate in a polygraph examination Other individuals and organizations have argued that there can be no justification for the use oft he polygraph The Department of State has refused to use the polygraph for personnel security screening even for those with access to the most highly protected information The ACLU views the polygraph as an unacceptable invasion of privacy an affront to human dignity a violation ofselfincrimination prohibitions and an unreasonable search and seizure Comparison or control questions are frequently identified as the most intrusive aspect of the polygraph Control questions are used to elicit untruthful or uncertain responses from subjects for example Have you ever violated the trust of a close friend Physiological reactions to these questions are compared to reactions to the relevant questions for example Have you ever committed a serious crime It is assumed that innocent subjects will react more strongly to the control questions than the relevant questions while the reverse will be true for guilty subjects For this reason innocent subjects frequently experience the control questions as intrusive or embarrassing indeed the intent is to generate some degree of discomfort and worry that their responses will be kept in a permanent record The DoD has developed a less intrusive type of control question called the directed lie In this technique the examiner directs the subject to lie in response to certain questions the control questions so that a physiological reaction can be obtained while lying Directed lie control questions differ from other types of control questions in that the subject is specifically instructed to lie to these questions and no admissions are solicited or allowed Knowing their true purpose people generally experience these questions as less intrusive Research is currently under way to further validate this technique As unpleasant as the polygraph process may be to some individuals the Commission did not find any ground swell of antipolygraph feeling among the government and contractor personnel who are most 51 heavily exposed to it On the contrary available surveys suggest the majority of those who take a screening polygraph believe that the examinations are conducted fairly and professionally c Over reliance In the absence of admissions polygraph tests are not infallible truthful subjects sometimes fail and untruthful subjects sometimes pass When the polygraph test result is used as a primary determinant of truth there will be occasions in which innocent people are falsely accused and guilty people avoid detection Despite assertions to the contrary adjudicative decisions have been made on the basis of polygraph chart interpretations without admissions Managers and security officers who make decisions based on polygraph test results need to be aware of the fallibility of the polygraph screening process Also the Commission is concerned that in times of declining financial resources agencies may be tempted to rely more on the polygraph at the expense of more thorough investigations decreasing the checks and balances provided to the personnel security process by background investigations and financial checks and increasing the likelihood of spies being hired or allowed to continue espionage activities started after initial employment Recommendations Despite the controversy after carefully weighing the pros and cons the Commission concludes that with appropriate standardization increased oversight and training to prevent abuses the polygraph program should be retained In the CIA and the NSA the polygraph has evolved to become the single most important aspect of their employment and personnel security programs Eliminating its use in these agencies would limit the effectiveness of security personnel and medical officers in forming their adjudicative judgments However the Commission unanimously endorses the adoption of procedural safeguards and oversight discussed later in this section to ensure that the technology is used in a reliable consistent and ethical manner We support the standardization of the process to ensure basic fairness and reciprocity We believe that the intrusiveness of the procedure should be minimized and mechanisms should be put in place to resolve ambiguous results quickly and efficiently The Commission believes that polygraph examinations should be limited to Cl-scope for all security screening examinations except for applicants seeking staff positions at the CIA and the NSA Almost all of the Commissioners believe that polygraph examinations for these CIA and NSA staff applicants can be restricted without reducing security benefits The Commission recommends that polygraphs for applicants for CIA and NSA staff positions consist of only the Cl-scope questions plus questions on serious criminal conduct and recent drug use This ensures uniformity between the two agencies and eliminates broader questions about financial problems alcohol use nervous or mental disorders and falsification of any information on the personal history statement The record indicates that the questions about serious criminal conduct and recent drug use are much more likely than the other questions to produce information of significant value in making security and suitability decisions These restrictions on the polygraph for CIA and NSA staff applicants will limit its intrusiveness without sacrificing its security benefits A CI-scope polygraph should be used for all reinvestigations even for CIA and NSA employees One of the ten Commissioners believes that the CIA and the NSA should be permitted to use the questions currently being asked during applicant screening polygraphs examinations with due regard for the need to standardize the questions as soon as possible The Commission is concerned about overreliance on the polygraph Under the security scheme we have proposed the polygraph would not be a general requirement for access to classified information a NACI plus credit will be required for access to generally protected information and an SSBI for access to specially protected information Nor would the polygraph necessarily be a requirement for access to multiple specially protected programs as it is today in the DoD Instead the polygraph should only be an option in those rare instances when the Secretary of Defense or the Director of Central Intelligence 52 approves its use for particular controlled access activities or if required as a condition for staff employment at the CIA or the NSA Recommendation 36 The Commission recommends that a The screening polygraph should be used by those DoD and Intelligence Community organizations that currently employ it as follows I Polygraph examinations should be limited to CI-scope for all security screening examinations except for initial applicants seeking staff positions at the CIA and the NSA 2 The screening polygraph examinations of initial applicants at the CIA and the NSA should be limited to CI-scope plus questions on serious criminal conduct and recent drug use 3 A CI-scope polygraph should be used for all reinvestigations even for the CIA and the NSA b The polygraph should not serve as a bar to clearance reciprocity or the exchange of classified or sensitive information c The intrusiveness of control questions must be minimized strict oversight must be established to prevent abuses information elicited by control questions must not be kept in a permanent record unless it relates to criminal activity and procedures must be adopted to ensure compliance with these requirements d Physiological reactions without admissions to questions during a polygraph examination should not be used to disqualify individuals without efforts to independently resolve the issue of concern Oversight The Commission is aware of the potential for abuse and the actual past abuses associated with polygraph programs For example in some instances examiners have pursued issues beyond the scope of the inquiry We believe that the polygraph process must minimize intrusiveness as much as possible This can be done by training examiners in less adversarial methods and by implementing rigorous quality control procedures While a number of safeguards have been built into the current system such as internal polygraph quality control procedures and Inspector General reviews the Commission believes that an external independent centralized oversight mechanism is needed to monitor the programs and manage complaints Such a mechanism would provide a focal point for tracking and investigating reports of abuse and ensure that the polygraph programs are responsive to the concerns of polygraph subjects Recommendation 37 The Commission recommends that an independent external mechanism be established by the security executive committee to investigate and track polygraph complaints This mechanism also should monitor and oversee the polygraph programs' compliance with standards and conduct periodic satisfaction surveys of polygraph subjects Standardization The Commission found that the personnel security screening polygraph program is characterized by a complicated web of inconsistent and misunderstood practices Agencies vary as to when or ifit is required where or how it is administered the subject areas covered and what techniques are employed in 53 administering the tests For example the Commission finds no acceptable reason why the CIA and the NSA should cover different subject areas in their full-scope polygraphs The Commission also is concerned that the same questions are worded differently and are therefore open to differing interpretations decreasing confidence in the objectivity of the process The Commission believes that these differences should be minimized Recommendation 38 The Commission recommends that standards be developed to ensure consistency in the administration application and quality control of screening polygraphs The need for standardization and consistency is also evident in the contractor world The NSA is the only agency that requires full-scope polygraphs for all contractors prior to granting access to compartmented information The DoD requires only a Cl-scope polygraph for their contractors but generally grants access prior to and sometimes without administering a polygraph Footnote 16 The CIA requires only CI-scope for those contractors outside its facilities but full-scope polygraphs for those contractors with regular working access to its facilities and computer systems Such inconsistent applications should be eliminated The Commission believes that enhanced efficiency and cost savings can be realized by establishing one organization to serve as the executive agent for conducting polygraphs on contractor personnel who do not require regular working access to government facilities The executive agency would oversee the operation of joint polygraph facilities at strategic sites that would serve to maximize the efficient accorrplishment of a maximum number of examinations The executive agency would also coordinate the scheduling of all contractor polygraph examinations to economize on travel requirements Most importantly an executive agency woulcl facilitate the standardization of the CI-scope polygraph as well as the reciprocal acceptance of polygraphs throughout the DoD and the CIA intelligence community The joint investigative service described in chapter 7 would be a logical organization to perform this service Recommendation 39 The Commission recommends that a The CI-scope polygraph be adopted as the standard for all contractor personnel b Polygraph examinations for all contract personnel working at contractor facilities be conducted under the auspices of a single entity Training Research and Development Many believe that the single most significant variable in the polygraph process is the competency and integrity of the examiner Any polygraph technique no matter how benign can be used in an abusive way by an improperly trained or misguided examiner Competence is a primary requirement for ethical practice For this reason the Commission believes that it is essential for examiners to be formally trained and professionally certified under a single entity Polygraph examiners also should be required to maintain professional certification through a formal continuing education program Recommendation 40 The Commission recommends that certification of polygraph examiners under the auspices ofa single entity should be mandatory Mandatory requirements for recertification also should be established Most polygraph training is conducted at the DoD Polygraph Institute DoD PI although the CIA trains its own examiners and some from the NSA In the interest of efficiency and consistency the 54 Commission believes that all government polygraph training and certification should be conducted by a single entity Incorporating the CIA training program into the DoD Polygraph Institute would standardize and enhance the quality of polygraph training provided by the government The DoD Polygraph Institute also should be made a national or Federal polygraph institute and if subject to relocation due to base closure consideration should be given to locating the institute closer to its customer base Recommendation 41 The Commission recommends that the CIA polygraph school be consolidated into the DoD Polygraph Institute to form a national polygraph institute that would conduct all training and certification of government polygraph examiners The Commission believes that it is imperative the government establish the validity of the polygraph for personnel security screening In the absence of admissions the ability of the polygraph to distinguish between truthful and deceptive reactions is critical While the Commission recognizes the difficulty of designing and conducting validity research on the screening polygraph the dearth of such research is not acceptable The Commission realizes that these recommendations have been made in the past with little effect A greater commitment must be made to sustain funding ofresearch to establish the validity of the polygraph in personnel security screening applications The Commission believes that research is also needed to determine which polygraph techniques work best in which situations and with which subjects The ongoing development of scoring algorithms and computerization would increase the objectivity of the polygraph process and provide a basis for addressing countermeasure threats We also believe that research should explore other methods of detecting deception that could be used in conjunction with or in place of the polygraph Recommendation 42 The Commission recommends a robust interagency-coordinated and centrally funded research program Footnote 17 should be established with the DoD PI as executive agent The polygraph research program must concentrate on the development of valid and reliable security and applicant screening tests and standardize their use 55 CHAPTERS PHYSICAL TECHNICAL AND PROCEDURAL SECURITY The physical protection of information assets and personnel is fundamental to any security system Closely related to physical security are the technical security safeguards required to protect certain facilities against intelligence collection or observation and security procedures adopted to monitor and control physical access to facilities and material Government rules for protection of classified information cover construction and storage requirements facilities locks alarms guards technical security requirements imposed on facilities storing classified information surveillance countermeasures TEMPEST audio attenuation and procedures affecting the conduct of operations within these facilities inspections document control visit certification and badges The Commission's focus was primarily on the domestic environment where there is the greatest potential for cost savings a lower level of threat and because it lends itself more readily to uniformity than do facilities at overseas locations Our review was limited to the protection of classified information and material It did not include protection of weapons munitions or nuclear devices which are governed by separate regulations Recently there have been significant policy changes affecting physical security within the Intelligence Community However it appears that cross-program management for physical technical and procedural security countermeasures is not uniform The relationships with industrial contractors vary from punitive compliance inspections to problem-solving advice and assistance In addition many of our physical security policies are out of date are not based on actual threat conflict with each other and have not been implemented in a uniform fashion As a result the end user is faced with a patchwork of multiple standards increased costs because facilities cannot be shared and irrational situations where information classified at a lower level Confidential and Secret is often more stringently protected than our government's most sensitive technologies and operations The wide variety of physical technical and procedural security requirements imposed on industry is the principal concern that lead to the development of the National Industrial Security Program NISP For Confidential and Secret information the Defense Industrial Security Program requires that contractors be inspected every six months that guards physically check safes that hold classified material and that stringent document control audits and inventories be maintained Director of Central Intelligence representatives normally inspect facilities housing Sensitive Compartmented Information once every two years require alarms rather than expensive guards and recently have dropped strict document handling requirements The Commission seeks to apply physical technical and procedural security consistent with the same basic risk management principles recommended throughout this report Security standards should provide two uniform degrees of protection for classified information Decisions to adopt special protection safeguards should be based upon risk management analysis of the value of the asset the threats and vulnerabilities and the costs of protection The relationship between government and industry should be a problem solving partnership that maximizes reciprocity New procedural mechanisms should be instituted to terminate unnecessary controls and facilitate ease of reassigning cleared personnel 56 Physical Security Standards Today's physical security policies evolved in the context of the Cold War when it was often assumed the enemy would attempt penetration and it was necessary to keep them out at almost any cost Organizations began to individually adopt different rules governing the protection of classified information As a result there is no single facility standard Facilities cleared for DoD Special Access Programs have rules which may vary from facility to facility and from program to program Facilities housing Sensitive Compartmented Information SCI are governed by the Director of Central Intelligence Directives Facilities holding collateral information follow differing standards depending on which organization is the sponsor Application of these differing standards by individual government agencies is also uneven resulting frequently in one government agency being unwilling to share space with another agency even though they both ostensibly use the same standard A facility's security may include alarms guards security containers safes access control devices closed-circuit television locks special construction requirements and a host of other countermeasures It also may include a requirement for two people to be in close proximity at all times so as to deter the unauthorized removal or copying of classified material With total risk avoidance as the goal the addition of each of these countermeasure is justified by assuming that the countermeasure will provide an additional measure of protection Cost is not a factor The physical security countermeasures at one industriaifacility include a fence roving guards and automated building access controls Inside the facility there is also a specially constructed room to which access is controlled by cipher and combination door locks Moreover the program manager of a special access program required that the five-drawer safe used to store program material have each drawer alarmed even though the safe was inside an area already alarmed Yet the great majority of past compromises have involved insiders cleared persons with authorized access who could circumvent physical security barriers not outsiders breaking into secure areas We have had numerous incidents of classified information being removed by cleared personnel but no documented evidence leading us to believe an agent of a foreign power has ever broken into a classified area inside the United States In reviewing the existing standards for physical security and their implementation in practice the Commission found that the amount of physical security provided to protect classified information in facilities within the United States is often excessive The Commission acknowledges the significant and ongoing policy changes affecting physical technical and procedural security requirements that are being developed especially through the DCI Security Forum and the National Industrial Security Program task forces Many improvements have already been introduced and some cost savings already realized For example the recent DCI policy decision to drop the two-person rule has permitted manpower savings in some contracts Other elements such as the military SAPs continue to enforce this requirement Not only do these inconsistencies produce confusion they seriously erode the user's faith in legitimate security practices Despite some positive efforts the Commission concludes that many of the rules governing phys£al and technical protection of classified information stored within the United States have yet to realistically reflect the actual threat The Commission believes that an integrated systems approach based on valid risk management analysis must be implemented to replace the current fragmented process Under risk management each countermeasure can be viewed in the context of a fully integrated system The introduction of two uniform degrees of physical security protection will remedy the current inconsistencies and permit the establishment of a more rational approach to the physical protection of information and material 57 Recommendation 43 The Commission recommends that classified material or information stored within the United States be protected by one of two levels of a national physical security standard Facility Certification Multiple standards variously interpreted have inhibited primarily in the DoD the efficient sharing of facilities and services resulting in increased cost to the US Government Sharing is more prevalent in the Intelligence Community where areas used for storing and discussing Sensitive Compartmented Information SCI are built to standards contained in a DCI Directive For years these areas called Sensitive Compartmented Information Facilities SCIFs have been certified by the first agency to use that particular space Written agreements allow additional agencies to use the same facilities accepting any waivers to the standards Facility clearance reciprocity is less prevalent but increasing for Special Access Programs All too often SAPs levy additional requirements by forcing contractors to add costly and excessive security upgrades or even build a new SCIF or SARF-Special Access Required Facility One west coast contractor said that the Intelligence Community usually grants approval for co-utilizing SC Fs within 48 to 72 hours Yet the same process usually takes 4 to 6 months in the SAP world Additionally SAP program managers may levy further requirements such as one manager who wanted $30 000 in upgrades made to an already accredited SCJF The Commission supports co-utilization of certified facilities and further believes a registration system would help enforce this process Once certified a facility should be registered in a central data base All government organizations desiring to operate at the relevant security level should accept the registered area without changes enhancements or upgrades The facility should also remain certified until it is modified or closed out Co-utilization of facilities is endorsed by the NISP and this registration process would complement the NISP effort Recommendation 44 The Commission recommends a data base registering certified facilities be established and that co-utilization and reciprocity of accredited space be mandatory Facilities Containers and Locks While uniform standards are important the standard itself must be supported by an analysis of actual threat and a reasonable risk management response The importance of this is shown by the example of the national standard adopted for security containers and locks Current national policy requires classified material be stored in GSA-approved safes or containers with approved locks Exceptions to this policy were routinely made in domestic settings during the Cold War in acknowledgment that other layers of security were in place or because of site specific factors such as floor loading restrictions Non-GSA-approved containers bar lock cabinets equipped with changeable combination locks and the open storage of classified information in specially constructed areas have been routinely allowed There is no evidence that these waivers have compromised security The risk management approach embodied in granting these waivers should become the basis for developing future policies The Commission strongly opposes recent efforts that are calling for more stringent standards An example is the current effort to replace existing container locks with the new GSA-approved electro-mechanical locks This replacement effort is not based on current threat data and will significantly increase costs For example one west coast contractor estimates that replacing all the locks for its facility would cost more than $7 3 million While new locks could be used 58 in new containers the Commission found no evidence that would warrant a large-scale replacement effort for locks already installed in approved facilities within the United States Recommendation 45 The Commission recommends that there be no replacement or retrofit of containers and locks currently approved for use in the United States Industrial Security Inspections Companies with classified government contracts are periodically inspected to ensure they are protecting classified material in ways consistent with government security standards These inspections take many forms to include an initial accreditation inspection a change of status inspection when there is new ownership or new spaces ands pecial interest inspections based on a specific incident investigative lead or threat In addition to these accreditation and incident-driven visits there also are routine reinspections required on a varying and arbitrary periodic basis depending on the contract and sponsor These routine inspections are conducted by the DIS the DoE the CIA the NSA or any number of individual DoD SAPs all using a variety of standards The CIA and the DoE inspect every two years allowing the contractor to self-inspect on the off years Until recently the NSA maintained a six month schedule The DIS responsible for the majority of the inspections also reviews all aspects of a contractor's security program every six months Less than one percent of these inspections result in unsatisfactory ratings Both the frequency and value of these routine inspections were questioned by contractors interviewed by the Commission One contractor stated that in 1992 DIS spent 480 hours inspecting the contractor's five facilities But in 1993 despite the contractor's 38-percent reduction in personnel 68percent drop in documents 40-percent less controlled area and 50-percentfewer classified holdings DIS needed 1413 hours to inspect the same five facilities Contractors with Special Access Programs are inspected on a program-by-program basis with each individual project having its own requirements For example a contractor with six SAPs may undergo six separate inspections with each having differing requirements Contractors state that routine re-inspections are time-consuming onerous costly and confusing They advise that the redundant inspections contribute little if any additional security One contractor had to contend with 26 inspections by DIS and SAPs over a I 0-month period in 1993 Inspectors were on-site for 99 out of 210 workdays An additional week ofplanned inspection was canceled Intelligence Community inspectors put less weight on fault finding and more emphasis on program review For example they may frequently visit a contractor to discuss programmatic or individual personnel security issues but rarely conduct form11l top-to-bottom inspections Some Intelligence Community components use award fee contracts with monetary awards as incentives for good security The Commission endorses the partnership or service approach towards security rather than an adversarial approach The Commission supports accreditation visits and special issue investigations but sees no need for each organization to conduct routine inspections These reinspections frequently involve a top-to-bottom review of construction storage and procedures complete with formal out-briefings to senior management They also often require an official response from the senior management Our vision of a government and contractor partnership rejects the concept of these punitive inspections The Commission believes that multiple compliance inspections and re-inspections are costly time consuming and of questionable value in providing better security A partnership or service-based approach should be encouraged 59 Recommendation 46 The Commission recommends that after an initial accreditation inspection reinspections be limited to aperiodic random inspections or those in reaction to specific incidents or threats Routine industrial security re-inspections should be eliminated TEMPEST TEMPEST an acronym for Transient Electromagnetic Pulse Emanation Standard is both a specification for equipment and a term used to describe the process for preventing compromising emanations The fact that electronic equipment such as computers printers and electronic typewriters give off electromagnetic emanations has long been a concern of the US Government An attacker using off-the-shelf equipment can monitor and retrieve classified or sensitive information as it is being processed without the user being aware that a loss is occurring To counter this vulnerability the US Government has long required that electronic equipment used for classified processing be shielded or designed to reduce or eliminate transient emanations An alternative is to shield the area in which the information is processed so as to contain electromagnetic emanations or to specify control of certain distances or zones beyond which the emanations cannot be detected The first solution is extremely expensive with TEMPEST computers normally costing double the usual price Protecting and shielding the area can also be expensive While some agencies have applied TEMPEST standards rigorously others have sought waivers or have used various levels of interpretation in applying the standard In some cases a redundant combination of two or three types of multilayered protection was installed with no thought given either to cost or actual threat A general manager ofa major aerospace company reports that during building renovations two SAPs required not only complete separation between their program areas but also TEMPEST protection This pushed renovation costs from $1 5 million to $3 million just to ensure two US programs could not detect each other's TEMPEST emanations In 1991 a CIA Inspector General report called for an Intelligence Community review of domestic TEMPEST requirements based on threat The outcome suggested that hundreds of millions of dollars have been spent on protecting a vulnerability that had a very low probability of exploitation This report galvanized the Intelligence Community to review and reduce domestic TEMPEST requirements Currently many agencies are waiving TEMPEST countermeasures within the United States The rationale is that a foreign government would not be likely to risk a TEMPEST collection operation in an environment not under their control Moreover such attacks require a high level of expertise proximity to the target and considerable collection time Some agencies are using alternative technical countermeasures that are considerably less costly Others continue to use TEMPEST domestically believing that TEMPEST procedures discourage collection attempts They also contend that technical advances will raise future vulnerabilities The Commission recognizes the need for an active overseas TEMPEST program but believes the domestic threat is minimal Contractors and government security officials interviewed by the Commission commend the easing of TEMPEST standards within the last two years However even with the release of a new national TEMPEST policy implementation procedures may continue to vary The new policy requires each Certified TEMPEST Technical Authority CTTA keep a record of TEMPEST applications but sets no standard against which a facility can be measured The Commission is concerned that this will lead to inconsistent applications and continued expense Given the absence of a domestic threat any use of TEMPEST countermeasures within the US should require strong justification Whenever TEMPEST is applied it should be reported to the security executive committee who would be charged with producing an annual national report to highlight inconsistencies in implementation and identify actual TEMPEST costs 60 Domestic implementation of strict TEMPEST countermeasures is a prime example of a security excess because costly countermeasures were implemented independent of documented threat or of a site's total security system While it is prudent to continue spot checks and consider TEMPEST in the risk management review of any facility storing specially protected information its implementation within the United States should not normally be required Recommendation 47 The Commission recommends that domestic TEMPEST countermeasures not be employed except in response to specific threat data and then only in cases authorized by the most senior department or agency head Technical Surveillance Countermeasures fSCM Technical Surveillance Countermeasures TSCM involves the search for technical surveillance devices or bugs The TSCM function is decentralized within the government and resources and requirements are determined at the department or agency level Traditionally TSCM teams conduct inspections of domestic facilities when they first open and on a routine basis thereafter TSCM teams are also called upon when there is some indication of a threat A recent classified study shows that over the last 40 years initial and routine domestic inspections uncovered few bugs with the exception of an occasional hazard such as an on-line telephone connection or a two-way intercom into a secure area The study also notes that few finds are uncovered in areas where good physical security and access controls are in place and that the overwhelming number of technical attacks against US interests occur overseas The failure to discover any use of technical surveillance devices domestically coupled with budgetary pressures influenced the application ofTSCM Within the last two years the interagency TSCM training academy and two technical security laboratories have had to curtail their operations because of lost funding Although there is little or no evidence of a domestic threat the Commission believes that overseas locations can be very vulnerable to technical invasion It is therefore very important to maintain an active focused interagency R D program in support ofTSCM Scarce resources should be directed both to specific threat-driven inspections and to the maintenance of an R D and training effort Recommendation 48 The Commission recommends a The elimination ofroutine TSCM inspections within the United States in favor of increased emphasis on overseas inspections Any domestic TSCM efforts should be specifically threat driven b The government fund a coordinated TSCM R D and training program to support overseas inspections and as a defense against future technological advances in technical surveillance equipment 61 PROCEDURAL SECURITY Central Clearance Verification The verification of an individual's clearance and level of access is a critical component in the management of interagency and industry visits to classified areas On any given day thousands of clearance access requests are made Hundreds of personnel are officially involved in clearance verification Many more are involved peripherally and failure of the process affects most cleared persons at some point The typical visit request goes through at least six steps involves at least three levels of the bureaucracy at each agency and can take anywhere from one to three days One security manager stated that she spends some 40 percent of her time handling visit requests and that she must rely on personal contacts and informal channels to get the job done Considering the hundreds of visits conducted daily within the community the productivity loss is enormous All too often individuals ask their security officer to pass clearance information and when they arrive at a meeting location they are told We did not receive your clearance you cannot enter the building A flurry of calls between the visitor and his security officer determines that the clearances were sent despite the fact that the receiving office has no record of the incoming clearance Time elapses sometimes after heated exchanges the clearance information is orally passed and the meeting starts Despite having his clearance passed a week before a quarterly meeting at the CIA a senior military officer was delayed some 30 minutes while his military assistant whose certification was passed and received at the same time had no difficulty entering The current clearance verification system draws upon clearance information contained in data bases maintained by the OPM the DoD and the CIA Some highly sensitive programs for example the DoD SAP community also maintain clearance access data bases that are withheld from the major data bases The CIA community-wide data base for certifying access to Sensitive Compartmented Information SCI is obsolete and scheduled to be replaced within two years The DoD's Defense Clearance Investigative Index DCII is being upgraded and will be interconnected with the Federal employment Suitability and Security Investigations Index SSH maintained by OPM The DoD and the OPM data bases contain more than 95 percent of all collateral clearances The proposed CIA system will include all of the SCI clearances By combining these data bases and adding special programs the user community would have a Central Clearance Verification System CCVS Such a system would reduce duplicative record systems administrative processing time delays and personnel requirements In addition a central clearance data base would provide the information backbone for the application of smart-card technology for instant clearance verification without human intervention for access to networks E-mail and facilities Recommendation 49 The Commission recommends that a Central Clearance Verification data base be developed and made available to industry and government The data base should contain all collateral and SCI clearances Sensitive clearance information should be encrypted or otherwise protected within the data base Certification of Contractor Visits The DoD industrial security rules require stringent control and prior approval of contractor visits especially when classified information is to be discussed Contractor visit requests must be provided in writing in advance of an actual visit However under certain circumstances contractor visit requests must also contain a signed certification from the cognizant government contracting officer or prime contractor 62 that the visitor has a need-to-know under a particular contract for access to classified information This policy does not apply to government employees The requirement to certify need-to-know for each individual visit request between contractors without a direct classified contractual relationship has increasingly caused significant problems and needless delays Contractors question the need for the certification process in view of the heavy dependence of the process on paper They maintain that the advent of facsimile machines and data base management systems for transmitting visit requests renders the exercise of obtaining a contracting officer's signature on each paper visit request obsolete Critics also cite the practical difficulty in locating a government authority to certify individual visits In many cases government certification of need-to-know is in fact a rubber stamp In circumstances such as contractor attendance at classified symposia and conferences involving general technical areas or subjects unrelated to any particular classified contract the certification rule becomes a real impediment to accomplishing normal legitimate business The Commission believes that the requirement for need to know certifications for contractor visits involving generally protected projects is outdated imposes a dual standard for government and industry security and should be abolished The process unnecessarily complicates and slows the accomplishment of necessary business and inhibits the exchange ofinformation that should take place between properly cleared and accessed personnel A requirement for government certification of a contractor's need to know should be restricted to those contractor visits or meetings involving specially protected projects rather than a blanket requirement for all classified visits between contractors without a contractual relationship Recommendation 50 The Commission recommends that the requirement for government certification ofneedto-know for contractor visits at the generally protected level be abolished Communitywide Badge Systems Interagency access procedures established by various security organizations serve two basic functions to verify a person's identity and to validate clearance level Virtually all agencies controlling access to their facilities rely on badges permanent staff and visitor automated and or guard access controls and administrative procedures for certifying and transferring clearance information Over the years each agency has developed its own badging system visitor control process and escort requirement to restrict unauthorized access When outsiders seek access on official business however the system frequently breaks down Badges are unique to each agency and vary in sophistication that is from serving purely as visual recognition to offering considerable encoded information readable by automated equipment at the point of entry Thus the lack of standardization makes for cumbersome procedures and contributes to frequent visitor delay at entry points In many instances cleared personnel must complete the same forms sign the same waivers and adhere to the same escort requirements as uncleared visi' ors despite having had their clearances passed One security manager stated The visit processing procedure is a cottage industry in need of modernization Several intelligence agencies the CIA the NSA and the DIA have recently adopted limited badge reciprocity in an effort to streamline interagency visit procedures Critics of the reciprocity program contend that it is difficult to administer too many badges for guards to remember reader incompatibility and so forth and that variability in implementing reciprocity has exacerbated an already inefficient process For example a CIA employee on an official visit to the NSA under the new badge reciprocity procedure must still visit the NSA central badge office fill out and sign a form get an NSA visitor badge and wait to be announced to his or her host by the receptionist exactly the same steps as would have to be performed if the visitor had no badge at all 63 The Commission concludes that the current badge control procedures are costly and impede interagency business by authorized personnel The Commission is aware that the DCI Security Forum has tasked the NSA with development of a community badge and that similar efforts are under way within the DoD and the DoE These efforts should be coordinated and combined to provide a single-badge standard throughout the security community Recommendation 51 The Commission recommends the development of a uniform badge system for the government's cleared community The badge system should provide for visual and electronic recognition automated access control and encoded level of access Document Tracking and Control The DoD Industrial Security Manual ISM requires itemized accounting and verification of Secret documents held by industry in support of classified contracts The DoD does not apply this standard internally Neither the DoE nor the CIA have this requirement for their contractors and the Director of Central Intelligence just approved the NRO's request for elimination of this requirement for certain Secret SCI documents Moreover the Task Force on Classification Standards recommended that accounting or strict tracking requirements for Top Secret material in SCI facilities be eliminated Contractors contend that document tracking and inventory requirements do not enhance security and are very costly One major contractor estimates a single classified document requires 98 minutes handling time annually Results from an informal survey conducted by the Commission suggest that eliminating the requirement to precisely track every Secret document could reduce document control personnel staffs by some 40 percent Most contractors would continue to maintain a basic data library function but security requirements for extensive inventories and recording of internal transfers would be eliminated A number of senior government officials similarly have questioned the cost effectiveness of this type of document accountability Some have opined that it is an expensive control system but that they know of no case in which document accountability has led to the identification ofa spy We have heard that when accountable documents are missing time-consuming inquiries inevitably led to the conclusion that the material was inadvertently destroyed One senior official has stated that the elimination of document tracking would not degrade security but could result in substantial savings if manpower associated with the current process is eliminated Contractors also object to the need for extensive justification and protracted negotiations currently required for retention of classified documents when a contract is completed They must frequently reinvent the wheel because information generated for one contract cannot be used in performance of another Required to tum information in at the completion ofa contract a contractor must then approach the government and ask for the product that was originally generated by the contractor Contractors also note that the regulations are inconsistent providing for retention ofR D classified information but not routine contract materials The Commission believes that the integrity and trustworthiness of personnel is the key to the proper protection of documents Strict document accounting and retention practices are costly and do not deter compromise of information To those who would cause damage personal computers facsimile machines copier equipment and modems and networks available in the normal office environment offer opportunities to compromise documents without detection despite elaborate and costly physical document accountability and control procedures The procedures mandated by the DoD Industrial Security Manual to account and track documents do not provide real protection There is no value in accounting for the physical possession of I 00 documents 64 in the morning and I 00 at the end of the day if at midday they can be copied electronically without detection and transmitted to an unauthorized party There is no evidence that the lack of tracking of Secret documents in government offices has led to an increase in compromises The industrial standard should be no different Recommendation 52 The Commission recommends that a The requirement for internal tracking and inventory and periodic inspections of classified documents be eliminated b Contracts be amended to allow routine retention of classified documents provided that they are properly safeguarded Document Destruction There are also similar accounting and verification requirements for the destruction of classified documents DoD internal regulations generally require records of destruction and the imposition of the twoperson rule for Top Secret documents destroyed by government employees There is a two-person rule but no destruction record required for Secret documents and only one cleared person is required to destroy Confidential documents The DoD Industrial Security Manual requires destruction records and the two-person rule for destruction of both Top Secret and Secret documents only one person is required to destroy Confidential documents The DoE does not require records of destruction for either Secret or Confidential For SCI documents there generally is no requirement for destruction certification but there is a twoperson rule The same logic that compels us to recommend the elimination of document accountability drives the conclusion that document destruction accountability requirements are a cost without a significant benefit and the requirement should be eliminated Anyone who wants to remove classified information can do so while leaving the accountable record copy untouched and then properly accounting for its destruction Destruction records which must be duly dated signed and retained and the two-person rule represent avoidable costs that give no more than an illusion of security Recommendation 53 The Commission recommends that item-by-item document destruction accountability be eliminated Document Transmittal In the current environment encrypted data transmission should be the rule Expensive labor and time intensive document transmittal by mail service or courier should be the exception To the extent that it is necessary to utilize older methods of document transmittal we recommend a standard be adopted for generally protected information and one for specially protected information Currently DoD internal regulations allow Confidential documents to be transmitted in US postal channels either by first class mail or by certified mail Secret documents must be sent by registered mail Top Secret SCI and SAP documents must either be sent by courier or hand-carried by appropriately cleared and 65 authorized persons The Industrial Security Manual requires use of US postal service express or registered mail for Secret and certified mail for Confidential documents The Commission believes there are no significant risks in routinely using registered or certified mail for transmitting generally protected information In some cases first class mail or commercial services are adequate The Commission also believes that the expense of using couriers or hand carrying all specially protected information is unwarranted in most cases Registered mail is used to safely transport expensive jewels and high-value negotiable instruments At the specially protected level managers should also have the option of using certified or registered mail instead of being forced to use expensive couriers While the Commission believes transmission options should be expanded the decision on which mode is best suited for individual programs should be made at the local level Recommendation 54 The Commission recommends that the document transmittal rules be revised for both generally protected and specially protected information Generally protected documents should be sent by US first class certified or registered mail or by a commercial delivery service Specially protected documents should be sent by either US registered mail or by courier Operations Security Some elements of the intelligence and defense community have been using the risk management process for many years under the rubric of Operations Security OPS EC Growing out of lessons learned in the Vietnam war OPSEC seeks to control information and observable actions about one's capabilities limitations and intentions so as to prevent or control their exploitation by an adversary S Footnote 18 Emphasis is placed on the analysis of unclassified information and public sources Seeking to institutionalize this process in 1988 National Security Decision Directive NSDD 298 mandated the implementation of a formal OPS EC program by each executive department and agency with national security responsibilities It designated the Director ofNSA as executive agent for OPSEC programs and tasked him to establish and maintain an Interagency OPSEC Support Staff IOSS l 9 to provide consultancy and training for executive departments and agencies required to have formal OPSEC programs The Commission believes that there is a clear and compelling need for operational security in a military environment and in the conduct of sensitive operations However in the years since the establishment of the National Operations Security Program a formal OPSEC structure has developed apace with OPSEC responsibilities being assigned at each organizational level ofDoD service departments and agencies at the DoE and at other government departments and agencies There is now a robust OPSEC community coexisting with but for the most part separate from the standard security structure The OPSEC Professionals Society boasts ofa membership of some 475 professionals with membership being equally divided between government and the private sector OPSEC is perceived by many particularly in industry as just a new way to repackage security requirements using elaborate procedures It is seen as a separate discipline not integrated with other security disciplines and competing with them for scarce resources National OPSEC requirements are framed in such general terms as to provide insufficient guidance for program managers and resource allocation Moreover despite the NSA's training of over 2 200 individuals in the OPSEC process over the past 3 years industry sources advise that government security managers contracting officers and program managers are not trained in and do not understand OPSEC methodology rarely request OPSEC surveys do not provide 66 specific threat data or inspect for OPSEC compliance Footnote 20 To meet the demands of government contracts industry which also has a shortage of experienced OPSEC people must recruit and train people to provide consultant support to ongoing classified industrial programs at unwarranted expense No one interviewed by the Commission questioned the appropriateness of selecting cost effective security countermeasures based on the assessment of risk What is questioned is the wholesale imposition of the separate OPSEC structure to all sensitive governmental activities including classified contracts with industry OPSEC should not be a separate program but part of the risk management philosophy that is integrated throughout the existing security structure Recommendation SS The Commission recommends that a Executive departments and agencies integrate OPSEC principles into the normal security staff structure and that risk management processes be incorporated into security and security awareness training programs at all levels b Mandatory requirements for formal OPSEC programs be deleted from all contracts except those in response to specific threats and then only when specifically authorized by the most senior department or agency head c NSDD 298 be reviewed revised or rescinded in accordance with these new requirements for OPSEC 67 Chapter6 Protecting Advanced Technology With the end of the Cold War and facing new challenges to US economic competitiveness policymakers are focusing on the threat from foreign government and nongovernment entities to US advanced technologies defense-related industries proprietary data intellectual property rights and trade secrets The increased value of US technical information necessitates balancing national policy objectives and the importance of sharing infonnation with the need to protect our leading edge technologies Highest priority is given to limiting the proliferation of weapons of mass destruction and advanced conventional weapons Counterproliferation and nonproliferation policies range from diplomacy and export control regimes to the development of new weapon systems and tactics to counter advanced foreign systems on the battlefield Negotiating and implementing a new international export-control framework is a complex task and bringing consistency and coherence to US export-control policy requires the resolution of sharply conflicting interests Both require an overall strategic direction that is beyond the Commission's mandate The Commission has focused on a smaller segment of the counterproliferation policy spectrum specifically the policies and procedures regarding foreign ownership or control of industrial firms performing classified contracts military exchanges with foreign governments and national disclosure of classified information to permit export and coproduction of classified weapon systems The risk in each of these situations is that foreign entities will exploit the relationship in ways that do not serve our overall national goals of preserving our technological advantages and curtailing proliferation These goals generally include keeping certain nations from obtaining the technical capabilities to develop and produce advanced weapon systems and from acquiring the ability to counter advanced US weapon systems In cases where US national interests require the sharing of some of our capabilities with foreign governments security safeguards must ensure that foreign disclosures do not go beyond their authorized scope Safeguards must also be tailored to new proliferation threats and applied effectively to the authorization of foreign investment in classified defense industry and the granting of access by foreign representatives to our classified facilities and information The Commission notes an additional area that is beyond the scope of this report but merits further attention This issue is the need to update counterproliferation guidelines for prepublication review of reports of scientific and technical research funded by the government Such matters involve the delicate balance between our paramount national commitment to an open scientific community and the imperative to control the spread of weapons of mass destruction by limiting access to unclassified but high-risk data Improved protection of classified technology as proposed by the Commission is only one part of the comprehensive counterproliferation program that our nation requires Foreign Ownership Control and Influence A basic tenet of our industrial security policy is that business firms engaged in classified government work should be controlled by persons who can be trusted to safeguard classified information DoD policy for example requires that any company bidding on classified contracts must hold a facility security clearance issued by the government The DoD also requires that the firm should not be subject to undue control or influence by foreign investors When a foreign investor buys or otherwise acquires influence over a US company the retention or initial issuance of a facility clearance is dependent upon a favorable Foreign Ownership Control and Influence FOCI determination During the Cold War regulatory policies governing FOCI determinations ranged from total risk avoidance to risk acceptance For example FOCI policy prohibited Soviet and other Communist countries from having a financial interest in or otherwise 68 influencing US companies However with respect to non-Communist countries especially our allies special procedures were developed to mitigate FOCI in order to permit foreign investment without compromising classified information Until 1992 there was a growing effort to accommodate the desires of foreign investors so as to encourage the infusion of capital and the development of joint projects to exploit technologies and markets to the benefit of both US companies and their foreign investors A controversy arose in 1992 when a foreign firm that was majority owned and controlled by a foreign government sought to acquire a leading US defense company performing work in support of highly classified programs Questions were raised about the sufficiency of traditional FOCI security arrangements generally legal instruments to insulate US managers and workers from foreign owners or limit the scope of classified contracting 2 l to protect classified leading edge technology from foreign exploitation The case triggered a DoD and Congressional review of FOCI policy and reflected a growing concern over foreign economic espionage aimed at advanced US technology As a result the DoD drafted a proposed new FOCI policy but the proposal proved controversial and was shelved waiting in part for the recommendations of this Commission Congress also enacted legislation in 1992 barring foreign government-controlled companies from acquiring US companies engaged in classified contracts unless the transaction is approved in accordance with the Exxon-Florio Amendment Footnote 22 The Commission supports foreign investment in the US defense industry base but believes that FOCI policy should ensure that foreign firms cannot undermine US security and export controls to gain unauthorized access to critical technology Essential to a sound policy is current intelligence counterintelligence and law enforcement information on attempts by foreign governments and commercial interests to obtain such access This requires a closer relationship between the industrial security programs and the Intelligence Community The Commission found that policymakers do not always have the information necessaiy to make sound and timely FOCI decisions Comprehensive counterintelligence or intelligence information as to ultimate ownership much less control or influence is not centrally collected analyzed and made available to FOCI decision makers The absence of a centralized FOCI decision data base also limits the flow of information and slows FOCI determinations Legal review of contract documents enunciating security provisions to isolate FOCI is performed by the CIA the DoE and the DoD However within the DoD FOCI contract documents are not consistently submitted for review by experts in the Do D's Office of General Counsel The Commission also found that there is no coherent national policy on FOCI When foreign investment is sought in US industries that work with the Defense and Intelligence Communities FOCI decisions arc independently made by the DoD the DoE and the CIA Each has its own procedures for developing and evaluating available threat information devising an acceptable security arrangement and monitoring compliance For example DoD FOCI determinations are made on a company by company basis whereas the CIA's determination is on a procurement by procurement basis Moreover an agreement such as the DoD's Special Security Agreement SSA is not acceptable to the CIA and the DoE because the SSA allows the foreign investor to exercise considerable management control over the US company The CIA believes this approach does not totally negate FOCI-related security problems Thus a major US firm with multiple contracts sponsored by the DoD the DoE and the CIA may be subject to more than one FOCI arrangement The lack of a common FOCI policy contributes to a lack of reciprocity among government agencies and may also place certain companies at a competitive disadvantage For example the CIA judged one company a significant FOCI risk but this did not stop the NSA from letting an unclassified but sensitive contract with that same firm Although a common FOCI policy is being considered by the DoD the DoE the CIA and industry there is no coordinating mechanism to ensure that the policy will be implemented uniformly applied and enforced 69 The Commission recognizes that foreign investment can play an important role in maintaining the vitality of the defense industrial base The existing FOCI policies and the political climate since the 1992 controversy have discouraged foreign investment However as a matter of policy DoD has a number of programs to encourage cooperative international R D and procurement with our allies to spread the burden of increasing costs and decreasing defense budgets The Commission encourages these efforts and believes that FOCI policy should not undermine them The Commission also believes that buy American provisions which preclude foreign firms from competing for US government contracts must be used only when US national security interests would truly be threatened by foreign participation Buy American restrictions should never be used for protectionist purposes Finally the Commission notes that international defense trade is increasing and that measures taken by the United States can invite retaliatory action by other nations that would harm US economic and security interests The Commission believes that the security executive committee should as a key priority develop a policy and a mechanism to balance these competing interests The policy should be based on a risk management approach that permits departments and agencies to tailor the measures that are needed in an individual transaction Rigid structures that inhibit foreign investment should be avoided Recommendation 56 The Commission recommends that a coordinated FOCI policy be developed by the security executive committee Foreign Exchange Agreements-The Status Quo Our foreign economic competitors focus a considerable amount of their collection efforts on United States leading edge technology and defense-related industry Information is obtained both overtly and covertly Foreign liaison and cooperative exchange programs such as the Defense Development Exchange Program DDEP and the Personnel Exchange Program PEP 23 allow the United States to exchange information concerning military technical or scientific data weapons weapon systems or operational concepts with its allies However the Commission has come to believe that the United States is losing more than it is gaining through participation in many foreign exchange agreements These programs designed to better marshal the technological capabilities of the United States and its allies as well as to reduce costs have also served as vehicles for covert exploitation of our most sensitive technologies Foreign governments frequently stretch the boundaries of intergovernmental program relationships with aggressive persistent and coordinated efforts to gain access to nonreleasable technological data that they can use to further economic competition with the United States This can be accomplished through international data exchange programs which have grown tremendously over the past 30 years as more and more industrial countries seek advanced US technologies There are approximately 750 DoD-wide agreements with over 310 data exchange agreements in one military service alone Foreign liaison officers working within key DoD organizations can gain knowledge and invaluable insight into US leading-edge technology programs under development Within one military service approximately 118 foreign military personnel from 19 countries work under the Personnel Exchange Program 43 foreign scientists or engineers from 6 countries work within its research and development facilities and 172 foreign liaison officers officially representing 22 countries are integrated within various other service elements Often foreign governments use this insider knowledge to target and pursue technical information early in a major acquisition systems life cycle and then work against civilian targets such as DoD contractors and university scientists engaged in defense work Foreign liaison officers can also exploit their official status to gain back door access to special access program technologies 70 On several occasions when a foreign liaison officer's request or sensitive technical information was denied by one military command the same request would surface through another foreign liaison officer at another command In one instance the second request occurred within one day of the first denial Critics of the Defense Development Exchange Program maintain that the program has become a oneway street for foreign governments to funnel United States advanced technology overseas while providing comparatively little of value to the United States in return A US Army Intelligence study Footnote 24 found that valuable classified and unclassified underlying technologies in many advanced weapon systems not authorized for release are being lost to foreign governments through the Defense Development Exchange Program These losses may eventually compromise our weapon systems and erode our technological superiority on the battlefield or at the very least provide advanced technology to US economic competitors Recommendation 57 The Commission recommends that the Secretary of Defense review existing data exchange programs using updated threat information to determine whether the programs should be continued canceled or renegotiated to ensure they are in concert with current US national security and economic goals Threat Analysis-Vital to Protecting Advanced Technology The Commission recognizes the gravity ofhaving leading-edge technology and weapons in the hands of foreign adversaries However the foreign exchange approval authorities of the military services generally make their determinations within the acquisition or international programs community and without participation by security intelligence and counterintelligence elements Moreover these authorities often do not ascertain the impact of proposed technology releases on the security of related future weapons or weapon support systems Intelligence and counterintelligence support elements can assist in devising the most effective course of action to deny foreign collection efforts Threat information is available through the DCI's Nonproliferation Center the DIA's National Military Intelligence Production Center and the CIA's Directorate oflntelligence The Commission's proposed interagency counterintelligence one-stop shopping effort will also provide a focal point for obtaining threat information needed for national level security policies For most organizations below headquarters level however the need is for information on the local threat to technologies under development or to critical facilities rather than information pertaining to the broad national threat Field organizations maintain that to be of value threat assessments must specify the foreign entity involved identify what programs or systems it is targeting and identify the specific areas of the country in which adversaries are operating As a first step in meeting the local need the DoD should modernize its counterintelligence collection and reporting system to speed the flow and improve the quality of both raw and finished counterintelligence products into a pull-down data base network Counterintelligence elements should then work in daily partnership with field elements to explain the issues associated with protecting particular systems provide practical local solutions and serve as a valuable feedback mechanism in the total security process The Commission believes the military services' counterintelligence elements must work closely with the FBI with these concerns in mind so as to ensure a seamless integrated capability and a consolidated FBI DoD and defense industry network against economic espionage 71 Recommendation 58 The Commission recommends that the Secretary of Defense direct that comprehensive coordinated threat analysis intelligence and counterintelligence support be provided to facilitate risk management for DoD critical technologies systems infonnation and facilities The National Disclosure Policy The National Disclosure Policy NDP 25 established under a Presidential directive provides the framework for approval or denial of disclosure of classified military infonnation to foreign governments and international organizations It also governs the export of classified military articles and unclassified military articles with embedded classified components The Secretaries of the military departments have been delegated authority to render decisions with respect to disclosure of their infonnation to the governments of most countries with which the United States has mutual defense arrangements In the case of other countries an exception to policy is usually required Exceptions to policy may be approved when it is determined that the proposed export or disclosure will result in benefits to the US Government that outweigh the damage that might accrue to US foreign policy national defense or military operational interests if the system or its underlying technology should be compromised The Commission notes that the National Disclosure Policy Committee NDPC chaired by the DoD coordinates foreign release policy and government-to-government agreements Exceptions to the National Disclosure Policy receive senior-level review within the DoD as coordinated by the NDPC However most routine release decisions are made by field elements under authority delegated by the Secretaries of the military departments This decentralized execution leads to different interpretations as to what is releasable within the broad outlines of the NDP and consequently different actual release decisions Moreover the Commission found that specific senior-level review decisions have not always been communicated to the midlevel acquisition or international program officials within the military services who over the years have made the day-to-day disclosure decisions under specific data exchange agreements A lack of understanding of the foreign disclosure process by less-senior individuals combined with the absence of current threat assessments and an automated DoD data exchange process prevents effective and consistent execution by elements involved throughout the DoD and the military services Recommendation 59 The Commission recommends that the Secretary of Defense a Centralize responsibility for coordinating and overseeing all foreign exchange programs and issues at a senior level b Improve and modernize the National Disclosure Policy process to ensure that seniorlevel disclosure decisions are readily available through a centralized dynamic interactive computer-driven mechanism Recording Foreign Disclosure Decisions The Commission commends the DoD for creating the Foreign Disclosure and Technical Infonnation System FORDTIS data base to house decisions of foreign release determinations and exceptions to foreign disclosure policy technology transfers and official foreign visits The Commission supports the DoD's ongoing expansion ofFORDTIS to military warfighting elements such as US combatant commanders to aid in detennining specific classified and unclassified technologies or weapon systems that are releasable to foreign coalition partners However the Commission believes that the critical foreign exchange information contained in the FORDTIS data base should be updated and made available to more DoD consumers to aid 72 them in analyzing programming and planning activities Counterintelligence elements in particular should use the FORDTIS data base in determining the current status of releases of US technologies and systems Recommendation 60 The Commission recommends that the Secretary of Defense a Expand access to the Foreign Disclosure and Technical Information System FORDTIS data base to command and other DoD consumers to support defense planning programming resourcing analysis and information-sharing activities b Ensure counterintelligence elements cross-check critical systems or technologies against the Foreign Disclosure and Technical Information System FORDTIS data base to determine 1 the extent to which baseline technologies on each system have been released to foreign nations and 2 the vulnerabilities posed to current or future weapons or weapons support systems if exchanges continue under the applicable Defense Development Exchange Program agreements 73 CHAPTER 7 A JOINT INVESTIGATIVE SERVICE The Commission has examined the organizational arrangements in the Department of Defense and the Intelligence Community for the performance of personnel security background investigations and industrial security functions The Commission believes that the effectiveness of these activities can be substantially improved by the establishment of a new joint investigative service For the DoD virtually all personnel security background investigations for civilian military and contractor personnel are conducted by the Defense Investigative Service DIS In the Intelligence Community personnel security background investigations are conducted by the DIS for the DoD component including the NSA and the DIA The CIA and the NRO have their own internal organizations that conduct or contract out background investigations for their employees and contractor personnel The NSA also has an internal investigative organization that performs a limited number of background investigations The DIS also performs for the DoD all initial industrial facility certifications which establish that a contractor facility is eligible to receive classified information The DIS then performs a full range of industrial security functions such as periodic inspections and assistance visits for all cleared facilities except for all Navy special access programs and for certain Air Force special access programs This contrasts with the Intelligence Community's decentralized approach that emphasizes integration of security with program management teams Personnel Security Investigations The Commission believes that one of the more effective means ofreducing overall personnel security costs while enhancing the security posture of our nation would be to reorganize current investigative resources and thoroughly modernize the process of gathering investigating reporting and storing background investigative information A previous section of this report outlined the substantial savings to be realized through improving the timeliness of the investigative product However we also heard from the end users that the investigative products they receive are uneven in quality and completeness Because of this organizations often upscope investigations completed by other investigative organizations or otherwise invest in additional types of vetting mediums to establish greater confidence in their personnel For example a major SAP contracts out investigations rather than take advantage of free investigations provided by the DIS because of concerns about quality and timeliness The Commission believes that establishing measurable objectives to improve the timeliness and quality of investigations offers a solution to at least part of the problem However the current deficiencies and impending budget reductions casts doubt on improving the situation under the present organizational structure For example the DIS faces a 25 percent budget reduction over the next 4 years Therefore the Commission believes decisive and innovative action must be taken to resolve these problems The Commission proposes forming a new joint personnel security investigative organization for the DoD and the Intelligence Community A new organization is needed to establish progressive leadership realize savings in manpower and personnel maximize economies of scale achieve commonalty of product provide a single focus for implementing technological improvements and efficiencies and enhance professionalism and career opportunities 74 The new joint investigative service would be charged with conducting all personnel security background investigations for military members civilian employees and contractors of the DoD the C A the NRO the NSA and all other entities reporting to the Secretary of Defense and the Director of Central Intelligence The only exceptions to the investigative jurisdiction of the joint investigative service should be I investigations of cabinet officials and political appointees currently performed by the FBI 2 investigations of new civilian employees hired into the DoD and the Intelligence Community who occupy nonsensitive positions and therefore fall under the jurisdiction of the OPM and 3 personnel specifically exempted by the Director of Central Intelligence The Commission proposes that the joint investigative service be established by incorporating the personnel security investigative elements and resources of the DIS the NSA the NRO and the CIA The Commission further recommends that the joint investigative service be staffed with both full-time investigators and rotational personnel from the security offices of the various agencies that it serves This would facilitate communication between the investigative agency and its customers and would provide government security officers with an opportunity to gain valuable investigative experience The joint investigative service should also establish specific units to handle individuals with cover considerations reporting these investigations through secure channels Moreover the joint investigative service would contract out domestic investigations when appropriate such as priority investigations and pursue overseas leads using in-place military and government resources on a reimbursable basis However individual agencies would continue to conduct their own special investigations such as counterintelligence and criminal investigations and perform their own adjudications The Commission believes that the joint investigative service should be industrially funded The most efficient and customer responsive agencies are those that operate on a fee-for-service basis For example the Commission learned that until the OPM became industrially funded it had a relatively poor reputation for delivering a timely quality investigative product Since instituting a revolving fund mechanism the OPM has cut investigation times dramatically initiated many innovative automation linkages with customer agencies and according to customers improved the quality of its investigations Recommendation 61 The Commission recommends that a joint investigative service be established that performs all personnel security background investigations on a fee-for-service basis for the DoD the NSA the NRO the CIA and other organizations that report to the Secretary of Defense or the Director of Central Intelligence Industrial Security With respect to industrial security the Commission found two distinct approaches to the protection of classified information by contractors centralized and decentralized The CIA the NRO the NSA and some of the DoD special access programs integrate security into program management This decentralized approach integrates small security elements into program management teams with core security functions provided by a centralized service Security is part of the program management team and provides direct support to organizational goals The disadvantage of this approach is that it has in some cases worked against standardization and reciprocity Particular SAP program offices have adopted their own security procedures The centralized approach embodied in the DIS seeks to leverage limited resources through standardized practices and procedures generally independent of specific contracts or programs Disadvantages of a centralized approach include inflexibility distance from the customer lack of direct accountability and a system based on achieving security goals independent of organizational goals On balance the Commission has found the programmatic approach to industrial security to be superior to the traditional centralized approach of frequent inspections to measure compliance with a detailed manual of security rules The program-oriented approach brings security closer to the customer and provides 75 greater flexibility to handle program issues This structure also makes security directly accountable for the quality and timeliness of its service Contractors appear to prefer the flexibility of a programmatic approach but insist that common standards are needed for reciprocity The Commission believes that a core industrial security function located within the joint investigative service would benefit the Defense and Intelligence Communities The new organization should be responsible for initial facility clearances for the previously recommended facility registration data base and for all detenninations concerning foreign ownership control and influence FOCI as discussed earlier in chapter 6 The new organization should provide an industrial security service to those Defense and Intelligence Community program offices for which a joint industrial security program is most effective It would also provide this service to non-Defense and Intelligence Community agencies as the DIS has done in the past It will centralize as a core service the staff to provide accreditation of facilities technical and computer security expertise guidance to handle treaty inspections central records and representation to industry and government forums The new organization should promote standardization and responsiveness to customers and coordinate the industrial security inspections previously discussed in chapter 5 It should draw upon the experience of the industrial security program of the NRO which has made great progress in recent years in combining a programmatic orientation with greater standardization The Commission emphasizes that the new organization must break with the past practices which have tended to focus on frequent inspections for compliance with a detailed regulatory manual Industrial security should be a service to the contract program office with security perfonnance measured in tenns of mission accomplishment rather than adherence to detailed security rules The joint investigative service should view its industrial security functions as a service to be used where a joint organization is more efficient and economical The Commission does not intend to force into joint organizations those program offices in the CIA the NRO the NSA and certain SAPs that function better by maintaining their own industrial security capabilities The Secretary of Defense and the Director of Central Intelligence will retain the discretion to authorize separate industrial security offices for specific programs The Commission recognizes that this decentralization of execution of industrial security runs a risk that general standards will not be applied unifonnly Indeed a major disadvantage of the separate SAP industrial security programs in the past has been their adoption of unique security procedures that added multiple burdens to industry which translated into increased unjustifiable costs to the government One purpose of establishing a single classification level with two degrees of protection is to standardize the security requirements for the controlled access programs The security executive committee should ensure that the standards are applied properly and the joint investigative service should provide a channel through which industry may bring concerns to the attention of the security executive committee Recommendation 62 The Commission recommends that a joint investigative service perfonn industrial security services of common concern for the Defense and Intelligence Communities as detennined by the security executive committee and in accordance with a programmatic customerservice approach Establishment of a Joint Investigative Service For the reasons set forth above the Commission has concluded that the Secretary of Defense and the Director of Central Intelligence should establish a joint investigative service to conduct all personnel security background investigations and updates for components of the Department of Defense and Intelligence Community as well as their contractors and to perfonn those industrial security functions that can better be done jointly The advantages include economies of scale greater commonality more unifonn implementation of standards and increased professionalism and career opportunities 76 The new organization should draw its personnel and resources from existing security organizations in the Defense Department and Intelligence Community It should take its policy guidance from the security executive committee While the Commission does not wish to prescribe the organizational details for a joint investigative service one model is the Central Imagery Office CIO lbe Director of the CIO is appointed by the Secretary of Defense on the recommendation of the Director of Central Intelligence Consideration should also be given to other joint DoD-DCI models that have been adopted for different functions The joint investigative service could report to the Secretary of Defense and the Director of Central Intelligence directly or through a senior official designated by them Above all the Commission urges that the establishment and direction of the joint investigative service receive sustained high-level attention which has not been the case with the Defense Investigative Service over the years Recommendation 63 The Commission recommends that the joint investigative service be established by the Secretary of Defense and the Director of Central Intelligence that its resources be drawn from existing security organizations and that it report jointly to the Secretary of Defense and the Director of Central Intelligence 77 CHAPTERS INFORMATION SYSTEMS SECURITY Information systems security is the discipline that protects the confidentiality integrity and availability of classified and unclassified information created processed stored and communicated on computers and networks The Commission believes it is imperative that the Defense and Intelligence Communities focus more attention on information systems security It together with personnel security is one of two security disciplines that the Commission believes needs more attention and recommends additional requirements that will increase costs The United States is increasingly dependent on information systems and networks Information systems control the basic functions of the nation's infrastructure including the air traffic control system power distribution and utilities phone system stock exchanges the Federal Reserve monetary transfer system credit and medical records and a host of other services and activities The world of the future within which our security policies and procedures must succeed will undoubtedly be characterized by even more widespread use of computers systems and networks It is already apparent that increased connectivity leads to significant improvements in productivity improvements that are necessary if our society is to prosper and we are to continue to lead the world's family of nations in economic political and military strength Initiatives like the National Information Infrastructure NII intended to be an information superhighway for our nation's commerce and government are based on this emerging reality The Defense and Intelligence Communities share this imperative to connect both within and between the communities and to the NII The Department of Defense already depends upon computers and communications networks in performing every aspect of its complex missions from command and control to acquisition of weapons systems to managing and paying for the worldwide activities of the department This dependence will certainly increase The DoD envisions a worldwide seamless web of computers and networks the Defense Information Infrastructure DII operating as a utility in support of the Department's warfighting intelligence and business functions The CIA and other intelligence agencies are increasingly tying together internal systems and are beginning to reach for connections beyond their walls The increased productivity that flows from such connectivity is essential to success in this era of declining resources Intelligence is after all information and must flow in a form and at rates useful to those who need it The Commission believes that those who steadfastly resist connectivity will be perceived as unresponsive and will ultimately be considered as offering little value to their customers There is no doubt that increased connectivity creates greater vulnerability Electronic access to vast amounts of data and critical infrastructure control is now possible from almost anywhere in the world Networks are so complex and so widespread that the identity of everyone with access to the networks to which our systems are connected can no longer be known with any assurance Moreover although our classified data is obviously of great interest to our enemies our communities depend on extensive data bases of unclassified information that if destroyed or damaged would cost billions to rebuild and could affect our ability to deploy and operate a flexible capable force Protecting information transactions within the subinfrastructure or network enclaves controlled by the DoD and the Intelligence Community requires an approach to security in which information systems security is seen as part of a balanced mix that also includes personnel security physical security and other security procedures Protecting information transfers between our enclaves and the rest of the infrastructure where we cannot count on other types of security requires a more stringent form of information systems security In addressing these issues the Commission examined current threat information as well as policies and procedures now in place to protect against such threats The 78 Commission found our policies outdated our strategies for obtaining necessary information systems security technology ineffective and our general readiness in terms of awareness and training inadequate The Threat to Information and Information Systems Thirty years ago computer systems presented relatively simple security challenges They were expensive isolated in environmentally controlled facilities and their use was an arcane art understood by few Consequently protecting them was relatively easy a matter of controlling access to the computer room and clearing the small number of specialists who needed such access As these systems evolved their connectivity was extended first by remote terminals and eventually by local and wide-area networks As size and price came down microprocessors began to appear in the workplace in homes and eventually on the battlefield and embedded in weapon systems What was once a collection of separate systems is now best understood as a single multifaceted information infrastructure operated as a utility To cope with this new reality our paradigm for managing information security must also shift from developing security for each individual application system and network to developing security for subscribers within the worldwide utility and from protecting the isolated systems we own to protecting systems that are connected and depend upon an infrastructure we neither own nor control Despite the enormous impact that could result from the compromise or destruction of our information systems the Commission believes that there is little public understanding of the threat or of the consequences of attacks on our systems One high-level official suggested that until there is a major information systems catastrophe appreciation of the need for information systems security will remain weak Attacks against information systems are becoming more aggressive not only seeking access to confidential information but also stealing and degrading service and destroying data The well-publicized Michaelangelo virus destroyed the information and applications software on the hard disks ofthe unwary Jn another example a small program appeared on computers connected to the Internet This program made copies of itself and sent the copies along to other computers on the network The copies made copies in turn and sent them along and the copies' copies made copies and so on Jn short order the network was so busy creating and sending copies of the program that it couldn't do anything else Some ofthe computers were down for most of the following week and the business enterprises academicians and government and private users were unable to use their computers for processing or to communicate among themselves Networks are already recognized as a battlefield of the future Information weapons will attack and defend at electronic speeds using strategies and tactics yet to be perfected This technology is capable of deciding the outcomes of geopolitical crises without the firing of a single weapon Our security policies and processes must protect our ability to conduct such infowars while denying our enemies that same advantage If instead of attacking our military systems and data bases an enemy attacked our unprotected civilian infrastructure the economic and other results could be disastrous Over 95 percent of Defense and Intelligence Community voice and data traffic uses the public phone system The economic consequences alone of a successful attack on the phone system or the National Information Infrastructure would be significant The nine-hour failure ofthe AT T public switch network in 1990 although the result ofa reliability failure and not a planned attack demonstrated how vulnerable we are Of the I 38 million long-distance and 800-number calls attempted some 70 million were rejected by the faulty system Many of those calls were business calls and the 79 failure to connect cost those businesses directly due to orders not being placed and operations being delayed or halted altogether There were indirect costs as well due to decreased efficiency and productivity Airlines hotels and car rental companies lost reservations Phoned catalog orders were not placed Service companies could not support their customers The threat to our information and information systems is increasingly sophisticated and comes from both insiders and outsiders While improving the personnel security methods used to ascertain the trustworthiness of our people will reduce the insider threat personnel security measures alone cannot be relied on to protect our information and information systems Foreign intelligence services including those of some of our allies are known to target US information systems and technologies using techniques that can give them access to our information without ever coming into our work spaces or approaching our people Some trends and specific incidents help indicate the scope of the information systems security challenge o Computer viruses are growing more common and more dangerous and may be virtually undetectable by conventional antiviral software Trojan horses logic bombs and other malicious software are appearing on our systems and require improved countermeasures and careful security procedures to defeat o Over 4 000 hacker attacks ranging from attempted password cracking to trying to obtain control of the system were detected on one government system during a single three month period Some hackers advertise their services for seeking any information including classified or sensitive information o Eighty-five percent of computer crime is committed by insiders with validated access to the systems and networks they abuse Before being fired from a private firm a disgruntled employee left a logic bomb in the company's personnel system that destroyed all personnel records Careless insiders ignoring security procedures have inadvertently inserted viruses into DoD and Intelligence Community information systems o Increasingly cheaper and more powerful commercially available electronics put signals intelligence intercept and processing capabilities within the reach of the smallest countries and even drug traffickers Targeting by signals intelligence of facsimile and data communications on land-based and satellite systems gives eavesdroppers access to international communications of US businesses personal telephone calls of US troops stationed overseas computer passwords and other data Dated Policies The Commission found a number of problems hindering the effectiveness of information systems security Problems include ineffectual and conflicting policies failed strategies for obtaining the necessary computer security technology poor mechanisms for obtaining timely threat information inherent systems vulnerabilities lack of effective audit data reduction techniques and accreditation processes that are far too slow The Commission also believes that there is a need to improve the quality and number of information systems security professionals and to increase training and awareness programs for management and nonsecurity personnel The policies and standards upon which the Defense and Intelligence Communities base information systems security services were developed when computers were physically and electronically isolated As a result policies and standards o Are not suitable for the networked world of today having been based on stand-alone architectures where the security requirements imposed on one system had little or no impact on the security for another system 80 o Were developed based on a philosophy of complete risk avoidance and so do not deal effectively with information systems security as part of a balanced mix of security countermeasures in protecting the confidentiality integrity or availability of our information assets o Do not provide the flexibility needed to address the wide variations among systems in use today and planned for tomorrow o Do not differentiate between the security countenneasures needed within and among protected network enclaves and those needed when information must travel to and from less protected or unprotected parts of the infrastructure o Are only beginning to combine computer science and public key cryptography effectively to protect information o Are not capable of responding in a timely manner to dynamically evolving information technology The Commission also found a profusion of policy formulation authorities all of whom are addressing essentially the same issues The Community Counterintelligence and Security Countermeasures Office CCISCMO is responsible to the Director of Central Intelligence for information systems security policy and standards for the Intelligence Community The DoD intelligence organizations must follow CCISCMO security policies and all of the DoD must follow the security regulations promulgated by its chains of command up through the Office of the Secretary of Defense OSD The National Security Telecommunications and Information Systems Security Committee NSTISSC creates policies that overlap those of both the OSD and the CCISCMO with regard to national security information and extends its policy authority to other government departments and agencies not covered by DoD or DCI policies The Office of Management and Budget casts its policies over all information systems security activities that expend tax dollars The National Institute of Standards and Technology NIST is responsible for creating standards for the protection of unclassified but sensitive information A result of these numerous policy authorities has been policies that although similar differ sufficiently to create inefficiencies and to cause implementation problems when organizations must coordinate their security protocols and procedures in order to interconnect Failed Strategies In addition to dated polices and inadequate standards the strategy for developing computer security software hardware and other security technologies has not served us well This strategy has been to encourage the private sector to design develop and manufacture products at their own expense In return the government promised that it would require these products be used in the systems and networks it acquired However the government did not follow through and buy these products when they became available One reason is that the products suffered long delays waiting government approval and were consequently obsolete before being approved for use In addition these products are often too expensive and lack functionality comparable to state-of-the-art nonsecure commercially available products As a result too few computer security products are available today and even fewer are in use These problems with obtaining commercial computer security products have been exacerbated by the government's failure to control and coordinate its own R D programs With each agency free to pursue its own R D initiatives some attractive lines of research have been neglected while there have been duplications of effort and products produced that are not readily interoperable with other computer security products Moreover research has been focused almost exclusively on providing protection to classified information and systems to the detriment of protecting unclassified information and our infrastructure assets 81 The New Information Systems Security Reality To meet the security needs of connected information systems using an infrastructure not completely under our control the Commission believes that there is a need for new information systems security policies and standards new strategies for obtaining products a more focused R D program and a better understanding of information security threats and vulnerabilities Security requirements for evolving Defense and Intelligence Community information systems include o Providing the ability to securely pass classified information over public or open communication links or networks to authorized users o Resisting computer viruses and other malicious software detecting and controlling penetration of networks systems applications and data bases by hackers and surviving full scale infowar attacks o Ensuring the authenticity of electronic messages and preventing repudiation of their receipt o Keeping confidentiality and integrity of medical files payroll records and other sensitive but unclassified information o Protecting the privacy of personnel files and investigative dossiers as required by law o Providing confidentiality of the identities of personnel in sensitive assignments o Ensuring integrity in electronic payments to vendors and contractors o Ensuring the components of the information infrastructure are designed for the rapid detection of malicious activities and for the ready restoration of required services o Effectively managing and controlling access to information at any protection level on a global basis Information Systems Security Policy for Tomorrow The Commission believes that information systems security policy must better address current and future electronic environments The network architecture of the future will comprise a seamless global web of unsecured electronic highways linked together to provide a common infrastructure operated as a utility Subscribers will be a heterogeneous group of individuals and organizations tied into the network to communicate with each other and to obtain various services offered by some portion of the network The Department of Defense and the Intelligence Community also will be subscribers and their networks will be subnets or enclaves within the larger infrastructure Subscribers will use common standards in supplying and obtaining services although security standards may vary from enclave to enclave But security standards must permit subscribers to benefit from authorized connectivity and services provided by the infrastructure and other authorized subscribers The new policies must be network oriented recognizing the need for coordination and cooperation between separate organizations and enclaves connected via the infrastructure Policies must be sufficiently flexible to cover a wide range of systems and equipment They must take into account threat both from the insider and the outsider and espouse a risk management philosophy in making security decisions And given the knowledge that unclassified information can be just as important and is even more vulnerable than 82 classified information the new policies strategies and standards must also ensure its protection Information that has no requirement for confidentiality may still require protection to ensure that it is not illicitly modified or destroyed and is available when needed To alleviate the overlap redundancy and conflicts inherent in the existing policy formulation process responsibility for generating the new policy must be given to a centralized security executive policy committee that represents both the Department of Defense and the Intelligence Community Furthermore in developing the new policy representatives from outside these communities may need to be included to assure that a governmentwide perspective will be used Recommendation 64 The Commission recommends that policy formulation for information systems security be consolidated under a joint DoD DCI security executive committee and that the committee oversee development of a coherent network-oriented information systems security policy for the Department of Defense and the Intelligence Community that also could serve the entire government The Investment Strategy for Information Systems Security A coherent set of policies is of no use if effective information systems security products are not available and programs can not be implemented that use them Given the problems with the current strategies and programs the Commission recommends a new approach based on a well-considered investment strategy that includes a more focused R D program It must obtain and use threat and vulnerability information in managing risk And finally it must result in a more robust efficient and responsive program for applying and managing information systems security in our systems and networks A new investment strategy is needed to ensure that products are available that will ensure the availability and integrity of both classified and unclassified data Within an information systems enclave security officials can rely on physical security to deny access to unauthorized users personnel security to provide some assurance that those who do have access are trustworthy and procedural security to manage access to and use of their subnets However protection against the outsider threat where the enclave connects to the outside infrastructure may require more stringent levels of protection There must be assurance that as information enters and leaves the enclave highly protected data does not cross the boundary to lesser cleared subscribers and that information can flow into the enclave from the outside infrastructure without permitting access to unauthorized users or the introduction of malicious software The new strategy also must identify capabilities and products that are needed to permit implementation of systems and networks providing various degrees of protection Many in the private sector currently rely on insurance to protect against losses to hackers criminals and malicious software The Commission expects that increased awareness of the economic risks inherent in connecting to or exchanging data with the information infrastructure will lead to an understanding that it is cheaper to protect information assets and information systems with technology than with insurance This will in turn encourage the development of secure products by the private sector Widespread use of such products will bring the cost down permitting security to be used as a marketing discriminator as consumers will prefer secure products to those without security so long as the difference in price is not great This process should result in the ready availability of affordable commercial off-the-shelf information systems and networks offering moderate levels of security assurance However the private sector is not expected to commercially develop those security products with the very high levels of assurance essential to some government systems and networks Accordingly the new investment strategy must provide for allocation of government funding to promote the development of high assurance products 83 Computer security exists today that is deemed sufficient to permit connectivity within secure enclaves as is the case at the CIA and the NSA However these same security countermeasures may not be considered sufficient when outside connections are established Worse interconnecting two secure enclaves that use different protection features may result in the failure of the security of both enclaves Technology that would control information transfers across enclave borders is on the drawing boards and in the labs but has not yet matured to a point where it can be used to protect connections between enclaves responsible for highly sensitive data and the unprotected infrastructure Providing such technology at the earliest possible date must be a high priority for the new investment strategy Adequate funding for information systems security is essential In keeping with the understanding that the information infrastructure is an essential element of the national security structure funds must be provided for the development of the technology needed to secure the infrastructure both within secure enclaves and across the networks Moreover sufficient funding must be included in the agencies' and departments' budgets to ensure that program managers can buy computers systems and networks that provide the security needed to protect the confidentiality integrity and availability of information assets and information systems For the Department of Defense the information infrastructure will be managed by the Defense Information Systems Agency DISA which must develop system and network security management capabilities as well as audit and alarm capabilities The DISA is ideally situated to perform these functions and has created the Center for Information Systems Security to ensure the successful performance of its security responsibilities The Center although newly formed has been doing an excellent job to date Any necessary high assurance technology for securing information and information systems will be provided by the NSA In reviewing the best practices of government and industry the Commission finds that an investment strategy that allocates five to ten percent of the total cost of developing and operating information systems and networks is appropriate and needed to ensure that those systems and networks are available when needed and safe to use Smaller investments are inadequate to achieve acceptable levels of risk Larger investments are unrealistic given the expected budgetary environment facing our communities Recommendation 65 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence develop an information systems security investment strategy including an emphasis on commercial production of computer security components at affordable costs The goal should be to use 5 to I 0 percent of the costs of infrastructure development and operations to ensure availability and the confidentiality and integrity of our information assets Research and Development-A Need to Consolidate As part of implementing the new information systems security strategy a carefully planned and wellmanaged research and development program is required Information systems technology is evolving much faster than information systems security technology The Defense and Intelligence Communities must reassess refocus and adequately fund our information systems security research and development efforts to design and develop the highly technical products needed if our countermeasures are to provide sufficient defense to responsibly manage the risk to our information systems However the Commission has observed that there is no communitywide focal point for information systems security research and development Each agency implements the R D activities needed for its own mission and as a result there have been both duplication of effort and products made that are of very limited use In addition research in the DoD and Intelligence Communities has been focused almost exclusively on providing solutions to protection of classified assets As discussed earlier the threats are changing and targets in the future may well be found in the country's unclassified infrastructure power grid controls 84 transportation systems the public switched networks stock exchanges and Federal Reserve monetary transfer system A new emphasis on developing solutions for threats to the unclassified infrastructure also is needed The Commission believes that a community-wide mechanism to determine priorities for information systems security research and development of products is needed as part of the information systems security investment strategy Recommendation 66 The Commission recommends that a Research and development programs be given high priority in creating the secure products which the DoD and the Intelligence Community need for protection of their classified and unclassified information networks and systems b The Secretary of Defense and the Director of Central Intelligence assign the NSA as the executive agent for information systems security research and development for both classified and unclassified information for the Department of Defense and the Intelligence Community Infrastructure Security Management Like other aspects of infonnation systems security the processes used to assess the security of our computers systems and networks must evolve With stand-alone systems individual organizations not only own the information that is created stored and processed on their systems they also own the systems themselves In connected environments information resources and processes are shared Our methods for assessing the security of and deciding acceptable levels of risk must change The existing processes are so slow that products and systems are frequently obsolete before we are satisfied that they are safe to use Infrastructure security managers must be able to detect when their networks and connected systems are under attack and respond appropriately If necessary it mu st be possible to perform triage and sever infected portions of the network or systems to save unaffected portions of the infrastructure Hygiene measures must be implemented to prevent problems Automated tools and security management workstations must be developed and implemented within our networks We must accommodate technology life cycles and provide for variations in the degrees of assurance required for differing applications and missions Automated tools that support security administration such as automatic monitoring and malicious code detection and eradication and management are badly needed and must be developed as part of the new strategy Our standards and processes should be compatible with international standards processes and protocols that influence the technical design of the worldwide telecomputing infrastructure upon which our nation increasingly depends Auditing Infrastructure Utilization Even though we place a high degree of reliance on the trustworthiness of cleared personnel given access to our systems we must still be able to determine if any portions of the infrastructure are being abused either by insiders or outsiders This determination can be made by recording and analyzing the information and control transactions that take place on the system a process called auditing or if conducted in real time monitoring Through auditing and monitoring one can establish normal operating patterns characterize trends detect aberrations and identify unusual activities If insiders or outsiders are attempting to obtain alter or delete information to which they are not entitled make unauthorized 85 connections to the networks or penetrate computer systems or applications auditing and monitoring provides a means to detect their activities However despite the importance of auditing and monitoring the Defense and Intelligence Communities currently are unable to conduct these activities effectively and efficiently Too much data in too many forms is being collected One hour of collected audit data requires an average of six hours of analysis for adequate review Nor are audit capabilities user friendly All too often audit records are left unopened or the audit capabilities are never activated To increase our ability to detect unauthorized activity the Defense and Intelligence Communities inust develop common auditing and monitoring record formats and automated tools to assist in the reduction and analysis of these records A focal point is needed for this activity The DISA is the logical choice for executive agent As the network manager for the DII the DISA is already involved in the identification of requirements and the development and use of automated security analysis systems for networks Recommendation 67 The Commission recommends that the DISA be the executive agent for the Department of Defense and the Intelligence Community for development of operational security management tools for infrastructure operations including more powerful audit reduction tools automated tools for use in assessing the security of our networks and connected systems and improving security management support technology Managing the Risk to Information Systems The Commission believes that a central data base containing security-related events should be established This data base would support the analysis of threats and vulnerabilities regarding information systems in the Defense and Intelligence Communities and will be useful in helping to frame risk management decisions To ensure the most comprehensive information is available to risk management decision makers contributing threat and incident information to the data base must be mandatory Because of the sensitivity of reporting vulnerabilities of and attacks on information systems the issue of whether to classify the database is contentious If unclassified it is feared that vulnerability information could be accessed and used by hackers foreign intelligence agents and others to gain a better understanding of exp Ioitable weaknesses However the use of a classified data base places restrictions on dissemination that would prevent use of vulnerability and threat information by those who need it to protect their systems Recommendation 68 The Commission recommends that the Secretary of Defense and the Director of Central Intelligence jointly establish and maintain an information systems security threat and vulnerability data base The data base should be available to all Defense and Intelligence Community organizations including industry and it must be mandatory that Defense and Intelligence Community organizations contribute all relevant information to it Emergency Response-The Need for Help The Commission recommends that in addition to creating a threat and vulnerability data base a central organization be identified to have the responsibility of working with system managers to prevent and protect against attacks to respond in a timely and effective manner if attacks occur and to alert others when a problem is recognized Such a capability should cooperate with the Computer Emergency Response Team CERT efforts now underway in private industry and academia and with other government agencies The 86 DoD has created the Automated Systems Security Incident Support Team ASSIST Program at the Defense Information Systems Agency to perform these functions The Intelligence Community should support and rely on the DISAs ASSIST program and we recommend establishing the Program as executive agent for this function govemmentwide Recommendation 69 The Commission recommends that the Secretary of Defense and Director of Central Intelligence appoint the DISA's ASSIST program as the executive agent for emergency response functions for the DoD and the Intelligence Community Information Systems Security Professionals The Commission's final recommendation deals with our most important information systems security resource people The Commission recommends creation ofa professional corps to execute the information systems security responsibilities The Commission also recommends that a vigorous training program be established to provide for the professionalization needed by the local security professional while maintaining security consistency across our networked environment in both government and industry The national cryptologic school is a good model for such professionalization training The information systems security problem is part of the larger security training and professionalization considerations discussed elsewhere in this report Recommendation 70 The Commission recommends the DoD and the Intelligence Community establish an information systems security professional development program as part of the overall development of security professionals 87 CHAPTER9 THE COST OF SECURITYAN ELUSIVE TARGET Understanding Security Costs The total cost of security is a complex interweaving of direct charges and shared hidden and opportunity costs that cannot be captured by budget line items or data calls alone The numbers do not tell the whole story and by themselves can be misleading They do not account for the costs associated with inefficiency excessive levels of protection or lost opportunities The Commission has tried to capture these less obvious costs in addition to the conventional ones in its findings and recommendations in the belief that once identified security costs can be better managed On the basis of information gathered in recent industry studies and our own analysis it is clear that no one has a good handle on what security really costs Our accounting systems are not designed to collect security cost data and do not provide the analytic tools necessary to support resource decision making The Commission discovered early the difficulty of isolating discretionary or controllable security costs from those that are inherently part of the cost of doing business Virtually every concern public or private buys some kind of security protection depending on the nature of the enterprise To illustrate this point figure 6 depicts various levels of security as a function of what is being protected It shows how the classified world of security rests on a substantial underpinning of security resources Even if there were no classified information or programs there would still be basic security costs We would fence off certain areas put security police on flight lines put locks on ammunition storage facilities and lock up expensive equipment Figure 6 also depicts what we see as a building-block approach to security countermeasures in government and industry The cost of doing business is represented in the four lower boxes Each successive block requires additional protection and entails additional costs The examples in each box are not all-inclusive but merely illustrative of the types of information being protected within each category Classified Unclassified INTELLECTUAL CAPITAL opyrights onnulas INTANGIBLE ASSETS Payroll Personnel Patents Ideas Data Bases TANGIBLE ASSET PTOTECTION Equipment Facilities Figure 6 Protection by Program Type Costs in Black and White Security costs can vary widely depending on the classification or the sensitivity of the work involved The Commission has received some verifiable data points that can be used to gauge security costs in 88 unclassified programs acknowledged or collateral programs and unacknowledged programs especially those that use cover 26 o In unclassified programs direct security costs typically fall within the range of one-half to I percent of total operating costs for government and industry o In acknowledged or collateral programs direct security costs range from I percent to 3 percent of total operating costs o For unacknowledged programs costs range considerably higher from 3 percent to I 0 percent of total operating costs One SAP program manager estimated security costs could be as high as 40 percent of total operating costs This estimate supports the widespread perception that SAP security costs can be exorbitant compared to acknowledged collateral programs Visible and Invisible Security Costs The cost of security can be depicted as an iceberg having four facets Two of the facets are visible and therefore more or less quantifiable The other two are hidden below the waterline and while difficult to measure experience suggests they may be very large indeed As shown in figure 7 the visible facets of the iceberg are made up of direct and indirect security costs Together they account for a small percent of the iceberg Direct costs are quantifiable charges such as labor equipment and facilities More difficult to quantify but still visible are indirect costs that contractors typically charge as overhead and general and administrative G A expenses G A and overhead charges are shared costs and may include for example guards who cover several program facilities or corporate security managers who service a number of programs Direct Costs Indirect Costs Opportunity Costs Figure 7 The Cost Iceberg Below the waterline are difficult to quantify and comparatively large hidden costs loosely defined as inefficiency and opportunity costs The Commission believes that attacking these kinds of costs can yield near-term savings without degrading effectiveness As part ofa contract to support a Special Access Program a large defense firm on the west coast must regularly visit a sensitive activity in the Boston area Based on the SAP security plan which specifies that for cover reasons the contractor must not be associated with the site the SAP program manager requires that contractor personnel traveling to Boston use circuitous routes by stopping at an intermediate location to change planes 89 Recently another contractor needed to reassign I 70 employees to work on a DIA contract Despite all of their employees' clearances being on record in the Intelligence Community's 4C clearance data base DIA required new personal history statements from each person and readjudicated each case After six months only 32 people had been processed With an eye toward the total cost of security the Commission adopted the following approach o Each of the subcommittees-threat physical technical personnel and information systems securityattempted to identify costs and investigated potential savings in its respective area o The staff reviewed cost data in the National Foreign Intelligence Program NFIP and DoD budgets excluding SAPs o The staff reviewed the just-completed final report of the NISP Resources Working Group Capturing Security Costs in Industry as well as other recent industry cost surveys o The Commission held extensive discussions with industry including three well-attended roundtable meetings in addition to meeting with professional associations and public interest groups We interviewed members of Congress and their staff senior public officials and working-level security officers in government and industry all of whom addressed the security costs of doing business There's No Way To Know How Much We're Spending on Security This oft-heard declaration sums up the feeling of many managers budget examiners and members of Congress alike Frustration in the Congress over the Intelligence Community's inability to justify its security expenditures in terms of the changing threat led to a 0 5 percent reduction in the NFIP in FY 1993 There have been more recent calls for cost clarity and containment Representative David Skaggs authored language in the FY 1994 Intelligence Authorization Act calling for the Director of Central Intelligence to report to the Intelligence Committees by 31 March 1994 on the cost of classifying documents and a plan for reducing classification-related costs The Commission believes that establishing a coherent system to capture security costs is crucial to streamlining and cost reduction While some progress is being made in the NFIP the DoD and the NISP these disparate efforts are not well coordinated and are proceeding far too slowly to offer any hope that a uniform cost accounting methodology is achievable in time to meaningfully capture any of the Commission's cost-impacting recommendations Recommendation 71 The Commission recommends the creation of an ad hoc panel to create a common approach and budget framework for defining and tracking security costs in the DoD the Intelligence Community and industry Work to Date in the DoD The DoD has embarked on an ambitious effort to capture security costs using Tactical Intelligence and Related Activities TIARA as a model Under the auspices of the Assistant Secretary of Defense C3I the Intelligence Programs Support Group IPSG is at work on the so-called CI SCM and Related Activities CISARA initiative which attempts to aggregate security costs that are not part of the NFIP Footnote 27 A new data base incorporating CISARA as well as NFIP costs will make it possible to identify the cost of security throughout the DoD's Major Force Programs 90 Intelligence Community Efforts The Intelligence Community under the auspices of the DCI's Community Management Staff CMS launched a parallel effort to capture security costs using methods compatible with the DoD's CI SARA effort For the first time Joint DoD-NFIP Program and Planning Guidance was issued for the FY 1995-99 program build Included as a part of a Common Budget Framework for programs in the Defense and Intelligence Communities were new security cost categories for NFIP and DoD programmers to follow in building and displaying resources allocated to security In a follow-on directive signed by the Deputy Director of Central Intelligence program managers were informed of the Commission's intent to use FY 1995 budget submissions as the primary source of security resource data Unfortunately the Commission did not receive usable resource data from all the NFIP programs The data we did receive are incomplete inconsistent and not coherently integrated into NFIP-wide cost estimates As a consequence the Commission has not been able to do much more than glimpse at the big security cost picture in the NFIP The Commission's recommendation to create a uniform cost accounting methodology and tracking system should bring about the accuracy uniformity and responsiveness currently lacking in the Intelligence Community Capturing Security Costs in Industry There is a commonly held perception in industry that industry has been subjected to indiscriminate inconsistent and unnecessary security procedures at costs not commensurate with the risk of compromise or level of threat The Commission concurs with the NISP's strategy to make security more effective and economical in industry by identifying o Cost efficiencies resulting from the development and application of baseline standards o Security standards for special activities or programs that exceed baseline standards and are not linked to demonstrable threats o Resource impacts of proposed changes in security standards and policies to aid risk-based decisionmaking Capturing security costs in government contracts is generally more difficult than capturing the other security costs because in industry security costs are frequently carried as indirect charges There is no separate requirement for industry to report these costs to the government The NISP tasked a working group Footnote 28 to develop a measurement tool to determine the cost of security in both baseline and special programs standards and then to identify the most feasible system for monitoring continued data collection The NISPs effort to develop cost metrics led to several broad-scope industry surveys that tried to collect security cost data from government contracts These surveys have had limited success for two primary reasons First they unsuccessfully attempted to capture indirect imbedded costs such as employee time spent completing personnel security questionnaires conducting clearance determinations and escorting visitors Second contractors are not required to respond to a survey conducted by a Federal agency Thus data calls are unlikely to yield a sufficient number of responses for a representative sampling But the surveys have provided information subsequently validated by independent auditors that helps size the problem 91 o Of the total costs billed to security for both collateral and special programs 60 to 80 percent is directly attributable to security labor wages salaries and benefits for security managers document control personnel guards and couriers o An additional I 0 to 30 percent of total security costs are for facility and equipment costs including buildings locks alarms and security containers o The remaining security costs are carried in overhead or G A and not identifiable as security costs per se o Between I 0 to 20 percent of contractors doing classified work for the government account for 60 to 80 percent of overall costs billed to security Since there are no common accounting practices for industrial security costs there are huge variances in cost tracking systems used by contractors The Commission believes that prescribing uniform accounting procedures for industry would be unworkable and unreasonably costly An independent study by a government organization estimates that for its contractors alone total start-up costs for a security cost reporting tracking system would be about $12 million with an annual recurring cost of about $8 million An alternative approach offered by the NISP and endorsed by a consensus of government and industry security experts is to focus on direct security labor and facility costs since these categories constitute approximately 90 percent of costs billed to security by industry Moreover these costs can be extracted from contractors' existing accounting systems Capturing the remaining I 0 percent which is no less important but harder to define can be accomplished by sampling a small number of major defense firms to gauge trends across the entire business base This strategy effectively divides costs traceable to security requirements into four categories o Routine security costs that would be incurred ifthere were no Federal Government contracts o Visible security costs usually associated with collateral programs and budgeted and controlled by the corporate security organization o Those contract-specific security costs for special activities and programs that are under the direct control of program or contract managers o Those imbedded costs not identifiable as direct labor that are related to security tasks and regulations and are accomplished by non-security employees and not recorded as security costs Recommendation 72 The Commission endorses the joint government and industry strategy for capturing industrial security costs and recommends that this strategy be incorporated within the new accounting and budget framework for security Moving Towards Consistency Capturing security costs in the DoD the NFIP and industry consistently and at some reasonable level of detail is essential to baselining security expenditures Unless all three define costs in a manner that lends itself to subsequent aggregation and analysis on similar program and budget cycles it will not serve the needs of policymakers and risk managers at all levels who have to make sound security decisions in a resource-constrained environment 92 Getting to the Bottom Line-The Payoff Is Long Term The Commission has made two types of cost-saving recommendations that will directly reduce costs First we have suggested ways to lower security costs eliminating inefficiencies and excessive layers of protection without degrading the effectiveness of protection Second the Commission has offered a number of specific proposals that will lessen the cost of security and reduce levels of protection without jeopardizing security by managing risk Because our focus has been on systemic problems the kind that appear below the waterline on the iceberg graphic there are a number of recommendations where the costsavings impact will be more gradual but nonetheless significant over the long term We have not been able to quantify the savings except in very rough terms o Overhauling the classification system will have cost-beneficial impacts on virtually every aspect of security We will be able to integrate our information architectures and exchange people and ideas more efficiently while protecting secrets effectively Moreover if we classify less and declassify more we will have to clear fewer people buy fewer safes and mount fewer guard posts o The personnel security system can be streamlined by mandating reciprocity consolidating functions and encouraging automation Long-term savings will result from merging investigative organizations for the Defense and Intelligence Communities reducing investigative lag times reducing the scope of the SSBI mandating reciprocity of adjudications consolidating DoD adjudicative centers using industrial funding strategies for select security functions consolidating security forms and establishing a personnel security questionnaire in electronic format o Revising physical security requirements will establish standards and ensure reciprocity Costs can be reduced by eliminating routine industrial inspections establishing a facility certification and registration system reducing domestic TEMPEST requirements discontinuing routine TSCM inspections and maintaining central data bases for clearances for all of government and industry o Introducing effective oversight and discipline into the security communities through the creation of the security executive committee and its supporting staff will reduce costs So will streamlining the policy coordination mechanism by consolidating several committees and their supporting structures into one cohesive policy management structure o Taking full advantage of existing Defense and Intelligence Community training expertise and facilities by pooling resources and coordinating training initiatives is also a cost saver o Avoiding conflicting research and development programs will protect critical efforts that track changes in foreign intelligence threats as well as technology while freeing up resources for other priority needs With Up-Front Costs in the Near Term o Start-up costs for a new DoD-Intelligence Community badge system are estimated at $3 million However the benefits ofincreased efficiency and productivity savings suggest that the system could pay for itself in one year o Increasing our investment in information systems security will be expensive in the short run However the consequences of a security breakdown in this area are so critical and far-reaching that committing additional resources is only prudent 93 The Bottom Line The Commission was not given a cost reduction target and without being able to define costs precisely meeting one would have been nearly impossble in any case Nonetheless the Commission believes that its recommendations can lead to net long-term savings Furthermore we believe there needs to be a sound resource strategy that o Links security countermeasures and costs to realistic threat assessments and risks o Provides a financial blueprint to guide resource allocation and establishes top-level policy direction and control over security expenditures Recommendation 73 The Commission recommends that the Secretary of defense and the Director of Central Intelligence develop a long-term resource strategy for security 94 CHAPTER 10 SECURITY AWARENESS TRAINING AND EDUCATION The success of the Commission's recommendations to improve security will depend in part on how well we can incorporate the concepts of risk management standardization reciprocity accountability and a service mentality into the way we do business and into the fabric of the workforce The security education community has a critical role to play in this process The Commission is proposing a fundamental change in how we view and manage security The concepts espoused demand greater responsibility from each individual Management must be educated as to its responsibilities in the new environment and provided the tools to apply risk management effectively Multidisciplinary security professionals will need to know the why as well as the how of security in order to move away from a compliance or checklist mentality toward a customer service philosophy Employees will need to understand their critical role and feel that they have a personal stake in identifying and implementing the goals and objectives of their organization in protecting its assets The Present The Defense and Intelligence Communities each have extensive training infrastructures in place focused primarily on their own needs Interaction with respect to curricula and access to courses and material is at best informal among the various training facilities Training criteria and requirements also vary between agencies and departments resulting in uneven performance levels of security officers While the Commission recognizes the need for agency and department specific training and criteria these independent efforts produce an inconsistent quality of training result in a duplication of effort and reinforce the parochial interpretation and implementation of national policy The Commission has also found that despite the importance of security awareness training and education programs these programs tend to be frequent and ready targets for budget cuts Training for the Future The security system of the future will place greater demands on the entire workforce but especially on the security professionals The focus on creative cost-effective solutions to security problems will require a thorough understanding of both the spirit and the letter of security policies practices and procedures The security professionals will be asked to implement the changes that we are proposing and to provide the expert input needed to make risk management a viable reality The expertise and energy that molded the present security system must be harnessed and directed to meet the challenges of the new security environment The standardization of security training programs and development of career development tracks are important steps in this process and should be the primary goals of the training community Uniformity in the skills and knowledge taught security professionals is needed not only to ensure the quality of work but also to foster a common understanding and implementation of security policies and procedures The demonstrated need for reciprocity among government agencies and facilities argues strongly for the creation of a career program structure with defined levels of proficiency for security disciplines professionalization criteria cross-discipline training rotational assignments and opportunities for advancement As noted in the Information Systems Security Chapter of this report no where is the need for standardization and professionalization more apparent than in information systems security Because ofa lack of qualified personnel and a failure to provide adequate resources many information systems security 95 tasks are not being performed adequately Too often critical security responsibilities are assigned as additional or ancillary duties We have not identified all of the missions and functions to be performed by information systems security professionals and lack comprehensive consistent training for information systems security officers security engineers charged with developing secure systems networks and security tools and certifiers and accreditors who can assure us that our networks operate securely Additionally in technical areas like information systems security and TSCM we should provide cross training between the defensive and offensive sides so that the lessons learned by one side can be of benefit to the other Building on the informal cooperation which already exists in some places a formal partnership between the Defense and Intelligence Communities should be established to achieve these objectives and to realize cost efficiencies Such a partnership would be based on the joint use of training facilities the creation of common career fields and professionalization programs and the consolidation of training management functions into an executive agent for security training Working in cooperation with the agencies and departments the executive agent would o Identify and catalog Defense and Intelligence Community requirements for security training and coordinate the development of courses to meet the requirements o Centralize training resources facilitate community-wide access to existing training centers and products and focus investment in training technology o Implement curriculum review and instructor certification o Establish community course codes and create a central database of available training o Develop security professionalization criteria Recommendation 74 The Commission recommends that an executive agent for security training be appointed This executive agent should standardize security training develop security professionalization criteria encourage joint use of training facilities and emphasize the development of information systems security training A focused effort is also needed to educate management as to its security responsibilities and to teach principles of effective risk management and its application to security countermeasures As the insider is cited as the major threat to the protection of information in government and industry today managers must know how to spot troubled employees how to help them what resources are available and how to use these resources to counter the insider threat Sensitizing employees to the continuing need for security will be a challenge in the post Cold War environment Government and industry must continue to be made aware of their responsibilities in protecting our nation's assets However the Commission found that all too often security awareness briefings while a cost-effective way to reach the workforce are viewed as boring irrelevant and out-ofdate Presentations are often made in the same manner regardless of whether the audience consists of new recruits or senior management Security awareness programs need to be tailored to the audience and refocused to provide current specific examples of the diverse and multifaceted threats emphasizing such topics as current counterintelligence issues and information systems security Recommendation 75 The Commission recommends that an increased emphasis be placed on developing and funding security education courses for management and up-to-date security awareness programs 96 CHAPTER 11 A SECURITY ARCHITECTURE FOR THE FUTURE Throughout this report we have identified problems that contribute to the complexity and cost of the security system and proposed recommendations for overcoming them But as noted earlier many of these problems are merely symptoms not causes The Commission unanimously believes that the fragmentation of the security policy structure is the prime cause of the problems now associated with security policies practices and procedures and that no substantive and long-term improvements can be achieved without a unifying structure to provide leadership focus and direction to the government security communities The Present US Government security policies and practices have evolved in an ad hoc manner over the last four decades Security policy is enunciated in a collection of documents Executive Orders National Security Decision Directives National Security Directives Presidential Decision Directives legislation and individual department or agency directives and orders prepared at different times by different people in response to different requirements and events not as part of a coherent planned effort Additionally the individual policy documents have been developed through consensus an approach that is not only time consuming and slow to respond to change but can also produce unsatisfactory results Policy is often weakened in order to achieve consensus As a result the departments or agencies are allowed to ignore aspects of policy which they do not support as has happened with the SSBI mandated by NSD 63 the new TEMPEST policy outlined in NSTJSSI 7000 and the elimination of the two person rule Industrial Security NISPStCom NISPPAC DIC OB ersonnel Security Def Pers Scty Com DD IA v CCISCMO DC Sec Forum AGISCM INFOSECCom MASINTCom SIGINTCom Security Training Natl Sec Ed Bd DoD SI Adv Com NCS Com of Principals Def INFOSEC Com ISOO Task Force hysical Security Phy Sec Rev Bd PSEAG Anns Ctl WG Cl Ops Policy CJ Sup to Ind WG NSD18 NSD47 Imp WG Figure 8 The Current Policy Structure 97 This piecemeal approach to security policy has led to a decentralized policy structure in which multiple groups with different interests and authorities work independently of one another Figure 8 represents some of the Defense and Intelligence Community groups that either have some role in the formulation of security policy or influence the process Many of these groups have overlapping memberships and responsibilities others operate in isolation but all exact a cost in terms of time energy and efficiency Each department or agency head is responsible for the appropriate implementation of security policy within his or her own organization This decentralization presents its own unique set of challenges The process is slow and some people never seem to get the word Multiple agency originated implementation documents while accommodating unique agency or department needs also allow ample opportunity for the introduction of subtle changes clarifications reinterpretations or additions that grow more pronounced with each iteration and can subvert efforts to standardize or update security policies and practices Oversight responsibility rests primarily with the department or agency heads and their respective Inspectors General Although the Director of Central Intelligence has statutory authority for the protection of sources and methods no comparable authority exists within the Defense Department where the Under Secretary of Defense Policy the Assistant Secretary of Defense Command Control Communications and Intelligence the defense agencies services and Joint and Unified Commands all have a responsibility for security policy In addition there is no effective mechanism to look across government to ensure that security policy is being implemented properly ifat all Some personnel interviewed in the Defense and Intelligence Communities believe that there is in fact no penalty for noncompliance with security policy The Future The problems inherent in this fragmented approach to security policy argue strongly for the creation of a security policy structure capable of pulling these disparate elements together and overcoming the bureaucracies' traditional resistance to innovation and change The Commission recommends the establishment ofa security executive committee to unify security policy development serve as a mechanism for coordination dispute resolution evaluation and oversight and provide a focal point for Congressional and public inquiries regarding security policy or its application Individual department heads would be able to request exceptions from general policies for their departments if deemed necessary Security Executive Committee Cochairs DEPSECDEF DCI I security Advisory Board I I I I Staff I Community Working Groups Policy Formulation - Implementation - Oversight I SECURilY POLICY I Figure 9 The Security Executive Committee In view of the national security responsibilities assigned to the Department of Defense and the Director of Central Intelligence we propose that the Secretary of Defense or his designee and the Director of Central Intelligence jointly chair the security executive committee In recognition of the need to view security from a national perspective the other permanent members would be the Deputy National Security Adviser the Deputy Secretary of State the Deputy Secretary ofTreasury the Deputy Secretary of Energy 98 the Deputy Secretary of Commerce the Deputy Attorney General the Chairman of the Joint Chiefs of Staff and the Director of OMB Other departments or agencies would be invited to attend committee meetings as required by the subject under discussion In the Commission's view the security executive committee should be established by the President under the auspices of the National Security Council The security executive committee would be assisted by a security advisory board composed of distinguished Americans who would provide a non-government and public interest perspective to security policy The board would act as a barometer for the committee to ensure that security policy and implementation is consistent with the overall goals of the government such as openness cost effectiveness and fairness A small permanent interagency staff would provide support for the security executive committee as required Our concept would be to focus the staff on four functional areas threat policy development implementation and oversight We would anticipate that the staff would facilitate track and expedite actions and would support whatever interagency committees and groups might be required to ensure full community participation in the development and coordination of security policy and to effect horizontal integration of the individual security disciplines The functions of existing staff structures such as the Information Security Oversight Otlice ISOO the National Security Telecommunications and Information Systems Security Committee NSTISSC Executive Secretariat and elements of the Community Counterintelligence and Security Countermeasures Otlice CCISCMO could be consolidated as subcommittees or in the permanent staff in order to streamline the structure and reinforce the concept of horizontal integration The security executive committee has a pivotal role in implementing the changes that we are proposing and in achieving our vision for the future If created it will facilitate the continuous and dynamic review of security policies practices and procedures needed to propel the government security communities into the new century The scope and stature of its membership will give greater prominence to security and will combine the government security communities into a cohesive framework that can address the full range of security issues It will monitor implementation to ensure that it is timely and consistent As an early goal we believe the committee should enunciate a cohesive national level strategy for security which lays out goals and objectives and assigns responsibilities across government The national scope of the strategy would ensure consistency and reciprocity among departments and agencies and recognize that security is a governmentwide responsibility Recommendation 76 The Commission recommends the establishment of a national level security policy committee to provide structure and coherence to US Government security policy practices and procedures The committee will I Develop government security policy and standards 2 Ensure long term and continuing implementation oversight 3 Serve as an ombudsman to resolve disputes 4 Monitor security resources expended and provide security program guidance As a first step the Commission recommends that the Secretary of Defense and the Director of Central Intelligence immediately establish a committee to fulfill these functions for the Defense and Intelligence Communities 99 ENDNOTES 1 The term bigot is said to have been coined during World War II with reference to the controls on information sent TO GIBRALTAR or TOGIB reversed as BIGOT 2 The Executive Order on classification allows Agency heads to create Special Access Programs to control access distribution and protection of particularly sensitive information These include DoD Special Access Programs SAPs the DCI's Sensitive Compartmented Information Programs and other information controlled by access lists This includes CIA human source and operational information and Joint Chiefs of Staff war plans 3 Acquisition programs for the protection of sensitive research development test and evaluation or procurement activities in support of sensitive military and intelligence requirements Intelligence programs for the protection of planning sensitive intelligence or counterintelligence operations or for the collection and exploitation of intelligence Operations and Support programs for the protection of planning and executing sensitive military operations or providing sensitive support to non-DoD departments and agencies 4 Acknowledged programs are those which are acknowledged to exist although the public may not be aware of the Special Access Program Details of the program are under special protective controls Unacknowledged programs are those of which the mere existence of the Special Access Program is protected from all within government and industry who have not been determined to have a needto-know Knowledge of the existence of the program could endanger its success 5 The current sentencing guidelines illustrate this confusion The guidelines are based on the assumption codified in the executive order on classified information that the disclosure of Top Secret information will cause greater damage than the disclosure of Secret information Under the existing guidelines a person will receive a more severe sentence for disclosing Top Secret than for disclosing Secret information However information protected as Secret SAP is often much more sensitive than collateral i e non-SAP Top Secret Thus the current sentencing guidelines could result in a person receiving a lighter sentence than is justified by the harm caused by the disclosure The sentencing guidelines must be rewritten to reflect the classification system recommended by the Commission 6 WNINTEL Warning Notice- Intelligence Sources and Methods Involved ORCON Dissemination and Extraction oflnformation Controlled by Originator NO FORN Not Releasable to Foreign Nationals REL Authorized for Release to Name of country ies or international organization 7 NO CONTRACT Not Releasable to Contractors or Consultants PROPIN Caution- Proprietary Information Involved 8 Commissioner Lapham's remarks on secrecy agreements are contained in Appendix A 9 It is not clear how many pages of information are involved Some of these documents may consist of one or two pages others may be much longer documents This is important because the Department of Defense DoD and the Central Intelligence Agency CIA which together account for between 84 to 87 percent of those classification actions report that an experienced reviewer is 100 able to review approximately 200 pages of classified documents per day We are informed by DoD that during its review of MIA POW documents an experienced reviewer was able to review about 200 pages of material per day but that the average rate of declassification could be as low as 75 to 100 pages per person per day Based upon this data we estimate that an experienced reviewer working an average of240 days per year and reviewing an average of200 pages per day could review 48 000 pages per year Assuming an average of three pages per document or 18 million pages per year it would require 375 reviewers to review a single year's product Assuming an average grade ofGS-12 about $43 000 per year this review would cost in excess of$16 million in direct salary costs This does not take into account the additional administrative costs for example of finding the documents and all of the copies Moreover creating a govemmentwide computer data base and entering all classification and declassification decisions will be a difficult and expensive undertaking IO 1993 Status Report on the Implementation ofNational Security Directive 47 11 PERSEREC has proposed that the NAC be expanded to include all current NAC inquiries plus checks of other national automated databases For example the Title 31 data base maintained by the Treasury Department contains information on large and or suspicious currency transactions that merchants and individuals are required to file with Treasury These publicly available databases can provide investigators with leads concerning unexplained affluence and or an important counterintelligence indicator that can be difficult to detect through traditional credit checks Searches of these databases also can be automated such that investigators are notified only when certain thresholds are reached 12 Based on OPM figures 13 Commissioner ChayesU supplemental view on procedural safeguards is contained in Appendix B 14 Commissioner Lapham's remarks on the polygraph are contained in Appendix C 15 Polygraph is Greek for many writings reflecting the multiple readings that are recorded simultaneously The instrument-which was basically developed by 1949-measures physiological changes in response to questions 16 NRO and CIA have approximately 40 000 contractors who have access and who have never been polygraphed 17 The goals of the program are to a provide an arsenal of valid and reliable security and applicant screening tests based on scientific evaluation of existing tests in comparison with new tests b eliminate privacy-invading or personally offensive control questions c evaluate a variety of sensors transducers and recording devices to establish the most effective and noninvasive physiological data collection systems d develop algorithms that provide valid and reliable diagnostic results for each screening test that meets acceptable levels of validity e develop countermeasure detection algorithms for all screening tests f evaluate the effectiveness and utility of applicant screening tests g determine the deterrent effects of the screening polygraph h develop other tools for detecting deception that could be used in conjunction with or in place of the polygraph 18 National Operations Security Doctrine lnteragency OPSEC Support Staff January 1993 IOI 19 Membership currently consists ofrepresentatives from the DoE CIA NSA GSA FBI and the Secret Service 20 The training of over 2200 government employees occurred from 1991 to 1993 21 Examples include voting trusts proxies special security agreements board resolutions and reciprocal agreements 22 The Exxon-Florio Amendment Section 5021 of the Omnibus Trade and Competitiveness Act of 1988 Pub L I00-418 enacted August 23 1988 permits the Presllent to halt or reverse the acquisition of a US business by a foreign firm ifhe believes it would harm national security in a manner not adequately addressed by other federal laws Executive Order No 11858 as amended 54 Fed Reg 779 Dec 28 1988 delegates to the Interagency Committee on Foreign Investment in the United States CFIUS the authority to determine when a proposed transaction warrants review investigations and to submit recommendations to approve limit or halt transactions 23 DoD Instruction 2015 4 dated 5 Nov 63 established the DoD Mutual Weapons Development Data Exchange Program and the Defense Development Exchange Program Cooperative efforts expanded in 1976 with the creation of the International Professional Scientist and Engineer Program followed by the Personnel Exchange Program 24 A two-year US Army study of the Defense Data Exchange Program found that foreign governments successfully used a variety of overt and covert collection methods to gain access to prohibited non-releasable classified and unclassified technologies weapons systems and programs 25 The NOP establishes criteria and conditions that implement the security requirements contained in the Arms Export Control Act AECA and Executive Order 12356 26 The terms white and black are also used to describe acknowledged and unacknowledged programs respectively Although there is no standard definition of these terms in the security lexicon in its broadest sense black refers to not only to the aspect of covertness clandestinity of a program but also to SAPs and other special activities that impose need-to-know or access controls beyond those normally provided for Top Secret Secret and Confidential information Because these terms are not clearly defined and could be considered offensive to some the Commission encourages the use of the terms acknowledged and unacknowledged 27 Resource Estimates for Counterintelligence and Security Countermeasures a study prepared for the Deputy Assistant Secretary of Defense C31 CI SCM by the Institute for Defense Analysis September 1992 updated December 1993 28 Capturing Security Costs in Industry Final Report of the National Industrial Security Program Resources Working Group December 1993 102 APPENDIX A STATEMENT OF COMMISSIONER LAPHAM ON SECRECY AGREEMENTS If this recommendation is adopted it will inevitably gut the secrecy agreement that is currently required as a condition of CIA employment The report suggests that the broad-form prepublication review provision contained in this agreement has no value because the malicious will disregard it anyway and the conscientious can safely be held to a less broad requirement I do not believe that the historical record supports this suggestion and I am mindful of the fact that DCis have repeatedly affirmed with reference to the current agreement or its predecessors that the broad-form prepublication review provision is vital to the protection of intelligence sources and methods I do not believe that this recommendation should be adopted ifat all without a much fuller accounting of the benefits that have been realized as a result ofthe obligations imposed by the CIA secrecy agreement and the risks that would ensue if that agreement were to be modified in accordance with the recommendation 103 APPENDIXB STATEMENT OF COMMISSIONER CHAYES ON PROCEDURAL SAFEGUARDS I support the conclusion reached in the main text that the procedural safeguards available to military personnel and DoD civilians facing denial or revocation of security clearances should be the same I would go further however in urging that different treatment for DoD government and contractor personnel also be eliminated Elementary fairness requires that we provide uniform treatment for both classes of people Reaching this state of affairs requires that we bridge the gap between the two sets of procedures currently in place For many of the reasons stated in the main text the formal trial-like procedures using the Federal Rules of Evidence as a guide and available to anyone who requests it whether or not there are any factual disputes that need to be resolved represents procedural overkill And while the process is perhaps more expensive and time and labor intensive than necessary at the front end it is less generous than it ought to be at the appeals stage A common set of procedures for both government and contractor personnel should require provision of a full and complete statement of the reasons for the proposed denial or revocation and a clear statement about the right to counsel at all stages of an appeal Appeal of the denial of an initial clearance should be decided upon a written response without an oral hearing Broader rights should be provided in cases involving the revocation of a clearance or the denial of a higher clearance In these cases so long as the person claims there is a factual dispute there should be the right to an informal hearing before a hearing officer who neither has any involvement in the issue nor is within the chain of command of those responsible for the clearance adjudication The hearing should resemble an informal arbitration with a transcript and the right to call and examine witnesses The Federal Rules of Evidence should not be used and the process should be expected to take one day or less A second written appeal should be available in all cases A board established to review these appeals should not be limited to strict scope-of-review limits but should be free to take a fresh look at the case in reaching its decision 104 AppendixC STATEMENT OF COMMISSIONER LAPHAM ON POLYGRAPH The Commission struggled hard to reach a consensus on issues relating to polygraph testing for personnel screening purposes In the end however I decided to go my own way on these issues and to prepare this separate statement of my views I did so not because I disagree with all of the Commission's recommendations and conclusions-indeed there are a number with which I agree-but mainly because I do not believe that the report contains an adequate or well-reasoned analysis of the issues and because I believe that shortcoming impeaches even those recommendations and conclusions with which I do agree Polygraph testing is an obviously invasive procedure the more so in screening contexts than in other applications In the more typical setting there is a single factual issue that needs to be resolved or some single event that is known to have happened and that is under investigation Therefore the scope of the test is apt to be narrow as is the class of persons who may have some relevant information to provide Screening polygraphs have no such natural limits Almost by definition they affect larger classes of persons and sweep more widely for information The goal is not to find out the truth about some event that is known to have happened but rather to find out about the background and personal history of the person being examined Given that purpose multiple topics are within the field of inquiry and the questions may range across an entire lifetime or a substantial period of years and may begin for example with the words have you ever or within the last five years have you ever The breadth of the inquiry is one reason why privacy interests are so deeply implicated by screening polygraphs and especially by the full-scope tests that include the so-called lifestyle questions There is also the matter of the surroundings in which the tests are conducted The atmosphere is clinical The chair is no more appealing than a dentist's chair The technology is apt to be mysterious and only one of the three machine-to-body connectors the blood pressure cuff is apt to be familiar There is an underlying premise that something about to be said or already said in a personal history statement may be a lie The examiner is a stranger and the entire session including the pretest interview and any posttest questioning is being tape-recorded or videotaped and is destined to become a government record Those circumstances are almost bound to make the test an unnerving and intimidating experience even apart from the extent to which the questioning encroaches on privacy zones Privacy interests however are not the same thing as legitimate expectations of privacy At least as 1 see it any analysis of the polygraph procedure like any analysis of other invasive techniques that are used to screen government personnel such as drug-testing programs in which urine samples are required to be given must involve a balancing of such privacy expectations against the governmental interests that are at stake and ultimately a determination as to whether the procedure is reasonable My personal conclusion is that the procedure is reasonable At least implicitly the Commission reached the same conclusion but I get there by a different route Governmental interests and individual privacy expectations At a threshold level the analysis is pretty simple and the balance is clearly in favor of the government Not long ago in 1988 the Supreme Court said that the nation's security depends in large measure on the reliability and trustworthiness of CIA employees That remark could just as well have been made with respect to others who occupy positions involving access to highly classified information The self-evident point here is that the government has a compelling interest in assuring itself that such persons meet high standards That interest necessitates a screening process Individuals who seek intelligence agency 105 positions or other positions of equal trust have every reason to understand and expect that such a process will be conducted and that it will include a searching inquiry into their personal backgrounds To be sure there is room for disagreement about the appropriate scope of such inquiries and as to the categories of information that are truly germane to the reliability and trustworthiness determinations that need to be made In my opinion however so long as the inquiries stay within rational bounds and are carried out by lawful means and with the consent of the persons affected those persons can have no valid objections based on legitimate expectations of privacy Where the screening process entails a polygraph test whether as a condition of initial or continued employment or as a condition of access that fact is made known in advance as are the topics to be covered A decision to submit to the test is a matter of choice requiring a voluntary consent by the person to be examined In some cases that choice may be personally difficult but then it is not the government's responsibility to make the screening process easy or painless Nor can hard or difficult choices be equated with compulsion A refusal to take a polygraph may have negative consequences as for example the loss of a job opportunity at CIA or NSA and there may be strong pressures to avoid those consequences but this does not mean that a decision to take the test is forced or involuntary While there are distinctions that can be made here between initial applicants for employment and persons who are already embarked on government or industry careers and for whom therefore the pressures are undoubtedly greater these distinctions are to some extent accommodated by the different test formats that are used and in any event it is still true that the tests are known-in-advance requirements are conducted on a consensual basis and not inconsistent with any fair expectations of privacy The relevance of the questions However compelling the government's interest the intentional collection of personal infonnation unrelated to that interest especially by invasive techniques is not defensible The issue here is therefore whether a rational link exists between the kinds of conduct that are probed by the relevant polygraph questions and the reliability and trustworthiness determinations that the government must make In other words the issue is whether these questions are relevant not just because they are so denominated in a polygraph test but because they are tied to conduct about which the government has legitimate reason to be concerned and to inquire My own belief on this score is that as the tests are currently structured in both the full-scope format and the counterintelligence-scope fonnat all the relevant questions in the line-up deal with matters that are proper subjects of inquiry Most of the controversy surrounds the so-called lifestyle questions which is the tenn commonly used to describe some of the questions that are asked when the test is given in the fullscope format as it is to all applicants for CIA and NSA employment I view the term lifestyle questions as an unfortunate misnomer The flavor of the term is that these questions have only to do with personal matters that are none of the government's business In fact however the questions deal with such matters as prior criminal conduct illicit drug use alcohol abuse and any history of serious financial or mental health problems These same subjects are matters of inquiry on personal history statement forms and associated forms and during background investigations If they were judged to be irrelevant they should be declared out of bounds on all these fronts not just on the polygraph front As I see it however all these subjects can readily be linked to reliability and trustworthiness concerns and to established adjudicative criteria Indeed it is hard for me to imagine a credible screening process in which these subjects were not pursued At the same time it is my opinion that some of the relevant questions including some of the lifestyle questions as currently approved for use in screening polygraphs are overly general and too broadly worded As a consequence as these questions are discussed between the examiner and the person to be examined during the pre-test interview there is a high likelihood that personal information will be elicited 106 perhaps embarrassing information that could have no value in any adjudicative decision 1 would therefore favor an effort to rework some of the questions so that they would have a sharper and more narrow focus at the outset and so that there would be a lesser chance of eliciting irrelevant personal information I would also like to see it become an explicit objective of polygraph examiners to minimize the incidental take of such irrelevant information I believe these steps would shorten the tests make them less intrusive and reduce the number of retests that need to be given all without any offsetting disadvantage Utility I agree with the Commission's finding that polygraph testing has high utility as a personnel screening tool The utility evidence is varied It consists partly of data showing that large numbers of significant admissions are made during the interview phase of the procedure that takes place before the polygraph machine is ever activated and during the questioning that may follow after the machine is deactivated There are also less tangible but nevertheless important utility considerations having to do with the deterrent effects of the procedure in relation to both applicants and employees with the mutual trust engendered among employees by their common polygraph experience and with the fact that the procedure is seen as eliminating the need for other personally invasive security safeguards as for example random drug testing programs Without exception the senior agency officials consulted by the Commission having direct responsibility for polygraph screening programs gave it as their opinion that these programs were the single most useful screening tool at their disposal and were the linchpin of their personnel security efforts Granting that these opinions hardly come from neutral sources they are still worthy of respect and are made all the more significant when considered in the light of the Commission's recognition that personnel security is the most vital ingredient in any security system Validity The question that lurks behind the utility evidence particularly insofar as it consists of data showing success in the elicitation of admissions is whether the procedure is otherwise a sham and succeeds only because it is orchestrated in such a way as to make it appear to persons being examined that they have only two choices one being to make admissions assuming they have something to admit and the other being to practice deception and be detected In other words as I see it the fundamental validity issue is whether the promise of detection is an empty threat and therefore whether the whole procedure is a trick or whether within some range of probability the procedure can actually distinguish a true answer from a false answer By endorsing various expert pronouncements that The scientific validity of the polygraph when used for personnel security purposes is yet to be established the Commission appears to come down on the first side of this issue As a consequence when it goes on to recommend that polygraph screening programs be continued with certain modifications the report apparently adopts the position that even though the procedure employed by these programs is or may be invalid the programs should be maintained in any event because they are useful If the lack-of-validity premise of that position is accepted the programs are likely to be discontinued despite their utility I am not so ready as the Commission to write off screening polygraphs as lacking in scientific validity in part because the Commission never explains what it means by that term and even ifl were ready to do so I still would not quickly jump ahead to the separate conclusion that polygraph testing has no validity as a personnel screening tool What follows is my own non-expert conception of the problem A polygraph machine monitors usually on three channels physiological reactions that are produced by persons as they respond to questions that can only be answered yes or no The reactions show up as tracings on charts The machine is not difficult to operate There is no real dispute that it does what it is l07 designed to do-which again is only to monitor physiological reactions and make them visible in the form of chart tracings-and that it does so accurately The validity problem arises not because the machine is fallible but rather because it requires an inference to derive some meaning from the charts and because there are numerous important variables that bear on the correctness and strength of such an inference the theoretical basis for which may itself be open to debate As the Commission notes in its report there is no physiological reaction or combination ofreactions that is known to be a unique earmark oflying or deception In isolation therefore any reaction or set of reactions to any one question is meaningless So for example ifl were placed on a polygraph machine and asked only the single question whether I was an agent of the foreign intelligence service of country X and the truth was yes but my answer was no the best polygraph examiner in the business could not make heads or tails of my physiological reactions to that question It is only in relation to my reactions to other questions that the examiner could begin to make sense out of my reactions to the key are you an agent question and have some basis for an inference that my answer to that question was false That inference would proceed on the theory that I would have a heightened concern about the key question and therefore react more strongly to that question than to others that were asked for the purpose of eliciting reactions that could serve as points of comparison All polygraph tests rely on this essential theory The charts are diagnosed or scored and inferences thus drawn in favor of or against the persons being examined by comparing the reactions to the relevant questions with the reactions to other questions Different polygraph examiners including CIA and NSA examiners use different examination techniques and different types of questions to elicit the reactions that are then compared with the reactions to the relevant questions in order to score the test Each of the different methods has its champions but nobody has ever discovered the magic formula No matter which technique is used no matter how skilled the examiner and no matter what scoring system is applied the resulting diagnosis may still be mistaken If a truthful person is diagnosed as deceptive the mistake is known as a false positive If a deceptive person is diagnosed as truthful the mistake is known as a false negative The accuracy and error rates of screening polygraphs are at best very difficult to estimate The same is true in non-screening contexts except in validity studies where mock crimes or some similar events are staged and the tests are then conducted in laboratory conditions allowing the variables to be controlled In such studies the guilt or innocence of the role-playing characters is known although not to the polygraph examiner and there is accordingly a stone tablet-a record of what is known in the business as ground truth against which the examiner's conclusions can be cross-checked Such tablets don't exist outside the laboratory and even where they do exist there is apt to be heated debate among experts about the design of the studies and about the extent to which their findings can be generalized None of this however leads me to believe that the use of polygraph testing for screening purposes is an unreasonable procedure To say that polygraphy may not be an exact science is not at all to say that polygraphers cannot reach credible and reasoned opinions let alone that such opinions can be dismissed as wild guesses We are not dealing here with a procedure in which an examiner simply hooks up a machine looks at the charts and delivers a verdict We are dealing instead with a much more careful procedure one in which both the relevant and other questions are previewed and discussed with the person to be examined and in which the examiner then seeks to adjust the relevant questions so as to eliminate possible causes of high-stress reactions not attributable to deception We are also dealing with a procedure in which equally careful efforts are made following a run on the machine that does not produce a clear chart to again eliminate by further adjustments in the relevant questions any high-stress reactions to those questions that could have causes or explanations other than deception At the end of the procedure ifthe high-stress reactions remain there at a minimum is a rational basis for an inference that deception is the most probable cause of those reactions 108 Where the Commission's report goes wrong it seems to me is in its apparent suggestion that the validity of polygraph testing is an all-or-nothing proposition The sense of the report is that one or another of two propositions must be accepted-either the procedure is able to distinguish truth from deception with scientific accuracy or it isn't able to distinguish anything at all If matters were this simple the policy choices would be far easier than in fact they are If polygraph testing produced results that were no better than random chance say no better than the results that could be obtained by flipping coins the arguments against it would be much stronger and might even be overwhelming despite the utility evidence and the government's compelling interest in conducting an effective screening process On the other hand if polygraph testing results had the same degree of certainty as say the results of the testing of urine or blood samples the arguments in favor of it would be much stronger although for different reasons the technique would still be controversial As it is however at least in my opinion the reality is somewhere in between probably much closer to the high end of the scale than to the coin-toss end but nevertheless at a point on the scale where there is some significant chance that opinions may be mistaken The hard policy problem for any manager or adjudicator then becomes how much credence can or should be given to such opinions and who should bear the burden of the doubt the government or the individual The Commission's report does not lay any of this out but instead sidesteps and masks this policy problem by its treatment of polygraph validity as an all-or-nothing proposition and leaves what I regard as a false impression both as to the state of the art today the inference being that validity is zero and as to the promise of research tomorrow the inference being that something approaching absolute validity might be established I am a strong supporter of further basic research but I have also come to appreciate the challenge of designing high-yield research projects in this field and I believe that any advances in knowledge will come slowly and in small increments Again in my view the opinion products of polygraph testing assuming the competence of the examiner are rational inferences either that a person is probably telling the truth or probably being deceptive or perhaps that the results are too inconclusive to support an inference one way or the other It may well be that a procedure that is so dependent on the competence of an examiner and that deals in inferences about probabilities could never meet exacting standards of scientific accuracy no matter how extensive or well designed any future research projects might be If my conceptions are right any DCI DirectorofNSA or Secretary of Defense who wishes to maintain polygraph screening programs now or in the foreseeable future will have to accept the uncertainty of accuracy rates and the inevitability of some false positive outcomes as facts oflife Likewise inevitable are some false negative outcomes On that side the possibility that the polygraph can be beaten by physical countermeasures or otherwise adds something although nobody can say how much to the accuracy rate uncertainty Insofar as polygraph testing results may play a decisive role in connection with security approval decisions these uncertainties mean that some deserving individuals will be screened out and some undeserving individuals conceivably even a trained foreign agent from whom we have the most to fear will make their way through These uncertainties however need to be kept in perspective While polygraph tests may not be scientifically exact the other available means of investigating a person's background are anything but foolproof themselves Personal history statements personal interviews and background investigations can be and often are carriers of information that is false distorted or misleading purposely or otherwise and record checks are not guaranteed to be reliable either Even in the best of circumstances the information derived from these other sources does not meet nor is it expected to meet any scientific accuracy standards and may be low-grade in terms of its value and credibility If anything polygraph testing is less open to being faulted on these grounds particularly considering the fact that it so often leads to admissions that have undoubted reliability Given a choice between two screening regimes one of which would involve a personal history statement and the other traditional non-polygraph means of investigation and the other of which would involve a personal history statement plus only polygraph testing my guess is that CIA and 109 NSA would vote for the second every time However there is no reason to make that choice because better decisions are likely to be made when all sources of information are used in tandem Whether I am right or wrong in any of this I do not think that any major policy shifts should be based on non-expert judgments concerning a set of issues that are as technically complex as the issues related to the validity of polygraph testing procedures used to screen personnel Recommendations of the Commission I will tum now to the various recommendations contained in the Commission's report Before doing so however I want to comment about one of the other statements in the Commission's report with which I strongly disagree In its catalogue of pro-polygraph arguments the report includes an alleged argument relating to cost-effectiveness and goes on to say that both CIA and NSA present a good case that w hen admissions made by a subject during a polygraph test result in a disqualification these agencies are saved the considerable cost and time of conducting a background investigation As far as I know neither CIA nor NSA has ever said that polygraph testing is conducted in order to save money What they have said is that it makes more sense to conduct the testing as they do at the front end of the screening process rather than as a last step in that process because when things were done in the reverse sequence as was formerly the case too often the background investigation would be successfully completed only to find that the applicant made disqualifying admissions during the polygraph test The real argument here is that polygraph testing often turns up information that background investigations do not Cost effectiveness has nothing to do with whether such testing is conducted only when it is conducted Counting cost effectiveness as a pro-polygraph argument is incorrect and only serves to belittle the serious pro-polygraph position Scope The Commission's first three recommendations relate to the scope of the relevant questions to be asked on screening polygraphs conducted by DOD and intelligence community agencies The first recommendation is that all such testing be limited to the so-called CI-scope questions except in the case of applicants seeking staff positions at CIA or NSA As I understand it this recommendation is principally aimed at the testing of contractor personnel and specifically NSA contractor personnel and some CIA contractor personnel who today are required to take the so-called full-scope tests I agree with the recommendation My reason for that agreement is that as I see it contractor personnel are in a somewhat different position so far as concerns their legitimate expectations of privacy than applicants for full-time staff positions at CIA or NSA The latter are seeking careers that would give them continued and wide-ranging access to highly classified information over a long period The former are apt to be persons who are already embarked on careers in industry which they may well have undertaken without any reason to believe that their personal backgrounds would ultimately be the subject of searching inquiry by the government and who in any event may have only less wide-ranging and only temporary access to highly classified information In my view these considerations support the recommendation The second recommendation is that the testing of applicants for staff positions at CIA and NSA be limited to the so-called Cl-scope questions plus questions about serious criminal conduct and recent drug use The rationale is that the other questions currently asked on the so-called full-scope tests do not produce much useful information and therefore should be eliminated producing a cost-free benefit in the form ofa reduction in intrusiveness In my judgment as I have said the other questions are not objectionable on relevance grounds and I would be slow to discard them without a fuller cost-benefit breakout than I think the Commission has ever seen The third recommendation is that all reinvestigation polygraphs be limited to CI-scope questions This recommendation would simply continue current practice 110 Reciprocity The Commission's fourth recommendation is that the polygraph should not serve as a bar to clearance reciprocity or to the exchange of classified or sensitive information This recommendation is not explained in the report and I am not sure what problem it is meant to correct or what the correction would be Control questions The fifth recommendation is a large mosaic of several ideas that the intrusiveness of control questions be minimized that there be strict oversight to prevent abusive control questions that information elicited by control questions not be kept in a permanent record unless it relates to criminal activity and that appropriate compliance procedures be adopted and enforced The predicate of this recommendation is a finding in the report that control questions are frequently identified as the most intrusive aspect of the polygraph I do not agree with the finding which I believe is based on several misconceptions but I do agree that there is probably room to narrow the scope of control questions just as I believe that there should be some narrowing of the relevant questions So far as concerns the idea of keeping no permanent record of information elicited by control questions I am very doubtful that this idea makes any sense although it may deserve further study If the idea were to be implemented it presumably would require that the audiotape or videotape be edited This would involve the partial destruction of these records even though one of the purposes for which they are kept is to assure their availability in the event of any complaint about misconduct or overreaching by the examiner Further these records are held very closely and I am unaware of any evidence that came before the Commission of any instance in which there was an improper release or any misuse of the kind of information to which the recommendation relates While the recommendation calls for implementing procedures it is impossible to know what sort of procedures the report might have in mind Over-reliance The Commission's sixth recommendation is that physiological reactions without admissions to questions during a polygraph examination should not be used to disqualify individuals without efforts to independently resolve the issue of concern This recommendation is low in clarity What kinds of efforts would be required to independently resolve the issue of concern and what could happen if those efforts failed Suppose there were two equally well qualified applicants for the same position and the polygraph tests resulted in an examiner's opinion of probable deception in one case but not the other Would that then mean that absent some confirmation of the probable deception opinion these results had to be ignored in making the decision as to which applicant to hire The recommendation raises more questions than it answers and provides no useful guidance Oversight The seventh recommendation is that a new independent and external mechanism be established to investigate and track polygraph complaints It is a given that polygraph programs should be subject to rigorous and effective oversight This recommendation is made however without any real review of existing oversight structures or any real effort to show how or why those structures might be inadequate or any indication of how the new mechanism would be expected to operate If the existing oversight is ineffective obviously it should be improved But within CIA for example there is already oversight within the Polygraph Section of The Office of Security and there is also a special oversight panel The Polygraph Complaint Oversight Board which includes a representative of the Office of General Counsel and that was formed in mid-1992 for the explicit purpose of resolving polygraph-related complaints not to mention the Inspector General's office Surely any recommendation calling for additional oversight should be based on some showing which the report does not contain that these checks and safeguards are insufficient Standardization The Commission's eighth recommendation is that standards be developed to ensure consistency in the administration application and quality control of screening polygraphs There is already a trend in this direction and I agree that further steps should be taken I do not understand for example why the relevant questions in whichever of the two basic formats the tests are given should be different depending on which agency is conducting the test The different practices to which this recommendation relates however are overshadowed by circumstances that the Commission's report barely even mentions 111 Polygraph screening programs are not in effect and have virtually no chance of being placed into effect in parts of the government where highly sensitive national security information is handled on a steady basis So for example no screening polygraphs are given to State Department employees at any level or to officials in the national security apparatus at the White House or to members of the defense and intelligence committee staffs in the Congress although many of these persons have access to much of the same information as intelligence agency employees or to equally sensitive information Even in DOD the program has a very spotty application if only because of the numerical limit on screening polygraphs imposed by the Congress Among other things high-ranking civilian employees are essentially exempt and many high-ranking military personnel are also unlikely to be affected If the programs are truly important to the protection of national security information the question that obviously waits to be asked is why the programs don't have more general coverage and acceptance If they are needed in one place why not in another The Commission's report never asks this question Instead it cites and singles out for criticism various differences in the ways in which polygraph screening programs are administered at CIA and NSA These differences are small matters however compared to the double standard that exists by virtue of the fact that such programs are used in one form or another by both these agencies and seen by both as indispensable security measures but are not used in any form by other agencies whose personnel have access to the same or equally sensitive information From a broad policy perspective it is this double standard not the much more minor differences cited by the Commission that has real significance because it points to a security system that taken as a whole is lacking in coherence and logic I am frankly at a loss to know where any of this leads but there is at least a need to raise these considerations and make them part of the debate Certification The Commission's next recommendation is that certification of polygraph examiners under the auspices of a single entity should be mandatory and that mandatory requirements for recertification also should be established I do not know what this recommendation means As I understand it polygraph examiners who complete the training curriculums at the DOD Polygraph Institute or at the CIA polygraph school already receive certificates reflecting their successful completion of training programs approved by the American Polygraph Association Further as I understand it that Association views these programs as the finest of their kind in the count ' I agree of course that superior training is a must because competence and professionalism on the part of examiners are key elements in any polygraph program but here again I have no basis to be critical of the way in which DOD or CIA polygraphers are trained and the report provides no such basis National polygraph institute The Commission's next recommendation is that the CIA polygraph school be consolidated into the DOD Polygraph Institute to form a national polygraph institute that would conduct all training and certification of government polygraph examiners This recommendation does not appear to have any cost cutting rationale since none is mentioned in the report Instead the stated objective is to enhance the quality of polygraph training provided by the government If such was the likely outcome I would favor the recommendation but here again the report provides no supporting reasons that point to such a likely outcome and the recommendation has the feel of one that was made just for the sake of moving some furniture around Research The Commission's last recommendation is that a robust interagency-coordinated and centrally funded research program should be established with DOD PI as executive agent and that this program concentrate on the development of valid and reliable security and screening tests and standardize their use I have already said that I am a strong supporter of further basic research DOD PI already conducts a broad research program however and I am not sure how the Commission would want to see this program redirected Nor do I understand how it could be the function of any research program to standardize the use of polygraph tests Only management decisions could have that result Further the wording of the recommendation suggests by implication that polygraph screening tests as currently 112 administered have no validity or reliability and I do not agree with that implication which may not have been intended Closing thoughts I am not blind to the fact that screening polygraphs for many people are hateful experiences The one such test that I took in my own life which was one of the full-scope models was certainly no picnic It is only natural for people to think of themselves as patriotic and fit to serve in government positions of trust should the opportunity to do so come along All probably resent the idea that their honesty or integrity might be impugned by a polygraph examiner armed with a set of form questions and a strange technology But there are higher stakes here because mistakes can have fateful consequences for the country Somewhere among us no reference here of course to any members of the Commission there are some bad apples Others among us whatever we may think of ourselves do not meet the standards of reliability and trustworthiness that the government is entitled to set and indeed must set ifthere are to be any personnel security controls at all rather than a system in which all comers are accepted no questions asked The standard-setting alone is a difficult job and judgmental to the core So is the sorting process I end up believing that polygraph testing is a reasonable step in that process I am also well aware of the fact that polygraph testing has a high potential for abuse There are few clear roadsigns here however and except in obvious cases as for example if an examiner pursues unauthorized lines of inquiry abuses are hard to define I favor an effort to develop an agreed set of ethical guidelines beyond any that exist today that would apply to the conduct of screening polygraphs I also favor the other steps to which I have referred in this statement but in substantial part I do not favor the Commission's recommendations and for that reason and the others I have already stated I concluded that I could not join in the Commission's report 113 AppendixD Acronyms AECA Arms Export Control Act ASPP Acquisition Systems Protection Program ASPWG Acquisition Systems Protection Working Group ASSIST Automated Systems Security Incident Support Team C31 Command Control Communications and Intelligence CCISCMO Community Counterintelligence and Security Countermeasures Office ccvs Central Clearance Verification System CERT Committee of Emergency Response Team CI Counterintelligence CIA Central Intelligence Agency CIO Central Imagery Office CI SARA Counterintelligence Security Countermeasures and Related Activities CMS Community Management Staff COPS Committee on Physical Security COTS Committee on Technical Security CSE Center for Security Evaluation CTC Counterterrorist Center CTfA Central TEMPEST Technical Authority DCI Director of Central Intelligence DCID Director of Central Intelligence Directive DCII Defense Clearance Investigations Index DDEP Defense Development Exchange Program DIA Defense Intelligence Agency DICOB Defense Industrial Security Clearance Oversight Board 114 DH Defense Information Infrastructure DIS Defense Investigative Service DISA Defense Information Systems Agency DISCR Defense Investigative Service Clearance Review Office DoD Department of Defense Do DD Department of Defense Directive DoDPI Department of Defense Polygraph Institute DoDSI Department of Defense Security Institute DoE Department of Energy ENTNAC Entrance National Agency Check EO Executive Order FBI Federal Bureau oflnvestigation FFRDC Federally Funded Research and Development Center FOIA Freedom of Information Act FOCI Foreign Ownership Control and Influence FORDTIS Foreign Disclosure and Technical Information System GAO General Accounting Office G A General and Administrative GOVIND Government-Industry Restricted Information GSA General Services Administration IA CSE lnteragency Advisory Committee on Security Equipment INFOSEC Information Systems Security IOSS lnteragency Operations Security Support Staff ISOO Information Security Oversight Office ISM Industrial Security Manual ISPG Intelligence Programs Support Group LIMDIS Limited Dissemination 115 MASINT Measurement and Signature Intelligence NAC National Agency Check NACI National Agency Check with Inquiries NAG SCM National Advisory Group Security Countermeasures NCS National Communications System NDP National Disclosure Policy NDPC National Disclosure Policy Committee NFIP National Foreign Intelligence Program NII National Information Infrastructure NISP National Industrial Security Program NISPPAC National Industrial Security Program Policy Advisory Committee NIST National Institute of Standards and Technology NOAC National Operational Security Advisory Committee NOFORN Not Releasable to Foreign Nationals NPC Nonproliferation Center NRO National Reconnaissance Office NSA National Security Agency NSD National Security Directives NSDD National Security Decision Directives NSTISSC National Security Telecommunications and Information Systems Security Committee OADR Originating Agency's Determination Required OMB Office of Management and Budget OPM Office of Personnel Management OPS EC Operations Security ORCON Dissemination and Extraction oflnformation Controlled by Originator OSD Office of the Secretary of Defense OSPG Overseas Security Policy Group 116 PERSEREC Personnel Security Research and Evaluation Center PEP Personnel Exchange Program PROPIN Proprietary Information PSEAG Physical Security Equipment Action Group PSWG Personnel Security Working Group R D Research and Development REL TO Releasable To SAP Special Access Program SARF Special Access Required Facility SCI Sensitive Compartmented Information SCIF Sensitive Compartmented Information Facility SCM Security Countermeasures SIGINT Signals Intelligence SIOP Single Integrated Operations Plan SOR Statement of Reasons SPECAT Special Category SSA Special Security Agreement SSBI Single Scope Background Investigation SSII Suitability and Security Investigations Index TEMPEST Transient Electromagnetic Pulse Emanation Standard TIARA Tactical Intelligence and Related Activities TS Top Secret TSCM Technical Surveillance Countermeasures usss United States Secret Service WNINTEL Warning Notice-Intelligence Sources and Methods Involved 117 AppendixE Acknowledgments The Joint Security Commission is pleased to thank the following individuals and organizations for advice counsel and support in the preparation of its report AEGIS Research Corp Aerospace Corporation Aerospace Industries Association American Bar Association American Civil Liberties Union American Defense Preparedness Assoc American Federation of Government Employees American Polygraph Association American Society for Industrial Security Analytical Systems Inc ARCA Systems Armed Forces Communications Assoc Arthur D Little Corp A VCOffextron Defense Systems BDM International Inc BETACCorp Boeing Bolt Barenek Newman Inc Booz-Allen Hamilton Advanced Decision Systems Bristol-Myers Squibb Co BTG Inc Central Imagery Office Central Intelligence Agency Charles Stark Draper Laboratory CODEM Systems Inc Communications Security Establishment of Canada Computer Sciences Corporation Contractor SAP SAR Security Working Group C S Draper Labs Cray Research Inc DCI Center for Security Evaluation DCI Community Management Staff DCJ Counterintelligence Center DCI Counterterrorist Center DCI Non-Proliferation Center Defense Information Systems Agency Defense Intelligence Agency Defense Investigative Service Department of Energy Department of Defense Department of Justice Department of State DoD Polygraph Institute Electronic Warfare Associates Inc ESL 118 E-Systems Inc Federal Bureau oflnvestigation Federation of American Scientists Galaxy Computer Services Inc Dr Robert Gates GDE Systems Inc General Dynamics General Electric Co General Research Corp Grumman Corp GTE Government Systems HotTman-LaRoche Inc Hughes Aircraft Co Hughes Information Technology Co IEEE Information Security Oversight Office Intelligence Programs Support Group Department of Defense International Information Integrity Inst ITT Aerospace Joint Chiefs of Staff Knoll Pharmaceuticals Knollsman Instruments Inc Litton Systems Itek Optical Lockheed Missiles and Space Company Lockheed Sanders Inc Logicon Ultrasystems Inc Loral Massachusetts Institute ofTechnology Lincoln Labs Martin Marietta Mattel Toy Company McDonnell-Douglas MITRE Corp MRJ Inc MVM Group Inc Mystech Associates National Classification Management Society Inc National Communications System Office of the Manager National Federation of Federal Employees National Institute of Standards and Technology National Intellectual Property Law Inst National Reconnaissance Office National Security Agency National Security Archives National Security Council National Security Industrial Association National Treasury Employees Union Naval Criminal Investigative Service Naval Post-Graduate School Northrop Office of Government Ethics Office of Management and Budget Office of the Secretary of Defense Office Technology Assessment 119 PERSEREC President's Foreign Intelligence Advisory Board Rand Corporation Raytheon Co SAIC Dr Roger Schell Schering Plough Secure Computing Corporation Secureware Security Affairs Support Association Software Products Association SRI International TASC Treasury Board of Canada Trusted Information Systems TRW United Technology Corporation US Air Force US Anny US Atlantic Command US Central Command US Coast Guard US House of Representatives US Marine Corps US Navy US Secret Service US Senate US Space Command US Special Operations Command UNISYS United Technologies Vitro Corp XEROX Special Information Systems 120