July 31, 1997
Underlying the development of Executive Order 12829 was the strong desire of Government and industry security officials to bring coherence and uniformity to industrial security by means of standardized policies and procedures that would apply to executive branch agencies and contractor firms alike. Implementation of these policies and procedures was to result in greater uniformity; the eradication of duplicative requirements; and the enforcement of cost-effective security measures. According to the Order, the National Industrial Security Program (NISP) Operating Manual-- to be issued and maintained by the Secretary of Defense with the cooperation of affected agencies-- was to give practical application to these objectives by serving as the single regulatory standard for the NISP.
The information presented in the enclosed report suggests that implementation of the National Industrial Security Program has produced considerable benefits. The findings also indicate that insufficient progress has been made to achieve the objectives of E.O. 12829. Duplicative practices, fragmented and uneven implementation, and weak enforcement, among other things, have hampered the full achievement of a single and cohesive NISP.
Uneven implementation has also carried considerable negative cost implications. The findings of the report also suggest weak adherence to the provisions of Executive Order 12958 on classification guidance, classification markings, and special access programs.
Although not wholly achieved, the goal of an effective National Industrial Security Program is still within sight. We hope that this report will help identify important aspects of the national industrial security program, as well as issues dealing with classification management and special access programs, that are in need of attention. We also hope that our recommendations will be useful to those who bear the responsibility for monitoring and enforcing industrial security and classification management policies and requirements. Integral to greater effectiveness in industrial security and classification management, including the management of special access programs, is affirmative leadership at the highest levels of executive branch agencies, together with determined efforts to bolster enforcement of common procedures at all levels within each Agency. Consequently, the need to address the weaknesses in implementation identified in this report should receive serious and prompt consideration. We look forward to receiving your responses to our recommendations to implement fully the NISP and provide a credible and effective enforcement capability. Specifically, our recommendations include taking appropriate measures to attain the objectives of E.O. 12829; ensuring compliance with the standards and procedures contained in the NISPOM and in the NISPOM Supplement; and requiring full implementation of the provisions of Executive Order 12958 on classification guidance, classification markings, and special access programs.
The evaluation team appreciates the assistance provided by officials of the various executive branch agencies with responsibility for implementation of the NISP. The team is also grateful to the individuals and private organizations who cooperated in providing information for this evaluation.
REPORT OF EVALUATION
OF SELECTED ASPECTS OF THE
NATIONAL INDUSTRIAL SECURITY PROGRAM
CONDUCTED ON JUNE 2 THROUGH 6, 1997
Evaluation Conducted by
Dr. Ethel R. Theis, Associate Director
Mr. Philip A. Calabrese, Program Analyst
Mr. Bernard S. Boyd, Program Analyst
Purpose. The purpose of the evaluation was to assess whether Contracting Agencies'[3] implementation of the National Industrial Security Program (NISP) was in general agreement with the overall objectives of Executive Order 12829, with regard to:
Guiding Principles. The principles underlying this evaluation are those cited in E.O. 12829, namely, that it is in the economic and technological interests of the United States to standardize rules and procedures in the industrial security arena. The Preamble to the Order is specific in its emphasis that the National Industrial Security Program (NISP) shall serve as a single, integrated, and cohesive program to safeguard classified information released to Government contractors.[4] The Order also makes explicit that the NISP "shall be applicable to all executive branch departments and agencies."
Method. In carrying out the purposes of the evaluation, the ISOO team relied on primary and secondary sources. The term "primary sources" refers to information obtained through a questionnaire developed specifically for the evaluation, and to certain unsolicited comments from contractors. Secondary sources are documentary materials, briefings and discussions which served as reference material or provided contextual background for the evaluation.
Secondary sources: These included:
This report neither identifies the contractors visited nor those that provided unsolicited comments. In providing confidentiality for the participants, ISOO sought to enhance the full and candid exchange of information. The evaluation team used two major criteria for selecting the participants in the evaluation. One was that the contractors involved had to consist of a mix of large, medium-sized, and small companies. The other was that the contractors had to have Government contracts involving collateral classified national security information, Restricted Data and Formerly Restricted Data information, and Sensitive Compartmented and Special Access Programs information.
Also, this report does not name the Contracting Agencies or Agency components or elements whose names came up during the evaluation. As emphasized throughout this report, the apparently uneven levels of application and enforcement are not confined to two or three Agencies or components, but are of a general nature.
The relatively small number of respondents vis-a-vis the large number of contractors holding classified contracts may prompt some to discount the validity of the findings reported here. Whatever the inherent limitations of this evaluation, the findings provide a valid first look into important aspects of the implementation of the National Industrial Security Program.
Many of the weaknesses in implementation discussed in this report predate the issuance of E.O. 12829. Indeed, the impetus for the establishment of a NISP, and the subsequent issuance of E.O. 12829, was the strong desire to bring coherence and uniformity to the industrial security program by means of standardized policies and practices that would apply to Contracting Agencies and contractors alike. Thus, implementation of the NISP was to result in more effective practices for safeguarding classified national security information provided to contractors. Although not wholly achieved, that goal is still in sight. Consequently, the need to address the weaknesses in implementation identified in this report should receive serious and prompt consideration by Contracting Agencies.
Also of significance as a backdrop to this evaluation are those provisions of Executive Order 12958 and its implementing Directive No. 1 dealing with classification guidance, classification markings, and special access programs.
The information presented in this report suggests that implementation of the NISP has produced considerable benefits. The findings also indicate that insufficient progress has been made to achieve the objectives of E.O. 12829. Duplicative practices, uneven implementation, and weak enforcement, among other things, have hampered the full achievement of a single and cohesive NISP. Integral to greater effectiveness is affirmative leadership at the highest levels of affected agencies, together with determined efforts to bolster enforcement of common procedures within Contracting Agencies.
Some executive branch officials associate the slow progress in implementation of the NISP with the reluctance of contractors to bring issues of noncompliance to the attention of the Contracting Agency that they serve. This argument is not compelling for two reasons. First, the argument ignores the fact that many of the gaps in implementation result from systemic problems, which cannot be solved by ad hoc means. Second, the contractual relationship between Government and contractor is asymmetrical. Unlike the Government, the private firm operates in a competitive environment and would most likely be reluctant to jeopardize current or future contracts through complaints of noncompliance.
Discussion: The persistent efforts of the Defense Investigative Service (DIS) over the past few years to modify its approach to inspections have helped reshape the relationship between the DIS and the contractors under its cognizance. The DIS's former approach to inspections was compliance-oriented, and tended to cast Government and industry as adversaries. As such, the general perception within industry was that DIS inspections were carried out with a "we-are-here-to-get-you" attitude, and focused inordinately on "nit-picking" and "bean-counting" as opposed to substantive issues. This approach created unnecessary friction between Government and industry. This friction may have had a negative impact on the effectiveness of the overall program by constraining communication and discouraging cooperation.
During the developmental years of the NISP the DIS began to modify its approach to inspections. The changes were considerably deeper than changing the name from inspections to security reviews. They involved a shift from an adversarial to an assistance approach to the conduct of reviews. The respondents view this change as an extremely positive development, and one for which the DIS deserves considerable praise.
DIS uses security reviews not only to assess contractor compliance with established requirements, but also as a means of providing and exchanging information. No longer adversarial, the relationship has become one of cooperation and trust. The visits of DIS representatives are now welcomed rather than feared. In fact, some respondents refer to the changed relationship as that of a partnership.
Although this modified approach to inspections predates the issuance of E.O. 12829, the impetus for change is associated with the development of the Order and the NISPOM. To a large extent, the origins of the NISP and the development of E.O. 12829 can be attributed to the growing cooperation among Government and industry officials to achieve improved, cost-effective security in industrial contracting.
Rapid growth in information technology is changing the patterns of obtaining, exchanging, storing and processing information. In that regard, it is not uncommon for private companies to be at a more advanced technical level in information technology than Government agencies. Also, at times, private companies may have greater capabilities, including possessing the latest electronic communications technology, for meeting the challenges produced by the diverse and changing environments in which information is used. Such capabilities may have cost implications. Often the application of outdated technology to solve problems of managing electronic information is excessively costly. These considerations suggest that the DIS give serious consideration to enhancing the communications technology skills of its professional staff. Without detracting from DIS's achievements, we believe that its operational effectiveness can be enhanced substantially by providing DIS security representatives with a certain level of technical skill in electronic communications technology, and DIS system security representatives with a high level of technical skill in electronic communications technology. This would strengthen significantly DIS capabilities to monitor industry's actions and reinforce the cooperative relationship.
Another area cited by the respondents where savings can be realized is in the processing of security clearances. In this regard, the cost of processing a clearance is positively correlated with the time it takes to process it, that is, as one goes up, so does the other. Although DISCO (Defense Industrial Security Clearance Office) has improved somewhat on the duration of its investigations, the time it takes to process a security clearance (about 12 months) is still far too long.
Recommendations: We recommend that the DIS:
DIS should report to the ISOO no later than November 3, 1997, on contemplated actions to implement these recommendations, and provide the Assistant Secretary of Defense for Command, Control, Communications and Intelligence, with a copy of the report to ISOO. DIS should also be prepared to brief the NISPPAC at its first meeting following the November 3 deadline, on progress made toward implementing these recommendations.
Finding: Mixed Record on Achieving Cost-Savings.
Discussion: The achievement of reductions in security costs without compromising the protection of classified national security information figures prominently as one of the objectives of E.O. 12829. In keeping with this objective, in a memorandum dated February 17, 1995,[7] the Deputy Assistant Secretary of Defense (Intelligence and Security) stated that: "Since the NISPOM places greater emphasis on risk management in the administration of industrial security, immediate benefits should be realized by limiting and/or reducing the cost of security."
The information obtained during the evaluation suggests that implementation of the NISP has decreased security costs in some areas, but the reductions have not been as dramatic as expected or desired. To lower security costs substantially the NISP relied, to a large extent, on the uniform implementation of standardized procedures by the Contracting Agencies, along with the elimination of duplicative and unnecessary practices. As the discussion in the next finding indicates, the information collected by the ISOO team suggests that implementation has been fragmented, with some instances of little or no implementation.
Relaxed standards in physical security, however, have reduced industry's administrative burdens in some areas and have, consequently, been conducive to lowering security costs. The general consensus of the respondents is that this is a positive development. It serves as an indication of the Government's efforts to achieve greater consistency in the safeguarding requirements levied on contractors vis-a-vis those followed by Contracting Agencies. Examples of reductions in security costs attributed to modified requirements include: (1) controlling and destroying Secret classified information; (2) changing of combinations; (3) co-utilization of space; (4) authorizing visit requests; (5) reproducing classified information; and (6) allowing contractor self-certification of some automated information systems. Another area of cost-savings cited by some respondents involved preparing for DIS security reviews. Preparation for these visits is considered less resource-intensive than planning for the DIS inspections under the ISM, thus reducing the administrative burden on the contractor.
Nevertheless, some respondents view the relaxation of controls for Secret information with some ambivalence because contractors must keep an estimate of the number of Secret documents on hand for purposes of DIS reviews or Contracting Agencies' inspections.
One area of direct security costs of significant concern to industry is the requirement that, at some future date, all containers used to store classified national security information must be GSA-approved. As the respondents indicated, meeting this requirement will mean the significant expenditure of replacing containers that now do not meet GSA standards. In their view, this requirement does not seem to correspond with the risk management philosophy underlying the NISP. There seems to be little evidence to suggest that the replacement of non-GSA approved containers will buy more protection for the information or will make the information less subject to compromise.
Another area cited as having the potential for reductions in security costs is that of authorizing contractors to use a private carrier, such as Federal Express, for the transmission of classified information other than Top Secret information. It seems appropriate that the Secretary of Defense, as the official responsible for operational oversight of the National Industrial Security Program, examine the experience that some Government agencies have had with the use of private carriers for the purpose of transmitting classified information. In this regard, we make the following specific recommendations:
Recommendations: We recommend that the Secretary of Defense, in coordination with affected agencies, and the collaboration of the Director of Central Intelligence, the Secretary of Energy, the Chairwoman of the Nuclear Regulatory Commission, and the Acting Director of the Security Policy Board Staff:
Finding: Fragmented and Uneven Implementation Prevents Achievement of a Single, Integrated and Cohesive Program.
Discussion: One indicator of the effectiveness of implementation of the NISP is the degree to which Contracting Agencies comply with established policies and requirements. In this regard, the data collected by ISOO suggest that uneven and fragmented implementation by Contracting Agencies interferes with the achievement of a fully integrated NISP, and carries considerable negative cost implications.
Understanding the nature of a problem is helpful in devising corrective solutions. Consistent with the nature of systemic problems, the information collected indicates that unevenness and fragmentation of implementation is not confined to a single Contracting Agency, but that it runs throughout Agencies and subordinate components or elements, and is scattered across the gamut of the requirements of the Program. The systemic nature of the problem, and the fact that the NISP has been in place for several years, raise questions about the level of Government commitment to the full implementation of the NISP.
For clarity of exposition, below we describe specific aspects of this fragmentation in a "bullets" format. This format is artificial, however. Looking at these factors in isolation obscures their interrelationship and, thus, their collective impact on the effective implementation of the NISP.
Recommendations: We recommend that the agencies and departments listed in Appendix B of this report:
Finding: The Management of Special Access Programs Shows No Change.
Discussion: Classified Special Access Programs (SAPs) are among the most costly because unique, and sometimes redundant, security measures are required. Their proliferation and inconsistent control over the years prompted the drafters of Executive Order 12958 to search for ways to restrain their growth and increase their accountability. The outcome of this effort is Section 4.4 of the Order that regulates the creation and management of SAPs. Section 4.4. of E.O. 12958 reinforces one of the key objectives of E.O. 12829, namely, to increase effectiveness and reduce costs in industrial security.
Section 4.4 contains several specific requirements concerning SAPs. For example, it limits the number of executive branch officials who may establish SAPs, instructs these officials to keep SAPs at a minimum, and specifies the conditions under which SAPs may be created. It also directs agency heads to account for SAPs, including the annual review of each SAP to determine whether it continues to meet the requirements of the Order; and makes SAPs subject to the oversight of the ISOO Director.[9] Further, the Order requires each designated agency head or the principal deputy to review all existing SAPs under the agency's jurisdiction within 180 days after it becomes effective. Any SAP that does not conform to the specifications of the Order must be discontinued. SAPs which are continued must be treated as if established on the effective date of the Order.
The unclassified supplement to the NISPOM outlines the procedures to be used by Contracting Agencies and contractors to protect classified SAP information and activities. The supplement also outlines enhanced security requirements, beyond those outlined in the NISPOM, for critical Restricted Data classified at the Secret and Top Secret levels, special access programs and SAP-type compartmented programs created and approved by the executive branch or the Director of the Central Intelligence Agency.
The information collected indicates that the Supplement provides greater standardization of physical security requirements than the previous Manual. It provides, for example, relief in terms of security checks. By contrast, under the previous Manual each SAP had its own standards in this area.
Nonetheless, progress on the whole seems slow. The information obtained indicates that, as a general rule, disparate levels of application and enforcement also prevail within SAPs. The generalized response to the question of whether the implementation of the NISP had resulted in any increase or decrease in the number of SAPs was "no change." Non-standard guidance, inconsistent procedures, and differences among agencies in applying specified standards have produced minimal savings in the management of SAPs. As some respondents phrased it, implementation would be considerably improved if Contracting Agencies were "singing from the same sheet of music." These conditions are also present with respect to SCI information, but to a much lesser extent. Equally significant is that the data obtained suggest that Section 4.4 of E.O. 12958 is either being weakly implemented or not implemented at all. The information obtained suggests that few of the reviews required within 180 days of the effective date of the Order have taken place.
Specific examples of Contracting Agencies' inconsistent application of security policies and procedures in the areas of SAPs and SCI follow.
If properly and fully implemented, the policies and requirements outlined in Section 4.4 of E.O. 12958 promise cost-savings and better managed SAPs. These benefits should result from, inter alia, the more stringent requirements on the establishment of SAPs, including limiting the number of officials who may create them; and the conduct of an annual review of each SAP to determine whether it continues to meet the requirements of the Order. Also, the benefits of cost-savings and better managed SAPs can be increased by more aggressive enforcement of standard procedures already in place in the NISPOM Supplement. Experience with the implementation of Section 4.4, and the more aggressive enforcement of current NISPOM Supplement standards, should also provide the SAPs Working Group[10] with valuable short-term information on approaches toward improving the management and reducing the cost of SAPs. The recommendations that follow are intended to be complementary to any measures that Contracting Agencies may select to improve the management of SAPs, and to the work of the SAPs Working Group.
Recommendations: We recommend that the agencies and departments listed in Appendix B of this report:
We also recommend that the SAPs Working Group be prepared to brief the NISPPAC at its first meeting in calendar year 1998 on the status of the work of the Group.
2. Do you have any Top Secret, Secret, and/or Confidential classified contracts with DOE involving: Classified National Security Information, Restricted Data or Formerly Restricted Data; and Sensitive Compartmented and Special Access Programs information?
3. Do you have any Top Secret, Secret, and/or Confidential classified contracts with CIA involving: Classified National Security Information, Restricted Data or Formerly Restricted Data; and Sensitive Compartmented and Special Access Programs information?
4. Are you familiar with the Executive order establishing a national industrial security program?
5. Are you familiar with the overall objectives of the Order on industrial security?
6. Does the NISPOM do an adequate job of making clear the requirements and standards prescribed?
7. Have you found any of the NISPOM requirements impractical or unreasonable or more costly to implement than previous requirements? If so, would you please elaborate.
8. Do you find the NISPOM sufficiently clear in providing information on whom to contact when in need of assistance?
9. How would you rate the quality and the timeliness of the guidance on implementing the NISPOM that you have received from your contracting or user agency?
10. In your view, has the implementation of the NISP/NISPOM had any impact on duplicate practices with regard to the conduct of agency onsite inspections?
11. Is the reciprocity principle with regard to facility security clearances being applied?
12. Is the reciprocity principle with regard to personnel security clearances being applied?
13. Has implementation of the NISP/NISPOM created uniformity and reciprocity in security procedures other than agency inspections and security clearances?
14. Overall, how do you view the implementation of the NISP/NISPOM? Has it had a negative or positive effect on the achievement of the objectives established in the Executive order?
15. In your view, has implementation of the NISP/NISPOM produced any reductions in security costs? If yes, please explain. If no, why do you think that is the case?
16. Would you say that the implementation of the NISP/NISPOM has resulted in any increase or decrease in the number of SAPs?
17. Has the implementation of the NISP/NISPOM resulted in any increase or decrease in the number of SCI programs?
18. What are your views on the different requirements of the Department of Defense and the Department of Energy for safeguarding Secret RD information?
19. What are your views on the different user agency requirements in connection with automated information systems?
20. Are you familiar with the NISPPAC and its role within industrial security? If yes, do you feel that it is sufficiently effective or that it could be more effective in achieving the objectives of EO 12829?
21. Are there specific areas, that have not already been discussed, in which implementation of the NISP has achieved the objectives of the Order on industrial security?
22. Are there specific areas, that have not already been discussed, in which little or no progress has been made to achieve the objectives of the NISP?
23. Can you suggest ways to improve the industrial security program? Please explain and provide examples.
24. Do you have any questions you would like to ask us?
25. Are there any questions in this evaluation that you feel we should have asked?
Clarification: On page 7 of the report is a parenthetical statement that security clearance investigations issued through the Defense Industrial Security Clearance Office take "about 12 months" to complete. This statement was based on anecdotal comments ISOO's reviewers received from several sources. However, it apparently represents the "worst case" scenario. We are advised that the current average industrial security clearance processing time for "Secret" or "Confidential" clearances that do not raise adjudicative issues is less than 40 days, and for "Top Secret" clearances that do not raise adjudicative issues, less than 120 days. During FY '96, DIS processed a total of 54,040 security clearance applications for industry employees, of which only 615 cases had been open for more than one year as of June 1997.
Director, Information Security Oversight Office
1. Federal Register, Vol. 60, No. 76, April 20, 1995, pp. 19825-19843.
2. Federal Register, Vol. 58, No. 5, January 8, 1993, pp. 3479-3483.
3. As used in this report, "Contracting Agency" refers to any executive branch department or agency--as well as any subordinate component or element of a department or agency--that has released classified information to a contractor, licensee, or grantee in connection with the performance of a Government contract.
4. This report uses "contractor," as a generic term to refer to any contractor, licensee, or grantee of United States agencies who are involved with classified contracts, licenses or grants. A contractor, licensee, or grantee may be a private firm, private company, or private organization.
5. National Industrial Security Program Operating Manual, DOD 5220.22-M, January 1995.
6. "Standardized Industrial Security Policy Developed," News Release, Office of Assistant Secretary of Defense (Public Affairs) No. 567-94, October 5, 1994.
7. The memorandum is addressed to the Assistant Secretary of the Army (Research, Development and Acquisition), the Assistant Secretary of the Navy (Research, Development and Acquisition), the Assistant Secretary of the Air Force (Acquisition), the Directors of Defense Agencies, and the Deputy Director (Acquisition), Defense Logistics Agency.
8. Not all agencies have approved Chapter 8. "Agency NISPOM implementing Guidelines," unsigned, with no letterhead, and dated March 1, 1995, states that on September 29, 1994, the Director of Central Intelligence approved the NISPOM on behalf of the Intelligence Community, with the exceptions of Chapter 8, and Chapter 5, Sections 3 and 8, "Physical Security Requirements." The Guidelines also state that, until a revised chapter 8 is approved by the DCI, "contractors are instructed to continue use of AISSIM 200 ...."
9. The Order allows one more ISOO employee to exercise oversight. Only the Director, however, may oversee SAPs that are extraordinarily sensitive and vulnerable.
10. The Working Group on Special Access Programs was established in response to one of the recommendations contained in the Report of the Commission on Protecting and Reducing Government Secrecy, S. Doc. 105-2, March 3, 1997. This particular recommendation stated that the Security Policy Board implement within one year the Joint Security Commission recommendation on establishing a single set of security standards for SAPs. The SAPs Working Group is cochaired by Richard F. Williams, Director, Office of Special Programs, Office of the Secretary of Defense, and John Elliff, Director, Controlled Access Program Coordination Office, DCI/CMS.