Redefining Security
A Report to the
Secretary of Defense
and the
Director of Central Intelligence
February 28, 1994
Joint Security Commission
Washington, D.C. 20505
The Honorable William J. Perry
Secretary of Defense
Pentagon
Washington, D.C. 20301
The Honorable R. James Woolsey
Director of Central Intelligence
Washington, D.C. 20505
Dear Sirs:
1. Pursuant to your request, the Joint Security Commission was convened on June 11, 1993. The Commission was guided by your direction to develop a new approach to security that would "assure the adequacy of protection within the contours of a security system that is simplified, more uniform, and more cost effective."
2. This report presents the recommendations of the Joint Security Commission to achieve these objectives and to redefine security policies, practices and procedures. The report describes the threats to our nation's security and lays out a vision the Commission believes will shift the course of security philosophy. We also propose a new policy structure and a classification system designed to manage risks better, and we outline methods of improving government and industry personnel security policies. We offer recommendations on developing new strategies for achieving security within our information systems, including protecting the integrity and availability of both classified and unclassified information assets, and we call for a new approach to capture security costs. We provide recommendations for linking traditional physical and technical countermeasures to threat. We believe that implementation of these recommendations will result in a security system that will meet the evolving threat while being fairer, more coherent, and more cost effective.
3. In reaching its conclusions and recommendations, the Commission drew upon the perspectives of policymakers, Congress, the military, industry, and public interest groups. Although our charter was limited to a review of the Intelligence and Defense Communities, we found that many of the problems and solutions have government-wide implications. In those instances where we believe that a government-wide solution is the best answer, we have offered recommendations to that effect.
4. This report represents months of work by the Commissioners, our staff, and a vast number of citizens both in and out of government, who graciously gave us their time and comments. On behalf of the Commission, I would like to thank all who contributed to this effort and to give special recognition to our superb staff, headed so ably by Dan Ryan. Ultimately, of course, the Commissioners bear full responsibility for the analysis and recommendations contained herein.
5. As you have directed, the Commission will remain in place until June 1, to assist in the implementation of our recommendations. We look forward to working with you to achieve the objectives you have laid before us.
Very respectfully,
Jeffrey H. Smith
Chairman
Attachment
- Implementing the New Paradigm--Risk Management
- Classification--Driving Security
- The Current Classification System--Cumbersome and Confusing
- Special Access Programs--Lacking Faith in the System
- A New System--Streamlined and Straightforward
- A Simplified Controlled Access System
- Limiting Use of Special Access Controls
- Uniform Risk Criteria for Secret Controlled Access Information
- Increasing the Flow of Data
- Special Cover Measures
- Security Oversight of Compartmented Access Programs
- Classification Management Practices
- Dissemination Controls--Impediments to Getting Intelligence into the Hands of Customers
- Sharing Classified Information
- Billet and Access Control Policies
- Secrecy Agreements
- Declassification
- Making the Classification System Really Work--An Integrated Approach with Appropriate Oversight
- Dealing with Sensitive but Unclassified Information
- Asleep at the Wheel
- A Wake-Up Call
- The Process Begins
- Requesting a Clearance
- Prescreening and Fairness
- Forms and Automation--Ending the Paper Trail
- Investigations--Assessing Trustworthiness
- Investigative Requirements--Streamlining the Process
- Continuing Evaluation--Reinvestigations and Safety Nets
- Clearance Processing--Time Is Money
- Adjudication
- Adjudicative Standards and Criteria
- DoD Adjudicative Facilities
- Reciprocity
- Procedural Safeguards
- DoD Contractor Personnel
- DoD Civilian Personnel
- Differences and Comparative Advantages
- Military Personnel
- Special Access Approvals
- The Polygraph
- Background
- Applications of the Polygraph
- Recommendations
- Oversight
- Standardization
- Training, Research, and Development
- Physical Security Standards
- Facility Certification
- Facilities, Containers, and Locks
- Industrial Security Inspections
- TEMPEST
- Technical Surveillance Countermeasures (TSCM)
- Procedural Security
- Central Clearance Verification
- Certification of Contractor Visits
- Communitywide Badge Systems
- Document Tracking and Control
- Document Destruction
- Document Transmittal
- Operations Security
- Foreign Ownership, Control, and Influence
- Foreign Exchange Agreements--The Status Quo
- Threat Analysis--Vital to Protecting Advanced Technology
- The National Disclosure Policy
- Recording Foreign Disclosure Decisions
- Personnel Security Investigations
- Industrial Security
- Establishment of a Joint Investigative Service
- The Threat to Information and Information Systems
- Dated Policies
- Failed Strategies
- The New Information Systems Security Reality
- Information Systems Security Policy for Tomorrow
- The Investment Strategy for Information Systems Security
- Research and Development--A Need to Consolidate
- Infrastructure Security Management
- Auditing Infrastructure Utilization
- Managing the Risk to Information Systems
- Emergency Response--The Need for Help
- Information Systems Security Professionals
- Understanding Security Costs
- Costs in Black and White
- Visible and Invisible Security Costs
- "There's No Way to Know How Much We're Spending on Security!"
- Work to Date in the DoD
- Intelligence Community Efforts
- Capturing Security Costs in Industry
- Moving Towards Consistency
- Getting to the Bottom Line--The Payoff Is Long Term…
- …With Up-Front Costs in the Near Term
- The Bottom Line
- The Present
- Training for the Future
- A. Statement of Commissioner Lapham on Secrecy Agreements
- B. Statement of Commissioner Chayes on Procedural Safeguards
- C. Statement of Commissioner Lapham on Polygraph
- D. Acronyms
- E. Acknowledgments