FY 2011 USAID MANAGEMENT CHALLENGES
[...]

Challenge: Safeguarding Classified Material. In response to a November 2010 OMB memorandum that noted the "significant damage to our national security" caused by WikiLeaks disclosures, USAID conducted: (1) a self-assessment of the Agency's handling of classified material; (2) an external review by the Information Security Oversight Office and the Office of the National Counterintelligence Executive (ONCE); and (3) a review by the OIG. All three of these efforts noted areas for improvement in safeguarding classified material.

Actions Taken

Policy. USAID embraced the ONCE's recommendations to improve the policy, standards, operating procedures, processes and guidelines for classified operations. As a result, USAID drafted new management policies for classified operations, communications security, cable room operations, conducting secure meetings and conferences, and personal electronic device management.

Safeguard and Protection. To assure secure system baselines, USAID re-imaged 131 classified system hard drives to the latest DOS ClassNet operating system baseline between July and October 2011. Further, all system hard drive antivirus signatures were validated and current. The software was validated to ensure it actively monitors ClassNet systems. USAID performed an internal assessment of current infrastructure against future requirements. This assessment spanned user-classified processing systems, secure video telecommunications, secure voice, and controlled, secure print capability and protected distribution systems at future planned secure operations locations to harden protective capabilities of physical connections. USAID planned, researched, and invested in thin client infrastructure, personal identification number (PIN)-secured networked print devices, TEMPEST-certified secure video teleconference with TEMPEST-certified secure Voice Over Internet Phone (VOIP) for both Secret and Top Secret-Sensitive Compartmented Information environments. USAID also purchased encryption device upgrades with appropriate administrative training packages to reinforce proper administrative capability within the Agency. USAID plans to be fully migrated to a thin client-managed environment by June 2012. In addition, USAID is developing a local model that adopts and mirrors the Defense Information Systems Agency safeguard and protective measures, to include implementation of minimum required, limited, designated Agency "trusted agents," who will be authorized to reproduce classified documentation, and will be accountable for tracking, documenting, transferring to internal and external bureaus and/or agencies, and dispositioning media on behalf of USAID.

Continuity of Operations Program. USAID has initiated actions to fully implement thin client infrastructure to support classified computer processing and upgrade to Internet Protocol-based secure video telecommunications and voice capability no later than March 2012. The protected distribution systems will be installed to protect classified computing connections during non-operations hours.

Accountability. USAID developed a local inventory and labeling mechanism that resulted in 100 percent accountability of classified hardware, printers, and hard disk drives. All stand-alone computing devices were removed from the operational environment in July 2011.

Training and Awareness. The Chief Information Security Office and the Office of Security training coordinators jointly revamped initial and annual refresher training and tracking mechanisms. A baseline, automated training program will be developed, customized and implemented throughout the Agency, aimed at increasing awareness, automating annual training, and tracking and sending training reminders to users.

Information Security. Under Executive Order 13526, training has been developed for Original Classification Authorities (OCA). The training is designed to ensure OCAs are familiar with their roles and responsibilities in the classification, safeguarding, and declassification of classified national security information. Individuals authorized to hand-carry classified materials must carry with them a Form AID500-7 and a Courier Authorization Card. To ensure the safeguarding, control, and accountability of classified material and courier cards, effective October 15, 2011, the Office of Security is the only office authorized to issue Courier Authorization Cards to USAID-designated couriers.

Portable Electronic Devices (PED). USAID developed a new policy which encompasses a risk-management approach that combines the use of security technology products with user awareness and procedural controls and measures to minimize the vulnerabilities inherent with PEDs.

Counterintelligence and Insider Threat. As outlined in Executive Order 13587, USAID developed an Insider Threat program called Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.

Actions Remaining

Culture. In response to assessments by the Office of the Director of National Intelligence and OIG, USAID formed a steering committee to oversee, recommend, and guide the Agency's unified activities to address, direct and improve protection, safeguard, administration, accountability, inventory, and effective use of classified information and systems. The target completion date is June 2012.

Capability. USAID is soliciting expertise and input from all Agency security offices, business units, and bureaus to assure policies, culture, and activities support Agency business goals and objectives, encompass all 10 security domains, and result in well-rounded, vetted, and unified actions across the Agency.

Competency. USAID is reviewing strategy to align with Department of Defense 8570 Information Assurance training requirements to increase, train, and retain well-qualified, knowledgeable information assurance and IT staff. Classified equipment issue, safeguard, and protection responsibility will be assigned at the highest level in each USAID bureau. The target implementation date is June 2012. Agency policies related to personnel, physical, and industrial security programs; counterintelligence program; and PEDs are under technical review. USAID expects to formally approve them by June 2012. In addition, USAID will implement an Insider Threat Detection and Prevention program under Executive Order 13587.


Source: Department of State