

DRAFT

 

A Report by the
Joint Security Commission II
Phase I


TABLE OF CONTENTS

INTRODUCTION

PART I: MEETING THE GOALS OF PDD-29

        Progress in Policy and Implementation

                Areas Where New Policies Are Developed, Promulgated, Partially Implemented
                Areas of Progress in Developing Policies
                Areas of Limited Progress

        Key Underpinnings of an Effective Security System
                Reliable and Trustworthy People
                Education, Training and Awareness, and Accountability

        Cross-Cutting Issues
                Security Policy Board Structure and Process
                Restructuring the Security Policy Board Structure
                The Concept of Risk Management
                Understanding the Threat
                Understanding the Cost
                Security Policy Board Staff Position Funding
                The Extranet for Security Professionals

        Industrial Security

        Overseeing Compliance--A Need Overlooked

Annexes

A         Summary of JSC-II Phase I Recommendations

B         List of Commissioners and Staff

C         Summary and Status of Original JSC Recommendations     (Not w/this document)



 


INTRODUCTION

Almost six years ago, the Secretary of Defense and the Director of Central Intelligence established the first Joint Security Commission, based on their belief that the Nation's security systems were slow to move beyond the Cold War, were inefficient, had built-in inequities, and cost more than they should. In February 1994, the Commission proposed a set of policies, practices, and procedures for a forward-looking, rational, fair, and cost-efficient security system. The Commission proposed the creation of the Security Policy Board to oversee development and implementation of security policy. The current Deputy Secretary of Defense and Director of Central Intelligence have directed that the Joint Security Commission reconvene for two purposes:

Our report treats these two purposes in turn. Part I assesses the current state of progress towards the goals directed in PDD-29. Part II will focus on the increasingly vital business of the security of electronic information and information systems.
 


PART I: MEETING THE GOALS OF PDD-29

Progress in Policy and Implementation

The Security Policy Board structure has helped achieve significant progress in accomplishing the objectives described in PDD-29. The following sections discuss important issues where there have been varying degrees of progress. The sections cover important and difficult issues where:

Areas Where New Policies Are Developed, Promulgated, & Partially Implemented

Developed and approved within the Security Policy Board process, approved by the President, and promulgated by the NSC, uniform adjudicative guidelines and investigative standards form the basis for reciprocity of both investigations and adjudicative decisions for classified access across the government. With these standards and guidelines in place, there is no longer a legitimate reason to reinvestigate or readjudicate when a person moves from one agency's security purview to another. This policy saves time and resources and helps ensure fair and equitable treatment. These guidelines reflect hard-won compromises, incorporating tradeoffs between ideal security and the fiscal facts of life. Of particular importance is their recognition that, with extensive decompartmentation of once highly classified information, and with more and more sensitive material now available at the secret level, the secret-cleared population requires greater security attention than before. The regime they impose for secret access derives from this recognition. Still, there are important issues regarding the appropriateness of some of the standards that will need to be resolved. There are also important issues regarding the adequacy of any concept that focuses exclusively on protecting classified information. In the modern operational environment, it may be impractical or impossible to bring information critical to the mission under the safeguards provided by classification. These issues are discussed further in the "Key Underpinnings" section in this report.

There are other noteworthy accomplishments. The facilities security community, working within the framework provided by the Board, has effectively achieved facilities reciprocity by issuing common standards that address relevant issues.

Areas of Progress in Developing Policies

The special access community, long regarded as a repository of arbitrary security practices, has made substantial progress toward more effective security by eliminating duplication and other venerable but questionable customs, by working toward much greater reciprocity of access eligibility decisions, and by standardizing security requirements across programs to a considerable extent. DoD's Overprint to the National Industrial Security Program Operating Manual Supplement has replaced multiple service-specific Special Access Program security manuals with a single set of rules; this is particularly valuable in industry, where facilities housing multiple programs need no longer work to multiple sets of overlapping yet conflicting guidance.

The Security Policy Board forwarded the Safeguarding Directive required by EO 12958 to the National Security Council nearly a year ago for final approval, but approval or disapproval has yet to come. The Safeguarding Directive updates uniform procedures for the handling, storage, transmission and destruction of classified information as a result of the replacement of EO 12356 by EO 12958. It also establishes baseline definitions for designation of Special Access Programs (SAPs). In early 1998, the Forum approved and forwarded to the Board the financial consent form required by EO 12968; final Board action came only a year later. These two examples suggest that closure is an issue that the Board must more aggressively address.

Areas of Limited Progress

The Board has not succeeded in addressing information systems security (INFOSEC), having been unable to create the intended INFOSEC committee, nor has it established a mechanism for oversight as PDD-29 provides. We will discuss information systems security in Part II of this Report.

Key Underpinnings of an Effective Security System

Whatever the specific problem being considered—physical security, the classical task of protecting classified information, protecting computer and network systems, or protecting all classes of critical mission information—there are two basic underpinnings of an effective security system:

The following sections address these.

Reliable and Trustworthy People

Ensuring that all our people with access to classified information, to other mission critical information, and to information systems control and administration are and will remain reliable and trustworthy remains beyond the range of reasonable expectation. The achievable goal is for a system that maintains a reasonable and affordable standard for vetting people for reliability and trustworthiness. There has been continuing discussion about the rigor of the entry-level clearance process, with some citing the fact that the spies who damaged U.S. security interests were people who had such clearances. The Commission found that to be a circular argument; since we define spies as people who violate their trust by divulging classified information to unauthorized people, the spies under discussion will come from the population of cleared individuals.

Investigation and reinvestigation cannot carry the full burden of ensuring reliability and trustworthiness. Instead, the initial investigation provides assurance that a person has not already demonstrated behavior that could cause a security concern; it is predictive to the extent that past and future behaviors are related and to the extent that the investigative practices are able to uncover relevant past behavior. Reinvestigation is an important, formal check to help uncover changes in behavior that have occurred after the initial clearance. It is, to some extent, analogous to a periodic physical. But just as a physical is only a part of a good health program, reinvestigation is only a part of continuing personnel security. Neither investigation nor reinvestigation relieves supervisors and seniors of the responsibility and accountability for being attuned to the continued security health of their people, and for identifying problems and working to solve them outside the routine reinvestigation cycle.

Some have suggested that the investigation standards should be tied to the individual's current access level. While that is, to some extent, a current practice, attempting to formally adjust the level of interest in the reliability and trustworthiness of individuals to their current level of access would, at best, be administratively very difficult. At worst, it would signal giving up on the idea of a standard that establishes confidence in all but a dangerous few who will dishonor their commitment to protect security information.

Controversy should not be about the importance of the goal, but about the utility of approaches to checking for reliability and trustworthiness. For example, there are three issues regarding background checks that continue to generate debate, each of which impacts cost and risk assessments. The three areas are neighborhood checks, telephone interviews, and financial data reporting. At present there is little analytical basis for judging the cost effectiveness of these measures. However, many security professionals strongly support them. Without analytical data on risk, there is little choice but to stay with long-standing practices in spite of doubts in parts of the community about their utility.

There are other important unknowns that need to be resolved to ensure that the process is expending resources on valid approaches to assessing reliability and trustworthiness. Data mining to detect anomalies that could indicate that someone thought to be reliable and trustworthy is engaging in unauthorized activity is one example of a technique that may hold promise for reducing the amount of fieldwork. However, it could also have the opposite effect, generating productive leads that warrant further investigation. To make intelligent decisions about the future substance of personnel security, there is a critical need for authoritative research to determine the value of various practices.

The type of research envisioned is an interagency, multi-year effort, separately funded, conducted by research professionals under the direction of the Security Policy Board. The Commission notes efforts already underway, including the ongoing work to consolidate and coordinate personnel security research under Board auspices, recent funding initiatives in the Defense and Intelligence Communities, and a test of the cost and value of financial disclosure.

Modest resources are needed to conduct this needed research to determine whether extant security policies, standards, and criteria are adequate to support the operational security and mission assurance needs of departments and agencies in a threat-based and cost-effective manner. To help avoid duplication and waste, the commission suggests a discretionary budget line for the SPB to be used as bridge and seed money to fund projects executed by a designated department or agency.

Recommendation #1: The Co-Chairs of the Security Policy Board, leveraging efforts already contemplated or underway, should commission and fund a research effort to determine the efficacy of personnel security policies and to resolve issues about their effectiveness. The Co-Chairs should monitor this effort, ensure the proper assessment of its results, and use those results to develop appropriate policies.
 
The Security Research Center (SRC), formerly PERSEREC, no longer reports directly to OASD C3I, but to DSS. Because personnel security research must involve the whole process, not investigations alone, the SRC needs to report, not to the investigative agency, but to the policy element, which is OASD C3I. Evaluating the results of research through the Security Policy Board structure can be expected to lead to new policies, and to their implementation. However, except in extraordinary circumstances where the benefits to be gained are immediate and substantial, the temptation for individual agencies to depart from agreed-to standards is detrimental both to standards and to interagency reciprocity. Likewise, the DoD Polygraph Institute (DoDPI) now reports to DSS. DoDPI must function as the government's single polygraph institute, yet its organizational placement and even its name weigh against this. Like SRC, DoDPI should report to OASD C3I; its name should be changed to the National Polygraph Institute to reflect more accurately its actual function.

Recommendation #2: DoD should reassign SRC to OASD C3I; moreover, DoDPI should be redesignated the National Polygraph Institute with the Security Policy Board designated the National Manager and DoD OASD/C3I the Executive Agent.
 
All government agencies have agreed to background investigation and adjudication standards. The standard for reinvestigation is 5 years for top secret and 10 years for secret clearances. Failure to adhere to these standards can jeopardize reciprocity—acceptance of one agency's clearances by another. More important, such a failure signals to the workforce that the leadership does not believe in the security standards. Such an attitude could be highly detrimental to security awareness, monitoring and accountability.

Further, many security professionals and the Commission believe that reinvestigations are even more important to ensuring reliable and trustworthy people than the initial clearance investigation, since people who have held clearances longer are more likely to be working with more critical information and systems. Yet estimates of overdue periodic reinvestigations in the Department of Defense are as high as 700,000, with the backlog still growing at the time of this report. CIA is also not meeting the standard for top secret clearances, but has developed a plan to reach the standard by 2000.

While 5 years and 10 years are arbitrary, the need for a standard that all agencies adhere to is not. Still, it is simply not practical for the DoD to quickly dig its way out of the current situation regarding reinvestigations. Even if funding were no issue, it is likely to take several years to provide the needed added investigators and to work through the backlog. Hence, the Commission suggests that DoD set near-term dates to start adhering to the standard as new reinvestigations come due. Further, the Department should screen all those overdue for reinvestigation to determine those who pose the greatest risk based on position and access, working off all those in that category as soon as possible. It is unlikely that the Defense Security Service (DSS) will have the capability to deal with this requirement. Hence, increased outsourcing may be needed. Regardless, the commitment of senior leadership and appropriate resourcing can solve this problem, as the example of the National Reconnaissance Office—which actually exceeds reinvestigation standards—proves.

At present, there is no limit on the duration of an interim clearance. DoD should set a limit of 180 days, requiring that the needed background checks and adjudication processes are completed within that period.

Recommendations #3 and 4:

For a number of years following the completion of the work of the Joint Security Commission in 1994, we saw little progress in addressing common standards for Special Access Programs (SAPs). In the past eighteen months, however, there has been an energetic and effective effort to apply the principles from PDD-29 to these programs. The engine for this progress has been the SPB-sponsored Special Access Program Security Standards Working Group (SAPSSWG).

While recent progress is encouraging, a continued focus will be required to complete this work. Significant issues remain, including full implementation of SAPSSWG-approved personnel security reciprocity policies for SAPs and the elusive but desirable goal of reciprocity between the SAP and SCI communities. Fielding a SAP access database is essential to both efforts. Such a database, subject to appropriate security controls, would provide the single source for information regarding SAP eligibility determinations necessary for effective reciprocity. Its continued lack has stymied implementation of the genuine advances made in SAP policy.

Recommendations #5 and 6:

Reliability and trustworthiness are not requirements solely for those needing access to classified information, but apply as well to those in positions that are sensitive for reasons other than classified access. The question arises whether compartmenting security and employment suitability continues to make sense, or whether new policy should require a single program that assesses reliability and trustworthiness for both. Separate, though overlapping, Executive Orders—10450 and 12968—currently apply. There is a need to reexamine screening of personnel, both federal employees and contractors, whether for appointment to the federal, military, or foreign services, or for access to classified information or other sensitive information or facilities. Such a reexamination would recognize that harm to the nation can come not only from the improper actions of people who have access to classified information, but also from those of people with access to unclassified yet sensitive information, to computer systems, and to the critical infrastructures upon which our society depends.

Recommendation #7: The Board should propose to the NSC a new Executive Order that takes a comprehensive approach to addressing the suitability, reliability, and trustworthiness of persons employed in sensitive duties on work for the federal government. This would include individuals working in any capacity, based upon the sensitivity of the duties, regardless of access to classified information. A proposal from the Security Policy Board for such an order is consistent with its stated mission in PDD-29.
 
Personnel security policies and practices must account for the fallibility of people and the inability to predict future behavior. Past behavior and present conditions can shape what a person will do in the future but do not always determine it. Good personnel security, therefore, goes beyond the finding and sorting out of facts—the essence of investigation and adjudication—and moves toward creating a security-aware environment. In such an environment senior officials demonstrate a commitment to security, and from this flows the accountability of line managers. It enhances both security protections and security awareness by appropriate supplemental means; for example, some agencies may consider more frequent counterintelligence polygraph examinations for people in particularly sensitive positions. Such an environment increases integrity by eliminating pointless opportunities to violate it. For example, it establishes straightforward, system-administered need-to-know regimes for classified material stored in electronic systems and eliminates unnecessary use of portable media. Clearly, ensuring the reliability and trustworthiness of the cleared workforce requires more than investigation, no matter how critical an element investigation is. It requires vigilance, awareness of people and their problems, and application of necessary if sometimes restrictive and intrusive security measures in a way that makes clear they exist to benefit those who must comply with them rather than to suggest that everyone is a suspect in some as yet undefined crime.

Education, Training and Awareness, and Accountability

The time from the Commission's last report to the present has been turbulent for the security training field. Organizational downsizing and the reallocation of funding have adversely affected virtually every agency in the Executive Branch. Disbanding the Department of Defense Security Institute, which provided quality training for both DoD and non-DoD security professionals, has proven particularly damaging. Agencies that had depended on others for training have not only found their training budgets dramatically reduced, but have been challenged to find other government courses able to accept external students, even with the remaining funds for training. Yet effective security awareness programs are essential for maintaining a workforce that is sensitive to security issues and that understands the relationship between security and the success of their own work. GSA, OPM, CIA, and DoD need to take immediate steps to revitalize their security training apparatus. Furthermore, because the need for training and awareness resources is significant, and because critical requirements can materialize outside the normal budgeting cycle's ability to react, a need exists for a ready source of bridge and seed money to initiate projects that a designated department or agency would then execute. Such monies could best be provided through a discretionary budget line through the SPB.

Security awareness is the responsibility of each supervisor and each individual with access to classified information or other mission critical information or systems. There is no substitute for a high level of such awareness at all levels and for accountability in line management. Counter-intelligence and line management responsibility for security must go hand-in-hand in that there can be no effective counter-intelligence if left to a handful of professionals without the commitment of line managers who deal with their people every day.

Even so, commitment to a professional security force will continue to be essential to effective security education, training, and awareness programs. It is important that this profession be considered a key part of the management and operational chain. A robust national security training program is an important element of risk management. No one agency should bear the burden of supporting all of the federal government, but one or more agencies can lead with resources and attention to ensure that adequate security training will simply be available. Future success in developing a national training program depends on obtaining adequate funding and support from the federal community. The Commission supports continued efforts toward creating a national training program for security professionals.

Yet the role of the security professional is to lead and advise the process. Security is a line management responsibility. Effective security demands a cleared workforce that is knowledgeable and motivated. Security awareness programs are an essential element in creating such a workforce. Their revitalization is essential.

Recommendations #8, 9, and 10:
Cross-Cutting Issues

Security Policy Board Structure and Process

Key national security leaders perceive that the Security Policy Board process is cumbersome and unwieldy, takes too long to formulate policy, and results in spotty implementation of the policies it does put in place. These perceptions are justified.

We address in detail some important remaining obstacles to faster and more relevant progress in the following pages. However, the overarching issue is that both the daily detailed attention to long-standing security issues and the emerging issues demanding more emphasis and new innovation require the commitment of senior leadership to ensure effective and efficient security policies and practices. Part of that commitment has to be adequate resources directed at the right challenges. At present, the security profession is struggling with a downsized workforce and diminished resources while facing a more complex threat environment. The most obvious consequence of not matching resources to declared policy is the large backlog of overdue periodic reinvestigations already cited. However, there are others; for example,

In the Department of Defense, security clearance processing is far behind schedule. Consequently, organizations are granting a record number of interim clearances. Furthermore, until recently, DoD secret clearances were based on National Agency Checks alone, without the Credit Checks and Local Agency Checks (of local law enforcement records) required by the standard. Since some 22 states do not report data to the National Agency database, forgoing the Local Agency Check means that an applicant could have committed felonies in multiple states with no adverse information in the records checked.

The Defense Security Service has been unable to conduct security assistance visits to much of the industrial complex supporting the Department's facilities for several years.

Agencies have canceled core security training and awareness programs vital to addressing insider threats.

Information systems security policy remains fragmented at the managerial level, with responsibilities poorly defined and spread over multiple bodies.

The continued organization of threat analysis into specialty areas (such as separate centers for counterterrorism, counterintelligence, infrastructure protection, and so on) makes it difficult for policymakers and security professionals to obtain an accurate and usable picture of the threat to the things they are charged with protecting.

The disconnects between policy and resourced practice in both the Department of Defense and the CIA can be interpreted as signaling that the senior leadership has not been convinced that policy implementation warrants priority resourcing. Discussions with senior leaders in DoD indicate doubt that the policies are as relevant to the modern threat situation as should be the case. There have also been concerns expressed regarding the affordability of the policies, though the funding required is not of the magnitude that would raise an affordability question if senior leaders had confidence in the validity of the policies. In any case, there are obvious disconnects between the policy making apparatus and the resource allocating authorities. Since the intent was for the SPB decision process to reflect the views of these same resource allocation authorities, this raises the question of the effectiveness of the current Security Policy Board structure and process.

The Security Policy Board has been operating for over four years. Figure 1 shows the current structure.

[Figure 1: Security Policy Board Structure (diagram of SPB structure)]

Participants in the committees are subject-matter experts from the agencies that have an interest in a particular area. The committee members do the detailed work needed to formulate recommended policies. The Forum is composed of representatives from all the agencies involved in the security structure. The Forum meets as needed to assess the recommendation of the committees. For some issues, the Forum can approve the policy for agency implementation. For others, it passes recommendations up to the Security Policy Board, co-chaired by the Deputy Secretary of Defense and the Director of Central Intelligence and composed of senior representatives from various departments and agencies.

In our review, we found a Security Policy Board structure that is functioning at the committee level much as the original Joint Security Commission had envisioned. Furthermore, an important side benefit has proven to be the forging of positive working relationships across the government security community, enhancing rapport and cooperation and minimizing distrust among vested interests. The Security Policy Forum has demonstrated value, though it is at this level that the desire to achieve consensus on policy formulation and approval has resulted in a process that is unwieldy, time consuming and frustrating. Hence, with the Forum often unable to resolve issues at its level, too many of them have been seen as requiring Board action. The problems of cumbersome, time-consuming processes, and spotty implementation might vanish if the Board principals exercised their decision authority on the range of issues that tend to produce stalemate in the Forum. Still, it is not surprising that they have not been willing to do this, insisting, instead, that issues brought to the Board be ones appropriate in detail and in scope of action for the level of its participants. The right solution for the Board is to empower and require the Forum to resolve the difficult issues at the right level with or without consensus.

The Security Policy Board structure is not addressing the increasingly important issues associated with greatly expanded electronic network systems or the globalization of business and technology. There is no integrated structure currently in place to address security policies associated with this class of challenges.

Restructuring the Security Policy Board

The Security Policy Forum has been particularly valuable as a means to increase the flow of information and knowledge about security matters and to create buy-in among the members. As already indicated, it has also provided the leadership needed to make important policy changes and to make significant progress towards implementation, but has done so with a high price in the time and energy expended. There needs to be a careful balance between consensus building and decision making.

Because the Forum, envisioned in PDD-29 as a body of Assistant Secretaries, has evolved into a de facto congress of Security Directors, an important management level has been effectively excluded from the security policy process. This void has, in turn, played a role in the difficulty in resolving issues at the Forum level. It has also played a role in the apparent lack of commitment to resourcing the policies. To fill this void, the Commission proposes creation of an Executive Committee, consisting of a few key players at the Assistant Secretary level. This should not be viewed as an additional layer. It is intended, instead, to be the resolution level for most issues. This Executive Committee would establish specific priorities, provide the Forum guidance as necessary, and serve as the primary avenue of communication between the Board and its subordinate structure. Working with the Board staff, the Executive Committee would be responsible for ensuring that policy initiatives, regardless of their source, do not flounder in prolonged debate, but are brought efficiently to resolution. The Forum Co-Chairs, together with the committee chairs, would jointly be responsible to the Executive Committee for day-to-day operations of the policy process.

The Commission believes that both purposes—consensus building and decision making—can be served by continuing the present membership of the Forum while creating the Executive Committee. At the call of the chair(s) of the Executive Committee, additional members with specific interests and equities could be invited to participate for specific issues.

Recommendation #11: The Security Policy Board should appoint an Executive Committee. Its members, at the Assistant Secretary level, would come from the nine agencies with permanent representatives on the Board, and would be empowered by their principals to act for them in all but the most key issues.
 
Under this concept, the Board would meet only to consider a few key issues. Board members would interact on matters of interest to them primarily through their empowered representative in the Forum or Executive Committee.

The Concept of Risk Management

The basic concept for a cost effective security system is risk management rather than the unattainable and unaffordable goal of risk avoidance. However, the concept of an effective and affordable system based on risk management assumes an understanding of the threat, the capability to measure the cost, and some means of measuring the risk. At present, there is little reliable analytical data for any of these parameters. Instead, the focus is on the cost of some specific sub-element of security practices without consideration of the impact on other security costs or on risk. Some specific examples are discussed in following sections.

Understanding the Threat

Recognition of the need for a better approach to understanding the threat led to creation of the National Counterintelligence Center (NACIC). The NACIC has made significant strides toward facilitating the flow of information to those cleared individuals who use it daily to form security countermeasures. However, for those seeking an authoritative source of available relevant threat intelligence, the picture is more complex. Diverse areas of concern include espionage, terrorism, threats to critical infrastructures and environmental safety, information/cyber warfare, illicit technology transfer, drug and other international crime organizations, and intellectual property fraud. Multiple infrastructures of intelligence producers, disseminators, and users—spread across agency lines—provide threat products.

This fragmentation has made it significantly more difficult for the security countermeasures community, both government and industry, to obtain timely and accurate threat data. The most effective way to overcome this fragmentation is through a single organization designated to provide customers from the cleared community with one central location for their threat intelligence needs. The National Counterintelligence Center today has as its area of responsibility the dissemination of foreign counterintelligence information. Given additional resources and responsibility, it could become a community reference center that would provide consolidated threat data or, as a minimum, refer customers to sources of other kinds of threat data relevant to their needs. In conjunction with an expanded NACIC, advancing technology provides other possibilities for disseminating threat information, such as computerized pull-down systems that would provide data when the user needs it.

An expanded NACIC should also be given greater responsibility for providing meaningful threat information to industry partners. Both government and industry officials have information they do not often share with one another. If the NACIC adopted a more collaborative approach whereby it consulted regularly with industry officials, the few classified threat "briefings" the NACIC now provides could turn into more useful threat "seminars," providing both government counterintelligence officials and industry security representatives with better two-way communication. This would allow both parties a far better understanding of the range of current problem sets and how to defend against the threat in a consolidated manner.

In April 1997 an interagency group chartered by the SPB to identify and address the process of threat dissemination issued its coordinated Comprehensive Intelligence Production Requirements Statement in Support of Security Countermeasures Consumers, identifying intelligence items relevant to specific security needs. It was intended as a first step in developing an effective, efficient process and dialogue supporting dissemination of threat intelligence information. While it has proven helpful, there is much more potential in the group's work. The National Security Advisor, giving formal recognition that it reflects the needs of the security community, should issue the document. Once this is done, the process and infrastructure necessary for meaningful dissemination of threat data need to be more fully addressed.

Recommendation #12: Charter, fund, and staff the NACIC as the single clearing house for threat information for the security community.

Recommendation #13: The Security Policy Board should formally request the National Security Advisor to issue the Comprehensive Intelligence Production Requirements Statement in Support of Security Countermeasures Consumers.

Understanding the Cost

As the Commission pointed out in its 1994 report, the cost of security is an elusive target. It remains so today. The Commission believes limited progress has been made, however. In 1994, responding to a House Appropriations Committee tasking, OMB first captured security cost estimates for safeguarding classified information within the Executive Branch. During 1994-95, the Security Policy Board developed a framework for estimating all security costs, not just those associated with the protection of classified information. Beginning in 1995, this framework was adapted to collect security cost estimates for protecting classified information in the Executive Branch on an annual basis, as required by EO 12958.

However imperfect, the annual cost reporting under EO 12958 is the most broadly applicable, if not the sole measure, of security costs to Government. Additional partial indicators of the costs of security are the special authorizations for FY99 totaling $12.2 billion. Of this amount, $2.8 billion has been authorized for computer security and biological warfare defense, $8 billion for physical security of embassies around the world, and $1.4 billion for critical infrastructure protection. Also, while not a measure of the costs of security, the exigency funding for Y2K is a rare example of spending for other priorities that will incidentally benefit security.

We see several important limitations threatening continuing progress toward accurate security cost accounting. The most important is that few Executive Branch departments and agencies have separate budget line items for security. In many cases, security resources are included in overhead accounts. Additionally, differentiating security costs related to classified and unclassified matters is problematic because security personnel and physical assets typically contribute to both realms simultaneously. OMB recognized that initial reports for the EO 12958 annual collection would be estimates at best, and that the data could not initially be audited. OMB hoped that over time the data would become more credible through repetition, familiarity with the collection parameters, and refinement of collection techniques. In fairness, however, we note that there has been no follow-up measurement to ensure that appropriate rigor is applied to these annual collections or that they are done on a department/agency-wide basis. This means that problems of comparability due to widely varying systems, security data standards, and data reliability among agencies limit the accuracy and completeness of current reporting. Furthermore, there is generally no tie-in between agency security budgets and execution of national security policies. A commitment to collect security costs by functional category against the framework developed by the SPB would overcome this shortcoming and would permit establishing, in each agency, separate budget lines for security, which would provide a straightforward and readily understandable answer to questions of security costs.

Given today's budgeting practices, and varied perspectives on what security means, there is no one simple answer to the question, "How much do we spend on security?" Post-Cold War notions abound that "security costs too much" or that a "peace dividend" should be found by decreasing security resources to match supposedly diminished threats. Such notions are simplistic and misinformed. Whatever its effect on our national security, the loss of the popular notion of a single, all-encompassing threat has only obscured the emergence and proliferation of often less restrained and more virulent security threats. Such novel challenges require vastly different security countermeasures prescriptions, for which the resource implications remain undefined.

Recommendation #14: The SPB should mandate collection of all security costs against the security cost framework already developed.

Recommendation #15: Agencies should call out security as a separate line item in their annual budgets.

Security Policy Board Staff Position Funding

The Commission found that assignments to the SPB Staff during the first four years of the Board's existence generally worked well to promote the SPB's mission. Personnel detailed to the Staff brought wide-ranging experience and expert practitioner knowledge to the policy making process. However, the informal nature of the commitment creates turbulence and adversely affects Staff functions. The SPB should be supported with funded staff positions.

Recommendation #16: Provide funded Security Policy Board Staff positions and contractor support where needed.
 
The Extranet for Security Professionals

Effective security that has reciprocity as a key component requires effective communications among those responsible for administering it. Such communications are important for activities ranging from policy coordination to rapid announcement of changes to day-to-day tasks such as clearance passing and access verification. The Extranet for Security Professionals (ESP), currently experimental, provides a vehicle for such communications. The experiment is proving successful. ESP holds particular potential for resource savings through providing clearance and visit certification throughout government and industry. Full development and continued operations and maintenance resourcing of the ESP, with attention to providing confidence in its future, should greatly expand its use and ensure the continued availability of what should prove to be an essential tool for more effective security.

Recommendation #17: The SPB should continue to support the ESP, ensuring its continued development, funding, and eventual operational status.

Industrial Security

Including industry observers in the committees and at the Forum has facilitated a dialogue between industry and government that has proven beneficial to both. Industry is and will remain a critical contributor to national security. As such, it is important that the dialogue continue, but not merely at the policy level. DSS security assistance visits play an important role in ensuring effective security programs, both by serving as a means for identifying problems and potential problems and by conveying to management that the government continues to place value on security. Yet DSS's ability to conduct these visits has eroded to the point that they have become sporadic: still good in some areas, but nonexistent in others. Industry continues to suffer from excessive backlogs in the clearance process that delay putting people to work. The government suffers as this slows progress on classified projects and ultimately drives up costs.

There has been a notable lack of progress since 1995 in producing usable INFOSEC guidance for the defense industry. Chapter 8 of the NISPOM baseline is mired in disagreement between major players—DoD, CIA, and DoE. This situation creates a vacuum in an area that urgently needs effective, up-to-date security policy. Of particular importance is the issue, as yet unresolved, whether the document should be performance-based or prescriptive. Policy uniformity and consistency of implementation must be elements of all INFOSEC guidance. The continued inability to provide guidance to industry is creating enormous frustration in industry and weakens national security INFOSEC programs. This is an issue deserving and demanding the attention of the senior leadership in information systems security. The NISPOM must become, as it was intended, the single governing document for the industrial security program.

Recommendation #18: The Deputy Secretary of Defense should immediately put the Defense Security Service on a footing to revitalize the program of industrial security visits and to provide timely background investigations that meet the agreed-to guidelines.

Recommendation #19: The Security Policy Board Co-Chairs should require that the Executive Committee provide the full Security Policy Board an agreed-to baseline Chapter 8 for approval within 180 days.

Overseeing Compliance—A Need Overlooked

PDD-29 assigns the SPB the responsibility for formulating and coordinating policy. It is, however, silent about mechanisms for oversight of implementation. EO 12958 charters the ISOO, but circumscribes its area of responsibility and does not address resources for it. Other relevant documents, including EO 12968, PDD-63, and OMB Circular A-130, do not provide for national-level oversight.

There is internal agency oversight, and it is essential; however, no effective mechanism is in place today to monitor policy implementation for coherence and consistency, and to ensure that policies are applied equitably and in ways consistent with national goals for standard security policies and interagency reciprocity. Such oversight is not a matter of compliance inspections, but a matter of consultative review at the policy level, designed to ensure that policy is practical, understandable, and addresses real issues, and to identify and resolve implementation issues. The SPB should establish a process for timely reporting of progress towards compliance by all agencies. The SPB is well positioned to assume this national-level oversight role.

Contributing to the general problem of oversight of implementation is the lack of a clearly defined and broadly accepted mechanism for the Security Policy Board to issue its decisions. Once the Board approves a policy, and even when a policy is endorsed in a memorandum from the National Security Advisor, there is no definitive way to institutionalize that policy for the government as a whole. This shortcoming could be easily overcome by creating a recognized and recognizable series of binding policy documents.

Recommendation #20: Clarify the role of the SPB in national level security policy oversight, reemphasizing the SPB as the primary oversight body.

Recommendation #21: Establish a recognized mechanism for promulgating SPB decisions.

Annex A

A Summary of JSC-II Phase I Recommendations

Reliable and Trustworthy People

Recommendation #1: The Co-Chairs of the Security Policy Board, leveraging efforts already contemplated or underway, should commission and fund a research effort to determine the efficacy of personnel security policies and to resolve issues about their effectiveness. The Co-Chairs should monitor this effort, ensure the proper assessment of its results, and use those results to develop appropriate policies.

Recommendation #2: DoD should reassign SRC to OASD C3I; moreover, DoDPI should be redesignated the National Polygraph Institute with the Security Policy Board designated the National Manager and DoD OASD/C3I the Executive Agent.

Recommendation #3: The Department of Defense should begin first to fully enforce the standards for reinvestigations and then, within 90 days, should screen all those overdue for reinvestigation to identify those whose positions and access suggest the highest risk, and should provide the resources to complete those reinvestigations promptly; the Central Intelligence Agency should expeditiously execute its plan to eliminate its backlog by 2000.

Recommendation #4: DoD and CIA should set a limit of 180 days for new Interim clearances, requiring that the needed background checks and adjudication process be completed within that period. In addition, they should screen all existing Interim clearances and promptly close out those where positions and access suggest the highest risk.

Recommendation #5: The Security Policy Board should maintain a high priority on applying common standards to Special Access Programs and require that any needed policy recommendations go from the SPB to the NSC within 180 days.

Recommendation #6: DoD should immediately provide adequate funding and field a SAP access database, with appropriate security controls, to facilitate effective reciprocity.

Recommendation #7: The Board should propose to the NSC a new Executive Order that takes a comprehensive approach to addressing the suitability, reliability, and trustworthiness of persons employed in sensitive duties on work for the federal government. This would include individuals working in any capacity, and based upon the sensitivity of the duties, regardless of access to classified information. A proposal from the Security Policy Board for such an order is consistent with its stated mission in PDD-29.

Education, Training and Security Awareness

Recommendation #8: Ongoing efforts to create, coordinate, and implement core national training for both government and industry security officers should continue. The SPB needs to ensure that such a program is funded and supported, with a goal of implementation within two years.

Recommendation #9: The SPB should charter a coordinated, government-wide security awareness program to be fully implemented within two years.

Recommendation #10: A funding line for bridge and seed money should be created to be used for initiating security training and awareness projects, and for research initiatives, executed by designated departments or agencies.

The Security Policy Board Structure and Process

Recommendation #11: The Security Policy Board should appoint an Executive Committee. Its members, at the Assistant Secretary level, would come from the nine agencies with permanent representatives on the Board, and would be empowered by their principals to act for them in all but the most key issues.

Understanding the Threat

Recommendation #12: Charter, fund, and staff the NACIC as the single clearing house for threat information for the security community.

Recommendation #13: The Security Policy Board should formally request the National Security Advisor to issue the Comprehensive Intelligence Production Requirements Statement in Support of Security Countermeasures Consumers.

Understanding the Cost

Recommendation #14: The SPB should mandate collection of all security costs against the security cost framework already developed.

Recommendation #15: Agencies should call out security as a separate line item in their annual budgets.

Security Policy Board Staff Position Funding

Recommendation #16: Provide funded Security Policy Board Staff positions and contractor support where needed.

The Extranet for Security Professionals

Recommendation #17: The SPB should continue to support the ESP, ensuring its continued development, funding, and eventual operational status.

Industrial Security

Recommendation #18: The Deputy Secretary of Defense should immediately put the Defense Security Service on a footing to revitalize the program of industrial security visits and to provide timely background investigations that meet the agreed-to guidelines.

Recommendation #19: The Security Policy Board Co-Chairs should require that the Executive Committee provide the full Security Policy Board an agreed-to baseline Chapter 8 for approval within 180 days.

Overseeing Compliance

Recommendation #20: Clarify the role of the SPB in national level security policy oversight, reemphasizing the SPB as the primary oversight body.

Recommendation #21: Establish a recognized mechanism for promulgating SPB decisions.


Annex B

Commissioners and Support Staff

Commissioners

Larry D. Welch, Chairman
Duane P. Andrews
Robert F. Behler
Thomas A. Brooks
J. Robert Burnett
Ann Caracristi
Antonia H. Chayes
Cynthia P. Conlon
James J. Hearn
Bernard A. Lamoureux
Anthony A. Lapham
Frank K. Martin
James R. Philblad
Dan Ryan
Ross E. Schipper
Nina J. Stewart
Harry A. Volz

Staff

Dan L. Jacobson, Executive Director Navy
Edward S. Wilkinson, Jr., Deputy Executive Director CIA

Wayne Belk Air Force
Christopher Bythewood NSA
Gary Gower State
Gary Harris CMS
Doug Hinckley CIA
Joseph Holthaus CIA
Willard Isaacs DoD/DSS
Virginia (Ginna) Kerry NSTISSC
Daniel Knauf NSTISSC
Ray LaVan Treasury
Winiford (Winnie) Lehman Energy
Stephen MacKnight Navy
Dan McGarvey NRO
William Mussen DIA
Roger Schwalm CIA
Dave Stevens NSA

Administrative, Secretarial and Clerical Support:
Annette Purcee CIA
Phyllis Norling Navy
Deborah Jermunson IDA


Annex C

Summary and Status of Original JSC Recommendations



END of DRAFT Phase I Report
