The 14 March 1997 meeting of the Policy Integration Committee (PIC) was called to order by Mr. Peter Saderholm at 1000 hours at the Hayes Building Conference Center, The Mitre Corporation, 725 Colshire Drive, McLean, Virginia.
The following Committee members and observers were in attendance:
Committee Members or
Alternates Attending
Larry Berenson (FEMA)
Gene Boesch (Air Force)
Mike Brown (Navy)
Paul Buskirk (Commerce)
Bill Cope (Transportation)
John Crandell (OPM)
Jerry D'Alessandro (NIMA)
Carl Darby (CMS)
Jim Fradel (Justice)
John Frields (ASDC3I)
John Gannon (Interior)
Bob Irvine (USMC)
Bernie Lamoureux (Industry)
James Long (USDA)
Gerry McGrath (State)
Michelle Moldenhauer (Treasury)
Vic Patrick (DISA)
Patty Postel (NRO)
John Pugrud (JCS)
Jeff Rank (NSA)
Richard Rees (CIA)
Joe Rodriguez (GSA)
Mary Ronan (NARA)
Peter Saderholm (SPBS)
Ethel Theis (ISOO)
Larry Wilcher (DOE)
Dick Williams (OUSD(P))
Drew Winneberger (DIA)
Allan Witzgall (FBI)
Ray Brady (NRC)
Observers Attending
Rosalind Baybutt (DoD/C3I)
Greg Bishop (SPBS)
Jake Boesen (DOE)
Bob Gleeson (CIA)
Dave Haag (CIA)
Dennis Hanratty (NSA)
John Herzich (NSA)
Helencia Hines (SPBS)
Joe Holthaus (SPBS)
Dan Jacobson (SPBS)
Winnie Lehman (SPBS)
Steve Lewis (DIS)
Dan McGarvey (SPBS)
Nicole P. (USG)
Jim Passarelli (SPBS)
Joe Reynolds (CISWG)
Roger Schwalm (SPBS)
Dave Shaeffer (NACIC)
Keith Shaver (OUSD(P))
Terry Thompson (SPBS)
Daryl Toms (Energy)
Doug Wickman (CISWG)
Member Organizations/Observers Not Represented
Mr. Saderholm opened the meeting and welcomed Mr.Joe Reynolds and Mr. Doug Wickman, Contractor SAP/SARWorking Group (CSSWG) Board Members, as observers to the meeting. He then called for any modifications or corrections to the 13 February 1997 meeting minutes; there being none, he declared the minutes final and marked For Official Use Only per the direction of theSecurity Policy Forum (Forum).
Committee Reports
Facilities Protection Committee (FPC):
Mr. Toms, Committee Chair, reported that the FPC last met on 11 March. Administratively, new charters were approved for the Facilities Access and Researchand Development working groups. He also reminded the members that the Ninth Annual Biometric Consortium meeting would be held 8-9 April 1997 at the Crystal City Holiday Inn.
Mr. Toms said two issues were discussed at the meeting. One dealt with the committee's acceptance of the Technical Surveillance Countermeasures (TSCM) Equipment and Foreign Liaison Matrix, a document that identifies which countries have been exposed to which TSCM equipments and procedures. Secondly, discussions were held concerning security container requirements to replace lock bar cabinets, scheduled for phaseout by 2012. He said the FPC was not sure how to deal with this issue at this time; there is some question as to whether General Services Administration, through the IACSE, should develop standards for a replacement device.
Personnel Security Committee (PSC):
Mr. Haag reported for Mr. Crandell that in accordance with the tasking from the Forum, the PSC had begun its analysis of the guidelines now in use by the SPB member departments and agencies for vetting personnel security clearances. He indicated that the PSC's initial cut at this task suggested significant amounts of information gathering, review and analysis would be required. This will eventually lead to an extensive research effort, perhaps taking up to two years, and would not be inexpensive, perhaps costing between $2 and $4 million. This effort will address the very basics of personnel security, i.e. the fundamental objectives of a personnel security system: the utility of a background investigation as a personnel security tool,and if there is utility, how the investigation should be structured; and, the kinds of personal behavior, past and present, which are predictive of future reliability. Mr.Haag concluded that this effort will be comprehensive and unprecedented.
Training and Professional Development Committee (TPDC):
Mr. McGarvey reported in Ms. Bauer's absence. He said the committee's next meeting would be 18 March1997.
Relative to the development of guidelines for training adjudicators, he said the initial part of the working group's study focused on the ongoing training programs conducted, and considered to be successful, by the CIA, DoDSI, and Energy. From these three programs representative knowledges, skills, and abilities (KSA) for adjudicators have been identified and are in final staffing for incorporation as part of a draft set of guidelines. It was anticipated that these KSAs would be voted on at the 18 March TPDC meeting. The second part of the guidelines will include training standards for adjudicators.
Mr. McGarvey reported that the Derivative Classification Working Group had completed roughly 80 percent of its effort towards developing a set of guidelines for training personnel who derivatively classify information. He anticipated that the group would complete its effort within two weeks--at which time the recommended guidelines would be sent on to the TPDC for approval and ultimately on to the Classification Management Committee for adoption and distribution method determination.
Mr. McGarvey concluded his remarks by noting that he had received an update by PERSEREC's Dr. Jim Reidel on the methodology, protocols, and activities to date relative to the National Counterintelligence Center's CI Awareness Study. It is anticipated that PERSEREC's comprehensive look at the state of CI awareness, the actual information provided, who provides it, and methods used to convey the information, will be concluded by August 1997. The study includes both federal and contractor venues.
Classification Management Committee (CMC):
Dr. Theis reported in Mr Garfinkel's absence. The CMC last met on 27 February 1997.
She announced that the Information Security Oversight Office (ISOO) would resume its on-site reviews of Executive Branch department and agency security programs during the remainder of FY 1997. The Air Force, Navy, and Army reviews have already been completed; among others, she mentioned that CIA, State, USIA, and NRC program reviews were also scheduled. The reviews focus on two aspects of Executive Order (E.O.) 12958. The first aspect involves department/agency implementation of declassification actions for historical records. The second aspect involves security education and training programs. Specifically, the review will ascertain department/agency efforts to include the basic requirements of E.O. 12958 in security indoctrinations and follow-on training efforts as appropriate. She also alluded to an on-site review, related to the above security education and training aspect, for contractors in a selected US locality.
Dr. Theis also addressed ISOO's earlier plans to host a symposium in the June 1997 time frame to address the Secrecy Commission recommendations impacting E.O.12958. She advised that the Archivist believed June was not a propitious time owing to the size and scope of the Commission's report and recommended that sometime during the fall 1997 would allow for a more thorough preparation for such an effort.
Dr. Theis concluded by announcing that the next meeting of the National Industrial Security Program Policy Advisory Committee (NISPPAC) would occur on 25 March 1997 and the final agenda would soon be circulated to the NISPPAC members.
International Security Working Group (ISWG):
Mr. Williams reported in Mr. Wilson's absence. He said that since the 13 February PIC meeting there had been no progress in bringing to closure the draft National Disclosure Policy document. CIA remains in agreement in principle with the draft but the changes they want made have yet to be resolved. Mr. Williams concluded that State remains very much opposed to the draft.
OLD BUSINESS
Comprehensive Intelligence Production Requirements Statement for Security Countermeasures:
Mr. Wilcher, Chair, Threat Requirements Committee (TRC) reported. He distributed to the PIC members copies of a revised requirements draft which is an update from the draft disseminated at the February 1997 PIC meeting. The new draft incorporates comments received from ten PIC member departments/agencies. Mr. Wilcher described the new draft as a better product; he also reported that input from the ten departments/agencies characterized the draft as a good product. Inputs received were used to streamline the draft. He also reported that inputs to the original draft were also received from the intelligence productioncommunity. He said their comments were particularly useful to ensure a "common language" was spoken in the draft between those who require intelligence and those who produce it.
Mr. Wilcher then introduced a topic paper developed by the TRC and the SPB Staff and included as part of the read ahead package for the meeting. The paper requested approval of a process (included with the paper) for identifying comprehensive intelligence production requirements to intelligence producers in order to assist security countermeasure managers developing risk management decision packages.
Mr. Wilcher described the process. Mr. Long, Agriculture, questioned the nature of the 18 "CI Issue coordinators" included in the draft process. Mr. Saderholm said these coordinators were assigned by the National Intelligence Council (NIC) and came from a variety of backgrounds such as the military services and academia.
Mr. Wilcher then asked the membership whether their reviews would support this draft as a workable process; if not, how did it need to be corrected? He indicated the next step forward for this issue would be to establish dialogue with the NIC on this process. Mr. Saderholm indicated the NIC would strongly believe this effort was worth doing, and absent any dissent from the membership at this time relative to the draft process, he interpreted this posture as an OK to approve the process as presented and recommend the TRC continue its efforts.
In conclusion, Mr. Wilcher said the TRC would next meet on 7 April 1997 at the Gloucester Building. In preparation for that meeting, he asked the members to look again at the new requirements draft to ensure their intelligence needs were adequately addressed. He asked that any such requirements or other related comments be forwarded to Ms. Winnie Lehman, SPB Staff, as soon as possible.
Risk Management Strategy:
Mr. Saderholm introduced and presented this topic.He said that even after two years and nine months of grappling with security risk management as an issue for the SPB processes to resolve, he was still somewhat of a "mixed mind" about the utility of security risk management and remained somewhat unsure that he understood the matter completely. He used a cartoon to underline his perspective that there was no consistent interpretation, language, or understanding about risk management in the SPB departments and agencies. He said he thought the SPB goal should be to use a "thoughtful process to accept risk as opposed to avoiding risk which is terribly costly and/or terribly stupid."
Mr. Saderholm referred the membership to the "DraftRisk Management Strategy Coordination"; issue paper which was part of the read ahead for this meeting. He said that paper maintained focus for this meeting based upon three points agreed to at the last PIC meeting: 1) PDD-29 requires use of a risk management process; 2) the SPB structure would benefit from common risk management terms and definitions; and, 3) the SPB would benefit from a strategy for developing national level security policies.
Mr. Saderholm suggested to the members that the first point above "PDD-29 requires use of a risk management process" was the critical point for resolutionof this matter. In essence, he recommended that the PIC interpret this requirement to apply to the development of national level security policies and programs, all of which would be underpinned by application of the Risk Management Strategy. Furthermore, departments and agencies could opt to use this same strategy for their own internal operations if they believed it would lend credibility to their safeguarding decisions, but they should understand if they choose the phrase "risk management" others will expect something similar to this strategy. Finally, he suggested that departments and agencies might also choose to use this strategy to buttress their safeguarding recommendations whenever shared assets were involved and other department or agency agreement was necessary to sufficiently safeguard the asset and assure reciprocity.
Mr. Saderholm then recognized that 28 PIC members had responded to the task from the 14 February PIC meeting to comment on the draft strategy. Of those 28, 13 essentially expressed concurrence with the strategy. Fifteen members provided substantive written or verbal comments, all of which he had reviewed in depth.
Mr. Saderholm said that from his review of member comments, he was able to distill a critical set of member perspectives, themes, or concerns. He then recapped for the members the various member comments and related them to what he considered six keys to resolving discussion and acceptance of this strategy. He said in hindsight,that he believed there was also a seventh key; to wit, language used in this draft strategy needed to connote a risk management "strategy", vice "policy." Other keys involved the use of a risk management process, common terms and definitions, threat availability, senior management endorsement, oversight, and how to advance/resolve this issue. Mr.Saderholm concluded his review of member comments by saying that he felt in whole, with the exception of risk management terms and definitions, there was sufficient convergence of views to allow the PIC to adopt the proposed strategy otherwise as constructed and written. He qualified his view on this matter by reemphasizing his perspective that the strategy should be used as the underpinnings for developing national level security policies and programs as part of the SPB processes; itwould be at the discretion of the PIC member departments and agencies to use this strategy to safeguard their own or shared valued assets.
Mr. Fradel commented that to move forward with the policy as originally presented was a major decision with potentially significant cost and risk. Mr. Fradel proposed that the Risk Management methodology put forth be implemented in this important policy decision process to demonstrate how the methodology would be employed and allow an informed decision of its utility. This proposalwas voted down by the Committee.
Mr. Saderholm concluded his presentation by requesting the PIC members endorse his recommendation to adopt this strategy with the exception of the aforementioned risk management terms, definitions, and language and to accept his offer to stand up a small working group from the PIC member departments and agencies to expeditiously review the terms, definitions, and language to ensure they support the SPB processes to develop national level security policies and programs. The PIC members agreed with Mr. Saderholm's recommendation and accepted his offer to stand up the working group.
Safeguarding Directive Update:
Ms. Hines updated the PIC members on the changes incorporated in the 28 February 1997 revision to the draft Safeguard Directive. She advised that the revised draft would be presented to the Forum on 21March 1997 for final review and approval. The changes were recommended by the working group established for this purpose which met on 28 February and which was chaired by Mr. Perritt, OASDC3I.
Ms. Hines indicated that a major change to the draft was found in Annex B and involved language relative to US requirements in the interest of safeguarding foreign government information. Paragraph 5, "Third CountryTransfers," was modified so that prior consent for release by the US did not have to be in writing from the foreign government information owner; rather, the consent could be verbal. Furthermore, a reference to "bilateral exchange" was included to acknowledge such a relationship bound by this paragraph.
She also stated that the major changes for SectionIX, "Loss or Possible Unauthorized Disclosure," were focused on law enforcement and administrative issues. In addition, the language regarding damage assessments was relaxed to allow more flexibility.
NEW BUSINESS
Security-in-Depth:
Ms. Hines drew the membership's attention to Mr. Saderholm's memorandum (SPB 044-97, dtd 10 March 1997,subject: Security-In-Depth (Safeguards Directive SectionV-(b) (1) (B)) in their meeting packets. This memorandum established a small working group under PIC auspices to provide clarification to the term "security-in-depth" as tasked to the PIC by the Forum at the 21 February Forum meeting. She said the group's initial focus would be to cite and describe examples of how security-in-depth is currently employed at various government and contractor venues. She said there was also a need to identify the security decisionmaking processes in play at these various venues whenever security-in-depth is employed.
She concluded that the working group's report would be provided to the PIC for discussion and review prior to forwarding to the Forum. She also suggested that the PlC's report to the Forum be cast as a potential tool for making security-in-depth determinations.
Update to "An Inventory of Standards Affecting Security"
Mr. Schwalm addressed this agenda item and said that the document included in the membership's packet for this meeting was the updated version compiled by the Staff. At the August 1996 PIC meeting, the membership was requested to identify additional material to be included, and this document contains suggested changes posed by the membership.
Mr. Saderholm questioned whether this inventory could be placed on the SPB Internet Home Page to facilitate access.
Mr. Schwalm indicated in the affirmative; however, he suggested a need for the PIC to agree to this and asked the membership to review the inventory for items under their respective department/agency cognizance to ensure reference to any particular document(s) in the inventory would not be proscribed from public access. He asked that the PIC members review their inventory submissions and report back at the next PIC meeting on 10 April, three issues; first, any removals from the document; second, any additions to the document, and third, specifically identifying any documents which should be proscribed from the inventory if it were placed on the WWW.
Mr. Brady questioned whether placing the inventory on the WWW would generate FOIA requests. Mr. Schwalm said he believed many of the inventory items were in the public domain, so this should not be a significant FOIA matter; classified documents included as items of reference in the inventory are, of course, exempt from release under the FOIA. Dr. Rees queried as to who would maintain the inventory if it were placed on the WWW. Mr. Saderholm said the SPB Staff would maintain the inventory and periodically update it. Mr. Rank said NSA definitely needed to review their respective inventory items and urged all others to do likewise .
OPEN FORUM DISCUSSION
No items were offered fordiscussion.
SUMMARY OF ACTIONS
The next meeting is scheduled for 10 April 1997, 1000-1200 hours in Mitre's Hayes Conference Center.
ADJOURNMENT
Mr. Saderholm adjourned the meeting at 1130 hours.