

MINUTES
SECURITY POLICY ADVISORY BOARD MEETING

March 8, 1999
The Boeing Company
Flight Safety Training Center
Tukwila, Washington

On March 8, 1999 a public meeting of the President’s Security Policy Advisory Board (SPAB) was held at the Boeing Company’s Flight Safety Training Center in Tukwila, Washington. Board Chairman General Larry Welch, USAF (Ret) presided with board members Rear Admiral Thomas Brooks, USN (Ret) and Ms. Nina Stewart also in attendance. Approximately 50 persons from the public and private sector also attended.

INTRODUCTIONS

The meeting was opened at 0900hrs. by Mr. Bill Isaacs, who is a member of the Security Policy Board staff and serves as the Responsible Federal Officer in support of the SPAB. He welcomed all in attendance and introduced the advisory board members.

PRESENTATIONS

1. Chairman Welch presented a progress report on the reconvened Joint Security Commission (JSC II). He began by reiterating the four basic principles of an effective security program outlined by the original Joint Security Commission. They are: (a) policies and services matched to the threats—evolving as the threat changes; (b) policies and practices consistent and coherent—reducing inefficiencies; (c) standards and procedures that are fair and equitable; and (d) policies, practices and procedures providing needed security at an affordable price.

The Chairman then outlined the tasks given to the JSC II. In phase I the commissioners will review progress in implementing the recommendations of the Joint Security Commission in support of the principles outlined in PDD-29, examine the operation of the Security Policy Board, and make recommendations to increase its effectiveness. Phase II will examine security issues requiring additional emphasis, specifically in the traditional electronic information security area, and provide recommendations on changes to the approach to security that better balance the most relevant threats to the most relevant security needs.

The General offered that the basic underpinnings of a viable security program are trustworthy and reliable people and an effective security education and awareness program. He then provided what he called some common information security imperatives in today’s changing environment. For information to serve national security, it must be relevant, reliable and timely. Hence, there are four intersecting factors that enter into the approach to information protection – ensuring it flows only to the intended place (flow control), ensuring its integrity (content control), ensuring that authorized people, and only authorized people, have access to the information (access control), and ensuring none of the above precludes it being available to the authorized recipient on a timely basis (temporal control).

Activity | Documents | Electronic
Flow Control | A solid paper trail, complicated by the copy machine | A largely unaddressed central challenge -- focus on network protection
Access Control | Controlled primarily by the clearance process and application of need to know | The major focus of much of the ongoing information protection activity -- heavy emphasis on improved encryption
Temporal Control | Generally not critical | Often critical

2. Ms. Judy Hughes, Chief Operating Officer, Defense Security Service (DSS) gave an update on activities currently ongoing at DSS. Her briefing centered around the major problem that DSS is experiencing with their Case Control Management System (CCMS). Currently, there is a significant bottleneck at the front end of the system. The system was designed to have the information flowing into it be in an electronic format but, unfortunately, a significant amount of input is being sent to DSS in paper form which requires manual data entry into the system. Efforts are ongoing in earnest to increase the usage of the Electronic Personnel Security Questionnaire (EPSQ) to eliminate or significantly reduce the requirement to enter data by hand.

Ms. Hughes also indicated that, besides the front-end situation, other technical issues exist in the CCMS. She offered the following analogy in an effort to frame this issue: the current CCMS, she said, allows information to flow as if it were on a one-lane road, whereas the need is for an eight-lane information highway. She stated that DSS is working with the contractor to resolve these technical issues. She then offered some time lines for eliminating the bottleneck/backlog. Meeting these time lines will be contingent on the software fixes and the ability to secure enough resources to address the data entry problem. DSS has requested support from the military reserve establishment to help with the data entry as well as assist in the conduct of the investigations. Also, the Military Central Adjudication Facilities are helping in this effort. Finally, DSS has requested additional funds from OSD(C3I) for increased contract support to expedite the technical solutions.

3. Mr. Greg Gwash, Director Security & Fire Protection, The Boeing Company presented a white paper on information systems security policy on behalf of the Aerospace Industries Association to Chairman Welch. Mr. Gwash also indicated that the paper had the concurrence of the Industry members of the NISPPAC and the MOU signatories. The content of this paper was briefed to the group by Ms. Marie Olson of Mr. Gwash’s staff.

Ms. Olson’s presentation provided the background and the contributing factors to what was described as the Information Systems Security Policy Conundrum, and offered some recommendations. She began by saying that the current policy has no true baseline set of requirements, i.e., the NISPOM (Chapter 8) is not commonly accepted, the NISPOMSUP is separate (and not supplemental), and there is the DCID 1/16, AISSIM 200/300, etc. There are inconsistent interpretations and implementations, and current policy fails to adequately address current technology issues and threats. She offered four factors contributing to the situation: 1) the knowledge and experience levels of government information security policy makers (and the industry participants) are suspect because of the constantly changing environment, 2) too many special interest group agendas, 3) the argument has become one of "form rather than substance" and 4) there seems to be no agreement as to a strategic direction. She also stated that another significant contributing factor is that the Security Policy Board structure has failed to stand up an Information Systems Security Policy Committee to allow for effective dispute resolution among the various government entities.

Ms. Olson’s briefing offered the following recommendations. The SPAB should: (a) champion the development of a unified national strategy to protect classified information and to preserve our Nation’s economic and technological interests by coordinating the numerous activities involving information systems security, critical infrastructure protection, information assurance and electronic commerce at the national policy level; (b) direct the production of an accepted methodology for risk management based upon reliable estimates of the threat to information systems, a clear understanding of the national policy objectives and operational needs, and the development of risk mitigation (or acceptance) standards which will satisfy legitimate national security requirements; (c) establish a partnership between government, industry and the information technology vendors to establish standards for development, testing and approval of security tools and procedures, create/maintain a central clearing house for approved procedures and tools, and provide necessary technical training (i.e., applicability/limitations of procedures and tools); and (d) stand up the Information Systems Security Committee of the Security Policy Board to coordinate the various information systems related disciplines and to provide urgently needed conflict resolution. This group should comprise individuals with both advanced technical knowledge and current industrial security experience. Ms. Olson closed her briefing by offering industry’s pledge of support and involvement in solving the Information Systems Security Policy Conundrum.

4. Jim Passarelli of the Security Policy Board staff presented an overview of the Extranet for Security Professionals (ESP) visit certification and clearance passing project. He provided a background for the project as well as its objective, beta test implementation and anticipated project outcome. As background, he stated that the ESP Board of Governors, in a January 1999 meeting, designated this project as the current number one priority for the ESP. This project offers a quick payback with high visibility and should attract users and resources to the ESP. One of the objectives of the project is to demonstrate the capabilities of the ESP but, more importantly, to replace the letter, fax or phone as the modes of delivery for passing visit certifications. At this time no linkage to the clearance databases is anticipated. The project will be beta tested. The Department of Energy, some industry elements and NASA are participating in the test. An SPB working group is developing the visit certification format, processes and policies. The plan is to begin the beta test April 15, 1999 and end it by June 15, 1999. The desired outcome of this test is to offer workable visit certification and security clearance data transmission through the ESP in a cost-effective, real-time, secure manner to the SPB Forum departments and agencies, and to industry.

5. The meeting was adjourned by Mr. Isaacs at 1130hrs.



