Comparing Information Protection Practices.
Many similarities exist between the Department of Energy (DOE) and the Department of Defense (DoD) in terms of how they deal with contractors to ensure the protection of classified information. The differences in their procedures are, however, far more interesting and instructive. Ideally, one would hope that these organizations could find a way to blend the best of both their policies. With that goal in mind, here's a brief look at the most striking differences as seen from the view of one who has dealt with the implementation of these requirements in the field.
It should be noted that the focus of this article is on contractors awarded contracts to execute technical tasks for which accessing classified information is necessary. These observations are not intended to apply to management and operating (M&O) companies that manage and operate nuclear sites for the DOE.
NISPOM. Before getting into specific differences, a general comment is warranted. The initial sense among many professionals may be that no significant differences exist between DOE and DoD because both are committed to compliance with the National Industrial Security Program Operating Manual (NISPOM) DoD 5220.22M.
While this is true in the broadest sense, the DOE continues to formulate and promulgate "DOE Orders," which have long been the practices and procedures that govern the protection of classified information, special nuclear material, unclassified controlled nuclear information (UCNI), and other sensitive information, for the DOE and its contractors. These orders tend to exceed the requirements of the NISPOM.
It is not the purpose of this article to discuss the merits of DOE's overall approach in diverging from NISPOM, but rather to look at the merits of the specific procedural differences that have evolved between DOE and DoD as a result and their impact on information security.
Sensitizing the CEO. One of the more interesting differences between the two departments is how they deal with contractors when initially granting clearances. The DoD takes the opportunity to sensitize the CEO to his or her security responsibilities at two points in the clearance process, while the DOE does not.
When a contractor wants to do business with the DoD, the Defense Security Service (DSS), that arm of the DoD that audits its contractors for compliance, requires that the company's home office, and the top-level executives, or "key management personnel" (KMP)--including the chairman/president/CEO (hereafter referred to as the CEO)--be identified and investigated to see if they are qualified to be granted a security clearance. An inability on the part of the CEO to qualify for a security clearance equates to an inability on the part of the company to qualify for classified contracts.
Clearing the CEO and other key management personnel is one part of the process for clearing the facility. To that end, DSS requires that a DD 441 Security Agreement be reviewed and signed by an officer of the company, preferably the facility's top executive. The DD 441 documents that the company has agreed to comply with the requirements for the protection of classified information for the DoD.
This security agreement is not unlike a contract. In signing it, the company's top executive is affirming that the company will comply with government security requirements and cooperate in security reviews (audits). It legally binds the company to a number of obligations.
The DoD industrial security representative also asks the company to execute a Foreign Ownership Control or Influence (FOCI) document and a KMP list, which includes the facility security officer (FSO) and the top executives who possess significant authority, all of whom must qualify for clearances.
In accordance with DoD requirements, the CEO and the FSO (once cleared) must be personally briefed by the DSS. During this briefing, the DSS highlights key security points such as:
* How the DoD views the CEO as the person ultimately responsible for the protection of classified information (and how it behooves him or her to have a qualified FSO).
* The need for the contractor's FSO to have direct access to the CEO.
* The need for the FSO to submit "adverse information" reports on employees to the DoD when an employee's ability to protect classified information is brought into question. In this regard, DoD will also explain that the FSO and the company are exempt from civil lawsuits related to such reports because they are required by the government.
The DSS industrial security representative seeks some sort of verbal affirmation from the CEO that he or she will protect classified information in accordance with the requirements and that the ESO will have an open door to the CEO. This is not a canned statement; rather, it is sought in normal conversation. In addition to sensitizing CEOs to the company's legal requirements to protect classified information, this briefing makes CEOs feel, and correctly so, that they are members of that unique community charged with the protection of our nation's secrets.
The value of this type of meeting with the CEO is immeasurable. In many companies, for example, midlevel managers may seek to influence an ESO or other security personnel into winking at some security requirements, perhaps to reduce costs or accelerate a process. These efforts are less likely to succeed in an environment where the CEO's awareness has been raised and where the FSO's access to the CEO has been established.
The DOE approach is very different. The DOE requires that an OODEP (officers, owners, directors, and executive personnel) listing be provided. It is the same as the KMP list, and in fact OODEP is an acronym the DoD used for years before changing to KMP. But the DOE has nothing like the DD 441 Security Agreement that the CEO must sign, and there is no one-on-one meeting with the CEO to raise awareness about security. Requirements for protecting classified information can be found in contract clauses, but a CEO is not likely to read the contact.
Only now is DOE seeking to emulate DoD in clearing the CEO and other key management personnel, but it is hampered by its own lack of funding to conduct the required background investigations. Consequently, some CEOs may be less than sensitive to a contract with the DOE that has classified aspects.
If issues should surface that require the CEO's attention, an educational process relative to security requirements must first ensue. Further, if the FSO were to approach a nonsensitized CEO with an issue, he or she might be directed to use the chain of command when the problem may be in the chain of command. All this can be avoided with the DoD system.
Personnel clearances. The DoD's clearance processing is more technologically advanced than the DOE's. Unlike the DOE, DoD clearance processing is centralized and electronic. Candidates for secret and top secret clearances are given three computer diskettes of software, which they load on their computers. They complete their Electronic Personnel Security Questionnaires (EPSQ) on their computers and return their disks to their personnel security specialists. The EPSQs are then transmitted electronically to the DoD in Columbus, Ohio, where they are processed. It is noteworthy that the premature deployment of this clearance processing software has caused some problems that have been widely reported in the press (because the software still has some bugs), but once those problems are resolved, it should be a smooth-running process.
DOE clearance processing is not centralized, and the agency still distributes the hard copy SF 86 Questionnaire for Sensitive Positions form. Every DOE site has its own personnel security staff that processes personnel for "Q" and "L" clearances for that particular site. This approach is less efficient than what the DoD is doing.
Another problem with clearances concerns funding. A few years ago the Office of Personnel Management (OPM), the government office that does background investigations for the DOE, privatized its background investigation function. Like any good profit-making company, U.S. Investigations Inc., the privatized company, has attached firm price tags to its background investigations. Every DOE site is now allotted a fixed budget for processing security clearances.
One result is that contractors are prioritized behind the DOE and its laboratories for being granted clearances. Consequently, contractors may experience difficulty in performing adequately on their contracts because they lack proper clearances. At times there can also be tension between the DOE and its contractors over the limited number of clearances granted.
The DoD is considering a fee-for-service plan. It is different from DOE's procedure and in synopsis will work like this: Money previously allotted by DoD to the DSS for investigations and inspections is to be given to the user agencies. Those agencies will use that money to purchase services from the DSS. The expectation is that agencies will keep a closer eye on the number of contractor employees being submitted for security clearances if they have some financial stake in what it costs.
This plan is still unfolding, and many contractors are viewing it with skepticism. But recent changes in DSS management could reverse or alter this course. (In fact, implementation of the plan was looking less likely as the magazine went to press.)
Clearance lifespan. At the DoD, if all classified contracts are completed, the contractor is allowed to retain its facility security clearance (FCL) and personnel security clearances for 18 months. The time frame can be extended if potential classified contracts are on the horizon. The rationale for this policy is that a contractor must already possess an FCL to qualify to bid on a classified contract in some cases.
The DOE adheres to a different practice. As soon as use of classified material for a classified contract ends (after completion of a classified contract), the DOE terminates the facility clearance and all personnel security clearances. It is not necessary in the DOE environment to have a facility security clearance or personnel clearances to bid on a classified contract (although it can be advantageous).
Essentially, this means the DOE must start from scratch even with contractors who have previously held clearances. Clearly, DoD's approach is more efficient.
Audits. The DoD has cognizance for many user agencies such as the Departments of State, Commerce, Treasury, and Justice, as well as NASA, FEMA, GSA, GAO, and others. The DOE tends to audit only the DOE. Both departments conduct audits of their contractors to ensure compliance with their requirements, but their approaches to auditing differ.
A few years ago, DoD discarded its Industrial Security Operating Regulation, which was the manual used to determine how to oversee the contractor. Perhaps this was an error, for it has left the agency rudderless in many respects, including the critical function of auditing contractors. But DoD is now formulating the Industrial Security Operating Manual (ISOM). It is a government manual the DSS will use to enforce the NISPOM. It will replace the ISOR. The expectation is that this manual will alleviate some concerns addressed in this section.
The DoD now calls its audits reviews. These are less exhaustive undertakings than formerly, when they were called inspections. What's more, the DoD used to refer to problems uncovered as "deficiencies." Now, there is no term, which perhaps could be interpreted to mean there are no longer problems to uncover.
The DOE seems to spend considerably more time preparing for its audits, which are called surveys, and the process is more intense than DoD's. The DOE also tends to use specialists. A TEMPEST specialist will audit only TEMPEST, for example. The same applies to operations security (OPSEC) classification, etc, DoD industrial security representatives, by contrast, tend to be generalists.
DOE sends out a multipage questionnaire to the contractor in advance of the survey, and the answers give the auditors a pretty fair overview of the contractor's security posture. A detailed survey is then conducted.
At the end of its audit process, the DOE writes a very detailed report describing the results. A report can easily be 70 pages. If there are enough findings and they equate to vulnerabilities, the report will be classified as confidential or secret. Through the report, the DOE assigns to the facility a composite rating of satisfactory, marginal, or unsatisfactory.
Ratings are also assigned to categories (called topics) such as program planning and management, protection program operations, (nuclear) material control and accountability, information security, and computer security. Further, each of these topics has subtopics such as safeguarding and security plans, control of top secret documents, technical surveillance countermeasures (TSCM), and security education. Consequently, a contractor could receive a composite rating of satisfactory but receive a marginal rating in computer security or vice versa.
The DOE allows itself 90 days to complete this report. It is sent directly to the contractor's security manager. Therein lies a problem, which will be discussed in a moment.
The DoD does not have the opportunity to devote as much time in preparing for an audit (inspection) because of the volume of contractors an industrial security representative (ISR) may have to inspect. A single DoD ISR may have 100 or more contractors to look after. (This situation is now being corrected as the DoD is hiring additional industrial security representatives for the first time in many years.)
After an inspection, the DoD does not write a lengthy, detailed report, as does the DOE. Rather, auditors write a simple letter stating that an inspection was conducted on a certain date. The authority for conducting the inspection and the results of the survey (such as satisfactory or unsatisfactory) are cited. The DoD does not have a marginal rating, but it may issue a rating of "satisfactory under marginal conditions."
The DoD letter, which equates to the FSO's report card, does not go to the FSO. It goes instead directly to the CEO, with a copy to the FSO. This approach is in marked contrast to that of the DOE, where the survey report is sent to the contractor's security manager, not the top executive. The problem with the DOE practice is that, if the report is unfavorable, the security manager is in a position to keep it secret from management.
The DoD could learn a lot from the DOE in how to conduct audits and the DOE could benefit from the DoD's approach of reporting the results to the top executive of the contractor.
Training. Training by the DOE tends to be more rigorous than at the DoD. Greater demands are often placed on the attendees. Testing is not uncommon. The DOE manages to train and test its contractors even when they are located across the country. By contrast, little is required of attendees at most DoD training sessions, who nevertheless earn a certificate.
As a part of training sessions, the DOE gets speakers who are experts in their fields. The DoD often relies on generalists, rather than specialists. This is particularly true in computer security. Perhaps the DOE has an advantage in that it can recruit from its laboratories, which are staffed with personnel who are highly technical and who have developed sophisticated computer programs for the protection of classified information. Ideally, DoD should also be able to recruit from these sources for their DoD seminars, but they do not appear to do so.
Document classification. DOE security has formulated an excellent classification guide that addresses all the essential elements that make up the information security program. It is CG-SS-3 Classification Guide for Safeguards and Security Information. It is for the entire DOE security community and provides classification guidance on threats, computer security, counterintelligence, OPSEC, TSCM, foreign and terrorist information, and much more.
The DoD has nothing resembling such a document. Furthermore, in the DoD environment, anyone with or without classification training can classify documents. The DOE has formal training for DOE employees and its contractors. Testing is the norm, and successfully passing a test is impossible without study.
Anyone who completes the DOE's training and testing is designated an authorized derivative classifier (ADC) in the case of classified information, and a reviewing official (RO) in the case of unclassified controlled nuclear information (UCNI). Only ADCs and ROs may classify ("determine" in the case of UCNI) in the DOE environment.
In both DoD and DOE environments, there are occasional instances in which classified information inadvertently finds its way into what are supposed to be unclassified documents. With the DOE, it is well known that this has occurred, and to identify the document, say, by title, is in itself classified at the same level as the information inadvertently compromised. With the DoD, this rule does not seem to apply, and the matter is handled as unclassified.
The DOE's approach to classification is far superior.
Classified visits. The DoD procedure for a cleared person to access classified information at another cleared facility has remained essentially the same for more than 20 years. The FSO formulates a letter or completes a form, which can be designed by the contractor. It contains pertinent information (name, Social Security number, level of clearance, date of birth, purpose, etc.), and it is forwarded to the facility to be visited. The FSO's signature on the form is acceptable as certification of the visitor's security clearance. It can be effective for one day or up to one year.
Prior to acceptance at the facility to be visited, the FSO confirms the cage code (an ID given each facility) and clearance level of the sending facility. The visitor may then access classified information when such access is required to meet the objectives of the visit. The clearance is effective only at the facility for which it was granted.
The DOE has a similar system, hut it applies only when access to SIGMA information (nuclear weapons data) is required. The difference is that use of a specific form is required, and it must go to DOE headquarters for approval.
DOE Security confirms with the party to be visited that access to SIGMA information is required. When SIGMA access is not required, anyone with a DOE badge that reflects a security clearance can go to any other DOE facility and access classified information at the level reflected on his or her badge.
On the surface this practice may appear risky. It is not an unacceptable risk Classified information is secured, and custodians are responsible for ensuring that recipients are cleared and have a need to know prior to dissemination.
DD 254 and FDAR. When the DoD awards a classified contract (or even an RFP for a classified contract), accompanying it is a Department of Defense Contract Security Classification Specification, DD Form 254. The DD 254, as it is known, does not actually provide classification guidance as the name implies; it provides an overview of the security requirements for that contract. It identifies the prime contractor and up to two subtier contractors. It includes all applicable cage codes but not the classified mailing address. It identifies all the elements of the information security program that will apply, such as COMSEC, OPSEC, TEMPEST, etc. It identifies the contract number and the level of Facility security clearance required. The DD 254 is valuable in that it enables an FSO to determine the extent of resources required to perform on a classified contract.
The DOE has no such form but does have something called a U.S. Department of Energy Facility Data and Approval Record (FDAR). The FDAR identifies the prime contractor and its classified mailing address, and also the highest level of classified information to be accessed. It identifies the contractor security officer by name.
The purpose of the FDAR is principally to have a record of the DOE contractor providing classified services to the DOE. The problem is that the FDAR does not help the contractor understand the overall needs of the contract, so one finds out piecemeal that you need encryption devices and an OPSEC program, defense courier services, etc. DOE should consider adopting an approach similar to that of the DoD.
Vaults/open areas. The two departments also take divergent approaches with regard to how and when classified information can he accessed and discussed. The DOE designates limited areas, exclusion areas, and other areas of a restricted nature in which classified information can be processed and discussed. With the DoD, classified information can be discussed virtually anywhere in a cleared facility when reasonable measures have been taken to ensure its protection. The DoD has closed and restricted areas, but they tend to be for specific applications, such as computer security.
Data relative to nuclear weapons warrant a higher level of protection, and DoD is inclined to establish special access programs when a classified technology is so sensitive that it warrants additional protection. Where special access programs and special access required programs are concerned, the DoD will require vault-type rooms (VTR), and all classified and sometimes all unclassified work is conducted in those VTRs.
The DoD method is more convenient but less secure. DOE's approach is more expensive, but superior.
Contractor facilities. The DoD used to have a program called the Key Asset Protection Program or KAPP. Its purpose was to identify those contractors whose production was critical to the military, particularly in time of war. The Defense Investigative Service, as the Defense Security Service was called then, would survey the infrastructure and identify vulnerabilities.
A report detailing vulnerabilities and corrective action would be recommended to the contractor. The program's corrective actions, however, were not funded and the contractor was under no obligation to implement any of the recommendations.
KAPP has been replaced with the Critical Asset Assurance Program, or CAAP, which unfortunately has never been fully implemented, and it is challenging to find a contractor that can say it has been affected by CAAP. Consequently, some contractor facilities are potentially vulnerable to unrecognized threats, such as domestic terrorists. They could drive an Oklahoma Cityclass explosive up to such a facility and destroy the product, the facility, and the highly educated, highly trained contractor employees inside.
DOE does not have a similar program for its off-site contractors; however, production of nuclear weapons, components, and special nuclear material is restricted to DOE facilities and its labs. Protective measures taken at those DOE facilities are extensive and comprehensive, contrary to impressions given by media reports.
There are many other ways in which DOE and DoD differ. These are just some that appear notable.
The security ranks of the DoD and the DOE are filled with people who are experienced, bright, competent, and truly concerned about the protection of classified information, and each of them executes certain parts of the mission, protecting classified information extremely well. Yet mechanisms that allow for the exchange of information and methodologies are wanting. Departments and agencies charged with the nation's defense could do better by pooling their experience, talents, innovations, and practices, with the goal of continuously honing their methodologies in protecting our nation's secrets.
G. Ernest Govea, CPP, is corporate facility security officer for Fluor Corporation in Aliso Viejo, California. He has more than 20 years of experience with defense contractors, and he sewed four years in the military. He is a member of ASIS.
|Printer friendly Cite/link Email Feedback|
|Author:||Govea, G. Ernest|
|Date:||Sep 1, 2000|
|Previous Article:||It's All in Their Heads.|
|Next Article:||Stone Walls Do Not a Prison Make.|