Information Security Oversight Office (ISOO)

NISPPAC Minutes - May 21, 2002

Tuesday, May 21, 2002
(As approved at the meeting of September 25, 2002)

The National Industrial Security Program Policy Advisory Committee (NISPPAC) held its nineteenth meeting on Tuesday, May 21, 2002, at 2:00 P.M., at Davis-Monthan Air Force Base, Tucson, Arizona. Laura L. S. Kimberly, Acting Director, Information Security Oversight Office (ISOO), chaired the meeting. The meeting was open to the public.

  1. Welcome, Introductions and Announcements. After welcoming those in attendance, the Chair began the meeting by thanking William A. Davidson, Administrative Assistant to the Secretary of the Air Force; Daniel Bishop, Directorate of Security Forces, HQ USAF; MSgt Eric C. Wilke, 355th SFS, and other members of the 355th Wing at Davis-Monthan Air Force Base for hosting the meeting. Following these remarks, the Chair asked that each of the NISPPAC members and guests introduce themselves. A roster of attendees is attached. The Chair submitted the minutes of the November 7, 2001 meeting for approval. The members approved the minutes with two corrections. The first correction appears on page four, line nine. The Department of Energy (DOE) representative clarified that DOE reported one major case involving the loss of classified information instead of one package missing. The second correction also concerned a clarification on page four, line thirteen. The Department of Defense (DOD) representative clarified that the General Services Administration has published guidance on the discontinuance of purchasing the X07 lock, not the X08 or X09 locks. As there were no other comments or corrections to the minutes, the NISPPAC members approved the minutes as corrected. The Chair was pleased to announce that on June 3, 2002, J. William Leonard, Principal Director, Security and Information Operations, Office of the Assistant Secretary of Defense (C3I), would become the Director of the Information Security Oversight Office (ISOO). Copies of a biographical sketch on Mr. Leonard were made available to the membership. The Chair also reported on the status of the revisions to Executive Order 12958, "Classified National Security Information." A subcommittee of representatives from the Departments of Defense, Energy, Justice, State, the Central Intelligence Agency and the National Archives and Records Administration had been tasked by the Policy Coordinating Committee (PCC) for Records Access and Information Security to reconcile the agencies' comments on the first draft revision of the Order. The Chair explained that the reconciliation process had been completed and that a second draft, on May 17, had been presented to the membership of the Classification Management Working Group for comment. The Chair reminded the NISPPAC members that comments on the second draft should be submitted to ISOO by May 31. She explained that the goal was to submit the proposed revisions to the Order to the PCC by mid-June. The Chair also briefly discussed the Personnel Security Working Group's (PSWG) review of Executive Order 12968, "Access to Classified Information," which establishes the Federal personnel security program for employees. Because the PCC believes the Order is working well, the PSWG does not expect that any revisions to the Order will be considered for some time. However, the PCC has agreed to the PSWG's recommendation of the elements that should be included in a standard financial disclosure form for employees with access to classified information. Additionally, the PCC has asked that the PSWG consider ways to incorporate these elements into a form without amending Executive Order 12968. At the conclusion of the announcements, for informational purposes, the Chair made available to the membership copies of (1) the Andrew Card memorandum on Weapons of Mass Destruction, dated March 19, 2002, and its accompanying guidance paper and (2) the John Jester paper that outlines lessons learned concerning the recovery of classified materials after the 9/11 attack.
  2. Executive Agent's Update. Rosalind Baybutt, Deputy Director for Industrial Security, Office of the Assistant Secretary of Defense (C3I), reported on the following issues: (a) Chapter Eight of the National Industrial Security Program Operating Manual (NISPOM); (b) the Industrial Security Mission Analysis Assessment; (c) Fee-for-Service and (d) the review of the NISPOM on an annual basis.
    1. Chapter Eight of the National Industrial Program Operating Manual. The four Cognizant Security Agencies, Defense Security Service (DSS) representatives and industry representatives met in January 2002, to resolve the policy issues concerning Chapter Eight. The meeting went very well and the representatives resolved the issues. The minutes of this meeting will be formally released once they have been approved. The policy issues that were decided will be formally published in an Industrial Security Letter and possibly on the DSS web site. Ms. Baybutt assured the members that the next area of discussion on Chapter Eight would be procedural issues.
    2. The Industrial Security Mission Analysis Assessment. At the direction of the Office of the Secretary of Defense (OSD), C3I, the Institute of Defense Analysis has completed its review and drafted its report of the Industrial Security Mission. Some minor technical corrections have been made to the report. It has been forwarded to the Air Force, DSS and J. William Leonard, Principal Director, Security and Information Operations, Office of the Assistant Secretary of Defense (C3I) for further technical review. It is not clear if and when the report will be distributed. As soon as a decision has been made, Ms. Baybutt will notify the members of the Memorandum of Understanding Group and the NISPPAC. Finally, Ms. Baybutt pointed out that the possibility of moving the Industrial Security Mission of the DSS to the Counter Intelligence Field Activity (CIFA) was not specifically addressed in the report. As a result, the authors of the study were asked to provide a white paper on this issue to Mr. Leonard.
    3. Fee-for-Service. Ms. Baybutt informed the NISPPAC members that it is unlikely that the Department of Defense will pay for contractor investigations. Based on a study,* which included participants from the DOD comptroller, acquisition and C3I, DOD's cost would increase by 34% for each investigation. Further, upon inquiry, concerned components and services in DOD were not receptive to paying for contractor investigations. The final report from this group, due to the Secretary of Defense by the end of May, in essence, states that fee-for-service is a terrible idea. Ms. Baybutt added that the DOD Comptroller had not signed off on the report. As soon as the Comptroller signs the report, she will inform the members of the Memorandum of Understanding Group and the NISPPAC. As Ms. Baybutt concluded her remarks, she mentioned that in about two years DOD plans to look at fee-for-service for its non-DOD user agencies. *The Defense Contract Audit Agency reviewed the five major defense contractors to determine each contractor's cost for a $2500 background investigation.
    4. Annual Review of the National Industrial Security Program Operations Manual. Ms. Baybutt informed the members that the four Cognizant Security Agents have agreed to examine the NISPOM on an annual basis to consider changes to the NISPOM. She asked those NISPPAC members with recommendations to submit them to her as soon as possible. Ms. Baybutt expects any changes to the NISPOM to be published by late summer.
  1. Defense Security Service (DSS) Update. Ronald W. Iverson, Deputy Director for Industrial Security, Defense Security Service, announced that William A. Curtis, Director for Information Technology Investment and Acquisition, Office of the Assistant Secretary of Defense, Command, Control, Communications, and Intelligence, has been appointed as the Acting Director for the Defense Security Service. He added that, the current Director, Lt. General Charles J. Cunningham, Jr., is retiring on May 31. After this announcement, Mr. Iverson proceeded with his discussion of personnel security investigations, the DSS's initiative to facilitate the transmission of classified information overseas and the use of contractor support to certify Automated Information Systems (AIS).
    1. Personnel Security Investigations. Mr. Iverson reported that with the Office of Personnel Management's (OPM) assistance DSS has made tremendous progress in clearing up its backlog of personnel security clearance investigations. To date, there are 148,000 clearances pending. A year and a half ago there were 492,000 clearances pending. Unfortunately, OPM now has 250,000 clearances pending and is no longer able to assist DSS. Security clearance investigations are returning to DSS: Air Force in May and Army in June. The returning workload, according to Mr. Iverson, is 20% more than planned by DSS. Of the 148,000 cases pending, approximately 80,000 are over 360 days old. As DSS has processed the older cases, it has discovered that about 10% of the cases can be eliminated because a security clearance is no longer needed. As a result of this finding, DSS hopes to work with its customers to determine whether the older requests for security clearances are still needed. DSS anticipates that this would greatly reduce its workload and enable it to eliminate its backlog by June 2003.
    2. Transmission of Classified Information from Government to Government. Mr. Iverson noted that DSS is testing a program that will ease the burden on DSS and industry for sending classified information overseas. Currently, a DSS representative is directly involved in packaging and delivering classified information to the embassy here, in the United States, which then sends the package to the overseas Ministry of Defense. Then the company picks up the package from that Ministry of Defense. The test takes the DSS representative out of packaging and handling and puts an industry Empowered Official in that role. The Department of State and Customs Service have raised several concerns about this test process. It is not clear whether the test process will become the approved practice. Mr. Iverson believes this is an area where DSS and industry can improve the process.
    3. Possible Contractor Support to DSS for AIS Certification Mr. Iverson informed the membership that DSS is looking at conducting a pilot over the summer which would involve using Information Technology contractors to do certifications AIS systems. This certification information would then be provided to DSS Information Systems Security Professionals to conduct accreditations of their systems. Mr. Iverson noted again that projects like this one help DSS streamline its processes with industry and standardize accreditation and do so in a timely manner.
  1. NISPPAC Subcommittee Update - Implementation of Recommendation Number Four Recommendation number four calls upon ISOO to increase its oversight of Executive Order 12829, "National Industrial Security Program" and its implementing directives. The goal of this recommendation is two-fold: (1) to strengthen the National Industrial Security Program and (2) to facilitate ISOO's role in developing, verifying, and crystallizing issues. ISOO Program Analyst Bernard S. Boyd briefly explained ISOO's initiatives to implement the recommendation. First, ISOO plans to conduct a new and expanded electronic survey of the contractors to ascertain their views on the operation of the NISP. ISOO expects to reach at least 4,700 contractors. The survey is scheduled to begin in June. Second, ISOO plans to conduct on-site visits. On-site visits will be determined by the results of the survey and suggestions from the Defense Security Service. Third, ISOO is in the process of developing three marketing products to promote the NISP. These include: (1) a brochure that describes the NISP in a nutshell; (2) a pamphlet that provides detailed information on the policy of the NISP, the significant NISP players and their role; and (3) a bookmark that quickly references contact information for the NISP. Draft copies of these products were distributed to the NISPPAC members. ISOO has also enhanced its web site so that more information on the NISP is readily available. The Chair added that suggestions for any of the products are welcomed and suggested that the NISPPAC members might want to consider forming an ad-hoc working group to develop other products that may be useful for promoting the NISP.
  2. Industry's Five Issues Concerning the Improvement of the National Industrial Security Program Patricia B. Tomaselli, Director of Sector Security, Northrop Grumman Corporation, reported on industry's five issues and identified specific concerns for each. They are listed in the chart below.
    The Five Issues Specific Concerns
    (1) Meaningful clearance reform - The clearance process is a strain on industry resources, particularly since 9/11, because it impacts on industry's ability to move people and effects the periodic reinvestigation process. Industry is conducting a study.
    • The Personnel Security Investigation Process Reform (timeliness initiatives)
    • Investigative and Adjudication Reform
    • Impact of the Smith Amendment
    • Impact of Additional Vetting on Resources
    (2) Reciprocity - The biggest issue for the NISPPAC because of its actual take on what industry believes to be the value of the NISP--a cost-effective system. The two areas of concern are: (i) personnel clearance, and (ii) physical and cyber security. Industry is proposing a working group to address this issue.
    • Impact of Smith Amendment
    • Impact of Appendix K to the 5200.2R
    • Impact of the 5200.39 Draft Mandatory Procedures for R&D Protection
    (3) Fee-for-Service - This is a bad idea for business. Industry will wait for DOD's resolution.
    • Contractual obligation of Government to provide clearances
    • Oversight in place to eliminate unneeded clearances
    • Additional fees to pass through contract dollars
    • Impact on programs and flexibility of personnel
    (4) Sensitive but unclassified information protection - Questions about reciprocity and the development of a fourth classification level. NDIA* has offered to conduct a study and provide a white paper from industry.

    *National Defense Industrial Association
    • Inconsistency and vagueness in definitions
    • De facto fourth classification level developing
    • Over 14 organizations have developed requirements
    (5) Chapter Eight - Propose an industry study to enhance communication and interpretation. Will work with the CSAs and Information System Security Programs (ISSP).
    • Receipt and dispatch procedures
    • Protection of LAN and WAN based information
    • Exemptions and waivers versus consistency in DSS

    Following the presentation, the Chair asked the NISPPAC members for their views on industry's clearance reform study. Ms. Tomaselli welcomed Government representation on this study and expects that this group will consult with Government agencies that currently conduct their own personnel security investigations such as the National Reconnaissance Office and the Central Intelligence Agency. She further commented that the experience of these agencies could be helpful. One member noted that it would be appropriate to also include a representative from the intelligence community's personnel security management community. At the end of the discussion, the Chair suggested that a member of the Personnel Security Working Group also be invited to participate.

    Ms. Tomaselli agreed to all of the suggestions and again invited Government representatives to join as well. The Chair advised those individuals interested in working on this issue with industry to contact Ms. Tomaselli.

    The discussion then turned to the issue of reciprocity. Because of the number of studies on this issue by various groups and the current ISOO study, the members decided to table this issue until the next meeting. The members also agreed to table the discussion of fee-for-service until the issuance of the DOD report.

    As the discussion turned to the fourth issue, protection of sensitive but unclassified, Ms. Tomaselli informed the NISSPAC membership that the National Defense Industrial Association (NDIA) had offered to conduct a study that examines how sensitive but unclassified information is handled in industry. As the discussion concluded, Ms. Tomaselli informed the NISPPAC members that the results of the NDIA study would be presented at the next meeting. The Chair commented that the NISPPAC would welcome NDIA's report because it could assist in establishing uniform procedures for handling sensitive but unclassified information. She also added that the Office of Management and Budget is working with the Office of Homeland Security to develop a directive for this type of information.

    Because the NISPPAC members felt that Chapter Eight of the NISPOM, "Automated Information Systems," had been thoroughly discussed, there was no more discussion on this issue.

    • The Director of Central Intelligence's (DCI) Special Security Center Edward S. Wilkinson, Director, Special Security Center, informed the NISPPAC members that the Special Security Center will be in operation on October 1, 2002. It will consist of 70 positions. The purpose of the organization is to ensure the proper handling and maintenance of classified intelligence information. Before 9/11, the Director of Central Intelligence had concerns about the intelligence community's handling of such information and asked senior officials to conduct a self-inspection of their programs. The self-inspections revealed that the DCI's directives were not being uniformly applied. The DCI's solution to this problem was to form the Special Security Center. Oversight and compliance has become even more critical, now that the intelligence community provides actionable operational information on a daily basis to individuals in the Government who have never had access to Sensitive Compartment Information or intelligence information. The Special Security Center will be providing assistance and guidance in the handling of classified intelligence information to the intelligence, defense, law enforcement and foreign affairs communities, as well as industry. In his concluding remarks, Mr. Wilkinson explained that the Special Security Center is not a CIA organization in its office of security. The Director of the Special Security Center reports directly to the Special Assistant to the DCI for Security.
    • Open Forum Dianne Raynor, Facility Security Officer, MCA Engineers, Inc., raised two issues before the NISPPAC members. The first concerned the indiscriminate use of social security numbers as an identifier. The discussion of this matter revealed that pending legislation in the House of Representatives might take care of this matter. The second issue concerned the requirement to have a security clearance to access unclassified Government databases. After a brief discussion the members remarked that since 9/11 this seems to be becoming a standard requirement. At the Chair's request, Ms. Raynor indicated that she would provide the Chair and the NISPPAC members with more information on this topic.
    • Closing Remarks and Adjournment The Chair again thanked everyone at Davis-Monthan Air Force Base who helped with the arrangements for the meeting. There being no other business the Chair adjourned the meeting. The next meeting is scheduled for September 25, 2002, in Washington, DC.

Attendance Roster Industry Attendees (Members)
Maynard Anderson
Lonnie Buckels
Gregory Gwash
Bernie Lamoureux
Jim Linn
Mike Nicholson
Dianne Raynor
Pat Tomaselli

Industry Observers
Joe Cotela
Diane M. Doherty
Richard "Lee" Engel
Kent Hamilton
Ray Kang
Lori Slicker
Glen Ulvinen

Government Attendees
Air Force:
Bill Davidson Dan Bishop Barry Hennessey
Army
Kathi Weick
CIA
Ed Wilkinson
DoD
Rosalind Baybutt
DSS
Ron Iverson
DOE
Geralyn Praskievicz Ray Holmer
NSA
Dan Hanratty H. Robert Kennedy
State
Andrea Jones

ISOO Attendees

Laura Kimberly
Emily Hickey
Bernard Boyd
Dorothy Cephas

Top