Information Security Oversight Office (ISOO)

NISPPAC Minutes - September 11, 1997


The National Industrial Security Program Policy Advisory Committee (NISPPAC) held its tenth meeting on September 11, 1997, at 2:30 p.m., in Building 36 of the National Imagery and Mapping Agency (NIMA), 3200 South Second Street, Saint Louis, Missouri. Steven Garfinkel, Director, Information Security Oversight Office (ISOO), chaired the meeting. The meeting was open to the public.

Welcome, Introductions and Announcements.

During the welcome and introductions, the Chair announced that Rudolph H. Waddy, Senior Program Analyst, ISOO, was replacing Ethel R. Theis, Associate Director, ISOO, who recently retired, as the ISOO representative to the NISPPAC.

The Chair remarked that today's meeting was the last meeting of the last three original industry NISPPAC members: Thomas J. Adams, John P. O'Neil and Richard P. Grau. The Chair added that he had been advised that they would receive a letter from President Clinton thanking them for their service as original representatives on the NISPPAC.

The Chair announced that Raymond I. H. Kang, Bernard A. Lamoureux and Susan Davis Mitchell would be replacing the outgoing industry members beginning October 1, 1997. He introduced Mr. Kang and Mr. Lamoureux to the NISPPAC members. Due to an illness in her family, Ms. Mitchell was unable to attend the meeting. The Chair submitted the minutes of the March 25, 1997 meeting for approval. The members approved the minutes without correction.

National Industrial Security Program Operating Manual (NISPOM) Issues.

J. William Leonard, Director, Security Programs, Office of the Secretary of Defense, led the discussion of the following NISPOM issues.

Amendments to the NISPOM to Conform with Executive Order 12958 and its implementing Directive.

Mr. Leonard reported that NISPOM Change One, which principally addresses the implementation of Executive Order 12958, had been approved and published. It is currently available online and can be accessed on the Defense Investigative Service (DIS) Home Page. (Subsequent to the meeting, DIS was renamed the Defense Security Service (DSS).) He added that Change One was also attached to the most recent Industrial Security Letter, 97-1, which had been printed and distributed. He indicated that the printed version should be waiting for the industry members when they returned to their offices.

Revision to Chapter Eight, "Automated Information Systems."

In response to the NISPPAC's recommendation to publish a revised Chapter Eight by January 1998, Mr. Leonard provided the NISPPAC members with a progress report on the Executive Agent's efforts to revise Chapter Eight and the timetable to accomplish the revision by January 1998. This included a scheduled meeting on September 30, 1997, to discuss initial reaction to the "performance-based" draft.

Department of Defense Security Certification and Accreditation Process for Information Technology (DITSCAP).

Several NISPPAC members requested that Mr. Leonard comment on a draft Department of Defense (DOD) instruction that addresses how DOD intends to handle the accreditation and certification of its information technology systems. Mr. Leonard stated that most of the DOD services and DOD agencies have established their own accreditation and certification processes for automated systems.

Consequently, a plethora of accreditation and certification processes for automated systems exist within DOD. Mr. Leonard explained that the intent of the instruction is to set forth a process, not necessarily the process, that DOD components could use to accredit and certify components that comprise the Defense information infrastructure. He emphasized that this is an instruction and not a directive. Hence, it is not intended to promulgate policy. Rather, it is intended to reflect the current policy in the Computer Security Act of 1987 and DOD Directive 5200.28, "ADP Security Manual: Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluating Secure Resource-Sharing ADP Systems." Mr. Leonard added that this initiative is also in response to the long-standing requirement that Federal automated systems have a formal certification and accreditation process.

As Mr. Leonard continued his comments, he indicated that the instruction will have a moderate impact on industry. The instruction will come into play in those instances in which industry supports the Defense information infrastructure or actually runs a significant portion of the Defense information infrastructure. The instruction will provide a process that may be used for accrediting and certifying contractor-operated systems that comprise the DOD information infrastructure. The instruction calls for sponsoring DOD components to determine when a contractor-operated system falls within the purview of the Defense information infrastructure and whether it requires accreditation and certification by the DOD. Once it is determined that the system falls within the Defense information infrastructure, the requirement will have to be proposed contractually. Once it is proposed contractually, the DOD component should work with the contractor to pursue the accreditation and certification process.

Currently, the draft indicates that the DIS will assume the role of accrediting and certifying automated information systems in the Defense industry. A number of DOD organizations have taken exception to DIS accrediting and certifying the DOD information infrastructure because it is not within its purview, particularly in regard to sensitive unclassified systems. The role of DIS has yet to be resolved.

As Mr. Leonard concluded his remarks, he indicated that the instruction should not conflict with the NISPOM.

Status Report on the Revision of Chapter Ten, "International Security."

The Change Two package, containing a rewrite of Chapter Ten, is in circulation. Mr. Leonard briefly informed the NISPPAC members that misleading and extraneous discussions of the protection of unclassified information were deleted from the chapter.

Update on Chapter Nine, Communications Security (COMSEC) Supplement.

Mr. Leonard reported that a new section four has been added to Chapter Nine. The rewrite of section four was a joint effort by the National Security Agency and the Defense Investigative Service. Section four totally supplants the COMSEC supplement that currently exists in the Industrial Security Manual. It significantly abbreviates and addresses the core requirements with regard to the protection of classified COMSEC material. Discussions on the protection of unclassified COMSEC material and administrative procedures that the central office of record follow have been deleted from the chapter. The new section four is also included in the Change Two package.

Use of Private Carrier.

The Industrial Security Letter 7-1 will allow a contractor to transmit "Secret" and "Confidential" classified information by an overnight private carrier, Federal Express. When transmitting information to non-DOD agencies, Mr. Leonard advised the industry members to follow the contract carrier procedures for those agencies.

Chapter Nine, Section Three -- Intelligence Information.

This will incorporate the revisions from the Director of Central Intelligence Directive 1/7. Mr. Leonard informed the NISPPAC members that there will be a delay in getting this revision into the NISPOM because several issues remain to be resolved. As the members discussed Chapter Nine, Thomas Adams, industry, raised the question of whether the Department of Defense and the Department of Energy had resolved the issue on investigative standards for obtaining a "Restricted Data/Secret" level clearance. Because neither the Department of Energy representative nor Mr. Leonard could confirm whether the matter had been resolved, Mr. Leonard agreed to provide an update on this matter at the next meeting.

Report on Information Security Oversight Office (ISOO) On-Site Review of Selected Aspects of the National Industrial Security Program.

ISOO Program Analysts Philip A. Calabrese and Bernard S. Boyd presented highlights of ISOO's review of the NISP. Briefly, the purpose of the review was to obtain some contractors' views on the progress made, thus far, in the implementation of the NISP. Eight contractor facilities in the Boston-metropolitan area participated in the review.

The results of the on-site review revealed four findings: (1) a relationship of cooperation and trust developing between the Defense Investigative Service and industry; (2) the implementation of the NISP has decreased security costs in some areas, but the reductions have not been as dramatic as expected or desired; (3) the fragmented and uneven implementation of the NISPOM by contracting agencies precludes the achievement of a single, integrated and cohesive program; and (4) the contractors' perception of no significant change in the management of classified Special Access Programs.

A lively discussion of the on-site review followed the presentation. Several NISPPAC members vigorously questioned the review's findings. In particular, the discussion centered on the contractors' perception of inconsistencies in the implementation of the NISP. The ISOO Program Analysts reported that the eight contractors experienced inconsistent application of the NISPOM in similar areas. Moreover, it seemed that formal instruction decreased significantly with the issuance of the NISPOM, but the contractors could not rely on the contracting agency to implement the program through the NISPOM. In one instance, a contractor stated that he was not subject to the NISPOM.

The ISOO Program Analysts briefly discussed the next phase of the on-site review process and explained that ISOO would involve the contracting agencies to ascertain their views on the implementation of the NISPOM.

Update on the Organizational Structure of the Office of the Assistant Secretary of Defense (Command, Control, Communications and Intelligence) (C3I).

Mr. Leonard informed the NISPPAC members that it is still not certain how the reorganization of the Department of Defense will affect C3I. He further reported that Joan A. Dempsey is no longer the Deputy Assistant Secretary of Defense (Intelligence and Security). She is now Chief of Staff for the Central Intelligence Agency. Tony Valletta is the Acting Deputy Assistant Secretary of Defense (Intelligence and Security). Douglas G. Perritt remains as the Principal Director, Information Warfare, Security and Counterintelligence, Office of the Assistant Secretary of Defense (C3I).

Security Policy Board (SPB) Update.

Daniel Jacobson, Director of the Security Policy Board staff, outlined some of the ongoing activities of the SPB. He announced that on December 2, 1997, the SPB will hold its first annual Security Policy Board summit. The summit is for the Board itself. A memorandum will go out to organizations within industry and the Government requesting them to identify, for the Board, the top five priorities for the Board to address and to champion in 1998.

The Safeguarding Directive.

The Safeguarding Directive has been approved by the Board and is in the process of being signed out by the Board co-chairs for transmittal to the White House.

As Mr. Jacobson continued his remarks, he told the NISPPAC members that, as the Safeguarding Directive was being drafted, the Department of Justice objected to the manner in which the agencies handle the issue of unauthorized disclosures. The Department of Justice takes exception that agencies, knowing that there will be no Federal prosecution, wash their hands of the matter by simply referring unauthorized disclosures to the Federal Bureau of Investigation. The Department of Justice feels that a better system is needed. The Department of Justice is preparing a recommendation to address this matter. It will be presented at the next Policy Integration Committee meeting.

Special Access Program/Sensitive Compartmented Information (SAP/SCI) Standards Working Group.

Mr. Jacobson and Shawn Daley, Massachusetts Institute of Technology, Lincoln Laboratories, reported on the initiatives that the working group is proposing to address the SAP/SCI issues. There will be a single set of standards for the SAP/SCI community to follow. The working group expects to complete its task by June 4, 1998.

Update on the Status of Executive Order 12958, "Classified National Security Information".

Steven Garfinkel, Director, Information Security Oversight Office, briefly discussed three issues concerning the security classification program: (1) the proposed statute for governing classification and declassification programs in the Government; (2) the requirement to report security costs; and (3) the progress made in the area of declassification.

Proposed Statute.

As a result of the recommendations of the Commission on Protecting and Reducing Government Secrecy, otherwise known as the Moynihan Commission, legislation was introduced to establish a statutory framework for the security classification program. The process took off quickly and was focused in one committee in each House of Congress: the Senate Governmental Affairs Committee and the House Reform and Oversight Committee, formerly the House Government Operations Committee. By focusing the legislation in two committees, Congress hoped to assure that action would take place on the legislation and that it would not become moribund in several committees. Hearings began in the Senate Governmental Affairs Committee; however, the issue of campaign finance reform has overtaken other legislative initiatives in these committees for this year.

Nevertheless, the National Security Adviser requested that the Director of the Information Security Oversight Office chair an interagency working group to address the merits of a statute for the security classification program. The Chair reported that there is strong disagreement among the working group members on the legislation issue, as well as other issues. Most of the members are adamantly opposed to the legislation. However, several members felt differently about the validity of legislation. Because of the differing views, the group intends to submit an analysis of the legislation that represents a consensus but not unanimous view on the concept of a statutory framework for the security classification program. Each member may also submit a dissenting view, a contrary view or an auxiliary view to the National Security Adviser. The working group expects to forward its final product to the National Security Adviser by mid-September.

Appropriations Bills.

Mr. Garfinkel reported that the appropriations bills, which are due to be passed by Congress, will again include the requirement for the Government to report the costs for maintaining the security classification program within Government and industry. The security cost figures are due to Congress by May 1, 1998. The Executive Agent would like industry to submit its figures to the Office of the Secretary of Defense by March 1998. NISPPAC member Shirley E. Krieger is the industry point of contact for the cost collection effort.

Declassification.

In its 1996 Report to the President, the Information Security Oversight Office reported extraordinary data in the area of declassification. Mr. Garfinkel directed the NISPPAC members to refer to the chart, on page 4 of the Report, which shows the number of pages declassified from fiscal years 1980-1996. In fiscal year 1996, the agencies declassified almost 200 million pages. Mr. Garfinkel added that the declassification program will continue, although the question of whether or not Executive Order 12958 will be amended to provide more time for the agencies to implement the declassification program remains open. As he concluded his remarks, Mr. Garfinkel indicated that this question would ultimately be decided as a political question. He added that it would be easier for the administration to grant agencies some relief if successes can be pointed out along the way and if the agencies are demonstrating good faith in complying with the declassification requirements.

"Parting Shots" of Outgoing Industry Members.

The Chair invited Thomas J. Adams, Richard P. Grau, and John P. O'Neil to make farewell remarks. All three expressed that a lot of progress had been made with the NISPPAC and that respect and understanding are being established between Government and industry.

Open Forum.

The Defense Investigative Service's (DIS) Plan To Institute A "Fee For Service" Remuneration System.

Mark R. J. Borsi, Deputy Director, Security, Logistics, Aircraft, and Industrial Relations Division, National Aeronautics and Space Administration (NASA), provided the NISPPAC members with a copy of a letter from him to Steven T. Schanzer, Chief Operating Officer, Defense Investigative Service, that concerned DIS's plan to bill agencies for its services. Basically, the letter raised two issues: (1) NASA was not given much consideration in the "fee for service" scheme; and (2) the industrial security program may return to a fragmented system if agencies discover that it is cheaper to pay a contractor for the services that DIS provides. In response to Mr. Borsi's concerns, Rene Davis-Harding, Deputy Director for Policy, DIS, and Mr. Leonard explained that the Quadrennial Defense Review directed DIS to streamline the security process so that cost savings would result. Moreover, they expressed that in today's fiscal climate DIS can no longer afford to bear the financial burden of providing its services at no cost to the agencies.

Membership of the Security Policy Board (SPB).

The Chair commented that, as he reviewed prior NISPPAC minutes, he noticed that the Security Policy Board staff has played a significant role in the NISPPAC. In his continuing remarks, the Chair asked the members to consider adding the SPB to the NISPPAC. The Chair indicated that he would discuss this matter with Mr. Jacobson and depending on those discussions he might have a motion to amend the NISPPAC bylaws at the next meeting. He added that the NISPPAC members should consider whether to add an industry member as well, since this addition, if approved, would increase the Government's membership on the NISPPAC.

Next NISPPAC Meeting.

The Chair announced that the first meeting for fiscal year 1998 will take place in the Washington, DC metropolitan area, in late February or early March. As the time for the meeting approaches, Dorothy Cephas, Executive Secretary for the NISP, will contact the members with further details.

Adjournment.

The Chair adjourned the meeting at approximately 4:30 p.m.
