Information Security Oversight Office (ISOO)

NISPPAC Minutes - September 14, 2000

Minutes of the Meeting
Thursday, September 14, 2000

The National Industrial Security Program Policy Advisory Committee (NISPPAC) held its sixteenth meeting on September 14, 2000, at 2:00 p.m., at the Naval Air Warfare Center, Training Systems Division, in Orlando, Florida. Steven Garfinkel, Director, Information Security Oversight Office (ISOO), chaired the meeting. The meeting was open to the public.

Welcome and Introductions: Approval of Minutes; Introduction of Incoming Industry Members; and Presentation to Outgoing Industry Members
The Chairman began the meeting by submitting the minutes of the April 6, 2000 meeting to the Committee for approval. They were approved with only minor changes. After welcoming those in attendance and the self-introductions, the Chair welcomed incoming industry members, Pat Tomaselli, Northrop Grumman Corporation, and Lonnie Buckels, Buckels Security Management Solutions. After introducing the new members, the Chair presented letters from President Clinton to outgoing industry members Carol Thomas and Ed Halibozek. The Chair added his deep appreciation on behalf of the NISPPAC, and stated that he hoped that they would maintain an ongoing dialogue with the NISPPAC and its members.

Executive Agent's Update
Rosalind Baybutt, Deputy Director for Industrial Security, Office of the Assistant Secretary of Defense (C3I), Office of the Secretary of Defense, discussed changes to Chapters 8 and 10 of the National Industrial Security Program Operating Manual (NISPOM); the industrial security regulation; Pentagon security; the proposed amendment to Department of Defense (DOD) legislation; and the Joint Personnel Adjudication System (JPAS).

Change 2 to the NISPOM
Mrs. Baybutt reported that Mr. Arthur L. Money, Assistant Secretary of Defense, signed Change 2 on May 1, 2000. She also stated that the change is going through the publication process.

Chapter 8
Mrs. Baybutt said that the Office of the Secretary of Defense is working on an industrial security letter concerning changes to Chapter 8 and plans to implement it May 1, 2001.

Industrial Security Regulation
Mrs. Baybutt shared that the industrial security regulation, the companion document to the NISPOM, has been rewritten and will be coordinated with industry. She also mentioned that several topics would be covered, including the Defense Security Service (DSS) mission oversees and the international problem with government to government transmission.

Pentagon Security
Mrs. Baybutt's remarks centered on the new entrance and exit policy within the Pentagon. She remarked that there will be random entrance and exit checks and advised that persons entering or leaving the building with classified information to have it wrapped properly.

Proposed Amendment to DoD Legislation
Mrs. Baybutt indicated that Senator Robert C. Smith from New Hampshire has proposed an amendment that would prohibit DOD from granting a clearance to anyone who has been convicted of a crime punishable by more than one year in prison, dishonorably discharged, convicted of using illegal drugs, or declared mentally incompetent. She stated further that this amendment, if passed, could change adjudication standards within DOD and thus, adversely impact reciprocity with other agencies.

Joint Personnel Adjudication System (JPAS)
Mrs. Baybutt stated that JPAS, the computer system that contains clearances, is currently operating within the Air Force and is being extended to all the DOD activities and industry. She also stated that in the near future, one will be able to verify access and transfer clearances based on a social security number. Beta testing for the system is 45 days behind. She expects industry to be on-line and functioning within the system by September 2001.

Chapter 10
Mrs. Baybutt expressed that comments pertaining to Chapter 10 were forwarded to the office responsible for international security policy. She expressed that in a defense authorization bill there is language that will allow protection of foreign government information and restricted data under the Freedom of Information Act. She added that if that were to happen, government agencies will be able to lower the standards for restricted data and would not have to protect it as Confidential.

DSS Update
Valerie Heil, Deputy Chief of Staff for Industrial Security, DSS, reported on DSS' headquarters realignment; the Case Control Management System (CCMS); the Electronic Personnel Security Questionnaire (EPSQ); interim and final clearances; additional staffing; and the DSS Academy.

Headquarters Realignment
Mrs. Heil shared that under the new realignment, headquarters will consist of a Director and five Deputy Directors in the areas of personnel development, security programs, field operations, resources and program analysis and evaluation. Under this new structure, all the major reporting areas will be reporting to the same senior executive. Mrs. Heil stated that the field structure will experience very little change.

Case Control Management System (CCMS), the Electronic Personnel Security Questionnaire (EPSQ), and the Clearance Backlog
DSS still has a backlog of investigations for security clearances. However, Mrs. Heil shared that DSS is making progress. She said that DSS' goal for FY 2000 was to utilize CCMS to produce 2500 reports for adjudication daily. She stated that in addition to exceeding its goal with an average of 2800 reports a day, DSS had improved its workflow process for EPSQ's. She said the workflow process improved from days to hours and in some cases minutes. She indicated that DSS has deployed some software enhancements that will automatically open government EPSQ cases that have met certain validation criteria. She also mentioned that there are instances when industry cases are expedited. She explained that while industry cases go to the Defense Security Service Contracting Office first through the electronic path for an interim clearance decision, they could also be expedited if they meet prescribed validation criteria.

Interim and Final Clearances
DSS is now issuing interim clearances within seventeen days and hopes by late October the numbers will be down to 8 days or less. As for final clearances, Mrs. Heil shared that the Director of DSS set a short term goal of completing them for industry within 180 days provided they are non issue oriented and require no overseas leads. Currently, DSS is taking between 250 and 300 days to issue a clearance. She added that by mid-October DSS will be in a better position to assess progress.

Industrial Security Program Representatives
DSS is focusing on its core competencies and has hired half of its new industrial security representatives. In response to a prior question concerning DSS' Industrial Security Operating Manual, Mrs. Heil explained that the manual is to be used as a standard operating manual for DSS' internal use only. She further stated the manual was not to be used to cite security findings. She added that the manual is used within DSS to ensure quality, consistency and timeliness. She also mentioned that DSS is continuing its evaluation of resource needs. To date, she said the Defense Security Service Contracting Office has been working to fill 20 new positions, has added seven additional field automated information systems (AIS) specialists and is working to hire an AIS manager for each region.

DSS Academy
Mrs. Heil indicated that the Defense Security Service Academy has a curriculum and a web site. She also remarked that on DSS' web site, one can verify receipt of the EPSQ and subscribe on-line to the EPSQ e-news for periodic updates and usage tips.

DCI: Industrial Security Program Improvements
James Kirkman, Chief, Personnel Security, Central Intelligence Agency (CIA), provided an overview of CIA's efforts to improve the cycle time for approving security clearances. Those efforts include improved profile markers that automatically allow the system to forward specific cases for faster completion. Mr. Kirkman also noted that the CIA leadership is now placing greater emphasis on improving communications with contractors regarding personnel matters. This is being accomplished through quarterly newsletters and meetings.

SPB Update: Oversight; Extranet for Security Professionals; Personnel Security Research; and Information Systems Security

Oversight
Mr. Ed Wilkinson, Deputy Director, Security Policy Board Staff (SPB), reported to the members on the status of SPB activities and initiatives. Mr. Wilkinson acknowledged that just over a year ago, as a result of a recommendation by the Joint Security Commission II (JSC II), the SPB Executive Committee (ExCom), was established. The ExCom is Co-Chaired by Joan Dempsey, Deputy Director of Central Intelligence for Community Management and Art Money, Assistant Secretary of Defense for C3I. He noted that one of the principal findings that came out of the JSC II report was a lack of oversight within the executive branch of federal agencies. While there is a conflict resolution mechanism within the SPB, there is no oversight mechanism to ensure full implementation of these policies, programs and executive orders that have been approved at the national level.
Mr. Wilkinson reported that at the last SPB meeting, Larry Welch, Chair of the SPB Advisory Board, had delivered his report to the board members, which ignited considerable discussion about the topic of "oversight." There was some concern from member agencies about oversight being simply an audit mechanism. Mr. Wilkinson said that this perception was clarified and put to rest by General Welch. Mr. Wilkinson stated that the SPB, having had the ExCom approve the concept of oversight, has now the directed the SPB Forum to devise implementation plans. He stated that the development of the first national oversight process for six executive orders is underway. The data complied in this effort will be used as the basis for the SPB annual report to the President.

Extranet for Security Professionals (ESP)
Mr. Wilkinson indicated that an executive agency was approved for the Extranet for Security Professionals (ESP). The Office of Personnel Management (OPM) has agreed to be the host on behalf of the government. Currently, they're working through some vital issues relative to intellectual property matters between Carnegie-Mellon, the developer and the U.S. government (DARPA). Mr. Wilkinson acknowledged DSS for approving the use of the ESP as a method for transmitting and verifying security clearances. He also acknowledged the Department of Energy and the National Air and Space Administration for their significant role in this endeavor.

Personnel Security Research
With respect to personnel security research, Mr. Wilkinson noted that the JSC II report recommended improved implementation in this area and that it should be based on identifiable reason as opposed to simply thinking that some things are good ideas. In that context, Mr. Wilkinson stated that DOD and CIA have been developing directives and national standards for scopes of background investigations based on what the traditional architects of personnel security thought was the "right thing." The JSC II report says, "We've got to do this better, smarter, and we have to be able to justify with rational thought why we're doing this stuff." One of the major JSC II recommendations was to develop personnel security research. At the suggestion of the Intelligence Community (specifically Jennifer Carrano), the Intelligence Personnel Research Group, in concert with DOD, has begun reprogramming funds for personnel research. Under the auspices of the Personnel Security Committee and the Research Sub-Committee, a nation-wide evaluation of the various kinds of research is now ongoing. Currently, a total of 83 projects have been identified. Forty-five are under way and 38 are projected to start in the immediate future. The total funding for these projects surpasses $16 million. Mr. Wilkinson underscored the significance of these projects and mentioned that they are being vetted through the Personnel Security Committee with the notion that standards and policies would not change unless there is causal research that justifies alterations and supports intelligent implementation.

Information Systems Security
Mr. Wilkinson stated that information systems security policy is fragmented and there is no coherent national execution strategy. In addition to the JSC II report, he added that this problem was identified in the first JSC report, Sen. Daniel Patrick Moynihan's Commission report, "Protecting and Reducing Government Secrecy," and in a letter from the Aerospace Industries Association to the Security Policy Advisory Board. He indicated that there is a proposal to use collaboratively the individual authorities of the SPB; the SPB Advisory Board; the National Security Telecommunication Information Systems Security Committee (NSTISSC); and the CIO Council to handle information systems security issues and policies in an aggregate way. He stated further that these entities would retain their individual authorities, while increasing their collective effectiveness by collaborating in a programmatic manner. Mr. Wilkins announced that he, Dan Jacobson, Director, SPB, J. William Leonard, DASD, Security and Information Operations, Jennifer A. Carrano, Director of Requirements, Plans and Policy Office, Community Management Staff, will meet with John Spatello, Office of Management and Budget, to talk about this particular issue. Mr. Wilkinson concluded his update on an optimistic note. He stated that a meeting of the ExCom would occur before the end of this Administration to at least come up with an interim solution that minimizes, if not eliminates, the fragmentation of information systems security policy.

DOE Update
Joseph Mahaley, Director, Office of Security Affairs for DOE reported on the creation of a joint policy group with DOD to reconcile inconsistent DOE and DOD protection/classification policies for nuclear weapon design information. Mr. Mahaley also briefed the members on DOE's efforts to implement enhanced protection measures for classified material, including the improvement of encryption technology, agency-wide use of high technology lock systems, and complete accountability of classified material.

Discussion of Next Meeting and Adjournment
The next meeting was tentatively scheduled for the first or second week in April 2001, and will be held in Washington, DC. The membership will be polled in order to come to a mutually convenient date in April 2001. There being no further business, the Chair adjourned the meeting at 4:00 p.m.

Top