Information Security Oversight Office (ISOO)

NISPPAC Minutes - March 25, 1997

Minutes of the Meeting March 25, 1997

The National Industrial Security Program Policy Advisory Committee (NISPPAC) held its ninth meeting on March 25, 1997, at 10:00 a.m., at the National Archives Building, 700 Pennsylvania Avenue, Northwest, Washington, D.C. Steven Garfinkel, Director, Information Security Oversight Office (ISOO), chaired the meeting. The meeting was open to the public.

Welcome, Introductions and Announcements.

After a welcome and introductions, the Chairman read a letter from President Clinton thanking Carol Donner and James Van Houten for their service as original industry representatives on the NISPPAC into the record.

The Chairman submitted the minutes of the September 24, 1996 meeting for approval. The members approved the minutes with one correction. The correction is on page one, line three. The spelling of the acronym "NISPPAC" was corrected. As there were no other comments or corrections to the minutes, the NISPPAC members approved the minutes as corrected.

Reinventing the Defense Investigative Service.

Steven T. Schanzer, Principal Deputy Director, Defense Investigative Service (DIS), reported that budget constraints have prevented DIS from getting the funding it needs to conduct its security services and to implement new security policies issued by the Security Policy Board. Consequently, DIS plans to use two initiatives to change its business strategy. First, DIS will seek to declare itself as a fee for service performance-based organization through the Vice President's National Performance Review program. As a performance-based organization, DIS can negotiate service agreements, and relax civil service personnel rules and acquisition rules so that it serves its customers more effectively. By charging fees for its security investigations, DIS will have the necessary funding to carry out its security services and implement new security policies. DIS will start charging non-DOD customers in 1998. DOD customers will be charged in 1999.

Second, DIS will become an "information utility" provider for Government and industry. For instance, DIS intends to explore the use of a secure server on the Internet that allows security officers access to portions of the Defense Central Index of Investigations. This will allow visitor requests to be passed electronically and will eliminate the paper transfer of security clearance information.

Additionally, DIS is making changes to its organization and the processes within its organization to help meet the business strategies. All operational units have been moved under a Director of Operations and all policy matters have been moved under a Director of Policy. To help evaluate the business objectives that DIS is implementing, the Office of the Inspector General (OIG) now functions as a strategic planning and inspection office. Hence, the OIG functions as an auditing office that looks at how well DIS is operating. The Office of the Comptroller has been modeled after the Office of the Secretary of Defense.

DIS is also exploring methods to cut down the time it takes to conduct personnel clearance investigations. DIS's goal is to complete a personnel investigation within 30 days.

National Industrial Security Program Operating Manual (NISPOM) Issues.

John E. Frields, Deputy Director for Industrial Security Programs, Office of the Secretary of Defense, led the discussion on the following NISPOM issues:

Amendments to the NISPOM to Conform with Executive Order 12958 and its implementing Directive No. 1.

Mr. Frields presented to the NISPPAC members the final draft amendments to the NISPOM, entitled, NISPOM Change 1 "Final Draft." Before the NISPOM Change 1 is issued, formal concurrence must be sought from the Department of Energy, the Nuclear Regulatory Commission, and the Central Intelligence Agency. Mr. Frields does not anticipate any problems in getting these agencies to concur. As soon as the concurrence is received, NISPOM Change 1 will be promulgated. Copies will be available in electronic and hard copy format.

In the discussion that followed, Tom Adams, Industry, raised questions about industry's comments on Chapter 3. 3-107. Refresher Training and Chapter 5. 5-205. Generation of Classified Material. Mr. Adams noted that the language did not seem to reflect industry's comments and asked whether changes could still be made to the paragraphs. In his response, Mr. Frields reminded the NISPPAC that industry's recommendations concerned additional record keeping and paper work that could be eliminated with the publication of the NISPOM. These recommendations could not be used because the Executive order and the implementing directive do not allow much room for flexibility. Although Mr. Frields and his staff were sympathetic to industry's concerns and argued the industry point of view, they were unable to garner the support needed from Government to incorporate industry's position in the NISPOM. Mr. Frields added that the paragraphs are substantially different from the original draft and that he and his staff deviated from the directive, as much as they could, to reflect industry's point of view.

As the discussion continued, Mr. Frields asked Mr. Garfinkel, as Director of the Information Security Oversight Office, to comment on the directive's flexibility. Mr. Garfinkel noted that, to the extent that a requirement is mandated by the directive, it does not allow much room for deviation. However, a directive is a directive until it is changed. The directive's goal is to create uniform requirements both within Government and industry. He added that if experience shows that the directive goes too far, or that procedures are too expensive or over time unnecessary, it can be amended.

Mr. Garfinkel further commented that the Commission on Protecting and Reducing Government Secrecy Report calls for more documented refresher training and training programs. Because the Commission's recommendation is contrary to relaxing the requirements for refresher training, Mr. Garfinkel could not predict what the future would hold for this requirement. Mr. Garfinkel emphasized that the key thing to understand about refresher training is the degree of flexibility that organizations have to determine what is refresher training and the freedom to design training programs that are appropriate for their security employees.

Mr. Frields again pointed out that the section on refresher training incorporates the flexibility envisioned by the directive. As the discussion concluded, Mr. Frields suggested that the NISPPAC track, for one year, the additional costs and the perceived benefits of implementing the section on refresher training and any other part of the NISPOM to see if it is favorable to the industry members.

The NISPPAC members accepted Mr. Frields' suggestion and all parties agreed to revisit this issue within a year.

Mr. Adams also raised questions about Chapter 5. 5-205(b). The Chair and Mr. Frields briefly addressed Mr. Adams' concerns and expressed that they would be willing to discuss the matter further with him at a separate meeting rather than taking up the committee's time with this issue.

Proposed Plan to Revise Chapter 10 of the NISPOM.

Mr. Frields reported that the draft of Chapter 10, which contains the international security requirements, should be circulated in April for comment. Sixty to 90 days will be allowed for executive branch agencies and industry groups to submit comments. As soon as the comments are incorporated into a final draft, the draft will be forwarded to the Central Intelligence Agency, Department of Energy and the Nuclear Regulatory Commission for approval.

Briefing on a Renewed Office of the Secretary of Defense Initiative to Revise Chapter 8.

Mr. Frields presented the NISPPAC members with a hand-out that outlines the Government's approach for updating chapter 8 of the NISPOM. The Executive Agent feels that the update of chapter 8 must be done quickly. It is the most critical chapter of the NISPOM. To move the process forward, the Executive Agent is recommending that Government and industry piggyback on the Intranet for Security Professionals (ISP) program sponsored by the Defense Advanced Research Projects Agency (DARPA) to develop proposed changes to chapter 8.

At this point in the discussion, Mr. Frields also provided the members with a handout that described the Intranet for Security Professionals. He also introduced Matt T. Donlon, Director, Security and Intelligence Office, DARPA, to the members and asked that he explain how the ISP works.

After Mr. Donlon's presentation, Mr. Adams, Industry, remarked that using the ISP as a vehicle for developing chapter 8 is a great idea. However, chapter 8 has been on the NISPPAC agenda for quite some time and very little has been done to revise the chapter.

Mr. Adams moved that the Executive Agent utilize the ISP to prepare a draft chapter 8 for review within 60 days and make a completed product available by January 1998.

The NISPPAC members passed the motion unanimously.

The Chair noted that a letter reflecting the NISPPAC's position on revising chapter 8 would be forwarded to the Executive Agent. Copies of the letter will be made available to the members.

Kudos to Industry on its Second Annual Submission of Cost Data.

Mr. Frields expressed thanks and appreciation to Tom Adams for serving as the industry point of contact to collect the 1997 industrial security cost figures.

Mr. Frields reported that the second cost collection effort of industrial security costs was a success. This year the Executive Agent reported a cost of $2.6 billion to the Information Security Oversight Office. This was an 11% decrease from last year's figure of $2.9 billion.

Mr. Frields reminded the industry members that next year's figures are due in March 1998. He also asked that industry designate a representative to assist him with the collection of the 1998 industrial security costs. He further asked that a larger sample be provided so that more accuracy could be put on the data collected. To assist in this effort, DOD will refine the categories listed in the data collection for security costs.

The Chair asked the industry members to provide Mr. Frields with a representative within 30 days. Shirley E. Krieger, Director, Support Services, Satellite Systems Operations, Honeywell, Incorporation, agreed to be the industry point of contact for the cost collection effort.

As the discussion concluded, the Chair noted that the Information Security Oversight Office would be reporting decreases in security costs for both Government and industry. The report is due to Congress by the first of May. Members of the NISPPAC will be provided with a copy of the letter reporting the security cost figures for 1997.

Status and Discussion of Security Policy Board Initiatives.

Peter D. Saderholm, Director of the Security Policy Board (SPB) staff, reported that progress is taking place in several areas. In the area of personnel security, the SPB has been informed that the administration has approved adjudication guidelines and investigative standards.

As it concerns facilities protection, the SPB has completed the last issuance of the safeguarding directive and will shortly forward it to the Office of the Deputy Secretary of Defense. Due to the fact that there has been some confusion about the use of the term "security in-depth," the SPB staff is drafting a supplement that will explain this term.

The Policy Integration Committee (PIC) continues to work on a risk management strategy for agencies to use in policy deliberations in the national security policy forum process. The PIC is fairly close to having a strategy that will be useful for national level policy deliberations. Individual agencies will have the option of implementing this policy.

Among other things, Mr. Saderholm also reported that the SPB is: (1) looking at data base linkage for security clearance information; (2) examining the investigative process to determine which activities are useful and which are not; (3) drafting policy for protective guard forces (the development of this policy is in response to the bombing of the Federal building in Oklahoma); (4) looking at issues surrounding special access programs; and (5) working on its Security Assurance Document.

Report on the Findings of the Commission on Protecting and Reducing Government Secrecy.

Eric Biel, Staff Director, Commission on Protecting and Reducing Government Secrecy, provided the NISPPAC members with a brief overview of the Commission's findings. Mr. Biel explained that the report is intended for security professionals and for individuals outside of the security policy community who have an interest in gaining access to Government information. The findings in the report are unanimous and there is no dissenting opinion.

In his concluding comments, Mr. Biel expressed that the Commissioners are committed to developing a process for following up on the report. John D. Podesta, Deputy Chief of Staff, White House, will work to develop an action plan to handle follow-up interest in the findings of the report.

Copies of the Commission's report were made available to the NISPPAC members.

Fine Tuning of Executive Order 12958, "Classified National Security Information."

The Chair provided the NISPPAC members with a copy of a letter to all Executive branch agencies inviting them to participate in the prospective fine tuning of Executive Order 12958. Mr. Garfinkel informed the members that the National Security Council has endorsed the conduct of this review, but is not currently committed to any particular changes to the Order. Mr. Garfinkel invited industry members to participate in this process.

Information Security Oversight Office (ISOO) Planned On-Site Review of Selected Aspects of the National Industrial Security Program.

Ethel R. Theis, Associate Director, ISOO, reported that ISOO will conduct a review of selected industry programs in early May.

Improving the NISPPAC Process of Handling National Industrial Security Program (NISP) Issues.

Industry representatives Edward Halibozek and Frank K. Martin led the discussion of the process for handling NISP issues. The NISPPAC members were provided with a flow chart showing how an issue would be considered by the NISPPAC. The Chair remarked that he had received a copy of the flow chart this morning and that he did not have adequate time to review the chart. However, he noted that a few modifications to the process could improve the mechanism for handling NISP issues.

As the discussion continued, other members also recommended slight modifications to the process. Recognizing that the NISPPAC members had not had sufficient time to examine the process for handling NISP issues, the Chair invited the members to bring their recommendations, if any, to the September meeting.

Open Forum.

Federal Express for Overnight Transmission of Secret and Confidential Classified Information.

Shirely Krieger, Industry, asked John Frields to explain the incorporation of using Federal Express for overnight transmission in the NISPOM. Mr. Frields responded that the changes will be provided in a miscellaneous package because it is an implementation problem and not a formal change that requires approval. Therefore, once an agreement is reached, it can be implemented overnight.

The Communications Security Supplement.

Tom Adams, Industry, asked that the Executive Agent look at the process for handling communications security information. The Chair asked that industry prepare a proposal to address the supplement. Mr. Frields suggested that this proposal be used as a test case for the new process of handling NISP issues.

Membership List.

The Chair provided the members with a list of the industry members showing their terms of service on the NISPPAC. He also reminded industry members that the time had come to submit nominations to replace outgoing industry members.

Next NISPPAC Meeting.

The Chair announced that the final meeting for fiscal year 1997 will take place in St. Louis, Missouri, in the second week of September.


The Chair adjourned the meeting at approximately 12:00 noon.