On May 14, 2018, the General Accountability Office (GAO) issued GAO-18-407, a Report to the Subcommittee on Emerging Threats and Capabilities, Committee on Armed Services, House of Representatives entitled, Protecting Classified Information: Defense Security Service Should Address Challenges as New Approach Is Piloted.
The National Industrial Security Program (NISP) was established to safeguard federal government classified information released to the industry, and is administered by the Defense Security Service (DSS) within the Department of Defense (DoD). The Report presented the GAO’s findings with respect to the questions of how DSS administration of the program has changed since GAO’s last report in 2005 and how it is addressing challenges as it pilots a new approach, which it calls “DSS in Transition” or DiT.
GAO concluded that DSS has upgraded its capabilities since 2005, but expressed suspicion about DiT program execution. GAO found that until DSS identifies roles and responsibilities and determines how it will collaborate with stakeholders for the new DiT effort, GAO cannot accurately assess whether the ambitious new program is effective in protecting classified information.
Interestingly, GAO made reference to its Standards for Internal Control of the Federal Government to point out that DSS has a duty to coordinate with stakeholders (including cleared industry) specifically for the purpose of clearly defining roles and responsibilities. GAO made further reference to its interagency management guidance to stress the importance of matching sufficient resources with policy objectives.
A comprehensive security review under the new DiT process will look to cleared industry to identify assets of national security interest and to develop tailored security programs based on risk. Practical challenges regarding roles, responsibilities, and resources are likely to center around (a) sharing unclassified proprietary or privileged information with DSS personnel and (b) withholding a facility security clearance or interfering with the award of a government contract because of a disagreement about security measures not clearly related to NISP authorities. In executing DiT, DSS will presumably consolidate technical information from across the Defense Industrial Base into one basket, for which DSS must then protect against espionage and misuse. GAO notes that interagency policy coordination for DiT should include DoD security, intelligence, and acquisition components.
The DiT approach is best understood in the broader context of counterintelligence and security integration. Integration goals include supporting security programs with counterintelligence information and using security programs to collect information useful to counterintelligence analysis. As a result, several industrial security reform efforts have been launched in recent years. To get an idea of the breadth of these reforms, industry representatives on the NISP Policy Advisory Committee have produced an excellent summary of these efforts in their most recent Security Policy Update.
GAO commented that DSS challenges with respect to managing staff workloads and providing relevant training will only add pressure to an agency accepting a background and security investigations mission that has significant backlog and timeliness challenges. And, there is some evidence that DSS is already vulnerable to timeliness challenges. For example, DSS handles the initiation phase of processing personnel clearances. DSS processing times on initial TOP SECRET personnel clearances grew from 18 days in first quarter 2015 to 48 days in first quarter 2018. In addition, GAO pointed out that the 2017 DSS Biennial Report to Congress shows that the average amount of time to approve and implement a foreign influence mitigation plan more than doubled since the previous report to 204 days, and that DSS did not conduct security reviews at about 60 percent of cleared facilities in fiscal year 2016.
DSS concurred with the GAO recommendation that DSS determine how it will collaborate with stakeholders, including identifying roles and responsibilities and related resources, as it pilots DiT. The Report is important if it helps ensure a functional industrial security program that can operate with reasonable efficiency.