TRANSFORMING THE FBI SECURITY PROGRAM
Building Strong Management, Policy, Training, and Infrastructure Support
- Elevated the role of security within the FBI.
- Brought security expertise to the FBI from other Intelligence Community
- Established a Security Division, which for the first time in FBI history,
will serve as a point of integration for all Bureau security matters.
- Moved the programmatic responsibility for facility protection
and police services to Security Division, as well as the operational
responsibility for protecting FBI headquarters and the Washington
- Moved the Polygraph Unit to the Security Division.
- Started the development of a joint "business plan" with
the Laboratory Division to ensure technical security resources are
properly directed against Security Division requirements.
- Appointed a Director of Security, at the Assistant Director level,
who serves as the senior security executive. This AD has the full support
of and access to Director Mueller who has communicated his support for
the Security Program to all FBI employees.
- Provided needed infrastructure support to the Security Program by:
- Shifting internal resources to the Security Division as part of
the on-going FBI restructuring plan.
- Establishing additional "detail" assignments to the Security
Division from the Central Intelligence Agency (CIA) and the National
Security Agency (NSA).
- Applying resources received in the fiscal year 2002 budget process
to security requirements.
- Submitting a fiscal year 2003 budget request that includes significant
resources for the Security Division.
- Initiated a comprehensive review of national, Director of Central
Intelligence, Department of Justice, and FBI policy directives to establish
a traceability matrix that will be used to establish the effectiveness
of existing security policy.
- Initiated the development of a comprehensive security education, awareness,
and training program. The initial objective of this program will be
to address information systems security issues followed by an expansion
to all other elements of the Security Program.
- Developing a professional Security Officer cadre through the establishment
of a comprehensive career program that identifies and hires candidates
with appropriate skills, successfully retains them via a competitive
pay and reward structure, builds expertise through appropriate training
and assignment opportunities, and prepares them to assume program and
management roles of increasing responsibility. Elements of this initiative
- Establishment of a Security Career Service Board that focuses
executive attention on all elements of the professional Security
Officer career track.
- Certification of proficiency for security professionals and key
non-security personnel, such as system administrators, in critical
- Re-designing the field Security Officer program to:
- Rely less on agents and more on the professional Security Officer
cadre we intend to build over time.
- Restructure the field offices so that all security responsibilities
fall under the control of the Security Officer.
- Direct more resources to the field to support the Security Program.
- Modifying the operation of the FBI Security Council to ensure it is
appropriately staffed by senior executives and addresses security policy
issues of significance to the Bureau.
Establishing an Effective Information Assurance Program
- Instituted a policy requiring regular access reviews of the FBI's
most sensitive cases.
- Initiated the development of a formal Information Assurance Program.
- Implemented an aggressive certification and accreditation effort to
discover and address vulnerabilities within existing and proposed FBI
- Collaborated with the Trilogy Program and the Virtual Case File team
to deliver, upon deployment, enhanced security measures and to provide
the framework for improved information systems security measures in
- Initiated the modernization of cryptographic key management to improve
the security of FBI information and to facilitate the immediate deployment
of Trilogy infrastructure.
- Assigning an experienced IA professional from the Intelligence Community
to run the FBI's IA Program and adding strategic "consulting"
resources from the IC, as appropriate.
- Designing a comprehensive IT security architecture for FBI systems.
As part of this architecture, identifying the baseline for IA tools
or techniques, such as PKI, virtual private networks and LANs, single
sign-on, intrusion detection, network scanning, auditing, and other
methods to identify anomalous activity and system vulnerabilities.
- Establishing an Enterprise Security Operations Center to centrally
manage the security of FBI IT systems and networks.
- Re-evaluating and improving the certification and accreditation process
so that it mirrors best practices and is tied to the IT system development
- Establishing a number of experienced Information Systems Security
Managers as customer focal points for expeditious handling of IT security
questions and issues.
- Continuing the close collaboration between IA and Trilogy Program
personnel to implement improved IT system security as part of the on-going
Improving the Vetting Used to Establish Trustworthiness
- Expanded the use of the polygraph for personnel security processing.
- Moved Polygraph Unit from the Laboratory to the Security Division.
- Enhanced the analytical capability afforded to those persons with
access to the most sensitive FBI information.
- Implemented a written case summary format for reviewing security adjudication
- Defining the requirements for an integrated security information management
system and data integration efforts, as well as, executing a limited
number of "pilot" efforts using funds received in the fiscal
year 2002 appropriation.
- Working with the Records Management Division to improve control of
FBI security files and ensure they contain the necessary information.
Eventually, as part of the effort to develop an integrated security
management system, transitioning to an electronic security file.
- Automating security data collection processes in a web-enabled environment.
- Identifying new sources of information that add value to the vetting
process and assist in the determination of trustworthiness.
- Establishing a Financial Disclosure Program and developing the capability
to conduct security-related financial analysis.
- Exploring the use of a specific-issue polygraph examination to address
the issue of deliberate unauthorized disclosure of FBI information.
Ensuring Against the Compromise of Information
- Reassessed access procedures for FBI facilities eliminating special
exemptions afforded executives with "Gold Badges".
- Established the position of Special Security Officer for the FBI and
selected an Intelligence Community officer to serve in this role as
- Completed a review of handling procedures for sensitive information.
- Conducted a comprehensive review of sensitive accesses resulting
in a net decrease of FBI employees with such access.
- Conducted a "Back-to-Basics" day for all employees where
security was one of the key areas of focus.
- Establishing a Security Incident Reporting Program that includes management
of all potential information compromises through a central, Security
Division component. This component will ensure the security incidents
are properly investigated; assessments are conducted of potential damage
to the national security or FBI operations; remedial action is taken,
as necessary, to ensure the compromise does not happen again; and personal
accountability is assigned, if appropriate.
- Establishing a capability to resolve security anomalies, no matter
their source, and to integrate information resulting from the investigation
of these anomalies into the FBI CI Division.
- Developing an enhanced capability to securely process sensitive information
- Developing an appropriate accountability and tracking system for sensitive
hard copy documents.
- Investigating technology to better account for and track sensitive
information and the media, paper or magnetic, on which it is stored.
- Developing and conducting training on the proper classification of,
accounting for, and control of classified information.