1. On 24 January 1997 the Security Policy Advisory Board (SPAB) met in the auditorium of Tracor Aerospace from 0900 to 1200. Chairman Larry Welch presided, with Board members Nina Stewart and Thomas Brooks also in attendance. Other attendees included:
1. Terry Thompson opened the meeting and introduced the Chair, General Welch (Ret.) USAF, Chairman of the SPAB. General Welch welcomed everyone and provided the attendees a brief history of the SPAB to include its mission, scope and objectives.
INTRANET FOR SECURITY PROFESSIONALS
1. Mr. Thompson introduced Mr. Matt Donlon from the Defense Advanced Research Projects Agency. Mr. Donlon began by elucidating some of the multitude of problems facing today's security professional, including high costs; fragmented, unconnected databases; a lengthy policy cycle (over seven years to create the NISP); and poor communication. The objective of the INTRANET for Security Professionals (ISP) is to create a private network that will provide a tool for affordable, real-time communication to the security professional. He indicated most professionals are already connected via the Internet and consequently the necessary infrastructure is currently available.
2. Mr. Donlon then described the numerous applications the ISP might have. Those include: passing of clearances, policy discussions and the drafting of policy documents, a digital reference library, on-line security forms, a records source for security equipment storage and a training and education resource, to name just a few. He advised the system will be linked to industry, thereby providing them with an opportunity for real-time input. Several government agencies and corporations have agreed to act as evaluators of such a system.
3. Mr. Donlon indicated the initial phase includes a twelve-month study with an objective of creating a demonstration module by 1 March 97. He plans to impanel an advisory committee to guide the endeavor and make certain the latest technology is melded with the current needs of the security community. Security constraints will be a function of the participants and their requirements.
4. Mr. Donlon indicated the concept promises increased productivity and reduced long-term costs associated with the security effort.
ADVISORY BOARD COMMENT
SUITABILITY VS. SECURITY IN BACKGROUND INVESTIGATIONS
1. Mr. Peter Nelson, Deputy Director for Personnel Security, Department of Defense Command, Control, Communications and Intelligence unit, and Mr. John Crandell, Chief, Marketing and Evaluation Division, Office of Personnel Management, then addressed the group on the issue of background investigations done solely for a determination of suitability for employment vs. those done with the objective of granting a clearance. Mr. Nelson indicated that DIS is chartered to conduct suitability investigations and that the number conducted approximates a few thousand per annum, out of a total of 600,000. These positions usually involve civilian or contractor personnel employed as auditors, in AIS positions, child care workers, those individuals permitted unescorted access to sensitive areas or materials, and certain other positions of a fiduciary nature. While some of the more sensitive positions require the conduct of a single scope background investigation, the vast majority require only a national agency check (NAC). NACs are low in cost and do not usually require any costly field investigation.
2. All DOD civilian employees are subject to an OPM-conducted National Agency Check with Inquiries (NACI), which is the minimum investigation required for government employment under E.O. 10450. These are reimbursable investigations conducted at a cost of between $75 and $100.
3. All military personnel undergo a similar suitability screening process, with an Entrance National Agency Check conducted for enlisted soldiers and a NACI for officers. While both investigations can serve as a basis for up to a SECRET clearance, their primary purpose is to ensure that the soldier is 1) free of felony convictions and 2) loyal. Approximately 300,000 such investigations are conducted each year by DIS.
4. All investigations conducted for a suitability or trustworthiness determination can also serve as the basis for issuance of a security clearance if subsequently required. While such suitability investigations constitute only a relatively small percentage of the DIS workload, they are important for ensuring the integrity, trustworthiness and safety of DOD personnel, missions and material.
5. DOD regulations govern this issue and describe the responsibilities of the cognizant authorities.
6. Mr. Crandell indicated that, since 1983, OPM has been chartered to conduct suitability investigations and, since 1954, has been conducting investigations for clearances for the Civilian, Competitive Service. OPM has well over one hundred customers, many of whom have no interest in obtaining a clearance for their subject. Mr. Crandell estimated that approximately 80% of OPM's investigative workload falls into the area of suitability and 20% into the security arena. OPM not only has the usual National Security levels (i.e. special-sensitive, critical-sensitive, and non-critical sensitive) but also has designations according to the level of public trust (i.e. low, moderate and high risk). OPM, which has privatized its investigative arm, now offers case completions in 30, 60 and 90 days with appropriate fees associated with each.
ADVISORY BOARD COMMENT
AUTOMATED ACCESS TO CLEARANCE DATA
1. Mr. Crandell and Mr. Nelson then addressed the issue of linking security databases to provide streamlined access to security data. DOD and OPM have been working on linking the DOD database (Defense Clearance Investigation Index, DCII) and the OPM database (Security/Suitability Index of Investigations, SII). The former contains more than 20 million dossier segments and 6 million clearance segments. The latter contains about 6 million dossier segments but does not currently contain clearance information. OPM is working with the non-DOD community (e.g. Justice, Treasury, Commerce, DOE, etc.) to input clearance data in a format similar to the DOD clearance tracings. Once the remaining technical interface, file layout and privacy/disclosure issues are resolved, it is anticipated that the "virtual" central database will be up and running by July or August 1997.
2. A remaining obstacle to linkage is the requirement that a user of DCII must have a completed Single Scope Background Investigation (SSBI); the same requirement does not exist for OPM users. This issue is yet to be resolved but the granting of a waiver is a likely solution.
3. At this point, the Board asked why the requirement for an SSBI was levied on a user who merely needed to determine if an individual has a clearance. Mr. Nelson indicated that, because DCII contains codes which designate issue cases and also contains information on criminal activity, privacy is a concern. Mr. Crandell stated that, while the SII was in the construction stage, the National Security Agency mandated certain restrictions be employed without which they would not bestow a favorable rating on the database. OPM is still constrained by this dictum. In addition, investigative reports are also maintained in the same mainframe.
4. While the linked databases will cover about 90% - 95% of government/military personnel, they will not include employees or contractors from such agencies as CIA where there are classification issues regarding cover or classified association with the agency. Such information can only be made available over a classified network.
ADVISORY BOARD COMMENT
1. Mr. Thompson then addressed the group on financial disclosure. He reviewed the events germane to the history of the issue and then concentrated on recent developments.
2. He first pointed out that the Central Intelligence Agency has its own financial disclosure program which is moving forward under the authority of the DCI. This effort is separate and distinct from the endeavor which is supported by the Security Policy Board Staff. Mr. Thompson indicated the Staff will liaise with the cognizant CIA officers and glean what might be useful from the CIA program.
3. The use of some sort of financial disclosure form was initially mandated by EO 12958 and the implementation of a form was later delegated to the Security Policy Board Staff. In September 1996, a conference of government-wide experts in the area of financial investigation was convened to construct a financial disclosure form. The final product of three days of deliberations was a form with seventy-three data points and several pages of instructions.
4. At the November 1996 Security Policy Forum meeting, the form and three options for action were presented and discussed. The form could be adopted as is and forwarded to the Security Policy Board, the form could be simplified, or an enhanced financial investigation with or without a financial disclosure form could be explored. The Forum selected option three and remanded the issue to the Personnel Security Committee to pursue methodologies for bolstering the financial aspects of our investigations. To that end, the Financial Disclosure Working Group has been reconstituted and will convene on 6 February 1997.
5. The Board questioned whether it is wise to collect volumes of financial data and deliver it to adjudicators who are not equipped to manage it. Mr. Thompson indicated that a great deal of training and re-orientation for both investigators and adjudicators will be necessary and, presumably, will be an element of any implementation plan.
6. One attendee stated that, given the EO definition of who should complete the form, resistance to completion of it in the industrial arena has diminished. The Board, all of whom are members of the private sector, did not have that same sense, nor was any support voiced for that position by other attendees. In general, those in attendance did not favor the use of a financial disclosure form.
ADVISORY BOARD COMMENT
CHAPTER EIGHT OF THE NISPOM
1. Mr. Dan Jacobson then updated the group on the status of the re-write of Chapter Eight of the NISPOM. The re-write was initially accomplished by industry and presented to the NISPAC in May 1996. In addition to the staff effort to draft an Information Assurance Document, the SPB Staff is aware of at least three similar efforts in this area: ASSIM-300 sponsored by the NRO, the OSD-Directed Defense Investigative Service-Industry NISPOM Chapter Eight Re-Write effort and the DOD Directive 5200.28, Security Requirements for Automated Information Systems. The SPB Staff embraces the IAD effort as it includes the MOUs and government representatives.
2. Mr. David Kendrick of E-Systems asked whether we aren't relying too heavily on the IAD. Mr. Jacobson responded in the negative, indicating that all the players need to come together and work toward a mutually agreeable outcome. He advised he expects that to occur in the near future.
1. At the last SPAB meeting, the topic of Staff-Like Access was discussed. The Board requested a current definition of the term. Mr. Thompson indicated the definition now used is: "Staff-Like Access is unescorted access to installations, information systems or access to classified information as designated by an agency head or his authorized representative." Mr. Thompson indicated this designator is used primarily by CIA and NSA.
There was no further comment and Mr. Thompson closed the meeting at 1140 hours.