Pentagon Sets New Framework for Security Policy

The Department of Defense this week established a new Defense Security Enterprise that is intended to unify and standardize the Department’s multiple, inconsistent security policies.

The new security framework “shall provide an integrated, risk-managed structure to guide DSE policy implementation and investment decisions, and to provide a sound basis for oversight and evolution.”

The Defense Security Enterprise, launched October 1 by DoD Directive 5200.43, is a response to the often incoherent and internally contradictory state of DoD security policy.

An Inspector General report earlier this year said that there were at least 43 distinct DoD policies on security that could not all be implemented together.

“The sheer volume of security policies that are not coordinated or integrated makes it difficult for those at the field level to ensure consistent and comprehensive policy implementation,” the DoD IG wrote.  (“DoD Security Policy is Incoherent and Unmanageable, IG Says,” Secrecy News, September 4, 2012.)

But under the new Defense Security Enterprise, “Standardized security processes shall be implemented, to the maximum extent possible and with appropriate provisions for unique missions and security environments,” the DoD directive said.

The new structure is supposed to “ensure that security policies and programs are designed and managed to improve standards of performance, economy, and efficiency.”

But the directive does not explain how to proceed if “performance, economy, and efficiency” prove to be incompatible objectives.

Nor does it provide a working definition for the crucial concept of “risk management.”  This term, often contrasted with “risk avoidance,” implies an increased tolerance for risk (i.e. risk of failure).  But the practical meaning (or the limit) of this tolerance is nowhere made explicit.

The Defense Security Enterprise will be managed by “a core of highly qualified security professionals,” the DoD directive said.