Industrial Security:

DOD Cannot Provide Adequate Assurances That Its Oversight Ensures the Protection of Classified Information

GAO-04-332: Published: Mar 3, 2004. Publicly Released: Mar 3, 2004.

Contact:

Anne Marie F. Lasowski
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Department of Defense (DOD) contractors perform numerous services that require access to classified information. With access comes the possibility of compromise, particularly as foreign entities increasingly seek U.S. military technologies. To ensure the protection of classified information, the National Industrial Security Program (NISP) establishes requirements that contractors must meet. In administering the NISP for DOD and 24 other government agencies, DOD's Defense Security Service (DSS) monitors whether 11,000-plus contractor facilities' security programs meet NISP requirements. In response to a Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004, GAO assessed DSS's oversight and examined DSS's actions after possible compromises of classified information.

DSS cannot provide adequate assurances to government agencies that its oversight of contractor facilities reduces the risk of information compromise. DSS is unable to provide this assurance because its performance goals and measures do not relate directly to the protection of classified information. While DSS maintains files on contractor facilities' security programs and their security violations, it does not analyze this information. Further, the manner in which this information is maintained--geographically dispersed paper-based files--does not lend itself to analysis. By not analyzing information on security violations and how well classified information is being protected across all facilities, DSS cannot identify systemic vulnerabilities and make corrective changes to reduce the risk of information compromise.

When a contractor facility reports a violation and the possible compromise of classified information, DSS does not always follow established procedures. After receiving a report of a possible information compromise, DSS is required to determine whether compromise occurred and to notify the affected government agency so it can assess any damage and take actions to mitigate the effects of the suspected compromise, compromise, or loss. However, DSS failed to make determinations in many of the 93 violations GAO reviewed and made inappropriate determinations in others. In 39 of the 93 violations, DSS made no determinations regarding compromise. For 30 of the remaining 54 violations, DSS's determinations were not consistent with established criteria. As a result, government agencies are not being kept informed of possible compromises of their information.

In addition, weeks or months can pass before government agencies are notified by DSS of possible information compromises because of difficulties in identifying the affected agencies. In 11 out of 16 instances GAO reviewed, it took DSS more than 30 days to notify the affected agency that its information had been lost or compromised. DSS relies on contractor facilities to identify the affected government agencies, but some facilities cannot readily provide DSS with this information because they are subcontractors that have to obtain the identity of the government agency from the prime contractors. In one case, 5 months passed before a subcontractor facility could provide DSS with the identity of the government agency whose information was suspected of being compromised. Such delays limit the government agencies' opportunity to assess and mitigate any damage from loss or compromise.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: Although the Defense Security Service (DSS) previously stated it would make the prime contract number a mandatory data element of the new automated information system, no final action has been taken. Data elements from the Contract Security Specification (including the contract number for the prime contract) are being included in the requirements definition phase for the future version of industrial security automation. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to establish mechanisms that create accountability for knowing the identity of government customers so that industrial security representatives can readily notify those customers of any loss or compromise. This could be accomplished by requiring representatives to maintain such information in their file folders or ensuring that contractors, particularly when they are subcontractors, know the identity of their government customers before an incident resulting in compromise or loss occurs.

    Agency Affected: Department of Defense

  2. Status: Closed - Not Implemented

    Comments: Although Defense Security Service (DSS) previously stated it would establish time-based criteria during the review of the Industrial Security Operating Manual (ISOM), no action has been taken. According to DOD, as the ISOM is reviewed by DSS for updates and changes, time-based criteria will be considered. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to explore the effects of establishing specific time-based criteria in the Industrial Security Operating Manual for representatives to make determinations and notify government customers.

    Agency Affected: Department of Defense

  3. Status: Closed - Not Implemented

    Comments: Defense Security Service (DSS) previously stated it would make necessary changes to the Industrial Security Operating Manual (ISOM). According to DOD, changes to the ISOM to clarify procedures for processing contractor reported violations were drafted, and the ISOM changes were expected to be completed by the end of August 2006. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to revise Industrial Security Operating Manual requirements to emphasize the need to apply the established determinations regarding the compromise or loss of classified information.

    Agency Affected: Department of Defense

  4. Status: Closed - Not Implemented

    Comments: The Defense Security Service (DSS) previously stated it will review the process used by field offices and conduct informal training sessions; however, no action has been taken. DSS intends to make the review of the process used by field personnel to review and process security violations an area of interest during management assistance visits as they occur. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to evaluate industrial security representatives and field office chiefs' understanding of the criteria for making determinations regarding the compromise of classified information and revise training and guidance for representatives and chiefs based on the results of that evaluation.

    Agency Affected: Department of Defense

  5. Status: Closed - Not Implemented

    Comments: No action has yet been taken on this recommendation. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to regularly analyze that information to make informed management decisions about the use of resources for its oversight activities and make any needed changes to those activities or procedures to reduce the risk of information compromise.

    Agency Affected: Department of Defense

  6. Status: Closed - Not Implemented

    Comments: Defense Security Service (DSS) previously stated it was developing requirements for an automated information system that would facilitate the ability to identify and analyze trends. The web based Industrial Security Facility Database (ISFD version 3) was on schedule for deployment by the end of calendar year 2006. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to identify the information that needs to be analyzed to detect systemic vulnerabilities and identify trends regarding how contractor facilities protect classified information.

    Agency Affected: Department of Defense

  7. Status: Closed - Not Implemented

    Comments: Defense Security Service (DSS) previously stated it was developing a strategic plan and balanced scorecard to measure results. According to DOD, action was taken to revise the drafts of the balanced scorecard, the industrial security strategic plan, and the cascading strategy map. The industrial security metrics have not yet been developed. A DSS panel was to have met in the fall of 2008. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to establish results-oriented performance goals and measures that would enable DSS to assess the extent to which it is achieving its industrial security mission.

    Agency Affected: Department of Defense

  8. Status: Closed - Not Implemented

    Comments: Although DSS previously stated it would incorporate this requirement in the Industrial Security Operating Manual when it is revised, no action has been taken. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.

    Recommendation: To improve contractors' understanding of which security violations must be reported to DSS, the Secretary of Defense should direct the Director of DSS to revise the Industrial Security Operating Manual to require industrial security representatives to inform facilities of the official determinations regarding the loss or compromise of classified information.

    Agency Affected: Department of Defense

 
