Skip to main content

Industrial Security: DOD Cannot Provide Adequate Assurances That Its Oversight Ensures the Protection of Classified Information

GAO-04-332 Published: Mar 03, 2004. Publicly Released: Mar 03, 2004.
Jump To:
Skip to Highlights

Highlights

Department of Defense (DOD) contractors perform numerous services that require access to classified information. With access comes the possibility of compromise, particularly as foreign entities increasingly seek U.S. military technologies. To ensure the protection of classified information, the National Industrial Security Program (NISP) establishes requirements that contractors must meet. In administering the NISP for DOD and 24 other government agencies, DOD's Defense Security Service (DSS) monitors whether 11,000- plus contractor facilities' security programs meet NISP requirements. In response to a Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004, GAO assessed DSS's oversight and examined DSS's actions after possible compromises of classified information.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to establish results-oriented performance goals and measures that would enable DSS to assess the extent to which it is achieving its industrial security mission.
Closed – Implemented
DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had developed a strategic plan that contains results-oriented performance goals and measures that are tied to its mission. In addition, DSS has been reporting information on trends in how contractor facilities protect classified information in its biennial report to Congress.
Department of Defense To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to identify the information that needs to be analyzed to detect systemic vulnerabilities and identify trends regarding how contractor facilities protect classified information.
Closed – Implemented
DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had established the Industrial Security Facilities Database (ISFD) as the system of record for information about cleared facilities, including the results of security reviews to help identify systemic vulnerabilities. As of June 2018, DSS officials reported that it is finalizing the National Industrial Security System, which will eventually replace ISFD as the system of record. DSS headquarters, including a division focused on issues of foreign ownership, control, or influence, also collects and reports information on trends in how contractor facilities protect classified information in its biennial report to Congress. The last report was issued in August 2017.
Department of Defense To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to regularly analyze that information to make informed management decisions about the use of resources for its oversight activities and make any needed changes to those activities or procedures to reduce the risk of information compromise.
Closed – Implemented
DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS headquarters, including a division focused on issues of foreign ownership, control, or influence, collects and reports information on trends in how contractor facilities protect classified information in its biennial report to Congress. The last biennial report was issued in August 2017. In addition, DSS has developed a strategic plan that contains results-oriented performance goals and measures that are tied to its mission and may inform its management and oversight activities. Currently, DSS is piloting a new approach to overseeing contractors, DSS in Transition.
Department of Defense The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to evaluate industrial security representatives and field office chiefs' understanding of the criteria for making determinations regarding the compromise of classified information and revise training and guidance for representatives and chiefs based on the results of that evaluation.
Closed – Not Implemented
The Defense Security Service (DSS) previously stated it will review the process used by field offices and conduct informal training sessions, however, no action has been taken. DSS intends to make the review of the process used by field personnel to review and process security violations an area of interest during management assistance visits as they occur. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009 action had not been taken concerning this recommendation. As a result we are closing it as not implemented.
Department of Defense The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to revise Industrial Security Operating Manual requirements to emphasize the need to apply the established determinations regarding the compromise or loss of classified information.
Closed – Implemented
DOD, in response to our report, said it was not going to implement the recommendation. However, by the time we conducted our review in 2017, DSS had updated its internal Industrial Security Operating Manual (dated May 2015) to establish requirements related to making determinations about the compromise or loss of classified information.
Department of Defense The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to explore the effects of establishing specific time-based criteria in the Industrial Security Operating Manual for representatives to make determinations and notify government customers.
Closed – Implemented
DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had updated its internal Industrial Security Operating Manual (dated May 2015) to provide time frames for conducting initial screening interviews and notifying government customers of facility clearance determinations.
Department of Defense The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to establish mechanisms that create accountability for knowing the identity of government customers so that industrial security representatives can readily notify those customers of any loss or compromise. This could be accomplished by requiring representatives to maintain such information in their file folders or ensuring that contractors, particularly when they are subcontractors, know the identity of their government customers before an incident resulting in compromise or loss occurs.
Closed – Implemented
DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had established the Industrial Security Facilities Database (ISFD) as the system of record for information about cleared facilities, including recording the prime contract number. As of June 2018, the National Industrial Security System is being finalized, which will eventually replace ISFD as the system of record for information, according to DSS officials.
Department of Defense To improve contractors' understanding of which security violations must be reported to DSS, the Secretary of Defense should direct the Director of DSS to revise the Industrial Security Operating Manual to require industrial security representatives to inform facilities of the official determinations regarding the loss or compromise of classified information.
Closed – Implemented
DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had updated its internal Industrial Security Operating Manual (dated May 2015) and identified a process for industrial security representatives to follow when informing facilities of the official determinations regarding the loss or compromise of classified information, including the stakeholders involved in the process and the time frames and methods for communicating this information.

Full Report

GAO Contacts

Anne-Marie Fennell
Director
Natural Resources and Environment

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Classified defense informationDepartment of Defense contractorsFacility securityInformation disclosureInformation resources managementInteragency relationsPerformance measuresInformation classificationSecurity clearancesPolicies and procedures