Industrial Security: DOD Cannot Ensure Its Oversight of Contractors under Foreign Influence Is Sufficient
GAO-05-681
Published: Jul 15, 2005. Publicly Released: Jul 15, 2005.
Skip to Highlights
Highlights
The Department of Defense (DOD) is responsible for ensuring that U.S. contractors safeguard classified information in their possession. DOD delegates this responsibility to its Defense Security Service (DSS), which oversees more than 11,000 contractor facilities that are cleared to access classified information. Some U.S. contractors have foreign connections that may require measures to be put into place to reduce the risk of foreign interests gaining unauthorized access to classified information. In response to a Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004, GAO assessed the extent to which DSS has assurance that its approach provides sufficient oversight of contractors under foreign ownership, control, or influence (FOCI).
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | To improve knowledge of the timing of foreign business transactions and reduce the risk of unauthorized foreign access to classified information, the Secretary of Defense should direct the director of DSS to clarify when contractors need to report foreign business transactions to DSS. |
DOD, in response to our report, said it was not going to implement the recommendation because the National Industrial Security Program Operating Manual (NISPOM) was clear about the contractor-reporting requirement. However, in conducting our 2017 review we found that DSS had updated its internal Industrial Security Operating Manual in May 2015 to clarify when contractors are to report foreign business transactions to DSS and DSS's role in evaluating these transactions .
|
| Department of Defense | To improve knowledge of the timing of foreign business transactions and reduce the risk of unauthorized foreign access to classified information, the Secretary of Defense should direct the director of DSS to determine how contractors should report and communicate dates of specific foreign business transactions to DSS. |
DOD, in response to our report, said it was not going to implement the recommendation because the NISPOM provided the contractors with the relevant reporting requirements. However, in conducting our 2017 review we found that DSS had updated its internal Industrial Security Operating Manual in May 2015 to clarify how contractors are to report foreign business transactions to DSS and DSS's role in evaluating these transactions.
|
| Department of Defense | To improve knowledge of the timing of foreign business transactions and reduce the risk of unauthorized foreign access to classified information, the Secretary of Defense should direct the director of DSS to collect and analyze when foreign business transactions occurred at contractor facilities and when protective measures were implemented to mitigate FOCI. |
DOD, in response to our report, said it was not going to implement the recommendation because the length of time involved in putting a mitigating instrument in place is not directly related to unauthorized disclosure of classified information. The DSS role is to oversee the protection of classified information and DSS works with the contractor to ensure that, regardless of the length of time involved, classified information is protected while the status of a contractor's foreign ownership, control, or influence (FOCI) is analyzed and the appropriate mitigating instrument determined and put in place. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that will likely address our findings and recommendations. While the strategy includes tracking of all pending adjudication actions and status reports of FOCI actions, it does not yet include actions to collect and analyze when foreign business transactions occurred at contractor facilities and when protective measures were implemented to mitigate FOCI. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel's review/report is released in fall 2008. Based on subsequent follow-up, the panel did not specifically address the need to analyze foreign business transactions that occurred at contractor facilities.
|
| Department of Defense | To assess overall effectiveness of DSS oversight of contractors under FOCI, the Secretary of Defense should direct the director of DSS to collect and analyze data on contractors operating under all protective measures as well as changes in types and prevalence of foreign business transactions reported by contractors. |
DOD, in response to our report, said it was not going to implement the recommendation because an analysis of protective measures and changes in the types of protective measures and prevalence of foreign business transactions reported by contractors does not appear to provide value in assessing DSS's effectiveness in ensuring the protection of classified information in industry. However, in our 2017 review we found that DSS had created a headquarters group comprised of subject matter experts to assist with analysis of matters related to foreign influence. DSS now issues a weekly publication to its field offices, NISP in the News, to inform them of recent business transactions that might affect cleared facilities, including those involving foreign businesses. In addition, DSS regularly convenes its headquarters subject matter experts and staff in the field who are responsible for conducting security reviews at cleared facilities that are operating under mitigation agreements for foreign influence.
|
| Department of Defense | To assess overall effectiveness of DSS oversight of contractors under FOCI, the Secretary of Defense should direct the director of DSS to collect, aggregate, and analyze the results of annual FOCI meetings, contractors' compliance reports, and data from the counterintelligence community. |
DOD, in response to our report, said it was not going to implement the recommendation because of the 12,000 cleared contractors, fewer than 3 percent are under any type of FOCI mitigating mechanisms. Analysis of the results of annual compliance meetings and reports as well as CI data does not appear to provide value in assessing DSS effectiveness for ensuring the protection of classified information. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that will likely address our findings and recommendations. The strategy does not yet include actions to collect and analyze the results of annual FOCI meetings, contractors' compliance reports, and data from the counterintelligence community. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel's review/report is released in the fall 2008. Based on subsequent followup the panel did not specifically address the need to collect and analyze the data as recommended.
|
| Department of Defense | To assess overall effectiveness of DSS oversight of contractors under FOCI, the Secretary of Defense should direct the director of DSS to develop a plan to systematically review and evaluate the effectiveness of the FOCI process. |
DOD, in response to our report, said it was not going to implement the recommendation. However, since 2008, DSS has released strategic plans that address how it is performing its mission and issued biannual reports to Congress that includes performance metrics related to how it addresses foreign influence. DSS has also issued annual reports about counterintelligence trends across cleared facilities, including targeted technologies and methods of collection used by foreign collectors. By the time we conducted our review in 2017, DSS had created a headquarters group comprised of subject matter experts to assist with analysis of matters related to foreign influence.
|
| Department of Defense | To better support industrial security representatives in overseeing contractors under FOCI, the Secretary of Defense should direct the director of DSS to formulate a human capital strategy and plan that would encompass evaluating the needs of representatives in carrying out their FOCI responsibilities. |
Based on our report, the newly appointed DSS Deputy Director of Industrial Security has developed a strategy that will address our recommendation. The strategy included actions to assess the skill sets and training required by representatives to carry out the industrial security mission, including FOCI responsibilities, as well as a career path for the industrial security representative that may aid in the recruitment and retention of skilled personnel. The industrial security representatives were surveyed to determine additional training needs.
|
| Department of Defense | To better support industrial security representatives in overseeing contractors under FOCI, the Secretary of Defense should direct the director of DSS to formulate a human capital strategy and plan that would encompass determining and implementing changes needed to job requirements, guidance, and training to meet FOCI responsibilities and exploring options for improving resource tools and knowledge-sharing efforts among representatives. |
DOD partially concurred with our recommendation and said it realizes there is always room for improvement. DOD said DSS has undergone a transformation in the last two years with significant changes in leadership and mission and a new strategic direction for program operations. A new industrial security information management system is nearing the final stages of development, which will improve the ability of DSS to centrally manage data and enhance the ability to share information. DSS has deployed the first phase of the industrial security database and is planning to fund and deploy the second phase in 2007. Once deployed, the database will provide the transferring and management of some FOCI information that can be used as a resource tool to improve knowledge sharing among the industrial security representatives. In April 2007, the second phase of the industrial security database was deployed. The second phase provides tracking and management of all pending FOCI adjudication actions and includes the capability to run status reports on FOCI actions.
|
Full Report
GAO Contacts
Office of Public Affairs
Topics
Classified defense informationContract oversightDepartment of Defense contractorsInformation disclosureInformation resources managementPerformance measuresUnauthorized accessPolicy evaluationForeign corporationsInformation securityInformation security managementInformation security regulations