This is the accessible text file for GAO report number GAO-05-681 
entitled 'Industrial Security: DOD Cannot Ensure Its Oversight of 
Contractors under Foreign Influence Is Sufficient' which was released 
on July 15, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Committee on Armed Services, U.S. Senate: 

United States Government Accountability Office: 

July 2005: 

Industrial Security: 

DOD Cannot Ensure Its Oversight of Contractors under Foreign Influence 
Is Sufficient: 

GAO-05-681: 

GAO Highlights: 

Highlights of GAO-05-681, a report to Committee on Armed Services, U.S. 
Senate: 

Why GAO Did This Study: 

The Department of Defense (DOD) is responsible for ensuring that U.S. 
contractors safeguard classified information in their possession. DOD 
delegates this responsibility to its Defense Security Service (DSS), 
which oversees more than 11,000 contractor facilities that are cleared 
to access classified information. Some U.S. contractors have foreign 
connections that may require measures to be put into place to reduce 
the risk of foreign interests gaining unauthorized access to classified 
information. 

In response to a Senate report accompanying the National Defense 
Authorization Act for Fiscal Year 2004, GAO assessed the extent to 
which DSS has assurance that its approach provides sufficient oversight 
of contractors under foreign ownership, control, or influence (FOCI). 

What GAO Found: 

DSS’s oversight of contractors under FOCI depends on contractors 
self-reporting foreign business transactions such as foreign acquisitions. 
As part of its oversight responsibilities, DSS verifies the extent of 
the foreign relationship, works with the contractor to establish 
protective measures to insulate foreign interests, and monitors 
contractor compliance with these measures. In summary, GAO found that 
DSS cannot ensure that its approach to overseeing contractors under 
FOCI is sufficient to reduce the risk of foreign interests gaining 
unauthorized access to U.S. classified information. 

First, DSS does not systematically ask for, collect, or analyze 
information on foreign business transactions in a manner that helps it 
properly oversee contractors entrusted with U.S. classified 
information. In addition, DSS does not collect and track the extent to 
which classified information is left in the hands of a contractor under 
FOCI before measures are taken to reduce the risk of unauthorized 
foreign access. During our review, we found instances in which 
contractors did not report foreign business transactions to DSS for 
several months. We also found a contractor under foreign ownership that 
appeared to operate for at least 6 months with access to U.S. 
classified information before a protective measure was implemented to 
mitigate foreign ownership. 

Second, DSS does not centrally collect and analyze information to 
assess its effectiveness and determine what corrective actions are 
needed to improve oversight of contractors under FOCI. For example, DSS 
does not know the universe of all contractors operating under 
protective measures, the degree to which contractors are complying 
overall with measures, or how its oversight could be strengthened by 
using information such as counterintelligence data to bolster its 
measures. 

Third, DSS field staff face a number of challenges that significantly 
limit their ability to sufficiently oversee contractors under FOCI. 
Field staff told us they lack research tools and training to fully 
understand the significance of corporate structures, legal ownership, 
and complex financial relationships when foreign entities are involved. 
Staff turnover and inconsistencies over how guidance is to be 
implemented also detract from field staff’s ability to effectively 
carry out FOCI responsibilities. 

What GAO Recommends: 

GAO recommends that DOD direct DSS to improve data collection and 
analysis of FOCI transactions and protective measures and direct DSS to 
systematically assess the effectiveness of the FOCI process to reduce 
risk of foreign interests gaining unauthorized access to classified 
information. DSS should formulate a human capital strategy and plan to 
evaluate whether its staff need better information, training, and tools 
to perform FOCI responsibilities. DOD did not concur with our 
recommendations and stated the process is sufficient. 

www.gao.gov/cgi-bin/getrpt?GAO-05-681. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Ann Calvaresi-Barr at 
(202) 512-4841 or calvaresibarra@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

DSS's Approach to Overseeing FOCI Contractors Is Insufficient: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Scope and Methodology: 

Appendix II: Comments from the Department of Defense: 

Table: 

Table 1: Types of Protective Measures: 

Figures: 

Figure 1: Overview of DSS's FOCI Process: 

Figure 2: Knowledge Gaps in DSS's FOCI Process: 

Abbreviations: 

DOD: Department of Defense: 

DSS: Defense Security Service: 

FOCI: foreign ownership, control, or influence: 

United States Government Accountability Office: 

Washington, DC 20548: 

July 15, 2005: 

The Honorable John W. Warner: 
Chairman: 
Committee on Armed Services: 
United States Senate: 

The Honorable Carl Levin: 
Ranking Minority Member: 
Committee on Armed Services: 
United States Senate: 

The Department of Defense (DOD) depends on numerous U.S. contractor 
facilities to develop and produce military technologies, such as those 
used in tactical aircraft and military satellites, that require access 
to classified information. DOD's Defense Security Service (DSS) on 
behalf of DOD and 23 other federal departments administers the National 
Industrial Security Program, which was established to ensure that 
contractors appropriately safeguard classified information in their 
possession while performing work for the U.S. government. DSS is 
responsible for providing oversight and assistance to U.S. contractors 
that are cleared for access to classified information. Among these 
contractors are those under foreign ownership, control, or influence 
(FOCI)--that is, a situation in which a foreign interest has the power 
to decide matters affecting a contractor's operations and that could 
result in unauthorized access to U.S. classified information or 
adversely affect the performance of classified contracts.[Footnote 1] 
The policy of the U.S. government is to allow foreign interests to 
invest in U.S. contractors as long as those investments do not pose a 
threat to U.S. national security interests. 

DSS depends on the contractor to self-report information about certain 
business transactions with foreign entities such as foreign ownership 
of a contractor's stock. Once it becomes aware that a contractor has 
come under foreign influence through such transactions, DSS is 
responsible for verifying the extent of the foreign relationship. DSS 
and the contractor then work together to decide what appropriate action 
or measure is to be taken to protect U.S. classified information from 
unauthorized disclosure to foreign interests. DSS relies on a number of 
protective measures to reduce the risk of foreign entities having 
unauthorized access to classified information, including requiring a 
foreign owner to transfer title of company stock to U.S. citizen 
trustees approved by DOD. DSS is also responsible for monitoring the 
contractors' implementation of the protective measures put in place to 
mitigate FOCI and relies on contractors to report instances of 
noncompliance with its protective measures. 

In a report accompanying the National Defense Authorization Act for 
Fiscal Year 2004, the Senate Armed Services Committee directed us to 
review DSS's oversight of contractors with foreign business 
relationships. In response, we examined the extent to which DSS has 
assurance that its approach provides sufficient oversight of 
contractors under foreign ownership, control, or influence.[Footnote 2]

To assess DSS's oversight of U.S. contractors involved in foreign 
business transactions, we interviewed and obtained documentation from 
DSS headquarters, DSS field offices, and selected contractors operating 
under various protective measures. We reviewed DSS's guidance and 
procedures for overseeing contractors that operate under FOCI and for 
monitoring contractors' compliance with protective measures. We 
examined and analyzed 27 case files for contractors that had various 
types of foreign business transactions reviewed by DSS, which we 
discussed with DSS headquarters and field officials. We performed our 
work from June 2004 to May 2005 in accordance with generally accepted 
government auditing standards. Details on our scope and methodology can 
be found in appendix I. 

Results in Brief: 

DSS cannot ensure that its oversight of contractors under FOCI is 
sufficient to reduce the risk of foreign interests gaining unauthorized 
access to U.S. classified information. First, DSS does not 
systematically ask for information that would allow it to know if 
contractors are reporting foreign business transactions when they 
occur. DSS also does not collect and track the extent to which 
classified information is accessible to a contractor under FOCI before 
measures are taken to reduce the risk of unauthorized foreign access. 
Without this information, DSS is limited in its ability to effectively 
oversee contractors under FOCI and take actions when needed to protect 
classified information from undue foreign access. During our review, we 
found instances in which contractors did not report foreign business 
transactions to DSS for several months. In addition, we found a 
contractor under foreign ownership that appeared to have had access to 
U.S. classified information for at least 6 months before a protective 
measure was implemented. Second, DSS does not centrally collect and 
analyze information to assess its effectiveness and determine what 
corrective actions are needed to improve oversight of contractors under 
FOCI. For example, DSS does not know the total number of contractors 
operating under all protective measures and the degree to which 
contractors are complying overall with protective measures. Third, DSS 
field staff face a number of challenges in carrying out their 
responsibilities in overseeing contractors under FOCI. Field staff told 
us they lack research tools and training to fully understand the 
significance of corporate structures, legal ownership, and complex 
financial relationships when foreign entities are involved. Field staff 
also informed us that staff turnover further compounded these 
challenges. In addition, we found inconsistencies in how field staff 
understand and implement FOCI guidance. These challenges combined 
significantly limit DSS field staff's ability to sufficiently oversee 
contractors under FOCI to minimize the risk of unauthorized foreign 
access to U.S. classified information. 

In light of our findings, we are recommending that the Secretary of 
Defense take certain actions to (1) improve DSS's knowledge of the 
timing of foreign business transactions, (2) assess the overall 
effectiveness of DSS's oversight of contractors under FOCI, and (3) 
develop a human capital strategy that would provide the appropriate 
support for industrial security representatives. DOD did not concur 
with our recommendations. In commenting on a draft of our report, DOD 
indicated that it believes the FOCI process is adequate to ensure the 
protection of classified information. However, DOD did not provide 
evidence to support this belief. Given the vulnerabilities we 
identified in our report, our recommendations stand. 

Background: 

The National Industrial Security Program was established in 1993 for 
the protection of classified information. DSS administers the National 
Industrial Security Program on behalf of DOD and 23 other federal 
departments and agencies. DSS is responsible for providing oversight, 
advice, and assistance to more than 11,000 U.S. contractor facilities 
that are cleared for access to classified information. Contractor 
facilities can range in size, be located anywhere in the United States, 
and include manufacturing plants, laboratories, and universities. About 
221 industrial security representatives work out of 25 DSS field 
offices across the United States and serve as the primary points of 
contact for these facilities. DSS is responsible for ensuring that 
these contractors meet requirements to safeguard classified information 
under the National Industrial Security Program. Contractors must have 
facility security clearances under this program before they can work on 
classified contracts. 

To obtain a facility security clearance, contractors are required to 
self-report foreign business transactions on a Certificate Pertaining 
to Foreign Interests form.[Footnote 3] Examples of such transactions 
include foreign ownership of a contractor's stock, a contractor's 
agreements or contracts with foreign persons, and whether non-U.S. 
citizens sit on a contractor's board of directors. DSS's industrial 
security representatives provide guidance to contractors on filling out 
the certificate. If a contractor declares no foreign business 
transactions on the certificate, DSS places the certificate in the 
contractor's file located in the field. When U.S. contractors with 
facility security clearances have changes in foreign business 
transactions to report, they are required to complete the certificate 
again and resubmit it every 5 years, even if no foreign transactions 
take place. Because a U.S. company can own a number of contractor 
facilities, the corporate headquarters or another legal entity within 
that company is required to complete the certificate.[Footnote 4]

When contractors declare foreign transactions on their certificates and 
notify DSS, industrial security representatives are responsible for 
ensuring that contractors properly identify all relevant foreign 
business transactions. They are also required to collect, analyze, and 
verify pertinent information about these transactions. For example, by 
examining various corporate documents, the industrial security 
representatives can determine corporate structures and ownership and 
identify key management officials. The representatives may consult with 
DSS counterintelligence officials, who can provide information about 
threats to U.S. classified information. If contractors' answers on the 
certificates indicate that foreign transactions meet certain DSS 
criteria or exceed thresholds, such as the percentage of company stock 
owned by foreign persons, the representatives forward these FOCI cases 
to DSS headquarters. DSS headquarters works with contractors to 
determine what, if any, protective measures are needed to reduce the 
risk of foreign interests gaining unauthorized access to U.S. 
classified information. DSS field staff are then responsible for 
monitoring contractor compliance with these measures. Figure 1 shows 
highlights of the FOCI process. 

Figure 1: Overview of DSS's FOCI Process: 

[See PDF for image]

[End of figure]

On a case-by-case basis, DSS headquarters can approve the use by 
contractors of one of six types of protective measures: voting trust 
agreements, proxy agreements, special security agreements, security 
control agreements, board resolutions, and limited facility clearances. 
These protective measures are intended to insulate contractor 
facilities from undue foreign control and influence and to reduce the 
risk of unauthorized foreign access to classified information. 
Protective measures vary in the degree to which foreign entities are 
insulated from classified information and are not intended to deny 
foreign owners the opportunity to pursue business relationships with 
their U.S.-based contractor facilities working on classified contracts. 
Table 1 provides a general description of each of these protective 
measures. In addition to these measures, DSS can also require 
contractors to take certain actions to mitigate specific FOCI 
situations such as termination of loan agreements or elimination of 
debt owed to a foreign entity. 

Table 1: Types of Protective Measures: 

Protective measure: Voting trust agreement; 
General description: 
* Foreign owners transfer legal title to the stock of the foreign-owned 
U.S. company to U.S. citizen trustees that are approved by DOD. 

Protective measure: Proxy agreement; 
General description: 
* Similar to a voting trust, except foreign owners retain legal title 
to the stock and transfer voting rights of stock to U.S. citizen proxy 
holders that are approved by DOD. 

Protective measure: Special security agreement; 
General description: 
* Allows representatives of the foreign owner to be on the U.S. 
contractor's board of directors but requires U.S. citizen outside 
directors that are approved by DOD; 
* Contractors under a special security agreement are denied access to 
classified information such as Top Secret, special access, and other 
sensitive information unless DOD determines it is in the U.S. national 
interest and grants an exception. 

Protective measure: Security control agreement; 
General description: 
* Similar to a special security agreement and used when contractor is 
not effectively owned or controlled by foreign person(s); 
* Unlike contractors under a special security agreement, contractors 
under a security control agreement are not denied access to classified 
information such as Top Secret, special access, and other sensitive 
information. 

Protective measure: Board resolution; 
General description: 
* Resolution by contractor's board of directors certifying that foreign 
shareholder(s) shall not have access to classified information or be 
permitted to hold positions that enable them to influence the 
performance of classified contracts. 

Protective measure: Limited facility clearance; 
General description: 
* Requires industrial security agreement with the foreign government of 
the country from which foreign ownership is derived; 
* Access to classified information is restricted to performance on a 
specific contract as defined by the government customer, but there is 
no restriction on foreign management control and influence. 

Source: DSS (data); GAO (analysis and presentation). 

[End of table]

For contractors operating under voting trust, proxy, special security, 
or security control agreements, industrial security representatives are 
supposed to conduct annual FOCI meetings with contractor staff who are 
responsible for ensuring compliance with these protective measures. In 
preparation for these annual meetings, contractors are required to 
produce and submit to DSS annual FOCI compliance reports that can 
describe specific acts of noncompliance with protective measures, 
changes in organizational structure or changes in security procedures 
at the contractor, and other issues that have occurred over the course 
of a year. Industrial security representatives should then review the 
reports to determine how contractors are fulfilling their obligations 
under the protective measures. In addition, DSS generally conducts 
security reviews annually for facilities that store classified 
information or every 18 months for facilities that do not have 
classified information on site. However, for contractors operating 
under voting trust, proxy, special security, or security control 
agreements, industrial security representatives are required to conduct 
a security review every 12 months whether the contractor has classified 
information on site or not. These reviews are designed to determine 
security vulnerabilities and contractor compliance with National 
Industrial Security Program requirements and to evaluate the overall 
quality of the facility's security program, including compliance with 
protective measures to mitigate FOCI. 

DSS will not grant a new facility security clearance to a contractor 
until all relevant FOCI have been mitigated. In addition, DSS shall 
suspend an existing clearance if FOCI at a contractor facility has not 
been mitigated. A contractor with a suspended facility clearance can 
continue to work on an existing classified contract unless the 
government contracting office denies access to the existing contract. 
In addition, the contractor cannot be awarded a new classified contract 
until the clearance is restored. 

DSS's Approach to Overseeing FOCI Contractors Is Insufficient: 

DSS does not systematically ask for, collect, or analyze foreign 
business transactions in a manner that helps it properly oversee 
contractors entrusted with U.S. classified information, nor does DSS 
aggregate and analyze information to determine the overall 
effectiveness of its oversight of FOCI contractors. Notably, DSS does 
not know if contractors are reporting foreign business transactions as 
they occur and lacks knowledge about how much time a contractor 
facility with unmitigated FOCI has access to classified 
information.[Footnote 5] Figure 2 shows a general description of gaps 
in DSS knowledge about the FOCI process. Furthermore, DSS field staff 
said they lack research tools and sufficient training regarding the 
subject of foreign transactions and have indicated challenges with 
regard to staff turnover. 

Figure 2: Knowledge Gaps in DSS's FOCI Process: 

[See PDF for image]

Note: Per the National Industrial Security Program Operating Manual, 
DSS shall suspend the facility clearance of a contractor with 
unmitigated FOCI. 

[End of figure]

DSS Cannot Ensure Timely Reporting from FOCI Contractors or Determine 
the Extent to Which FOCI Is Unmitigated: 

DSS does not systematically ask for information that would allow it to 
know if contractors are reporting certain foreign business transactions 
when they occur, which begins the process for reducing FOCI-related 
security risks. DSS industrial security representatives are responsible 
for advising contractors that timely notification of foreign business 
transactions is essential. The National Industrial Security Program 
Operating Manual requires contractors with security clearances to 
report any material changes of foreign business transactions previously 
notified to DSS but does not specify a time frame for doing so. DSS is 
dependent on contractors to self-report transactions by filling out the 
Certificate Pertaining to Foreign Interests form, but this form does 
not ask contractors to provide specific dates for when foreign 
transactions took place. In addition, DSS does not compile or analyze 
how much time passes before DSS becomes aware of foreign business 
transactions. DSS field staff told us that some contractors report 
foreign business transactions as they occur, while others report 
transactions months later, if at all. During our review, we found a few 
instances in which contractors were not reporting foreign business 
transactions when they occurred. One contractor did not report FOCI 
until 21 months after awarding a subcontract to a foreign entity. 
Another contractor hired a foreign national as its corporate president 
but did not report this transaction to DSS, and DSS did not know about 
the FOCI change until 9 months later, when the industrial security 
representative came across the information on the contractor's Web 
site. In another example, DSS was not aware that a foreign national sat 
on a contractor's board of directors for 15 months until we discovered 
it in the process of conducting our audit work. Without timely 
notification from contractors, DSS cannot track when specific foreign 
business transactions took place and therefore is not in a position to 
take immediate action so that FOCI is mitigated, if necessary. 

In addition, DSS does not determine the time elapsed from reporting of 
foreign business transactions by contractors with facility clearances 
to the implementation of protective measures or when suspensions of 
facility clearances occur. Without protective measures in place, 
unmitigated FOCI at a cleared contractor increases the risk that 
foreign interests can gain unauthorized access to U.S. classified 
information. During our review, we found two cases in which contractors 
appeared to have operated with unmitigated FOCI before protective 
measures were implemented. For example, officials at one contractor 
stated they reported to DSS that their company had been acquired by a 
foreign entity. However, the contractor continued operating with 
unmitigated FOCI for at least 6 months. In the other example, a 
foreign-purchased contractor continued operating for 2 months with unmitigated 
FOCI. Contractor officials in both examples told us that their facility 
clearances were not suspended. According to the National Industrial 
Security Program Operating Manual, DSS shall suspend the facility 
clearance of a contractor with unmitigated FOCI. DSS relies on field 
office staff to make this determination. Because information on 
suspended contractors with unmitigated FOCI is maintained in the field, 
DSS headquarters does not determine at an aggregate level the extent to 
which and under what conditions it suspends contractors' facility 
clearances due to unmitigated FOCI. 

DSS Does Not Maintain Aggregate Information to Assess Overall 
Effectiveness of the FOCI Process: 

DSS does not centrally collect and analyze information to determine the 
magnitude of contractors under FOCI and assess the effectiveness of its 
oversight of those contractors. For example, DSS does not know how many 
contractors under FOCI are operating under all types of protective 
measures and, therefore, does not know the extent of potential 
FOCI-related security risks. Although DSS tracks information on contractors 
operating under some types of protective measures, it does not 
centrally compile data on contractors operating under all types of 
protective measures.[Footnote 6] Specifically, DSS headquarters 
maintains a central repository of data on contractors under voting 
trust agreements, proxy agreements, and special security agreements-- 
protective measures intended to mitigate majority foreign ownership. 
However, information on contractors under three other protective 
measures--security control agreements, limited facility clearances, and 
board resolutions--is maintained in paper files in the field 
offices.[Footnote 7] DSS does not aggregate data on contractors for all 
six types of protective measures and does not track and analyze overall 
numbers. In addition, DSS does not conduct overall analysis of foreign 
business transactions reported by contractors on their Certificate 
Pertaining to Foreign Interests forms or maintain aggregate information 
for contractors' responses. Consequently, DSS does not know the 
universe of FOCI contractors operating under protective measures, and 
DSS cannot determine the extent to which contractors under FOCI are 
increasing or if particular types of foreign business transactions are 
becoming more prevalent. This information would help DSS target areas 
for improved oversight. According to DSS officials, centralizing and 
tracking information on contractors under all types of measures would 
require more resources because information is dispersed in paper files 
in DSS field offices around the country. 

DSS does not systematically compile and analyze trends from its 
oversight functions to identify overall compliance trends or concerns 
with implementation of protective measures by contractors. DSS 
industrial security representatives are responsible for ensuring 
compliance of FOCI contractors under certain protective measures 
through annual FOCI meetings where they discuss contractors' compliance 
reports.[Footnote 8] Industrial security representatives notify 
headquarters of the results of the meetings and place compliance 
reports and their own assessments in paper files located in field 
offices. However, DSS headquarters does not use annual compliance 
reports to assess trends to evaluate overall effectiveness of the FOCI 
process. 

Finally, the use of protective measures at FOCI contractor facilities 
was designed in part to counter attempts to gather classified 
information through unauthorized means. DSS does not assess trends from 
its own counterintelligence data or information gathered by other 
intelligence agencies to evaluate whether protective measures are 
effectively mitigating FOCI risk across the board. For example, a 2004 
DSS counterintelligence report states that foreign information 
targeting through e-mail and Internet communication and collection 
methods is on the rise. However, according to DSS officials, not all 
protective measures at FOCI contractors include provisions to monitor 
e-mail or other Internet traffic. By assessing counterintelligence trends 
to analyze the effectiveness of protective measures in countering 
foreign information collection attempts, DSS could identify weaknesses 
in its protective measures and adjust them accordingly. 

DSS Industrial Security Representatives Face Challenges in Carrying Out 
FOCI Responsibilities: 

DSS's field staff face numerous challenges: complexities in verifying 
FOCI cases, limited tools to research FOCI transactions, insufficient 
FOCI training, staff turnover, and inconsistencies in implementing 
guidance on FOCI cases. 

For industrial security representatives, verifying if a contractor is 
under FOCI is complex. Industrial security representatives cited 
various difficulties verifying FOCI information. To verify if a 
contractor is under FOCI, industrial security representatives are 
required to understand the corporate structure of the legal entity 
completing the Certificate Pertaining to Foreign Interests form and 
evaluate the types of foreign control or influence that exist for each 
entity within a corporate family. DSS officials informed us that 
tracing strategic company relationships, country of ownership, and 
foreign affiliations and suppliers, or reviewing corporate 
documentation--such as loan agreements, financial reports, or 
Securities and Exchange Commission filings--is complicated. For 
example, representatives are required to verify information on stock 
ownership by determining the distribution of the stock among the 
stockholders and the influence or control the stockholders may have 
within the corporation. This entails identifying the type of stock and 
the number of shares owned by the foreign person(s) to determine their 
authority and management prerogatives, which DSS guidance indicates may 
be difficult to ascertain in certain cases. According to DSS field 
officials, verifying information is especially difficult when 
industrial security representatives have limited exposure to FOCI 
cases. In some field offices we visited, industrial security 
representatives had few or no FOCI cases and, therefore, had limited 
knowledge about how to verify foreign business transactions. 

Some industrial security representatives in one field office told us 
they do not always have the tools needed to verify if contractors are 
under FOCI. As part of their review process, industrial security 
representatives are responsible for verifying what a contractor reports 
on its Certificate Pertaining to Foreign Interests form and determining 
the extent of foreign interests in the company. Industrial security 
representatives conduct independent research using the Internet or 
return to the contractor for more information to evaluate the FOCI 
relationships and hold discussions with management officials, such as 
the chief financial officer, treasurer, and legal counsel. DSS 
headquarters officials told us additional information sources, such as 
the Dun and Bradstreet database of millions of private and public 
companies, are currently not available in the field. However, some 
industrial security representatives stated that such additional 
resource tools would be beneficial for verifying complex FOCI 
information. 

In addition, industrial security representatives stated they lacked the 
training and knowledge needed to better verify and oversee contractors 
under FOCI. For example, DSS does not require its representatives to 
have financial or legal training. While some FOCI training is provided, 
representatives largely depend on DSS guidance and on-the-job training 
to oversee a FOCI contractor. In so doing, representatives work with 
more experienced staff or seek guidance, when needed, from DSS 
headquarters. In a 1999 review, DSS recognized that recurring training 
was necessary to ensure industrial security representatives remain 
current on complex FOCI issues and other aspects of the FOCI process. 
DSS headquarters officials said that they have held regionwide meetings 
where they discussed FOCI case scenarios and responded to questions 
about the FOCI process. However, we found that the training needs on 
complex FOCI issues are still a concern to representatives. In fact, 
many said they needed more training to help with their responsibility 
of verifying FOCI information, including how to review corporate 
documents, strategic company relationships, and financial reports. DSS 
field officials said the DSS training institute currently offers a 
brief training unit on FOCI covering basic information.[Footnote 9] DSS 
established a working group of DSS field and headquarters staff to look 
at ways to improve the training program, including more specific FOCI 
training. The group submitted recommendations in March 2005 to field 
managers for their review.[Footnote 10] DSS is also planning to work 
with its training institute to develop additional FOCI courses to 
better meet the needs of the industrial security representatives. 

According to field staff, industrial security representatives operate 
in an environment of staff turnover, which can affect their in-depth 
knowledge of FOCI contractors. Officials from one-third of the field 
offices we reviewed noted staff retention problems. DSS officials at 
two of these field offices said that in particular they have problems 
retaining more experienced industrial security representatives. Field 
officials said that when an industrial security representative retires 
or leaves, the staff member's entire workload is divided among the 
remaining representatives, who already have a substantial workload. In 
addition, DSS guidance advises field office officials to rotate 
contractor facilities among industrial security representatives every 3 
years, if possible, as a means of retaining DSS independence from the 
contractors. DSS officials told us the rotation can actually occur more 
frequently because of staff turnover. DSS headquarters officials said 
they are formulating a working group to help improve staff retention in 
the field. 

Compounding these challenges are inconsistencies among field offices in 
how industrial security representatives said they understood and 
implemented DSS guidance for reviewing contractors under FOCI. For 
example, per DSS guidance, security reviews and FOCI meetings should be 
performed every 12 months for contractors operating under special 
security agreements, security control agreements, voting trust 
agreements, and proxy agreements. However, we found that some 
industrial security representatives were inconsistent in implementing 
the guidance. For example, one representative said a contractor under a 
special security agreement was subject to a security review every 18 
months because the contractor did not store classified information 
on-site.[Footnote 11] In addition, two industrial security representatives 
told us they did not conduct annual FOCI meetings for contractors that 
were operating under a proxy agreement and security control agreement, 
respectively. We also found that industrial security representatives 
varied in their understanding or application of DSS guidance for when 
they should suspend a contractor's facility clearance when FOCI is 
unmitigated. The guidance indicates that when a contractor with a 
facility clearance is determined to be under FOCI that requires 
mitigation by DSS headquarters, the facility security clearance shall 
be suspended until a protective measure is implemented. However, we 
were told by officials in some field offices that they rarely suspend 
clearances when a contractor has unmitigated FOCI as long as the 
contractor is demonstrating good faith in an effort to provide 
documentation to DSS to identify the extent of FOCI and submits a FOCI 
mitigation plan to DSS. Officials in other field offices said they 
would suspend a contractor's facility clearance once they learned the 
contractor had unmitigated FOCI. 

Conclusions: 

The protection of classified information has become increasingly 
important in light of the internationalization of multibillion-dollar 
cooperative development programs, such as a new-generation fighter 
aircraft, and a growing number of complex cross-border industrial 
arrangements. Although such developments offer various economic and 
technological benefits, there can be national security risks when 
foreign companies control or influence U.S. contractors with access to 
classified information. Given the growing number of DOD contractors 
with connections to foreign countries, it is critical for DSS to ensure 
that classified information is protected from unauthorized foreign 
access. In carrying out its responsibilities, DSS is dependent on 
self-reported information from the contractors about their foreign 
activities, creating vulnerabilities outside of DSS's control. Within 
this environment, unless DSS improves the collection and analysis of 
key information and provides its field staff with the training and 
tools they need to perform FOCI responsibilities, DSS will continue to 
operate without knowing how effective its oversight is at reducing the 
risk of foreign interests gaining unauthorized access to U.S. 
classified information. 

Recommendations for Executive Action: 

To improve knowledge of the timing of foreign business transactions and 
reduce the risk of unauthorized foreign access to classified 
information, we recommend that the Secretary of Defense direct the 
director of DSS to take the following three actions: 

* clarify when contractors need to report foreign business transactions 
to DSS,

* determine how contractors should report and communicate dates of 
specific foreign business transactions to DSS, and

* collect and analyze when foreign business transactions occurred at 
contractor facilities and when protective measures were implemented to 
mitigate FOCI. 

To assess overall effectiveness of DSS oversight of contractors under 
FOCI, we recommend that the Secretary of Defense direct the director of 
DSS to take the following three actions: 

* collect and analyze data on contractors operating under all 
protective measures as well as changes in types and prevalence of 
foreign business transactions reported by contractors;

* collect, aggregate, and analyze the results of annual FOCI meetings, 
contractors' compliance reports, and data from the counterintelligence 
community; and

* develop a plan to systematically review and evaluate the 
effectiveness of the FOCI process. 

To better support industrial security representatives in overseeing 
contractors under FOCI, we recommend the Secretary of Defense direct 
the director of DSS to formulate a human capital strategy and plan that 
would encompass the following two actions: 

* evaluate the needs of representatives in carrying out their FOCI 
responsibilities and

* determine and implement changes needed to job requirements, guidance, 
and training to meet FOCI responsibilities and explore options for 
improving resource tools and knowledge-sharing efforts among 
representatives. 

Agency Comments and Our Evaluation: 

In commenting on a draft of our report, DOD disagreed with our 
conclusions that improvements are needed to ensure sufficient oversight 
of contractors under FOCI, and it also disagreed with our 
recommendations to improve oversight. Overall, DOD's comments indicate 
that it believes that the actions DSS takes when it learns of FOCI at 
contractors are sufficient. However, DOD has not provided evidence 
necessary to support its assertions. In fact, we found two cases in 
which contractors appeared to have operated with unmitigated FOCI 
before protective measures were put into place. Unmitigated FOCI at 
contractors increases the risk that foreign interests can gain 
unauthorized access to U.S. classified information. Further, DOD states 
that we did not establish a link between collecting and analyzing FOCI 
data and the effectiveness of DSS's oversight or the protection of 
classified information. We found that DSS lacks fundamental FOCI 
information--including information on the universe of FOCI contractors 
and trends in overall contractor compliance with protective measures-- 
that is needed to determine the effectiveness of the FOCI process and 
the sufficiency of oversight. Ultimately, without making this 
determination, DSS cannot adequately ensure it is taking necessary 
steps to reduce the risk of foreign interests gaining unauthorized 
access to classified information. Unless our recommendations are 
implemented, we are concerned that DSS will continue to operate on 
blind faith that its FOCI process is effective and its oversight is 
sufficient. 

DOD did not concur with seven of our recommendations and only partially 
concurred with the eighth. Regarding our first three recommendations, 
which aim to improve DSS's knowledge of the timing of foreign business 
transactions and reduce the risk of unauthorized foreign access to 
classified information, DOD argues that having such information will 
not help protect classified information. However, as we noted in our 
report, without this information, DSS is not in a position to know when 
FOCI transactions occur so that timely protective measures can be 
implemented to mitigate FOCI as needed--the purpose of the FOCI 
process. 

Regarding our next three recommendations, which aim to enable DSS to 
assess the overall effectiveness of its oversight of contractors under 
FOCI, DOD argues that it does not need to collect and analyze 
information on the universe of contractors under FOCI and trends in 
foreign business transactions, or aggregate compliance and 
counterintelligence information. However, without this information, DSS 
limits its ability to identify vulnerabilities in the FOCI process and 
to target areas for improving oversight of contractors, including 
potential changes to protective measures. DOD also argues that it has 
three mechanisms to systematically evaluate DSS's processes: DSS's 
Inspector General, a management review process for industrial security 
field office oversight, and a standards and quality program. However, 
DOD has not provided evidence in its comments that these mechanisms are 
focused on systematically reviewing and evaluating the effectiveness of 
the FOCI process. 

Regarding our last two recommendations--to formulate a human capital 
strategy and plan that would better support industrial security 
representatives in overseeing FOCI contractors--DOD does not believe 
that its industrial security representatives need additional support. 
DOD supports this belief with two points. First, DOD states that 
because less than 3 percent of the approximately 12,000 cleared 
companies overseen by DSS have any FOCI mitigation, most DSS industrial 
security representatives do not oversee such contractors. Yet it is 
unclear how DOD arrived at these figures because DSS does not collect 
and analyze information on all contractors operating under protective 
measures. Regardless of the number of these contractors, industrial 
security representatives must have adequate support--including training 
and guidance--to verify if contractors are under FOCI and to ensure 
contractors comply with any protective measures put in place. In the 
course of our review, we found that industrial security representatives 
are not sufficiently equipped to fulfill their FOCI responsibilities. 
Second, DOD noted that DSS is under new leadership and is exploring 
operational improvements as well as implementing a new industrial 
security information management system. While it is too early to assess 
the effect of these proposals, it is also unclear how these efforts 
will bring about any needed changes to industrial security 
representatives' job requirements, guidance, tools, and training. 

As we concluded in our report, DSS's dependence on self-reported 
information from contractors about their foreign activities creates 
vulnerabilities outside of DSS's control. Given these vulnerabilities, 
it is imperative that DSS improve the collection and analysis of key 
information on the FOCI process and provide its industrial security 
representatives with the training and tools they need to perform their 
FOCI responsibilities. If DSS continues to operate without knowing how 
effective its oversight is and does not support the representatives in 
carrying out their FOCI responsibilities, then the value of DSS's 
management and the FOCI process should be open for further examination. 
Therefore, we did not modify our recommendations. 

DOD also provided technical comments, which we addressed. DOD's letter 
is reprinted in appendix II, along with our evaluation of its comments. 

We are sending copies of this report to interested congressional 
committees; the Secretary of Defense; the Director, Defense Security 
Service; the Assistant to the President for National Security Affairs; 
and the Director, Office of Management and Budget. We will make copies 
available to others upon request. In addition, this report will be 
available at no charge on the GAO Web site at http://www.gao.gov. 

If you have any questions about this report, please contact me at (202) 
512-4841. Major contributors to this report are Anne-Marie Lasowski, 
Maria Durant, Ian A. Ferguson, Suzanne Sterling, Kenneth E. Patton, 
Lily J. Chin, and Karen Sloan. 

Sincerely yours,

Signed by: 

Ann Calvaresi-Barr: 
Director: 
Acquisition and Sourcing Management: 

[End of section]

Appendix I: Scope and Methodology: 

To assess the Defense Security Service's (DSS) process for determining 
and overseeing contractors under foreign ownership, control, or 
influence (FOCI), we reviewed Department of Defense (DOD) regulations 
and guidance on FOCI protective measures included in the National 
Industrial Security Program Operating Manual, and the Industrial 
Security Operating Manual, as well as DSS policies, procedures, and 
guidance for verifying contractors under FOCI and for overseeing them. 
We discussed with DSS officials at headquarters and field locations how 
they use DSS guidance to oversee FOCI contractors. We also discussed 
DSS roles and responsibilities for headquarters and field staff and 
challenges in overseeing contractors that report FOCI and the use of 
FOCI information to evaluate effectiveness of the process. We reviewed 
DSS training materials to learn about the type of training DSS offers 
industrial security representatives in meeting their FOCI 
responsibilities. We also examined FOCI studies conducted by DSS to 
determine the results of earlier DSS reviews of the FOCI process. 

We visited nine field offices that varied in how many FOCI contractors 
they monitored and in their geographic location. Through discussions 
with DSS officials at headquarters in Alexandria, Virginia, and from 
nine field offices, we identified FOCI contractors operating under 
various protective measures and examined DSS actions to verify FOCI and 
oversee the implementation of protective measures at contractor 
facilities. We collected information on a nonrepresentative sample of 
27 contractor facility case files reviewed by DSS for FOCI. In 
addition, we visited 8 of the 27 contractor facilities and spoke with 
security officials, corporate officers, and board members to obtain 
additional clarification on the types of protective measures and the 
FOCI process. 

We spoke with DSS headquarters and field staff regarding actions taken 
to implement protective measures and reviewed supporting documentation 
maintained by DSS and contractor facilities. During our visits to nine 
field offices, we discussed the contents of selected contractor 
facility file folders to understand how DSS oversees contractors' 
implementation of protective measures, determines unmitigated FOCI, and 
assesses the effectiveness of the FOCI process. Because we did not take 
a statistical sample of case files, the results of our analyses cannot 
be generalized. However, we confirmed that the data used to select the 
files that we reviewed were consistent with the information in the 
facility files that we reviewed. 

[End of section]

Appendix II: Comments from the Department of Defense: 

GAO's comments supplementing those in the report text appear at the end 
of this appendix. 

OFFICE OF THE UNDER SECRETARY OF DEFENSE:
INTELLIGENCE: 
5000 DEFENSE PENTAGON: 
WASHINGTON, DC 20301-5000: 

JUN 29 2005: 

Ms. Ann Calvaresi-Barr, Director: 
Acquisition and Sourcing Management: 
U.S. Government Accountability Office: 
Washington, D.C. 20548: 

Dear Ms. Calvaresi-Barr: 

This is the Department of Defense (DoD) response to the GAO draft 
report (05-681), "INDUSTRIAL SECURITY: DOD Cannot Ensure Its Oversight 
of Contractors under Foreign Influence Is Sufficient," dated June 10, 
2005 (GAO Code 120348). 

In response to a Senate report accompanying the National Defense 
Authorization Act for Fiscal 2004, your organization was tasked to 
assess the extent to which the Defense Security Service (DSS) "has 
assurance that its approach provides sufficient oversight of 
contractors under foreign ownership, control or influence (FOCI)." 
While you found that DSS does not have a process for collecting and 
analyzing certain FOCI data, the report never made the nexus between 
collecting and analyzing data and protection of classified information 
or the effectiveness of DSS oversight. 

The report demonstrates a lack of understanding of the national policy 
governing access to classified information by our contractor population 
and the evaluation process used by DSS to ensure that classified 
information is properly protected. FOCI is handled on a case-by-case 
basis in accordance with national policy approved by all Federal 
Agencies that participate in the National Industrial Security Program 
(NISP). When DSS becomes aware of FOCI, an assessment is made regarding 
the risk to classified information in the specific situation. The 
nature and source of the foreign ownership, the sensitivity of the 
information, the relationship of the foreign source's government with 
our government, and the nature of agreements between the governments 
involved, all are taken into account to determine the risk. If there is 
any indication of risk to classified information the government 
customer is notified and appropriate action is taken to protect the 
classified information. All companies that have a facility security 
clearance have cleared United States citizens responsible for 
protecting that classified information. For it to be at risk, even by 
FOCI, cleared United States citizens have to break the law by providing 
it to unauthorized individuals. 

Specific responses to the report's recommendations are attached, as are 
some technical comments. While there is always room for improvement in 
any process, I find little in this report that would improve the FOCI 
process or justify the cost of implementation. 

Thank you for the opportunity to comment on the report. 

Sincerely,

Signed for: 

Carol A. Haave: 
Deputy Under Secretary of Defense (Counterintelligence and Security): 

Attachment: 

DoD Comments to the GAO Recommendations on the GAO Draft Report dated 
June 10, 2005: 

GAO DRAFT REPORT DATED JUNE 10, 2005 GAO-05-681 (GAO CODE 120348): 

"INDUSTRIAL SECURITY: DOD Cannot Ensure Its Oversight of Contractors 
under Foreign Influence Is Sufficient,"

DEPARTMENT OF DEFENSE COMMENTS TO THE GAO RECOMMENDATIONS: 

RECOMMENDATION 1: The GAO recommended that the Secretary of Defense 
direct the director of Defense Security Service (DSS), to clarify when 
contractors need to report foreign business transactions to DSS. (p. 16 
GAO Draft Report): 

DOD RESPONSE: 

Non-concur. 

The National Industrial Security Program Operating Manual (NISPOM), 
which promulgates national industrial security policy to the contractor 
community, is very clear about the contractor-reporting requirement. 
NISPOM paragraph 1-302.h (5): 

"Any material change concerning the information previously reported by 
the contractor concerning foreign ownership, control or influence 
(FOCI). This report shall be made by the submission of a CSA-designated 
form. When submitting this form, it is not necessary to repeat answers 
that have not changed. When entering into discussions, consultations or 
agreements that may reasonably lead to effective ownership or control 
of a foreign interest, the contractor shall report the details by 
letter."

The report states that contractors self-report "foreign business 
transactions." There is no NISPOM requirement to report "foreign 
business transactions" nor is there any utility in contractors 
reporting every transaction with a foreign source. Contractors are 
required to report material changes to information already reported and 
that information is then reviewed to determine if further action is 
required. In addition, as part of a facility's annual security review, 
DSS routinely asks company management about changes to the facility's 
reported FOCI. Self-reporting is the only mechanism we can rely on to 
gather the information and since all other Federal Agencies, to include 
Internal Revenue and Social Security, depend on companies to 
self-report, we do not see a concern. If information comes to DSS' attention 
through other means they follow up and take appropriate action. The 
NISPOM is contractually imposed. Failure to report is a compliance 
issue. 

RECOMMENDATION 2: The GAO recommended that the Secretary of Defense 
direct the director of DSS, to determine how contractors should report 
and communicate dates of specific foreign business transactions to DSS. 
(p. 16 GAO Draft Report): 

DOD RESPONSE: 

Non-concur. 

See response to Recommendation #1. The NISPOM provides requirements to 
contractors on reporting requirements. The policy direction is that at 
the time that a material change occurs concerning the FOCI information 
previously reported by the contractor, the reporting requirement 
applies. The policy applies to all contractors of Executive Branch 
agencies under the National Industrial Security Program (NISP), in 
accordance with Executive Order (EO) 12829. Any change to the 
contractor reporting requirements requires a change to national policy. 
DSS is not responsible for developing or promulgating national policy. 

DSS responsibility under the NISP specifically pertains to the national 
security and oversight of contractor access to classified information. 
Having information on the dates of foreign business transactions does 
not contribute to ensuring that classified information is protected. 
The length of time between a "foreign business transaction" occurring, 
the reporting of that event if it needs to be reported, the decision 
that a mitigating instrument should be put in place, and the actual 
imposition of a mitigating instrument does not directly relate to 
unauthorized disclosure of classified information. 

RECOMMENDATION 3: The GAO recommended that the Secretary of Defense 
direct the director of DSS, to collect and analyze when foreign 
business transactions occurred at contractor facilities and when 
protective measures were implemented to mitigate FOCI. (p. 16 GAO Draft 
Report): 

DOD RESPONSE: 

Nonconcur. 

See response to Recommendations #1 and #2. The length of time involved 
in putting a mitigating instrument in place does not directly relate to 
unauthorized disclosure of classified information. 

The DSS role is overseeing the protection of classified information. 
From the time that DSS receives a report from a contractor that 
involves FOCI, DSS works with the contractor to ensure that, regardless 
of the length of time involved, classified information is protected 
while the FOCI is analyzed and an appropriate mitigating instrument is 
determined and put in place. Every effort is made to ensure that the 
contractor can continue to work so long as the contractor is 
negotiating FOCI negation or mitigation in good faith. If DSS has 
reason to believe that classified information cannot be adequately 
protected as a result of a FOCI-related change, DSS has the option of 
invalidating the facility clearance until all issues are resolved. If 
FOCI cannot be negated or mitigated, DSS revokes the facility 
clearance. 

RECOMMENDATION 4: The GAO recommended that the Secretary of Defense 
direct the director of DSS, to collect and analyze data on contractors 
operating under all protective measures as well as changes in types and 
prevalence of foreign business transactions reported by contractors. 
(p. 16 GAO Draft Report): 

DOD RESPONSE: 

Nonconcur. 

This recommendation was indicated in the report as a way for the 
Secretary of Defense to assess DSS oversight. An analysis of protective 
measures and changes in the types and prevalence of foreign business 
transactions reported by contractors does not appear to provide value 
in assessing DSS's effectiveness in ensuring the protection of 
classified information in industry. 

There is no requirement for contractors to report all "foreign business 
transactions" to DSS. The reporting requirement for contractors 
pertains only to those FOCI-related events that may impact the 
contractor's ability to maintain their facility clearance and perform 
on classified contracts. There is no basis for DSS to be able to 
analyze changes in the types and prevalence of foreign business 
transactions. 

RECOMMENDATION 5: The GAO recommended that the Secretary of Defense 
direct the director of DSS, to collect, aggregate, and analyze the 
results of annual foreign ownership, control or influence (FOCI) 
meetings, contractors' compliance reports, and data from the 
counterintelligence community. (p. 16 GAO Draft Report): 

DOD RESPONSE: 

Nonconcur. 

This recommendation was indicated in the report as a way for the 
Secretary of Defense to assess DSS oversight. Of the approximately 
12,000 cleared contractors, fewer than 3% are under any type of FOCI 
mitigating mechanisms; i.e., board resolutions, limited facility 
clearances, voting trusts, proxies, Special Security Arrangements, or 
Security Control Agreements. Analysis of an aggregation of the results 
of annual meetings, compliance reports, and CI data does not appear to 
provide value in assessing DSS effectiveness in ensuring the protection 
of classified information in industry. The DSS Industrial Security 
Representative (IS Rep) uses the results of the annual meetings, 
compliance reports, and CI data to assess an individual contractor's 
ability to protect classified information. 

RECOMMENDATION 6: The GAO recommended that the Secretary of Defense 
direct the director of DSS, to develop a plan to systemically review 
and evaluate the effectiveness of the FOCI process. (p. 16 GAO Draft 
Report): 

DOD RESPONSE: 

Nonconcur. 

The Director of DSS already has three separate processes in place to 
systematically review and evaluate the effectiveness of the agency's 
processes. DSS has an Inspector General, a management review process 
for industrial security field office oversight and a standards and 
quality program. 

RECOMMENDATION 7: The GAO recommended that the Secretary of Defense 
direct the director of DSS, to evaluate the needs of representatives in 
carrying out their FOCI responsibilities. (p. 16 GAO Draft Report): 

DOD RESPONSE: 

Nonconcur. 

Since the Defense Industrial Security Program has been in place since 
the early 1950's, superseded by the National Industrial Security 
Program in 1993, the needs of representatives in carrying out their 
FOCI responsibilities are well known. 

The report indicates that DSS Industrial Security personnel lacked the 
training and knowledge to identify complex business structures and to 
oversee contractors with FOCI. As less than 3% of the approximately 
12,000 cleared companies overseen by DSS have any FOCI mitigation, most 
DSS industrial security personnel do not oversee such contractors. The 
report does not differentiate between DSS personnel whose duties 
actually require them to oversee complex FOCI and personnel whose 
duties do not. The four-week on site training for industrial security 
personnel includes one week on the facility clearance process to 
include FOCI. On site training is preceded by 12 weeks of on the job 
training and mentoring by senior industrial security personnel. The DSS 
Industrial Security Operating Manual also contains extensive coverage 
on business structures and FOCI processing. The DSS facility clearance 
and FOCI process requires the industrial security representative to 
gather information and do a cursory analysis. When a specific threshold 
is reached the case is referred to a specialist who has the expertise 
to review the documentation and reach an appropriate conclusion. While 
personnel can always have additional training and DSS leadership is 
reviewing the training requirements for their personnel, it is our 
position that the DSS personnel who have the responsibility to handle 
complex FOCI situations are properly trained. 

RECOMMENDATION 8: The GAO recommended that the Secretary of Defense 
direct the director of DSS, to determine and implement changes needed 
to job requirements, guidance, and training to meet FOCI 
responsibilities and explore options for improving resource tools and 
knowledge-sharing efforts among representatives. (p. 16 GAO Draft 
Report): 

DOD RESPONSE: 

Partially concur. 

DSS continually assesses its conduct of the industrial security 
program, as does OSD in its oversight role. We recognize, however, that 
there is always room for improvement. DSS has undergone a 
transformation in the last two years with significant changes in 
leadership and mission. With a new Deputy Director of Industrial 
Security in place at DSS, a new strategic direction for program 
operations is being formulated. New management provides the opportunity 
to explore options for operational improvements. Some initiatives are 
already underway, including an assessment of the skill sets and 
training required to effectively carry out the industrial security 
mission, as well as a career path for the industrial security 
professional that should aid in recruitment and retention of skilled 
personnel. 

A new industrial security information management system is nearing the 
final stages of requirements definition and development, which will 
improve the ability to centrally manage data, while enhancing the 
ability to share information and ideas across geographic boundaries. 
This will allow geographically dispersed IS Reps to more effectively 
assess classified government programs with multiple contracts and 
subcontracts and provide assurances to the government customers that 
classified information is protected across programs. 

The following are GAO's comments on the Department of Defense's letter 
dated June 29, 2005. 

GAO's Comments: 

1. It is unclear how DOD came to the conclusion that our report lacks 
an understanding of the national policy governing contractors' access 
to classified information, given that our description of the policy and 
process in the background of our report is taken directly from 
documentation provided by DSS. Further, DOD did not provide in its 
technical comments any suggested amendments to remove perceived 
misunderstandings from our report. 

2. Cleared U.S. citizens need not break the law for foreign interests 
to gain unauthorized access to classified information or adversely 
affect performance of classified contracts. Classified information can 
be at risk when foreign nationals at a cleared FOCI contractor facility 
are not identified and timely protective measures are not established 
to mitigate their influence. 

3. DOD's position that there is little in our report that would enable 
DSS to improve the FOCI process or justify the cost of implementing our 
recommendations underscores the department's failure to grasp the 
gravity of our findings. DOD has neither systematically evaluated the 
effectiveness of its FOCI process nor identified opportunities to 
strengthen its oversight for contractors under FOCI. Our 
recommendations specifically target correcting these weaknesses. 
Further, raising concerns about cost without evaluating the 
effectiveness of its FOCI process is shortsighted. 

4. According to the National Industrial Security Program Operating 
Manual, contractors are required to report material changes to 
previously reported FOCI information, and to report every 5 years even 
if no change occurs. We added a footnote to further clarify the 
definition of foreign business transactions used in our report. 

5. DOD's response concerning self-reporting underscores the 
department's complacency regarding its responsibility to take actions 
needed to prevent foreign interests from gaining unauthorized access to 
U.S. classified information. While we recognize that DSS is dependent 
on self-reporting and that some vulnerabilities are outside of DSS's 
control, there are numerous steps DOD could take to mitigate these 
vulnerabilities. For example, if DSS implemented our recommendation to 
clarify when reporting should occur and require reporting dates when 
specific foreign business transactions took place, then DSS could 
monitor whether contractors are reporting foreign transactions on time 
and put mitigation measures in place, as appropriate. 

6. While DOD maintains that contractors are to report material changes 
concerning FOCI information as they occur, we found that the National 
Industrial Security Program Operating Manual does not state this. As we 
reported, DSS field staff told us that while some contractors report 
transactions as they occur, some do not report transactions until 
months later, if at all. Specifying a time frame for contractors could 
result in more timely reporting of these transactions. 

7. As we reported, the FOCI process begins when a contractor reports 
FOCI information. Having information on when foreign transactions occur 
would enable DSS to take timely action to impose safeguards or 
restrictions authorized by the National Industrial Security Program 
Operating Manual. 

8. Unmitigated FOCI at a cleared contractor increases the risk that 
foreign interests can gain unauthorized access to U.S. classified 
information. During our review, we found two cases in which contractors 
appeared to have operated with unmitigated FOCI before protective 
measures were put in place. Therefore, it is important to know the 
length of time between when a foreign transaction occurs and when 
protective measures are put in place to mitigate FOCI. 

9. According to the National Industrial Security Program Operating 
Manual, a contractor under FOCI with an existing facility clearance 
shall have its clearance suspended or revoked unless protective 
measures are established to remove the possibility of unauthorized 
access to classified information or of adversely affecting performance 
on classified contracts. DOD's characterization of DSS having the 
option to suspend the clearance of contractors with unmitigated FOCI 
seems to differ from what is stated in the manual. 

10. It is unclear why DOD does not see the value in collecting 
information on contractors operating under all six protective measures, 
when DSS already centrally collects information on contractors 
operating under three measures. DSS cannot assess the overall 
effectiveness of its FOCI process unless it has a complete and accurate 
account of contractors operating under all types of protective 
measures. 

11. It is unclear how DOD determined that less than 3 percent of its 
cleared contractors are operating under all six protective measures 
because DSS does not centrally collect and analyze this information for 
all six measures. In addition, the most recent information provided to 
us by DSS indicated that there are about 11,000 contractor facilities 
participating in the National Industrial Security Program, rather than 
the 12,000 cited in DOD's comments. Further, DOD did not provide 
technical comments to revise the number of contractor facilities stated 
in our report. 

12. Industrial security representatives may use the results of annual 
meetings, compliance reports, and counterintelligence data to assess an 
individual contractor's security posture. However, as stated in our 
report, DSS does not systematically compile and analyze trends from 
these oversight activities. Aggregating overall compliance and 
counterintelligence trends is valuable because it would allow DSS to 
identify actual or potential weaknesses, evaluate effectiveness, and 
take actions as needed to improve its FOCI process. 

13. Citing how long the program has been in existence misses the point, 
and DOD does not provide evidence that the needs of representatives are 
well known. As we reported, industrial security representatives face 
numerous challenges in carrying out their FOCI responsibilities, which 
form the basis of our recommendation to evaluate the needs of the 
representatives. Assessing their needs is particularly important given 
the increasingly complex environment--characterized by international 
cooperative defense programs and a growing number of cross-border 
defense industrial relationships--in which industrial security 
representatives work. 

14. As stated in our report, industrial security representatives told 
us they lacked the training and knowledge they needed to verify complex 
FOCI cases and oversee contractors under FOCI. 

FOOTNOTES

[1] FOCI is defined in the National Industrial Security Program 
Operating Manual, which prescribes the requirements, restrictions, and 
safeguards that contractors are to follow to prevent the unauthorized 
disclosure of classified information. 

[2] As part of its report accompanying the National Defense 
Authorization Act for Fiscal Year 2004 (S. Rep. No. 108-46, at 345-346 
(2003)), the Senate Committee on Armed Services also directed us to 
review DOD's National Industrial Security Program. In response to that 
request, we assessed (1) DSS's oversight of U.S. contractor facilities' 
implementation of the National Industrial Security Program and (2) 
DSS's adherence to required procedures after a security violation and 
possible compromise of classified information. Our assessment was 
detailed in the following report: GAO, Industrial Security: DOD Cannot 
Provide Adequate Assurance That Its Oversight Ensures the Protection of 
Classified Information, GAO-04-332 (Washington, D.C.: Mar. 3, 2004). 

[3] Throughout our report, we refer to information reported by 
contractors on the Certificate Pertaining to Foreign Interests form, or 
the changes afterwards, as foreign business transactions. 

[4] Each business structure has its own set of legal requirements. 
Within the National Industrial Security Program, the most common type 
of business structure is the corporation. A corporation may be 
organized as a single corporate entity, a multiple facility 
organization with divisions, or a parent-subsidiary relationship. Under 
a multiple facility organization, the home office is the legal entity, 
while the divisions are extensions of the legal entity. In a parent- 
subsidiary relationship, the parent and the subsidiary are separate 
legal entities. 

[5] "Unmitigated FOCI" refers to situations in which contractors with 
facility security clearances are under FOCI and protective measures are 
needed but not yet implemented. 

[6] There may be multiple contractor locations under a particular 
protective measure, but the legal parent signs the measure that covers 
its divisions. 

[7] The field office files are the official record for documenting 
information on contractor facilities' security programs and industrial 
security representatives' interactions with those contractors, 
including those under FOCI. The paper folders contain such information 
as the identity of the facility owner, contractor-submitted Certificate 
Pertaining to Foreign Interests forms, and the results of the 
contractor's last two security reviews. In addition to the file 
folders, DSS has a facilities database that contains information on 
facilities' security programs. DSS officials acknowledged that the 
database is prone to data integrity and data loss problems that need to 
be addressed. 

[8] The protective measures include voting trust, proxy, special 
security, and security control agreements. 

[9] DSS officials told us that new industrial security representatives 
participate in a 12-week mentoring program prior to attending a 4-week 
course at the DSS training institute. The mentoring program consists of 
separate units that contain activities that must be completed before an 
industrial security representative is approved to attend the 4-week 
course. In either the program or the course, only one unit or section 
of training pertains to general FOCI information. 

[10] According to DSS, the overall goal for this working group was to 
connect professional development to the individual employee, the 
budget, and DSS's mission. 

[11] DSS reported in a 1999 review of its FOCI process that the 
oversight by industrial security representatives was not always 
consistent, and at that time DSS recommended that FOCI companies should 
be assessed annually rather than on an 18-month schedule. 
