Skip to main content

Protecting Classified Information: Defense Security Service Should Address Challenges as New Approach Is Piloted

GAO-18-407 Published: May 14, 2018. Publicly Released: May 14, 2018.
Jump To:

Fast Facts

DOD's Defense Security Service determines government contractors' eligibility to access classified information and monitors over 12,000 contractor facilities. It is facing new challenges as adversaries try to steal national security information and technology at unprecedented rates.

DSS is piloting a new approach that requires collaboration with stakeholders such as other federal agencies and contractors. However, we found that it has not established how it will do this.

We recommended that DSS work with stakeholders to determine roles and responsibilities as it pilots its new approach.

Elements of Industrial Security

Graphic shows three images representing aspects of industrial security--physical facilities, personnel, and information.

Graphic shows three images representing aspects of industrial security--physical facilities, personnel, and information.

Skip to Highlights

Highlights

What GAO Found

The Defense Security Service (DSS) has upgraded its capabilities but also faces challenges in administering the National Industrial Security Program, which applies to all executive branch departments and agencies, and was established to safeguard federal government classified information that current or prospective contractors may access. Since we last reported on this program in 2005, DSS has:

  • streamlined facility clearance and monitoring processes, and
  • strengthened the process for identifying contractors with potential foreign influence.

However, under its current approach, DSS officials indicated that they face resource constraints, such as an inability to manage workloads and complete training necessary to stay informed on current threats and technologies. In its most recent report to Congress, DSS stated that it was unable to conduct security reviews at about 60 percent of cleared facilities in fiscal year 2016. Further, DSS recently declared that the United States is facing the most significant foreign intelligence threat it has ever encountered. As a result, in 2017, DSS announced plans to transition to a new monitoring approach to address emerging threats at facilities in the program. For a comparison of the current and new approaches, see below.

 

Comparison of the Defense Security Service's (DSS) Current and New Approaches for Monitoring Cleared Facilities

Current Monitoring Approach

New Approach – DSS in Transition

Schedules security reviews on a 90-day work plan starting with specific facilities, such as those with mitigation agreements for foreign influence or classified information systems.

Will use national intelligence and Department of Defense's list of critical technologies and programs to prioritize security reviews at facilities based on their assets and the threats to those assets.

Conducts security reviews that focus on a contractor's adherence with National Industrial Security Program Operating Manual requirements.

Will conduct security reviews to develop customized security plans and assess implementation of such plans to ensure contractors protect assets.

Source: GAO analysis of DSS documentation and interviews with DSS officials. | GAO-18-407

DSS has not addressed immediate challenges that are critical to piloting this new approach. For example, GAO found it is unclear how DSS will determine what resources it needs as it has not identified roles and responsibilities. Moreover, DSS has not established how it will collaborate with stakeholders—government contracting activities, the government intelligence community, other government agencies, and contractors—under the new approach. Federal Internal Control Standards establish the importance of coordinating with stakeholders, including clearly defining roles and responsibilities. In addition, GAO's leading practices for interagency collaboration state that it is important for organizations to identify the resources necessary to accomplish objectives. Until DSS identifies roles and responsibilities and determines how it will collaborate with stakeholders for the piloting effort, it will be difficult to assess whether the new approach is effective in protecting classified information.

Why GAO Did This Study

Industrial security addresses the information systems, personnel, and physical security of facilities and their cleared employees who have access to or handle classified information. The National Industrial Security Program was established in 1993 to safeguard federal government classified information that may be or has been released to contractors, among others. GAO last reported on this program in 2005 and the Department of Defense has since implemented 13 of the 16 related recommendations.

GAO was asked to examine how DSS administers the program. This report assesses to what extent DSS: 1) changed how it administers the program since GAO's last report; and 2) addressed challenges as it pilots a new approach to monitoring contractors with access to classified information.

GAO reviewed guidance and regulations since 2005, including the program's operating manual. GAO analyzed data from DSS's electronic databases and also selected a non-generalizable sample of contractor facilities based on clearance level, geographic location, and type of agreement to address foreign influence. We also reviewed documents and interviewed relevant government and contractor officials.

Recommendations

GAO recommends DSS determine how it will collaborate with stakeholders, including identifying roles and responsibilities and related resources, as it pilots a new approach. DSS concurred with the recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Defense Security Service The Director of the Defense Security Service should determine how it will collaborate with stakeholders as it pilots a new approach to overseeing contractors with cleared facilities (DSS in Transition), including identifying roles and responsibilities and the related resources needed. (Recommendation 1)
Closed – Implemented
DOD agreed with this recommendation. In January 2019, the Defense Counterintelligence and Security Agency (DCSA) completed Defense Security Service in Transition (DIT) . In July 2020, DSCA developed and implemented a stakeholder communication strategy which includes the roles, responsibilities, and resources needed to oversee contractors with cleared facilities as well as contractors with access to classified information. These roles and responsibilities are institutionalized in the agency's Industrial Security Operating Manual (ISOM). Finally, DCSA developed and institutionalized the National Access Elsewhere Security Oversight Center (NAESOC) to better help with Industrial Security Representatives (ISRs) workload and resource allocation to further implement a risk-based approach to oversight. Initially stood up in late 2018, the NAESOC was designed to support communications and operations for DIT by identifying and aggregating facilities with specific lower risk profiles and creating a more focused communications and oversight approach for them. This approach provides both DCSA and Facility Security Officers (FSOs) with a risk-based methodology to identify critical technologies that require the most protection, as well as assess threats, consider vulnerabilities, and apply appropriate security measures.

Full Report

GAO Contacts

Topics

Background investigationsClassified informationClassified matter protectionCompliance oversightCritical infrastructure vulnerabilitiesFederal contractorsGovernment contractingInformation securityInformation systemsInternal controlsMilitary intelligenceMonitoringNational securityPersonnel security clearancesPolicies and proceduresSafeguardsSecurity investigationsUnauthorized access