Industrial Security:

DOD Cannot Ensure Its Oversight of Contractors under Foreign Influence Is Sufficient

GAO-05-681: Published: Jul 15, 2005. Publicly Released: Jul 15, 2005.

Additional Materials:

Contact:

Anne Marie F. Lasowski
(202) 512-6986
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Department of Defense (DOD) is responsible for ensuring that U.S. contractors safeguard classified information in their possession. DOD delegates this responsibility to its Defense Security Service (DSS), which oversees more than 11,000 contractor facilities that are cleared to access classified information. Some U.S. contractors have foreign connections that may require measures to be put into place to reduce the risk of foreign interests gaining unauthorized access to classified information. In response to a Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004, GAO assessed the extent to which DSS has assurance that its approach provides sufficient oversight of contractors under foreign ownership, control, or influence (FOCI).

DSS's oversight of contractors under FOCI depends on contractors self-- reporting foreign business transactions such as foreign acquisitions. As part of its oversight responsibilities, DSS verifies the extent of the foreign relationship, works with the contractor to establish protective measures to insulate foreign interests, and monitors contractor compliance with these measures. In summary, GAO found that DSS cannot ensure that its approach to overseeing contractors under FOCI is sufficient to reduce the risk of foreign interests gaining unauthorized access to U.S. classified information. First, DSS does not systematically ask for, collect, or analyze information on foreign business transactions in a manner that helps it properly oversee contractors entrusted with U.S. classified information. In addition, DSS does not collect and track the extent to which classified information is left in the hands of a contractor under FOCI before measures are taken to reduce the risk of unauthorized foreign access. During our review, we found instances in which contractors did not report foreign business transactions to DSS for several months. We also found a contractor under foreign ownership that appeared to operate for at least 6 months with access to U.S. classified information before a protective measure was implemented to mitigate foreign ownership. Second, DSS does not centrally collect and analyze information to assess its effectiveness and determine what corrective actions are needed to improve oversight of contractors under FOCI. For example, DSS does not know the universe of all contractors operating under protective measures, the degree to which contractors are complying overall with measures, or how its oversight could be strengthened by using information such as counterintelligence data to bolster its measures. Third, DSS field staff face a number of challenges that significantly limit their ability to sufficiently oversee contractors under FOCI. Field staff told us they lack research tools and training to fully understand the significance of corporate structures, legal ownership, and complex financial relationships when foreign entities are involved. Staff turnover and inconsistencies over how guidance is to be implemented also detract from field staff's ability to effectively carry out FOCI responsibilities.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Based on our report, the newly appointed DSS Deputy Director of Industrial Security has developed a strategy that will address our recommendation. The strategy included actions to assess the skill sets and training required by representatives to carry out the industrial security mission, including FOCI responsibilities, as well as a career path for the industrial security representative that may aid in the recruitment and retention of skilled personnel. The industrial security representatives were surveyed to determine additional training needs.

    Recommendation: To better support industrial security representatives in overseeing contractors under FOCI, the Secretary of Defense should direct the director of DSS to formulate a human capital strategy and plan that would encompass evaluating the needs of representatives in carrying out their FOCI responsibilities.

    Agency Affected: Department of Defense

  2. Status: Closed - Not Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation because the Director of DSS already has three separate processes in place to systematically review and evaluate the effectiveness of the agency's processes. DSS has an Inspector General, a management review process of industrial security field office oversight, and a standards and quality program. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that will likely address our findings and recommendations. Despite various DSS initiatives, DSS has not yet developed a plan to systematically review and evaluate the effectiveness of the FOCI process. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel's review/report is released in the fall 2008. Based on subsequent followup, the panel did not specifically address the need to develop a plan to systematically review and evaluate the effectiveness of the FOCI process.

    Recommendation: To assess overall effectiveness of DSS oversight of contractors under FOCI, the Secretary of Defense should direct the director of DSS to develop a plan to systematically review and evaluate the effectiveness of the FOCI process.

    Agency Affected: Department of Defense

  3. Status: Closed - Not Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation because of the 12,000 cleared contractors, fewer than 3 percent are under any type of FOCI mitigating mechanisms. Analysis of the results of annual compliance meetings and reports as well as CI data does not appear to provide value in assessing DSS effectiveness for ensuring the protection of classified information. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that will likely address our findings and recommendations. The strategy does not yet include actions to collect and analyze the results of annual FOCI meetings, contractors' compliance reports, and data from the counterintelligence community. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel's review/report is released in the fall 2008. Based on subsequent followup the panel did not specifically address the need to collect and analyze the data as recommended.

    Recommendation: To assess overall effectiveness of DSS oversight of contractors under FOCI, the Secretary of Defense should direct the director of DSS to collect, aggregate, and analyze the results of annual FOCI meetings, contractors' compliance reports, and data from the counterintelligence community.

    Agency Affected: Department of Defense

  4. Status: Closed - Not Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation because an analysis of protective measures and changes in the types of protective measures and prevalence of foreign business transactions reported by contractors does not appear to provide value in assessing DSS's effectiveness in ensuring the protection of classified information in industry. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that will likely address our findings and recommendations. DSS has not yet undertaken an evaluation of contractors operating under all protective measures as well as changes in the types and prevalence of foreign business transactions reported by contractors. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel's review/report is released in the fall 2008. Based on subsequent followup the panel did not specifically address the need for an analysis of protective measures and changes in the types of protective measures and prevalence of foreign business transactions reported by contractors.

    Recommendation: To assess overall effectiveness of DSS oversight of contractors under FOCI, the Secretary of Defense should direct the director of DSS to collect and analyze data on contractors operating under all protective measures as well as changes in types and prevalence of foreign business transactions reported by contractors.

    Agency Affected: Department of Defense

  5. Status: Closed - Not Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation because the length of time involved in putting a mitigating instrument in place is not directly related to unauthorized disclosure of classified information. The DSS role is to oversee the protection of classified and DSS works with the contractor to ensure that, regardless of the length of time involved, classified information is protected while the status of a contractor's foreign ownership, control, or influence (FOCI) is analyzed and the appropriate mitigating instrument is determined and put in place. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that will likely address our findings and recommendations. While the strategy includes tracking of all pending adjudication actions and status reports of FOCI actions, it does not yet include actions to collect and analyze when foreign business transactions occurred at contractor facilities and when protective measures were implemented to mitigate FOCI. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel's review/report is released in the fall 2008. Based on subsequent followup the panel did not specifically address the need to analyze when foreign business occurred at contractor facilities.

    Recommendation: To improve knowledge of the timing of foreign business transactions and reduce the risk of unauthorized foreign access to classified information, the Secretary of Defense should direct the director of DSS to collect and analyze when foreign business transactions occurred at contractor facilities and when protective measures were implemented to mitigate FOCI.

    Agency Affected: Department of Defense

  6. Status: Closed - Not Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation because the NISPOM currently provides the requirements to contractors on the reporting requirements. Any change to the contractor reporting requirements requires a change to national policy, and the Defense Security Service is not responsible for developing or promulgating national policy. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that will likely address our findings and recommendations. The strategy does not yet include actions to determine how contractors should report and communicate dates of specific foreign business transactions to DSS. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel's review/report is released in the fall 2008. Based on subsequent followup the panel did not specifically address the updating of the NISPOM.

    Recommendation: To improve knowledge of the timing of foreign business transactions and reduce the risk of unauthorized foreign access to classified information, the Secretary of Defense should direct the director of DSS to determine how contractors should report and communicate dates of specific foreign business transactions to DSS.

    Agency Affected: Department of Defense

  7. Status: Closed - Not Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation because the National Industrial Security Program Operating Manual (NISPOM) is currently very clear about the contractor-reporting requirement. Subsequently, based on our report, the newly appointed DSS Deputy Director of Industrial Security is developing a strategy that may address our findings and recommendations. The strategy does not yet include actions to clarify when contractors need to report foreign business transactions to DSS. However, a DSS panel is meeting to review the current operations of DSS, including oversight of contractors under foreign ownership. GAO will follow-up with DSS after the panel review is released in the fall 2008. Based on subsequent followup the panel did not specifically address the updating of the NISPOM.

    Recommendation: To improve knowledge of the timing of foreign business transactions and reduce the risk of unauthorized foreign access to classified information, the Secretary of Defense should direct the director of DSS to clarify when contractors need to report foreign business transactions to DSS.

    Agency Affected: Department of Defense

  8. Status: Closed - Implemented

    Comments: DOD partially concurred with our recommendation and said it realizes there is always room for improvement. DOD said DSS has undergone a transformation in the last two years with significant changes in leadership and mission and a new strategic direction for program operations. A new industrial security information management system is nearing the final stages of development, which will improve the ability of DSS to centrally manage data and enhance the ability to share information. DSS has deployed the first phase of the industrial security database and is planning to fund and deploy the second phase in 2007. Once deployed, the database will provide the transferring and management of some FOCI information that can be used as a resource tool to improve knowledge sharing among the industrial security representatives. In April 2007, the second phase of the industrial security database was deployed. The second phase provides tracking and management of all pending FOCI adjudication actions and includes the capability to run status reports on FOCI actions.

    Recommendation: To better support industrial security representatives in overseeing contractors under FOCI, the Secretary of Defense should direct the director of DSS to formulate a human capital strategy and plan that would encompass determining and implementing changes needed to job requirements, guidance, and training to meet FOCI responsibilities and exploring options for improving resource tools and knowledge-sharing efforts among representatives.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Sep 18, 2014

Sep 10, 2014

Sep 9, 2014

Sep 8, 2014

Jul 31, 2014

Looking for more? Browse all our products here