DOD Tempest Protection:

Better Evaluations Needed To Determine Required Countermeasures

NSIAD-86-132, Jun 27, 1986

Contact:

Donna M. Heivilin
(202) 512-8430
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the Department of Defense's (DOD) and military services' adherence to national TEMPEST policy. TEMPEST refers to technical investigations and studies of compromising emanations from electronic data processing equipment. National security policy requires federal agencies to protect classified information from such emanations.

GAO found that: (1) TEMPEST countermeasures are very costly to implement; (2) while total DOD TEMPEST-related costs are unknown, they are estimated at hundreds of millions of dollars annually; (3) DOD has not issued an implementing regulation in connection with the national TEMPEST policy directive; (4) DOD has issued conflicting TEMPEST policy memoranda and, as a result, the services are interpreting and implementing TEMPEST policy in different ways; (5) the services sometimes acquire TEMPEST countermeasures without determining whether they are needed; (6) the services and defense contractors are sometimes processing classified information without performing TEMPEST evaluations; (7) the services do not always conduct follow-up evaluations at contractor facilities to ensure that TEMPEST countermeasures are being implemented as needed; and (8) the Defense Investigative Service, which performs many TEMPEST evaluations for other DOD components, believes that its personnel are not adequately trained to perform TEMPEST evaluations or compliance inspections.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To minimize delay in implementing national security policy, the Secretary of Defense should promptly implement a new security policy, on an interim basis if necessary, and ensure that the services promulgate implementing instructions to the field in a timely manner.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: The Directive, C-5200.19 (classified), "Control of Compromising Emanations" was issued February 23, 1990. It does not address the recommendation concerning notification of changes in security policy on an interim basis. However, it does assign program responsibilities and addresses the type of deficiencies that this recommendation was intended to correct.

    Recommendation: To minimize unnecessary TEMPEST-related expenditures, the Secretary of Defense should require all DOD components to conduct TEMPEST evaluations before implementing TEMPEST countermeasures. Such evaluations are also needed to ensure proper protection of classified information.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: The new directive was issued February 23, 1990. It provides for evaluations to be made before countermeasures are implemented. There is a dollar threshold for such evaluations. No estimate can be made of potential savings.

    Recommendation: To reduce varying requirements placed on industry and duplicative efforts on the part of the services, the Secretary of Defense should consider assigning to the Defense Investigative Service (DIS), or some other DOD component, the responsibility for ensuring that TEMPEST countermeasures are effectively implemented within industry. Implementation of this recommendation may require additional training for the designated component's staff.

    Agency Affected: Department of Defense

    Status: Closed - Implemented

    Comments: DOD does not agree that DIS is the appropriate single organization to do this and will refine its current team approach to the problem. Since DOD components' requirements could vary under C-5200.19, there could still be inconsistencies and unnecessary costs. However, the new directive does make the Director, DIS, responsible for monitoring the industrial TEMPEST program and overseeing inspection.