Industrial Security:

DOD Cannot Provide Adequate Assurances That Its Oversight Ensures the Protection of Classified Information

GAO-04-332: Published: Mar 3, 2004. Publicly Released: Mar 3, 2004.

Contact:

Anne Marie F. Lasowski
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Department of Defense (DOD) contractors perform numerous services that require access to classified information. With access comes the possibility of compromise, particularly as foreign entities increasingly seek U.S. military technologies. To ensure the protection of classified information, the National Industrial Security Program (NISP) establishes requirements that contractors must meet. In administering the NISP for DOD and 24 other government agencies, DOD's Defense Security Service (DSS) monitors whether 11,000-plus contractor facilities' security programs meet NISP requirements. In response to a Senate report accompanying the National Defense Authorization Act for Fiscal Year 2004, GAO assessed DSS's oversight and examined DSS's actions after possible compromises of classified information.

DSS cannot provide adequate assurances to government agencies that its oversight of contractor facilities reduces the risk of information compromise. DSS is unable to provide this assurance because its performance goals and measures do not relate directly to the protection of classified information. While DSS maintains files on contractor facilities' security programs and their security violations, it does not analyze this information. Further, the manner in which this information is maintained--geographically dispersed paper-based files--does not lend itself to analysis. By not analyzing information on security violations and how well classified information is being protected across all facilities, DSS cannot identify systemic vulnerabilities and make corrective changes to reduce the risk of information compromise.

When a contractor facility reports a violation and the possible compromise of classified information, DSS does not always follow established procedures. After receiving a report of a possible information compromise, DSS is required to determine whether compromise occurred and to notify the affected government agency so it can assess any damage and take actions to mitigate the effects of the suspected compromise, compromise, or loss. However, DSS failed to make determinations in many of the 93 violations GAO reviewed and made inappropriate determinations in others. In 39 of the 93 violations, DSS made no determinations regarding compromise. For 30 of the remaining 54 violations, DSS's determinations were not consistent with established criteria. As a result, government agencies are not being kept informed of possible compromises of their information. In addition, weeks or months can pass before government agencies are notified by DSS of possible information compromises because of difficulties in identifying the affected agencies. In 11 out of 16 instances GAO reviewed, it took DSS more than 30 days to notify the affected agency that its information had been lost or compromised. DSS relies on contractor facilities to identify the affected government agencies, but some facilities cannot readily provide DSS with this information because they are subcontractors that have to obtain the identity of the government agency from the prime contractors. In one case, 5 months passed before a subcontractor facility could provide DSS with the identity of the government agency whose information was suspected of being compromised. Such delays limit the government agencies' opportunity to assess and mitigate any damage from loss or compromise.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had developed a strategic plan that contains results-oriented performance goals and measures that are tied to its mission. In addition, DSS has been reporting information on trends in how contractor facilities protect classified information in its biennial report to Congress.

    Recommendation: To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to establish results-oriented performance goals and measures that would enable DSS to assess the extent to which it is achieving its industrial security mission.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had established the Industrial Security Facilities Database (ISFD) as the system of record for information about cleared facilities, including the results of security reviews to help identify systemic vulnerabilities. As of June 2018, DSS officials reported that it is finalizing the National Industrial Security System, which will eventually replace ISFD as the system of record. DSS headquarters, including a division focused on issues of foreign ownership, control, or influence, also collects and reports information on trends in how contractor facilities protect classified information in its biennial report to Congress. The last report was issued in August 2017.

    Recommendation: To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to identify the information that needs to be analyzed to detect systemic vulnerabilities and identify trends regarding how contractor facilities protect classified information.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS headquarters, including a division focused on issues of foreign ownership, control, or influence, collects and reports information on trends in how contractor facilities protect classified information in its biennial report to Congress. The last biennial report was issued in August 2017. In addition, DSS has developed a strategic plan that contains results-oriented performance goals and measures that are tied to its mission and may inform its management and oversight activities. Currently, DSS is piloting a new approach to overseeing contractors, DSS in Transition.

    Recommendation: To enable DSS to evaluate whether its oversight reduces the risk of information compromise, the Secretary of Defense should direct the Director, Defense Security Service, to regularly analyze that information to make informed management decisions about the use of resources for its oversight activities and make any needed changes to those activities or procedures to reduce the risk of information compromise.

    Agency Affected: Department of Defense

  4. Status: Closed - Not Implemented

    Comments: The Defense Security Service (DSS) previously stated it will review the process used by field offices and conduct informal training sessions; however, no action has been taken. DSS intends to make the review of the process used by field personnel to review and process security violations an area of interest during management assistance visits as they occur. A DSS panel was to have met in 2008 to review the current operations of DSS. However, as of October 2009, action had not been taken concerning this recommendation. As a result, we are closing it as not implemented.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to evaluate industrial security representatives and field office chiefs' understanding of the criteria for making determinations regarding the compromise of classified information and revise training and guidance for representatives and chiefs based on the results of that evaluation.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation. However, by the time we conducted our review in 2017, DSS had updated its internal Industrial Security Operating Manual (dated May 2015) to establish requirements related to making determinations about the compromise or loss of classified information.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to revise Industrial Security Operating Manual requirements to emphasize the need to apply the established determinations regarding the compromise or loss of classified information.

    Agency Affected: Department of Defense

  6. Status: Closed - Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had updated its internal Industrial Security Operating Manual (dated May 2015) to provide time frames for conducting initial screening interviews and notifying government customers of facility clearance determinations.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to explore the effects of establishing specific time-based criteria in the Industrial Security Operating Manual for representatives to make determinations and notify government customers.

    Agency Affected: Department of Defense

  7. Status: Closed - Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had established the Industrial Security Facilities Database (ISFD) as the system of record for information about cleared facilities, including recording the prime contract number. As of June 2018, the National Industrial Security System is being finalized, which will eventually replace ISFD as the system of record for information, according to DSS officials.

    Recommendation: The Secretary of Defense, to ensure that appropriate determinations are made regarding possible information compromises and that government customers are notified of such situations in a timely manner, should direct the Director of DSS to establish mechanisms that create accountability for knowing the identity of government customers so that industrial security representatives can readily notify those customers of any loss or compromise. This could be accomplished by requiring representatives to maintain such information in their file folders or ensuring that contractors, particularly when they are subcontractors, know the identity of their government customers before an incident resulting in compromise or loss occurs.

    Agency Affected: Department of Defense

  8. Status: Closed - Implemented

    Comments: DOD, in response to our report, said it was not going to implement the recommendation. By the time we conducted our review in 2017, DSS had updated its internal Industrial Security Operating Manual (dated May 2015) and identified a process for industrial security representatives to follow when informing facilities of the official determinations regarding the loss or compromise of classified information, including the stakeholders involved in the process and the time frames and methods for communicating this information.

    Recommendation: To improve contractors' understanding of which security violations must be reported to DSS, the Secretary of Defense should direct the Director of DSS to revise the Industrial Security Operating Manual to require industrial security representatives to inform facilities of the official determinations regarding the loss or compromise of classified information.

    Agency Affected: Department of Defense

 
