Skip to Highlights
Highlights

Pursuant to a congressional request, GAO reviewed the Department of Defense's (DOD) and military services' adherence to national TEMPEST policy. TEMPEST refers to technical investigations and studies of compromising emanations from electronic data processing equipment. National security policy requires federal agencies to protect classified information from such emanations.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To minimize delay in implementing national security policy, the Secretary of Defense should promptly implement a new security policy, on an interim basis if necessary, and ensure that the services promulgate implementing instructions to the field in a timely manner.
Closed - Implemented
The Directive, C-5200.19 (classified), "Control of Compromising Emanations" was issued February 23, 1990. It does not address the recommendation concerning notification of changes in security policy on an interim basis. However, it does assign program responsibilities and addresses the type of deficiencies that this recommendation was intended to correct.
Department of Defense To minimize unnecessary TEMPEST-related expenditures, the Secretary of Defense should require all DOD components to conduct TEMPEST evaluations before implementing TEMPEST countermeasures. Such evaluations are also needed to ensure proper protection of classified information.
Closed - Implemented
The new directive was issued February 23, 1990. It provides for evaluations to be made before countermeasures are implemented. There is a dollar threshold for such evaluations. No estimate can be made of potential savings.
Department of Defense To reduce varying requirements placed on industry and duplicative efforts on the part of the services, the Secretary of Defense should consider assigning to the Defense Investigative Service (DIS), or some other DOD component, the responsibility for ensuring that TEMPEST countermeasures are effectively implemented within industry. Implementation of this recommendation may require additional training for the designated component's staff.
Closed - Implemented
DOD does not agree that DIS is the appropriate single organization to do this and will refine its current team approach to the problem. Since DOD components' requirements could vary under C-5200.19, there could still be inconsistencies and unnecessary costs. However, the new directive does make the Director, DIS, responsible for monitoring the industrial TEMPEST program and overseeing inspection.

Full Report