Defense Industrial Security: Weaknesses in U.S. Security Arrangements With Foreign-Owned Defense Contractors

NSIAD-96-64 Published: Feb 20, 1996. Publicly Released: Feb 20, 1996.

Highlights

Pursuant to a congressional request, GAO reviewed security arrangements used to protect sensitive information from foreign-owned U.S. defense contractors that perform on classified Department of Defense (DOD) contracts.

Recommendations

Recommendations for Executive Action

Agency Affected | Recommendation | Status
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure that the trustees of foreign-owned U.S. defense contractors ensure that contractor personnel document and report the substance of the discussions they hold with personnel of the foreign parent firm. The trustees should review these reports and ensure that the information provided is sufficient to determine what information passed between parties during the contact. The trustees should also select at least a sample of contacts and interview the participants of the foreign-owned firm to ensure that the post-contact reports accurately reflect what transpired.
Status: Closed – Implemented
According to DOD, trustees are now required to review contact reports to ensure that the scope and purpose of the foreign visit was not exceeded. Trustees are encouraged to randomly select a sample of contacts to interview the participants. In addition, e-mail messages are now being maintained by the companies for review by the trustees.
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure that the trustees of foreign-owned U.S. defense contractors annually supervise an information security inspection of each of the cleared facilities to more directly involve trustees in information security monitoring. The results of these inspections should be included in the annual report to the Defense Investigative Service (DIS).
Status: Closed – Implemented
Defense Investigative Service now requires that the results of each security self inspection be reported in the company's annual report. However, DOD considered it unnecessary for the trustees to supervise a security inspection at each facility annually.
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure that the trustees of foreign-owned U.S. defense contractors are empowered and required to review and approve or disapprove the selection of the facility service officer and all decisions regarding the officer's pay and continued employment, in order to insulate the officer from influence by the foreign-owned firm and its owners. The trustees should also supervise the facility service officer to ensure an acceptable level of job performance, since trustees are charged with monitoring information security at the U.S. defense contractor.
Status: Closed – Implemented
For all new trustee, special security and proxy agreements, DOD is incorporating language saying that trustees will review the performance of the facility service officer and that a dismissal of the facility service officer must be approved by the trustees. However, the new language does not give trustees the authority to set the salary of the facility service officer.
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should develop and implement a plan to improve trustee oversight and involvement in foreign-owned companies and to ensure the independence of foreign-owned U.S. defense contractors and their trustees from improper influence from the foreign owners.
Status: Closed – Implemented
Defense Investigative Service has taken some actions to improve trustee involvement. For example, on December 5, 1995, it held a training workshop for all trustees.
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure that the trustees of foreign-owned U.S. defense contractors strictly adhere to the Industrial Security Regulation visitation agreement provision that requires them to approve requests for visits between the U.S. defense contractor and representatives of its foreign owners. This duty should not be delegated to officers or employees of the foreign-owned firm.
Status: Closed – Not Implemented
DOD does not agree that all visit requests should be approved by a trustee. It maintains that delegation is warranted in many instances.
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should ensure that the annual report to DIS include a statement on any financial support, loans, loan guarantees, or debt relief from or through the foreign owners or the government of the foreign owners that have occurred during the year, in order to monitor the financial independence of the foreign-owned firm.
Status: Closed – Not Implemented
DOD stated that any change in foreign-sourced loan arrangements, financial obligations, or income be reported on the DD Form 441s. DOD felt that inclusion of such information in the annual report would be a redundant disclosure. However, the 441s reporting requirement has always existed, and has often been ignored. That is why GAO recommended that the foreign-owned companies be required to specifically readdress this issue on an annual basis in the context of the annual report.
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should require the trustees of foreign-owned U.S. defense contractors to certify at the time of their selection, and then annually, that they have no prior or current involvement with the foreign-owned firm or its owners other than their trustee position, to help avoid conflicts of interest. This certification should include a statement that they are not holding and will not hold positions within the foreign-owned company other than their trustee position. It should be expressly stated that these independence standards apply equally to voting trustees, proxy holders, and outside directors of firms under special security agreements.
Status: Closed – Not Implemented
DOD did not agree that an annual certification of trustee independence from the foreign owners is necessary.
Agency Affected: Department of Defense
Recommendation: The Secretary of Defense should require selected trustees of foreign-owned U.S. defense contractors to sign agreements acknowledging their responsibilities and specific duties required to carry out those responsibilities. The agreement should provide that DOD can require the resignation of any trustees failing to perform any of their duties. This agreement should ensure that the trustees and the government clearly understand what is expected of the trustees to perform their security roles.
Status: Closed – Not Implemented
DOD points out that trustees are required to sign a certificate acknowledging the terms and conditions of the security agreement and agree to be bound by, and accept their responsibilities under the agreement. However, GAO believes the "Acknowledgement of Obligations" portion of the agreements is too broad and general to clearly identify the trustees' responsibilities in carrying out their security role.

Topics

Best practices, Classified information, Computer security, Conflict of interests, Security policies, Department of Defense contractors, Facility security, Foreign corporations, Technology transfer, Information security