Saturday, May 3, 2008

How Security Classification is Assigned

Original Classification Authority

For over 18 years John A. Walker, Jr. had sold secrets during and after his career in the Navy. Though entrusted with a security clearance and a “need-to-know”, he did not demonstrate the trustworthiness of which his thorough background investigation deemed him worthy. When the opportunity revealed itself, he took advantage of his position and responsibilities to smuggle classified information to his Russian connections.

During the investigation into his arrest, authorities discovered a complex spy ring consisting of family members and other recruited operatives. Walker had earned the trust and cooperation of his family to commit one of the most notorious of all espionage cases. As a result of his crimes, he received two life terms plus 10 years, his son received 25 years, and the damage to U.S. national security was tremendous. According to the NY Times, “It has been estimated by some intelligence experts that Mr. Walker provided enough code-data information to alter significantly the balance of power between Russia and the United States”.

This is not meant to be a study into the mind of our traitors and foreign espionage operatives. Though important, what is more vital is understanding the responsibilities those who possess access to classified information have in protecting our Nation’s secrets. This protection includes proper accountability and documentation that should adequately prevent espionage and unauthorized disclosure in the early stages.

More enlightening in the case of Walker and others who have been involved in espionage are the ignored indicators of such activities. Studying the after action reviews, reports and publicly accessible information on these cases reveals that others could have stopped the spying in the beginning. The safeguarding procedures, security awareness training and documenting required in the National Industrial Security Program (NISP) should be applied to protect assets and recognize and prevent future instances of costly espionage.

The NISP is designed to protect classified government information. At first glance information in this article may seem to address items out of the scope of the security manager’s day-to-day focus; however that assumption would be wrong. Such a high-level view of the National Industrial Security Program equips the user with the fundamental knowledge necessary to better understand and protect our nation’s secrets.

On Friday, January 8, 1993, the President of the United States signed Executive Order (EO) 12829, establishing the National Industrial Security Program. The program is commonly referred to as the NISP, an acronym with which those working with classified contracts should become familiar. The NISP gives excellent guidance, training and directives so that Industrial Security professionals can better protect classified materials. It also creates agencies that have oversight of contractors performing on classified contracts.

According to the EO, the program’s purpose is to safeguard classified information that has been or may be released to… “current, prospective, or former contractors, licensees, or grantees of United States agencies”. It is also designed to provide for the protection of classified material as outlined in EO 12356 and the Atomic Energy Act of 1954, as amended.

Under EO 12356, eventually superseded by 12958, responsibility for implementing and monitoring the NISP is granted to the Director of the Information Security Oversight Office (ISOO). The ISOO has many responsibilities, including working with other agencies to develop directives for implementation; reviewing and modifying agency regulations, rules or guidelines affecting directives; overseeing compliance with directives; inspecting and conducting on-site reviews of users that have access to or store classified information; reporting violations to the head of agency or the senior official designated; addressing issues and complaints concerning the NISP; and reporting annually to the President through the National Security Council.

The NISP also establishes the National Industrial Security Program Policy Advisory Committee (NISPAC). The NISPAC is designed to represent the departments and agencies affected by the NISP and is chaired by the Director of ISOO. Together they work to advise departments and the President on matters concerning the NISP, recommend changes to policies in the EO, and discuss policy issues in dispute.

The members of the NISPAC serve as an additional duty if government or on voluntary status if representing industry. However, the EO gives provisions for non-governmental members to collect reimbursement for travel and per diem. The Administrator of General Services supports the committee with resources to include facilities and staff.

The President also requires that the Secretary of Defense consult with agencies and work with the Secretary of Energy, the Nuclear Regulatory Commission and the Director of Central Intelligence to issue and maintain the National Industrial Security Program Manual (NISPOM).

The agencies have specific guidelines and sections included in the NISPOM. For example, the Secretary of Energy and the Nuclear Regulatory Commission will have the lead in detailing requirements for protecting classified information identified in the Atomic Energy Act of 1954. The Director of Central Intelligence will provide a section for intelligence sources and methods, to include Sensitive Compartmented Information (SCI). However, in this coordination each agency maintains its authority. We will see more specific examples as we discuss this in future chapters.

The NISPOM provides restrictions, rules, guidelines and procedures for preventing unauthorized disclosure of classified material; it is the primary regulatory reference for performing industrial security. The NISPOM applies to authorized users of classified information and equips those working on classified contracts with critical instruction on how to implement the NISP in their organizations. It is up to the contractor and the oversight agency to work together to provide accurate interpretation of the guidelines to the specific classified contract requirements. It is this interpretation that the oversight agency will use while conducting annual security reviews.

The Secretary of Defense and the other identified agencies apply the concept of Risk Management while implementing the NISPOM. There are three factors necessary in determining risk. The first is the damage to national security that could be reasonably expected to result from unauthorized disclosure of classified material. We will discuss later the levels of classification and other identifiers that are used to designate and recognize the severity of damage. At this point it’s important to know that the NISPOM provides explicit guidance to user agencies on how to identify and protect classified items at all levels.

The second factor is the existing or anticipated threat to disclosure of information. The third factor is the short and long term costs of the requirements, restrictions, and other safeguards. The second and third factors aren’t spelled out in the NISPOM, but are recognized as legitimate concerns to prevent the NISP from becoming a burden to industry. Astute Industrial Security managers develop risk management analysis to better interpret the risk and discover the potential impact. They will also develop solutions to reduce the risk and the predicted damage. The bottom line is to reduce the probability of unauthorized disclosure of classified information.

The Secretary of Defense has operational oversight of those who access classified material. This office inspects, monitors, and determines who has access to classified material. The Director of Central Intelligence serves the same purpose for matters of intelligence and will have oversight. The same goes for the Secretary of Energy and the Nuclear Regulatory Commission. The Director of Central Intelligence, the Secretary of Energy and the Nuclear Regulatory Commission can enter into written agreements giving the Secretary of Defense authorization to inspect or monitor programs or facilities. Otherwise they are carved out and not inspected or monitored by the Secretary of Defense.

The Secretary of Defense has oversight over the National Industrial Security Program. DoD chairs an executive committee composed of the Director of Central Intelligence, the Secretary of Energy, and the Nuclear Regulatory Commission.

As the executive agent, the Secretary of Defense can work with the other agencies to standardize procedures to help promote and implement the NISP. Without this standardization, the implementation of the program would prove difficult and an undue burden on those who work within the NISP. The Executive Order directs the Secretary of Defense and agencies involved to document and account for all costs associated with the program. These costs will be reported through the Director of the Information Security Oversight Office to the President.
