Imperatives for Meeting Risk Management and Efficiencies Goals for Industry Classified Facilities and Information Technology

Protecting national security information is a critically important element of the Department of Defense and intelligence community Industrial Security Program. The overall guidance is provided by 32 CFR 117—National Industrial Security Program, commonly referred to as the NISPOM. However, a recent look at how the Defense Department and the intelligence agencies practice security reciprocity across sensitive compartmented information facilities (SCIFs) reveals significant shortfalls in the full implementation of the risk management goals set out in Intelligence Community Directive (ICD) 705.
Facilities that process and handle sensitive compartmented information are required to meet the physical and technical security standards dictated by the U.S. Director of National Intelligence in ICD 705 and the NISPOM. The directive, published almost 14 years ago, delegates approval of these SCIFs to the respective agencies holding contracts with the industrial partners that perform the work. Protecting these facilities and their information is essential to U.S. national security and a key element of the United States’ industrial security program. ICD 705 sets up a series of standardized controls to be assessed with the goal of managing overall risk from espionage and cyber attack. However, implementation appears to have devolved far from the goal of overall risk management to one of pure compliance, significantly driving up cost and complexity for both government and industry.
The gaps in implementation cause delays and add cost to government contracts with industry. This friction creates entry barriers for small to medium-sized companies and ultimately can deny some of the most critical and sensitive government programs access to the nation’s leading-edge technologies and expert support.
Correcting these gaps is vital to national security programs.
According to ICD 705,
The Accrediting Official (AO) and the Site Security Manager (SSM) should evaluate each proposed SCIF for threats, vulnerabilities, and assets to determine the most efficient countermeasures required for physical and technical security. In some cases, based upon that risk assessment, it may be determined that it is more practical or efficient to mitigate a standard. In other cases, it may be determined that additional security measures should be employed due to a significant risk factor.
This paragraph from the ICD sets up the procedure that is supposed to underpin the approval of these facilities, clearly outlining a risk management evaluation process. The intent is a process with risk-based assessments leading to practical and efficient risk mitigation. That is not what is currently in practice across the intelligence community. Instead, a purely compliance-based model without comprehensive risk analysis appears to be standard practice. This implementation is driving significant cost—ultimately to the taxpayer.
The facility security enhancement costs alone across the intelligence community agencies and the Defense Department could be hundreds of millions, if not billions, of taxpayer dollars. Without the risk-managed approach called out in the ICD, facility enhancements are not vetted thoroughly to determine whether the spending is supported by the results of a comprehensive assessment of the relevant threats, vulnerabilities, asset value and impact of compromise.
Opportunities: Supervision, Stewardship, Risk Management
Supervision
A stronger DNI supervision model may help prevent individual intelligence agencies from creating cottage industries “owning and managing their SCIFs.” The ICD states:
“... they shall satisfy the standards outlined in ICS 705-1 to enable uniform and reciprocal use across all IC elements and to assure information sharing to the greatest extent possible.”
Extensive management processes currently exist to control approval, oversight and co-utilization of these facilities. These procedures have assumed that a sponsoring agency owns each facility and other intelligence community members must request special permission to co-use it. In fact, the facilities are not owned by any agency. They, and the required enhancements to be designated a SCIF, are owned by the industry partner who passes the costs back to their customers. Since all these facilities are technically approved under the authority of the DNI, co-utilization should be the default and not something that requires a process to “allow.” This added layer—one that defaults to must request, pending approval—wastes time and resources that are passed back to the government, raising the cost to taxpayers.
Stewardship
Government has a fiscal stewardship responsibility, called out by the Office of Management and Budget, to safeguard taxpayer resources from fraud, waste and abuse. That responsibility flows down to each decision-maker responsible for expending taxpayer resources and appropriated funds. Stewardship responsibilities need to be reinforced throughout the SCIF approval and management process, and each evaluation should address the efficiency goals in ICD 705. The Office of Management and Budget can support the DNI in capitalizing on those efficiency goals.

Risk Management
Chasing vulnerabilities is driving valueless and runaway cost growth in SCIF construction. The ICD mandates that countermeasures and facility enhancements be assessed on a site-specific basis underpinned by comprehensive risk management. It appears that the writers of 705 wanted to provide latitude for approving officials to make sound, effective and risk-based decisions. Compliance-based approaches do not align with the goals of ICD 705 and have an equal chance of under-protecting some facilities while overprotecting others. A comprehensive understanding and review of the risk management objectives shared by ICD 705 and NSA 94-106, Specification for Shielded Enclosures (the radio-frequency shielding specification that ICD 705 invokes for electromagnetic protection), would be one step toward improved stewardship.
Co-Use and Reciprocity: The ideals set out in the ICD clearly speak to an intelligence community that acts as a collaborative unit, one that shares resources and manages enterprise risk. This ideal is not occurring across all disciplines. Although the correct words were put into the document to enable efficient use of these costly facilities, the reality is far from ideal. Each agency has its respective staff who default to suspicion and distrust of their intelligence community partners. The DNI must reinforce that these facilities are built as community assets and not exclusively controlled by the delegated approving organization, and industry must be able to support multiple agencies and contracts without adding delays and costs. This one improvement has the potential to realize hundreds of millions of dollars in efficiencies across the defense industrial base.
Education: Comprehensive risk assessment requires extensive understanding of the threat, vulnerabilities and exposure. Focusing only on vulnerabilities often produces gold plating of certain segments of the process and starves others. The lack of comprehensive risk assessments is inconsistent with the fundamental structure of the ICD and is currently driving practices that are a liability to good stewardship and mission assurance.
Leaders at all levels must shift from blindly “complying” and challenge their respective supporting security professionals to clearly present arguments for enhancing security, considering not only the vulnerability but also describing how an adversary would have the “means, motives and opportunity” to exploit it successfully. Then, a decision can be made that properly addresses risk without undue cost.
Our new DNI must make it a priority to mandate changes in implementation across the community. Doing business as usual will continue the wasteful and inconsistent implementation that has become a threat to the mission equal to that of any adversary.
As the global threat landscape evolves, continuous adaptation, education and innovation will be essential to the efficacy of SCIFs in protecting national security. It will be critical for the national intelligence director’s protection programs to be effective and efficient in safeguarding critical national security information against the challenges of the decades ahead.
Rick Adler’s career spans more than 40 years. He served as an Air Force Office of Special Investigations special agent conducting technical and counterintelligence investigations and retired as the Technical Services program manager. Since retiring, he has provided multiple intelligence community agencies and the Defense Department with information assurance, IT and security policy support.
Mark Spangler’s 40+ years of experience across IT and cybersecurity provides a unique depth and breadth of expertise and perspective. Spangler developed the Information Assurance and Cybersecurity program for the National Reconnaissance Office and served as its chief information security officer and director of cyber operations. He continues to provide cyber advisory services to government and industry. He currently serves on AFCEA International’s Cyber Committee.