Executive Office of the President: Procedures for Acquiring Access to and
Safeguarding Intelligence Information (Letter Report, 09/30/98,
GAO/NSIAD-98-245).
Pursuant to a congressional request, GAO reviewed whether the Executive
Office of the President (EOP) has established procedures for: (1)
acquiring personnel access to classified intelligence information,
specifically sensitive compartmented information (SCI); and (2)
safeguarding such information.
GAO noted that: (1) the EOP Security Officer told GAO that, for the
period January 1993 until June 1996: (a) he could not find any EOP-wide
procedures for acquiring access to SCI for the White House Office, the
Office of Policy Development, the Office of the Vice President, the
National Security Council, and the President's Foreign Intelligence
Advisory Board for which the former White House Security Office provided
security Support; and (b) there were no EOP-wide procedures for
acquiring access to SCI for the Office of Science and Technology Policy,
the Office of the United States Trade Representative, the Office of
National Drug Control Policy, and the Office of Administration for which
the EOP security office provides security support; (2) the EOP-wide
security procedures issued in March 1998 do not set forth security
practices EOP offices are to follow in safeguarding classified
information; (3) in contrast, the Office of Science and Technology
Policy and the Office of the Vice President had issued office-specific
security procedures that deal with safeguarding SCI material; (4) the
remaining seven EOP offices that did not have office-specific procedures
for safeguarding SCI and other classified information stated that they
rely on Director of Central Intelligence Directive 1/19 for direction on
such matters; (5) neither the EOP Security Office nor the security staff
of the nine EOP offices GAO reviewed have conducted security
self-inspections as described in Executive Order 12958; (6) EOP
officials pointed out that security personnel routinely conduct daily
desk, safe, and other security checks to ensure that SCI and other
classified information is properly safeguarded; (7) these same officials
also emphasized the importance and security value in having within each
EOP office experienced security staff responsible for safeguarding
classified information; (8) Executive Order 12958 gives the Director,
Information Security Oversight Office, authority to conduct on-site
reviews of each agency's classified programs; and (9) the Director of
the Information Security Oversight Office said his office has never
conducted an on-site security inspection of EOP classified programs.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: NSIAD-98-245
TITLE: Executive Office of the President: Procedures for Acquiring
Access to and Safeguarding Intelligence
Information
DATE: 09/30/98
SUBJECT: Security clearances
Classified information
Federal intelligence agencies
Federal records management
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** <info@www.gao.gov> **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
Report to the Chairman, Committee on Rules, House of Representatives
September 1998
EXECUTIVE OFFICE OF THE PRESIDENT
- PROCEDURES FOR ACQUIRING ACCESS
TO AND SAFEGUARDING INTELLIGENCE
INFORMATION
GAO/NSIAD-98-245
Executive Office of the President
(701128)
Abbreviations
=============================================================== ABBREV
CIA - Central Intelligence Agency
EOP - Executive Office of the President
SCI - Sensitive Compartmented Information
Letter
=============================================================== LETTER
B-279583
September 30, 1998
The Honorable Gerald B. H. Solomon
Chairman, Committee on Rules
House of Representatives
Dear Mr. Chairman:
This report responds to your request of November 6, 1997, asking us
to determine whether the Executive Office of the President (EOP) has
established procedures for (1) acquiring personnel access to
classified intelligence information, specifically Sensitive
Compartmented Information (SCI) and (2) safeguarding such
information. You asked that our review include the following offices
for which the EOP Security Office provides security support:
-- White House Office,
-- Office of Policy Development,
-- Office of the Vice President,
-- National Security Council,
-- President's Foreign Intelligence Advisory Board,
-- Office of Science and Technology Policy,
-- Office of the United States Trade Representative,
-- Office of National Drug Control Policy, and
-- Office of Administration.
BACKGROUND
------------------------------------------------------------ Letter :1
SCI refers to classified information concerning or derived from
intelligence sources, methods, or analytical processes requiring
exclusive handling within formal access control systems established
by the Director of Central Intelligence. The Central Intelligence
Agency (CIA) is responsible for adjudicating and granting all EOP
requests for SCI access. According to the EOP Security Office,
between January 1993 and May 1998, the CIA granted about 840 EOP
employees access to SCI.
Executive Order 12958, Classified National Security Information,
prescribes a uniform system for classifying, safeguarding, and
declassifying national security information and requires agency heads
to
-- promulgate procedures to ensure that the policies established by
the order are properly implemented,
-- ensure that classified material is properly safeguarded, and
-- establish and maintain a security self-inspection program of
their classified activities.
The order also gives the Director, Information Security Oversight
Office (an organization under the National Archives and Records
Administration), the authority to conduct on-site security
inspections of EOP's and other executive branch agencies' classified
programs. Office of Management and Budget Circular Number A-123,
Management Accountability and Control, emphasizes the importance of
having clearly documented and readily available procedures as a means
to ensure that programs achieve their intended results.
Director of Central Intelligence Directive 1/14, Personnel Security
Standards and Procedures Governing Eligibility for Access to
Sensitive Compartmented Information, lays out the governmentwide
eligibility standards and procedures for access to SCI by all U.S.
citizens, including government civilian and military personnel,
contractors, and employees of contractors. The directive requires
(1) the employing agency to determine that the individual has a need
to know;\1
(2) the cognizant Senior Official of the Intelligence Community to
review the individual's background investigation and reach a
favorable suitability determination; and (3) the individual, once
approved by the Senior Official of the Intelligence Community for SCI
access, to sign a SCI nondisclosure agreement.\2 Additional guidance
concerning SCI eligibility is contained in Executive Order 12968,\3
the U.S. Security Policy Board investigative standards and
adjudicative guidelines implementing Executive Order 12968,\4 and
Director of Central Intelligence Directive 1/19.
Governmentwide standards and procedures for safeguarding SCI material
are contained in Director of Central Intelligence Directive 1/19,
Security Policy for Sensitive Compartmented Information and Security
Policy Manual.
The EOP Security Office is part of the Office of Administration. The
Director of the Office of Administration reports to the Assistant to
the President for Management and Administration. The EOP Security
Officer is responsible for formulating and directing the execution of
security policy, reviewing and evaluating EOP security programs, and
conducting security indoctrinations and debriefings for agencies of
the EOP. Additionally, each of the nine EOP offices we reviewed has
a security officer who is responsible for that specific office's
security program.
As discussed with your office, we reviewed EOP procedures but did not
verify whether the procedures were followed in granting SCI access to
EOP employees, review EOP physical security practices for
safeguarding classified material, conduct classified document control
and accountability inspections, or perform other control tests of
classified material over which the EOP has custody. (See pp. 8 and
9 for a description of our scope and methodology.)
--------------------
\1 The "need-to-know" principle is a determination made by an
authorized holder of classified information that a prospective
recipient requires access to specific classified information in order
to perform a lawful and authorized function. The prospective
recipient shall possess an appropriate security clearance and access
approval in accordance with Director of Central Intelligence
Directive 1/14.
\2 The SCI nondisclosure agreement establishes explicit obligations
on the government and the individual to protect SCI.
\3 Executive Order 12968, Access to Classified Information (Aug. 2,
1995).
\4 U.S. Security Policy Board, Adjudicative Guidelines for
Determining Eligibility for Access to Classified Information,
Investigative Standards for Background Investigations for Access to
Classified Information, and Investigative Standards for Temporary
Eligibility for Access (Mar. 24, 1997).
EOP-WIDE PROCEDURES FOR
ACQUIRING SCI ACCESS SHOULD BE
MORE SPECIFIC
------------------------------------------------------------ Letter :2
The EOP Security Officer told us that, for the period January 1993
until June 1996, (1) he could not find any EOP-wide procedures for
acquiring access to SCI for the White House Office, the Office of
Policy Development, the Office of the Vice President, the National
Security Council, and the President's Foreign Intelligence Advisory
Board for which the former White House Security Office\5
provided security support and (2) there were no EOP-wide procedures
for acquiring access to SCI for the Office of Science and Technology
Policy, the Office of the United States Trade Representative, the
Office of National Drug Control Policy, and the Office of
Administration for which the EOP Security Office provides security
support. He added that there had been no written procedures for
acquiring SCI access within the EOP since he became the EOP Security
Officer in 1986. In contrast, we noted that two of the nine EOP
offices we reviewed issued office-specific procedures that make
reference to acquiring access to SCI--the Office of Science and
Technology Policy in July 1996 and the Office of the Vice President
in February 1997.
According to the EOP Security Officer, draft EOP-wide written
procedures for acquiring access to SCI were completed in June 1996 at
the time the White House and EOP Security Offices merged. These
draft procedures, entitled Security Procedures for the EOP Security
Office, were not finalized until March 1998. While the procedures
discuss the issuance of EOP building passes, they do not describe in
detail the procedures EOP offices must follow to acquire SCI access;
the roles and responsibilities of the EOP Security Office, security
staffs of the individual EOP offices, and the CIA and others in the
process; or the forms and essential documentation required before the
CIA can adjudicate a request for SCI access. Moreover, the
procedures do not address the practices that National Security
Council security personnel follow to acquire SCI access for their
personnel. For example, unlike the process for acquiring SCI access
in the other eight EOP offices we reviewed, National Security Council
security personnel (rather than the personnel in the EOP Security
Office) conduct the employee pre-employment security interview; deal
directly with the CIA to request SCI access; and, once the CIA
approves an employee for access, conduct the SCI security
indoctrination and oversee the individual's signing of the SCI
nondisclosure agreement.
Director of Central Intelligence Directives 1/14 and 1/19 require
that access to SCI be controlled under the strictest application of
the need-to-know principle and in accordance with applicable
personnel security standards and procedures. In exceptional cases,
the Senior Official of the Intelligence Community or his designee
(the CIA in the case of EOP employees) may, when it is in the
national interest, authorize an individual access to SCI prior to
completion of the individual's security background investigation.
At least since July 1996, according to the National Security
Council's security officer, his office has granted temporary SCI
access to government employees and individuals from private industry
and academia--before completion of the individual's security
background investigation and without notifying the CIA. He added,
however, that this practice has occurred only on rare occasions to
meet urgent needs. He said that this practice was also followed
prior to July 1996 but that no records exist documenting the number
of instances and the parties the National Security Council may have
granted temporary SCI access to prior to this date. CIA officials
responsible for adjudicating and granting EOP requests for SCI access
told us that the CIA did not know about the National Security
Council's practice of granting temporary SCI access until our review.
A senior EOP official told us that from July 1996 through July 1998,
the National Security Council security officer granted 35 temporary
SCI clearances. This official also added that, after recent
consultations with the CIA, the National Security Council decided in
August 1998 to refer temporary SCI clearance determinations to the
CIA.
--------------------
\5 The White House Security Office was abolished on June 19, 1996.
On this date, the EOP Security Office assumed responsibility for
security support for the EOP offices previously supported by the
White House Security Office.
EOP HAS NOT ESTABLISHED
PROCEDURES FOR SAFEGUARDING SCI
MATERIAL
------------------------------------------------------------ Letter :3
The EOP-wide security procedures issued in March 1998 do not set
forth security practices EOP offices are to follow in safeguarding
classified information. In contrast, the Office of Science and
Technology Policy and the Office of the Vice President had issued
office-specific security procedures that deal with safeguarding SCI
material. The Office of Science and Technology Policy procedures,
issued in July 1996, were very comprehensive. They require that new
employees be thoroughly briefed on their security responsibilities,
advise staff on their responsibilities for implementing the security
aspects of Executive Order 12958, and provide staff specific guidance
on document accountability and other safeguard practices involving
classified information. The remaining seven EOP offices that did not
have office-specific procedures for safeguarding SCI and other
classified information stated that they rely on Director of Central
Intelligence Directive 1/19 for direction on such matters.
EOP HAS NOT ESTABLISHED A
SECURITY SELF-INSPECTION
PROGRAM
------------------------------------------------------------ Letter :4
Executive Order 12958 requires the head of agencies that handle
classified information to establish and maintain a security
self-inspection program. The order contains guidelines (which agency
security personnel may use in conducting such inspections) on
reviewing relevant security directives and classified material access
and control records and procedures, monitoring agency adherence to
established safeguard standards, assessing compliance with controls
for access to classified information, verifying whether agency
special access programs provide for the conduct of internal
oversight, and assessing whether controls to prevent unauthorized
access to classified information are effective. Neither the EOP
Security Office nor the security staff of the nine EOP offices we
reviewed have conducted security self-inspections as described in the
order.
EOP officials pointed out that security personnel routinely conduct
daily desk, safe, and other security checks to ensure that SCI and
other classified information is properly safeguarded. These same
officials also emphasized the importance and security value in having
within each EOP office experienced security staff responsible for
safeguarding classified information. While these EOP security
practices are important, the security self-inspection program as
described in Executive Order 12958 provides for a review of security
procedures and an assessment of security controls beyond EOP daily
security practices.
INFORMATION SECURITY OVERSIGHT
OFFICE HAS NOT CONDUCTED
SECURITY INSPECTIONS OF EOP
ACTIVITIES
------------------------------------------------------------ Letter :5
Executive Order 12958 gives the Director, Information Security
Oversight Office, authority to conduct on-site reviews of each
agency's classified programs. The Director of the Information
Security Oversight Office said his office has never conducted an
on-site security inspection of EOP classified programs. He cited a
lack of sufficient personnel as the reason for not doing so and added
that primary responsibility for oversight should rest internally with
the EOP and other government agencies having custody of classified
material.
The Director's concern with having adequate inspection staff and his
view on the primacy of internal oversight do not diminish the need
for an objective and systematic examination of EOP classified
programs by an independent party. An independent assessment of EOP
security practices by the Information Security Oversight Office could
have brought to light the security concerns raised in this report.
RECOMMENDATIONS
------------------------------------------------------------ Letter :6
To improve EOP security practices, we recommend that the Assistant to
the President for Management and Administration direct the EOP
Security Officer to
-- revise the March 1998 Security Procedures for the EOP Security
Office to include comprehensive guidance on the procedures EOP
offices must follow in (1) acquiring SCI access for its
employees and (2) safeguarding SCI material and
-- establish and maintain a self-inspection program of EOP
classified programs, including SCI in accordance with provisions
in Executive
Order 12958.
We recommend further that, to properly provide for external
oversight, the Director, Information Security Oversight Office,
develop and implement a plan for conducting periodic on-site security
inspections of EOP classified programs.
AGENCY COMMENTS AND OUR
EVALUATION
------------------------------------------------------------ Letter :7
We provided the EOP, the Information Security Oversight Office, and
the CIA a copy of the draft report for their review and comment. The
EOP and the Information Security Oversight Office provided written
comments, which are reprinted in their entirety as appendixes I and
II, respectively. The CIA did not provide comments.
In responding for the EOP, the Assistant to the President for
Management and Administration stated that our report creates a false
impression that the security procedures the EOP employs are lax and
inconsistent with established standards. This official added that
the procedures for regulating personnel access to classified
information are Executive
Order 12968 and applicable Security Policy Board guidelines and
Executive Order 12968 and Executive Order 12958 for safeguarding such
information. The Assistant to the President also stated that the
report suggests that the EOP operated in a vacuum because the EOP
written security procedures implementing Executive Order 12968 were
not issued until March 1998. The official noted that EOP carefully
followed the President's executive orders, Security Policy Board
guidelines and applicable Director of Central Intelligence Directives
during this time period. While the EOP disagreed with the basis for
our recommendation, the Assistant to the President stated that EOP
plans to supplement its security procedures with additional guidance.
We agree that the executive orders, Security Policy Board guidelines,
and applicable Director of Central Intelligence Directives clearly
lay out governmentwide standards and procedures for access to and
safeguarding of SCI. However, they are not a substitute for local
operating procedures that provide agency personnel guidance on how to
implement the governmentwide procedures. We believe that EOP's plan
to issue supplemental guidance could strengthen existing procedures.
The Assistant to the President also stated that it is not accurate to
say that the EOP has not conducted security self-inspections. This
official stated that our draft report acknowledges that ¹security
personnel conduct daily desk, safe, and other security checks to
ensure that SCI and other classified material is properly
safeguarded." The Assistant to the President is correct to point out
the importance of daily physical security checks as an effective
means to help ensure that classified material is properly
safeguarded. However, such self-inspection practices are not meant
to substitute for a security self-inspection program as described in
Executive Order 12958. Self-inspections as discussed in the order
are much broader in scope than routine daily safe checks. The
order's guidelines discuss reviewing relevant security directives and
classified material access and control records and procedures,
monitoring agency adherence to established safeguard standards,
assessing compliance with controls for access to classified
information, verifying whether agency special access programs (such
as SCI) provide for the conduct of internal oversight, and assessing
whether controls to prevent unauthorized access to classified
information are effective. Our report recommends that the EOP
establish a self-inspection program.
In commenting on our recommendation, the Assistant to the President
said that to enhance EOP security practices, the skilled assistance
of the EOP Security Office staff are being made available to all EOP
organizations to coordinate and assist where appropriate in agency
efforts to enhance self-inspection. We believe EOP security
practices would be enhanced if this action were part of a security
self-inspection program as described in Executive Order 12958.
The Director, Information Security Oversight Office noted that our
report addresses important elements of the SCI program in place
within the EOP and provides helpful insights for the security
community as a whole. The Director believes that we overemphasize
the need to create EOP specific procedures for handling SCI programs.
He observed that the Director of Central Intelligence has issued
governmentwide procedures on these matters and that for the EOP to
prepare local procedures would result in unnecessary additional rules
and expenditure of resources and could result in local procedures
contrary to Director of Central Intelligence Directives. As we
discussed above, we agree that the executive orders, Security Policy
Board guidelines, and applicable Director of Central Intelligence
Directives clearly lay out governmentwide standards and procedures
for access to and safeguarding of SCI. However, they are not a
substitute for local operating procedures that provide agency
personnel guidance on how to implement the governmentwide procedures.
The Director agreed that his office needs to conduct on-site security
inspections and hopes to begin the inspections during fiscal year
1999. The Director also noted that the primary focus of the
inspections would be classification management and not inspections of
the SCI program.
SCOPE AND METHODOLOGY
------------------------------------------------------------ Letter :8
To identify EOP procedures for acquiring access to SCI and
safeguarding such information, we met with EOP officials responsible
for security program management and discussed their programs. We
obtained and reviewed pertinent documents concerning EOP procedures
for acquiring SCI access and safeguarding such information.
In addition, we obtained and reviewed various executive orders,
Director of Central Intelligence Directives, and other documents
pertaining to acquiring access to and safeguarding SCI material. We
also discussed U.S. government security policies pertinent to our
review with officials of the Information Security Oversight Office
and the U.S. Security Policy Board. Additionally, we met with
officials of the CIA responsible for adjudicating and granting EOP
employees SCI access and discussed the CIA procedures for determining
whether an individual meets Director of Central Intelligence
Directive eligibility standards.
As discussed with your office, we did not verify whether proper
procedures were followed in granting SCI access to the approximately
840 EOP employees identified by the EOP Security Officer. Also, we
did not review EOP physical security practices for safeguarding SCI
and other classified material, conduct classified document control
and accountability inspections, or perform other control tests of SCI
material over which the EOP has custody.
We performed our review from January 1998 until August 1998 in
accordance with generally accepted government auditing standards.
---------------------------------------------------------- Letter :8.1
At your request, we plan no further distribution of this report until
30 days after its issue date. At that time, we will provide copies
to appropriate congressional committees; the Chief of Staff to the
President; the Assistant to the President for Management and
Administration; the Director, Information Security Oversight Office;
the Director of Central Intelligence; Central Intelligence Agency;
the U.S. Security Policy Board; the Director of the Office of
Management and Budget; and other interested parties.
Please contact me at (202) 512-3504 if you or your staff have any
questions concerning this report. Major contributors to this report
were
Gary K. Weeter, Assistant Director and Tim F. Stone,
Evaluator-in-Charge.
Sincerely yours,
Richard Davis
Director, National Security
Analysis
(See figure in printed edition.)Appendix I
COMMENTS FROM THE ASSISTANT TO THE
PRESIDENT FOR MANAGEMENT AND
ADMINISTRATION
============================================================== Letter
at the end of this appendix.
See comment 1.
(See figure in printed edition.)
(See figure in printed edition.)
The following is GAO's comment to the Assistant to the President for
Management and Administration's letter dated September 23, 1998.
GAO COMMENT
1. A representative of the Executive Office of the President (EOP)
told us that the errors referred, for example, to statements in ours
draft report that the EOP does not conduct self-inspections and that
the EOP lacks written procedures.
(See figure in printed edition.)Appendix II
COMMENTS FROM THE INFORMATION
SECURITY OVERSIGHT OFFICE
============================================================== Letter
(See figure in printed edition.)
*** End of document. ***