TRANSFORMING THE FBI SECURITY PROGRAM

Building Strong Management, Policy, Training, and Infrastructure Support
Accomplished

• Elevated the role of security within the FBI.
• Brought security expertise to the FBI from other Intelligence Community partners.
• Established a Security Division, which for the first time in FBI history, will serve as a point of integration for all Bureau security matters.
  • Moved the programmatic responsibility for facility protection and police services to Security Division, as well as the operational responsibility for protecting FBI headquarters and the Washington Field Office.
    
  • Moved the Polygraph Unit to the Security Division.
  • Started the development of a joint "business plan" with the Laboratory Division to ensure technical security resources are properly directed against Security Division requirements.
• Appointed a Director of Security, at the Assistant Director level, who serves as the senior security executive. This AD has the full support of and access to Director Mueller who has communicated his support for the Security Program to all FBI employees.
• Provided needed infrastructure support to the Security Program by:
• Shifting internal resources to the Security Division as part of the on-going FBI restructuring plan.
• Establishing additional "detail" assignments to the Security Division from the Central Intelligence Agency (CIA) and the National Security Agency (NSA).
• Applying resources received in the fiscal year 2002 budget process to security requirements.
• Submitting a fiscal year 2003 budget request that includes significant resources for the Security Division.
• Initiated a comprehensive review of national, Director of Central Intelligence, Department of Justice, and FBI policy directives to establish a traceability matrix that will be used to establish the effectiveness of existing security policy.
• Initiated the development of a comprehensive security education, awareness, and training program. The initial objective of this program will be to address information systems security issues followed by an expansion to all other elements of the Security Program.

Planned

• Developing a professional Security Officer cadre through the establishment of a comprehensive career program that identifies and hires candidates with appropriate skills, successfully retains them via a competitive pay and reward structure, builds expertise through appropriate training and assignment opportunities, and prepares them to assume program and management roles of increasing responsibility. Elements of this initiative will include:
  • Establishment of a Security Career Service Board that focuses executive attention on all elements of the professional Security Officer career track.
  • Certification of proficiency for security professionals and key non-security personnel, such as system administrators, in critical job-related skills.
    
• Re-designing the field Security Officer program to:
  • Rely less on agents and more on the professional Security Officer cadre we intend to build over time.
  • Restructure the field offices so that all security responsibilities fall under the control of the Security Officer.
  • Direct more resources to the field to support the Security Program.
    
• Modifying the operation of the FBI Security Council to ensure it is appropriately staffed by senior executives and addresses security policy issues of significance to the Bureau.

Establishing an Effective Information Assurance Program
Accomplished

• Instituted a policy requiring regular access reviews of the FBI's most sensitive cases.
• Initiated the development of a formal Information Assurance Program.
• Implemented an aggressive certification and accreditation effort to discover and address vulnerabilities within existing and proposed FBI IT systems.
• Collaborated with the Trilogy Program and the Virtual Case File team to deliver, upon deployment, enhanced security measures and to provide the framework for improved information systems security measures in the future.
• Initiated the modernization of cryptographic key management to improve the security of FBI information and to facilitate the immediate deployment of Trilogy infrastructure.

Planned

• Assigning an experienced IA professional from the Intelligence Community to run the FBI's IA Program and adding strategic "consulting" resources from the IC, as appropriate.
• Designing a comprehensive IT security architecture for FBI systems. As part of this architecture, identifying the baseline for IA tools or techniques, such as PKI, virtual private networks and LANs, single sign-on, intrusion detection, network scanning, auditing, and other methods to identify anomalous activity and system vulnerabilities.
• Establishing an Enterprise Security Operations Center to centrally manage the security of FBI IT systems and networks.
• Re-evaluating and improving the certification and accreditation process so that it mirrors best practices and is tied to the IT system development life cycle.
• Establishing a number of experienced Information Systems Security Managers as customer focal points for expeditious handling of IT security questions and issues.
• Continuing the close collaboration between IA and Trilogy Program personnel to implement improved IT system security as part of the on-going Trilogy effort.

Improving the Vetting Used to Establish Trustworthiness
Accomplished

• Expanded the use of the polygraph for personnel security processing.
• Moved Polygraph Unit from the Laboratory to the Security Division.
• Enhanced the analytical capability afforded to those persons with access to the most sensitive FBI information.
• Implemented a written case summary format for reviewing security adjudication recommendations.

Planned

• Defining the requirements for an integrated security information management system and data integration efforts, as well as, executing a limited number of "pilot" efforts using funds received in the fiscal year 2002 appropriation.
• Working with the Records Management Division to improve control of FBI security files and ensure they contain the necessary information. Eventually, as part of the effort to develop an integrated security management system, transitioning to an electronic security file.
• Automating security data collection processes in a web-enabled environment.
• Identifying new sources of information that add value to the vetting process and assist in the determination of trustworthiness.
• Establishing a Financial Disclosure Program and developing the capability to conduct security-related financial analysis.
• Exploring the use of a specific-issue polygraph examination to address the issue of deliberate unauthorized disclosure of FBI information.

Ensuring Against the Compromise of Information
Accomplished

• Reassessed access procedures for FBI facilities eliminating special exemptions afforded executives with "Gold Badges".
• Established the position of Special Security Officer for the FBI and selected an Intelligence Community officer to serve in this role as a detailee.
• Completed a review of handling procedures for sensitive information.
• Conducted a comprehensive review of sensitive accesses resulting in a net decrease of FBI employees with such access.
• Conducted a "Back-to-Basics" day for all employees where security was one of the key areas of focus.

Planned

• Establishing a Security Incident Reporting Program that includes management of all potential information compromises through a central, Security Division component. This component will ensure the security incidents are properly investigated; assessments are conducted of potential damage to the national security or FBI operations; remedial action is taken, as necessary, to ensure the compromise does not happen again; and personal accountability is assigned, if appropriate.
• Establishing a capability to resolve security anomalies, no matter their source, and to integrate information resulting from the investigation of these anomalies into the FBI CI Division.
• Developing an enhanced capability to securely process sensitive information electronically.
• Developing an appropriate accountability and tracking system for sensitive hard copy documents.
• Investigating technology to better account for and track sensitive information and the media, paper or magnetic, on which it is stored.
• Developing and conducting training on the proper classification of, accounting for, and control of classified information.