A Review of FBI Security Programs

More documents

Recommendations

Info

V. The Office Of Security Should Develop A Centralized Security Violation Reporting Program Unlike other intelligence agencies, the FBI does not have a viable program for reporting security incidents to Headquarters. There is no Bureau-wide definition of what constitutes a security violation, and there is no standard process for investigating potential security incidents. Currently, security incidents and violations need not be documented. Typically, Security Officers report violations to local Special Agents-in-Charge, resulting in disparate responses throughout the field and in Headquarters. Egregious violations are sometimes referred to the FBI’s Office of Professional Responsibility; less severe violations are often overlooked. Department of Justice regulations require that the Bureau report to the Department Security Officer (DSO) information about employee eligibility for access to classified information and the possible loss or compromise of that information. Department regulations also require that the FBI Security Program Manager (SPM) report to the DSO when employees knowingly or willfully violate security policies covering national security information. Upon receiving a report of a security violation, the SPM must initiate an inquiry, the results of which, if the violation is confirmed, are to be forwarded to the Department’s DSO for action. With the exception of violations involving Legal Attachés in U.S. embassies, few FBI security violations are reported to security, in spite of the fact that the FBI’s Manual of Investigative Operations and Guidelines provides that employees who know about the loss or possible compromise of classified information “shall immediately report the circumstances” to the Headquarters SPM and the field Security Officer, who must initiate an investigation and a damage assessment and forward the results to Headquarters. 38 38 At FBI offices overseas, Marine security guards ensure that classified information is properly stored. Reports of security violations are made to State Department Regional Security Officers, who forward the results of investigations to State for adjudication. The adjudicated report is forwarded to DOJ for resolution. Although security violations have resulted in the removal of Legal Attachés, the FBI does not maintain permanent records of these violations. -101-
Unfortunately, reporting to security is inconsistent. Security Officers also report that minor violations have no consequences. Few are even aware that an FBI manual mandates discipline for security lapses: losing or mishandling classified or sensitive information can result in sanctions ranging from oral reprimand to termination of employment. The FBI does not track employee security violations or report them to a security clearance adjudication authority. As a result, the Office of Security is unable to monitor violations or search for patterns. Thus, the Counterintelligence Division, security clearance adjudicators, and the SPM do not have a clear picture of the state of security at Headquarters or in the field; employees who habitually violate security regulations can still receive favorable assignments and promotions and pass reinvestigations for security clearances. Other federal agencies have implemented rigorous programs for reporting, investigating, and disciplining security violators. Those programs are reinforced by centralized automated tracking of security violations and by robust security education and awareness training to advise employees of their security responsibilities and the consequences of noncompliance. Many programs encourage collaboration between human resources staff and security personnel. Most important, security violation programs at other agencies receive the support of senior management. As a result of several embarrassing security incidents, notably, a missing laptop containing classified information, missing classified information from the Secretary’s office, and discovery of a listening device planted in a conference room, the Department of State re-structured its security program in 2000 to include mandatory reporting of violations and increased penalties. 39 Security Officers are now required to report security incidents to Headquarters for adjudication and inclusion in security files so that the human resources unit has complete personnel records. State has adopted a point system for security incidents, 39 Former Secretary Albright set the stage for change in an address to Foreign Service officers: “I don’t care how skilled you are as a diplomat, how brilliant you may be at meetings, or how creative you are as an administrator; if you are not a professional about security, you are a failure.” -102-
Page 1 and 2:
U.S. Department of Justice A Review
Page 3 and 4:
Commission for the Review of FBI Se
Page 5 and 6:
Contents Executive Summary ........
Page 7 and 8:
The Commission for the Review of FB
Page 9 and 10:
in FBI security programs that will
Page 11 and 12:
Unlike other Intelligence Community
Page 13 and 14:
INTRODUCTION I could have been a de
Page 15 and 16:
un by an officer in the Soviet mili
Page 17 and 18:
establishment, U.S. penetration of
Page 19 and 20:
operatives he had exposed as double
Page 21 and 22:
Hanssen was indicted on twenty-one
Page 23 and 24:
een transferred to FBI Headquarters
Page 25 and 26:
Gardens. The rebellious colonies di
Page 27 and 28:
Furthermore, in spite of Hanssen’
Page 29 and 30:
others.” In calling for the estab
Page 31 and 32:
have discovered in FBI security pro
Page 33 and 34:
The following is a compressed compi
Page 35 and 36:
I. Security Investigations And Adju
Page 37 and 38:
DOCUMENT SECURITY I. Classified Na
Page 39 and 40:
of Central Intelligence Directives
Page 41 and 42:
II. The Office of Security Should D
Page 43 and 44:
INFORMATION SYSTEMS SECURITY (INFOS
Page 45 and 46:
Robert Hanssen’s espionage demons
Page 47 and 48:
een filled, the persons assigned of
Page 49 and 50:
with the preliminary damage assessm
Page 51 and 52:
FBI was investigating him. 13 While
Page 53 and 54:
focus. 14 As a result of inadequate
Page 55 and 56:
in unrestricted administrative case
Page 57 and 58:
On October 3, 2001, an Electronic C
Page 59 and 60:
senior FBI officials responsible fo
Page 61 and 62:
percent of the amount sought. 16 Th
Page 63 and 64:
information security policies that
Page 65 and 66: PERSONNEL SECURITY I think that [my
Page 67 and 68: The Commission conducted a detailed
Page 69 and 70: The PSU is also responsible for adm
Page 71 and 72: Unit for new applicants, the Person
Page 73 and 74: various elements is spread througho
Page 75 and 76: addressed. These interviews are ess
Page 77 and 78: identified, these individuals can b
Page 79 and 80: overextended and potentially at ris
Page 81 and 82: The FBI’s polygraph program was i
Page 83 and 84: awareness programs relating to poly
Page 85 and 86: DOCUMENT SECURITY Security was lax
Page 87 and 88: Much of Robert Hanssen’s espionag
Page 89 and 90: Room. In the same year, the FBI Mai
Page 91 and 92: Given the ubiquity of ACS, Headquar
Page 93 and 94: (SCI). Before being given access to
Page 95 and 96: eceived in the wake of recent terro
Page 97 and 98: under minimum security controls. Th
Page 99 and 100: carriers receive timely security cl
Page 101 and 102: with the true scope of improper act
Page 103 and 104: SECURITY STRUCTURE . . . [I]f I had
Page 105 and 106: In general, we found serious weakne
Page 107 and 108: executive will ensure constant focu
Page 109 and 110: technical security countermeasures.
Page 111 and 112: Eighty-five percent of those office
Page 113 and 114: months training in investigations,
Page 115: accounts cancelled. A six-hour secu
Page 119 and 120: security violations should be subje
Page 121 and 122: and training. -106-
Page 123 and 124: Robert Hanssen’s treachery is hei
Page 125 and 126: Glossary of Acronyms Acronym ACS AD
Page 127 and 128: Acronym GSR HERU HIT HCS HQ HUMINT
Page 129 and 130: Acronym OPM OPR OPSEC ORCON OSI OST
Page 131 and 132: COMMISSION CHARTER
Page 133 and 134: time equivalent government personne
Page 135 and 136: WILLIAM H. WEBSTER, the Commission
show all

A Review of FBI Security Programs

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?