You are on page 1of 5

Redefining Security

A Report to the
Secretary of Defense
and the
Director of Central Intelligence

February 28, 1994

Joint Security Commission

Washington, D.C. 20505

Joint Security Commission

Washington, D.C. 20505

February 28, 1994

The Honorable William J. Perry

Secretary of Defense
Washington, D. C. 20301

The Honorable R. James Woolsey

Director of Central Intelligence
Washington, D. C. 20505

Dear Sirs:

1. Pursuant to your request, the Joint Security Commission was convened on June 11,
1993. The Commission was guided by your direction to develop a new approach to
security that would "assure the adequacy of protection within the contours of a security
system that is simplified, more uniform, and more cost effective."

2. This report presents the recommendations of the Joint Security Commission to achieve
these objectives and to redefine security policies, practices and procedures. The report
describes the threats to our nation's security and lays out a vision the Commission
believes will shift the course of security philosophy. We also propose a new policy
structure and a classification system designed to manage risks better, and we outline
methods of improving government and industry personnel security policies. We offer
recommendations on developing new strategies for achieving security within our
information systems, including protecting the integrity and availability of both classified
and unclassified information assets, and we call for a new approach to capture security
costs. We provide recommendations for linking traditional physical and technical
countermeasures to threat. We believe that implementation of these recommendations
will result in a security system that will meet the evolving threat while being fairer, more
coherent, and more cost effective.

3. In reaching its conclusions and recommendations, the Commission drew upon the
perspectives of policymakers, Congress, the military, industry, and public interest groups.
Although our charter was limited to a review of the Intelligence and Defense
Communities, we found that many of the problems and solutions have government-wide
implications. In those instances where we believe that a government-wide solution is the
best answer, we have offered recommendations to that effect.

4. This report represents months of work by the Commissioners, our staff, and a vast
number of citizens both in and out of government, who graciously gave us their time and
comments. On behalf of the Commission, I would like to thank all who contributed to
this effort and to give special recognition to our superb staff, headed so ably by Dan
Ryan. Ultimately, of course, the Commissioners bear full responsibility for the analysis
and recommendations contained herein.

5. As you have directed, the Commission will remain in place until June 1, to assist in the
implementation of our recommendations. We look forward to working with you to
achieve the objectives you have laid before us.

Very respectfully,

Jeffrey H. Smith


Executive Summary

Chapter 1. Approaching the Next Century

• Implementing the New Paradigm-- Risk Management

Chapter 2. Classification Management

• Classification-- Driving Security

• The Current Classification System-Cumbersome and Confusing
• Special Access Programs-Lacking Faith in the System
• A New System-Streamlined and Straightforward
• A Simplified Controlled Access System
• Limiting Use of Special Access Controls
• Uniform Risk Criteria for Secret Controlled Access Information
• Increasing the Flow of Data
• Special Cover Measures
• Security Oversight of Compartmented Access Programs
• Classification Management Practices
• Dissemination Controls-Impediments to Getting Intelligence into the Hands of
• Sharing Classified Information
• Billet and Access Control Policies
• Secrecy Agreements
• Declassification
• Making the Classification System Really Work-An Integrated Approach
• with Appropriate Oversight
• Dealing with Sensitive but Unclassified Information

Chapter 3. Threat Assessments-The Basis of Smart Security Decisions

• Asleep at the Wheel

• A Wake-Up Call

Chapter 4. Personnel Security-The First and Best Defense

• The Process Begins

• Requesting a Clearance
• Prescreening and Fairness
• Forms and Automation-Ending the Paper Trail
• Investigations-Assessing Trustworthiness
• Investigative Requirements-Streamlining the Process
• Continuing Evaluation-Reinvestigations and Safety Nets
• Clearance Processing-Time Is Money
• Adjudication
• Adjudicative Standards and Criteria
• DoD Adjudicative Facilities
• Reciprocity
• Procedural Safeguards
• DoD Contractor Personnel
• DoD Civilian Personnel
• Differences and Comparative Advantages
• Military Personnel
• Special Access Approvals
• The Polygraph
• Background
• Applications of the Polygraph
• Recommendations
• Oversight
• Standardization
• Training, Research, and Development

Chapter 5. Physical, Technical, and Procedural Security

• Physical Security Standards
• Facility Certification
• Facilities, Containers, and Locks
• Industrial Security Inspections
• Technical Surveillance Countermeasures (TSCM)
• Procedural Security
• Central Clearance Verification
• Certification of Contractor Visits
• Communitywide Badge Systems
• Document Tracking and Control
• Document Destruction
• Document Transmittal
• Operations Security

Chapter 6. Protecting Advanced Technology

• Foreign Ownership, Control, and Influence

• Foreign Exchange Agreements-The Status Quo
• Threat Analysis-Vital to Protecting Advanced Technology
• The National Disclosure Policy
• Recording Foreign Disclosure Decisions

Chapter 7. A Joint Investigative Service

• Personnel Security Investigations

• Industrial Security
• Establishment of a Joint Investigative Service

Chapter 8. Information Systems Security

• The Threat to Information and Information Systems

• Dated Policies
• Failed Strategies
• The New Information Systems Security Reality
• Information Systems Security Policy for Tomorrow
• The Investment Strategy for Information Systems Security
• Research and Development-A Need to Consolidate
• Infrastructure Security Management
• Auditing Infrastructure Utilization
• Managing the Risk to Information Systems
• Emergency Response-The Need for Help
• Information Systems Security Professionals

Chapter 9. The Cost of Security-An Elusive Target

• Understanding Security Costs
• Costs in Black and White
• Visible and Invisible Security Costs
• "There's No Way to Know How Much We're Spending on Security!"
• Work to Date in the DoD
• Intelligence Community Efforts
• Capturing Security Costs in Industry
• Moving Towards Consistency
• Getting to the Bottom Line-The Payoff Is Long Term…
• …With Up-Front Costs in the Near Term
• The Bottom Line

Chapter 10. Security Awareness, Training, and Education

• The Present
• Training for the Future

Chapter 11. A Security Architecture for the Future

• The Present
• The Future



• A. Statement of Commissioner Lapham on Secrecy Agreements

• B. Statement of Commissioner Chayes on Procedural Safeguards
• C. Statement of Commissioner Lapham on Polygraph
• D. Acronyms
• E. Acknowledgments