
Arms Control And Disarmament Agency: More Corrective Actions Needed to Control Classified Codeword Documents

Published by the Government Accountability Office on 1990-06-22.


GAO

             ARMS CONTROL AND DISARMAMENT AGENCY
             More Corrective Actions Needed to Control Classified Codeword Documents

             RESTRICTED--Not to be released outside the General Accounting Office
             unless specifically approved by the Office of Congressional Relations.

             United States General Accounting Office
             Washington, D.C. 20548

             National Security and
             International Affairs Division

             B-237177

             June 22, 1990

             The Honorable Dante B. Fascell
             Chairman, Committee on Foreign Affairs
             House of Representatives

             The Honorable William S. Broomfield
             Ranking Minority Member
             Committee on Foreign Affairs
             House of Representatives

             On October 24, 1989, your staff asked that we determine what actions
             had been taken on our recommendations in two reports concerning the
             safeguarding of classified documents at the Arms Control and Disarma-
             ment Agency (ACDA).¹ In this report, we describe the actions taken by
             ACDA and the State Department in response to our recommendations to
             improve the control, protection, and accountability of sensitive compart-
             mented information (SCI) at ACDA’s sensitive compartmented information
             facility (SCIF) in Washington, D.C. We will report separately on actions
             taken in response to our later report on ACDA’s safeguarding of national
             security information in Washington, D.C., and Geneva, Switzerland.


Background

             ACDA is the central organization in the U.S. government for the formula-
             tion and implementation of arms control policy. As part of its mission,
             ACDA handles classified material, including sensitive intelligence infor-
             mation, both internally generated and received from external sources.

             Sensitive intelligence information, known as SCI or codeword, requires
             extra control and storage in a vault called a SCIF. ACDA has access to cer-
             tain compartments of SCI and is responsible for controlling and storing
             this information in accordance with standards and directives estab-
             lished by the Director of Central Intelligence.

             The Assistant Secretary of State for the Intelligence and Research
             Bureau is responsible for providing security oversight, including
             ensuring that an SCI facility is properly accredited, and other support for
             ACDA regarding SCI. Accordingly, State provided a facility for ACDA to
             store its SCI, a separate secure area located within the perimeter of the
             Bureau’s SCIF.

             ¹Arms Control: Improvements Needed to Protect Compartmented Information (GAO/NSIAD-88-216,
             Aug. 24, 1988) and Arms Control and Disarmament Agency: Better Controls Are Needed to Protect
             Classified Information (GAO/NSIAD-89-26, Nov. 10, 1988).



             Page 1    GAO/NSIAD-90-175 Arms Control and Disarmament Agency




                   Our August 1988 report described security weaknesses in the handling
                   and protection of SCI in ACDA's facility and recommended that ACDA and
                   the State Department correct these deficiencies. We reported that
                   (1) ACDA could not locate over one-fourth of the documents from our
                   sample of log entries and that it should account for these and other doc-
                   uments under its control² and (2) ACDA's document control records were
                   not organized in a way that would facilitate locating documents in the
                   files. In commenting on our report, ACDA stated that the noted deficien-
                   cies resulted from a lack of trained staff dedicated to document control.

                   We also reported that the State Department had not adequately fulfilled
                   its assigned responsibility of providing ACDA the security oversight and
                   administrative support needed to ensure that SCI was properly protected
                   and accounted for.

                   To ensure that all SCI would be adequately accounted for, we recom-
                   mended that ACDA (1) establish formal, written procedures requiring
                   notations regarding a document’s specific location and (2) conduct an
                   inventory of all SCI in its possession to determine what ACDA should be
                   accountable for and identify what other documents on its control logs
                   might be missing. We also recommended that an assessment be made to
                   determine the likelihood that a breach of national security had occurred
                   because of those documents that could not be accounted for, which
                   would require ACDA to notify the originating agencies of the missing
                   documents.

                   In addition, we recommended that the State Department correct the
                   deficiencies identified in a 1987 Central Intelligence Agency (CIA)
                   report,³ including obtaining proper accreditation for the SCIF and pro-
                   viding ACDA the necessary security oversight and support.


Results in Brief

                   ACDA has initiated actions, including new written procedures, which, if
                   fully implemented, should improve ACDA’s handling and protection of SCI.
                   Until ACDA’s recent notification to CIA concerning 3,000 missing docu-
                   ments, it was not in compliance with the applicable directive, and it
                   delayed the originating agencies’ ability to conduct damage assessments.

                   ²At the time of our 1988 review, ACDA had responsibility for an estimated 7,600 SCI documents.
                   During our review, ACDA could not locate 66 (28 percent) of our sample of 236 SCI documents.

                   ³This report was based on a survey conducted by security officials from the CIA, the National
                   Security Agency, and State and was done because of allegations of possible security problems at
                   ACDA.







                     In addition, because ACDA does not maintain records of copies of elec-
                     tronically transmitted SCI messages received through the State Depart-
                     ment, it has not complied with accountability and control procedures
                     prescribed in the applicable Director of Central Intelligence directive.

                     Adequate oversight and testing by State of ACDA security controls would
                     help to ensure that ACDA adheres to directives, regulations, and other
                     procedures. To date, State’s reviews have been too limited in scope to
                     provide such assurance. In addition, because all the security upgrades
                     have not been completed, the SCIF is still not accredited to store all the
                     various compartments of SCI.


Procedures for SCI Document Control

                     In December 1988, ACDA established formal, written procedures to imple-
                     ment applicable Director of Central Intelligence directives and ACDA
                     security regulations. These procedures prescribe methods for control-
                     ling, filing, storing, and destroying certain documents provided by other
                     agencies or originated by ACDA. The new procedures require prominently
                     marking SCI documents and logging accountable documents in an auto-
                     mated data base by compartment, document and copy number, title, file
                     number or temporary file name, date, originating agency, location (safe
                     and drawer number), and the date received.

                     In October 1989, ACDA filled one of two full-time positions established for
                     overall SCIF security and document accountability and control, but as of
                     April 1990 the other position remained unfilled.


Document Accountability and Control Problems

                     From late 1989 through early 1990, ACDA attempted to account for SCI
                     listed on its records prior to March 1988⁴ and could not account for
                     approximately 3,000 documents. On March l&1990, ACDA sent CIA a
                     listing of all the missing documents. These documents originated from
                     six different agencies. ACDA anticipates that CIA will notify the other
                     originating agencies of the missing documents to permit them to conduct
                     a damage assessment to minimize any adverse effect.


Inventories Were Conducted

                     According to ACDA, the former Director requested that the Defense Intel-
                     ligence Agency assist ACDA’s staff in implementing an improved docu-
                     ment control system in the SCIF. Based on the Defense Intelligence
                     Agency’s inventories of SCI in ACDA’s facility and ACDA’s decision on what

                     ⁴Our previous SCI document review in ACDA’s facility was completed in February 1988.







                      material it should be accountable for, in November 1988, ACDA estab-
                      lished a new register of SCI documents.

                      ACDA determined that it would control all SCI except copies of electroni-
                      cally transmitted message traffic. ACDA told us it is common practice in
                      intelligence community organizations not to control message traffic.
                      According to the ACDA officer in charge of SCIF operations, approximately
                      60 to 100 SCI messages are received each day. Some of these are immedi-
                      ately destroyed after reading and others are placed in a temporary
                      reading file and then destroyed.

                      According to the Director of Central Intelligence directive, with the
                      exception of raw intelligence data under the control of a single intelli-
                      gence community organization, control records are required for all
                      incoming SCI. The directive notes that for electronically received mes-
                      sage traffic, the requirement to control incoming SCI may be fulfilled
                      through retention of standard telecommunication center records for at
                      least 6 months. Because ACDA is not a member of the intelligence commu-
                      nity, it receives copies of such messages through the State Department
                      and does not have access to a standard telecommunications center to
                      control such documents.

                      CIA officials told us that ACDA could easily control all incoming SCI
                      because the number of messages ACDA receives is not considered volumi-
                      nous and ACDA now has a dedicated document control person in its SCIF.
                      When we brought this to their attention, ACDA officials told us that they
                      did not believe regulations required them to control message traffic;
                      however, they would reconsider present ACDA policy.


Documents Reported Missing

                      The notification requirements for the loss or possible compromise of
                      classified information, including SCI, are contained in the Information
                      Security Oversight Office’s⁵ Directive 1. It states that “the agency that
                      originated the information shall be notified of the loss or possible com-
                      promise so that a damage assessment may be conducted and appropriate
                      measures taken to negate or minimize any adverse effect of the
                      compromise.”

                      ⁵Under Executive Order 12356, “National Security Information,” the Information Security Oversight
                      Office is responsible for overseeing the information security programs of all executive branch agen-
                      cies. The Office is an administrative component of the General Services Administration and receives
                      its policy direction from the National Security Council.







                     According to an ACDA official, the decision not to notify the originating
                     agencies concerning missing documents was made by the former ACDA
                     Director at a December 1988 meeting. This official told us that the
                     former Director based his decision on the assumption that there was no
                     indication of a compromise in national security (that is, no SCI had been
                     taken from the SCIF). However, our November 1988 report and a mid-
                     1988 ACDA inventory of Top Secret and other sensitive documents had
                     identified a number of SCI documents stored outside the SCIF. The CIA
                     official responsible for accrediting the SCIF told us that this could be a
                     serious security problem. He said that ACDA is accountable for all those
                     documents and that the originating agencies should therefore be
                     notified.

                     In the fall of 1989, ACDA's Director of Security said that he would propose
                     that ACDA reconsider the previous decision not to notify the originating
                     agencies. In December 1989, the current ACDA Director told us that he
                     was under the impression he did not have to notify originating agencies
                     concerning missing SCI. However, in March 1990, ACDA officials provided
                     CIA a comprehensive list of 2,991 missing SCI from six different
                     originating agencies that has not been accounted for.

                     ACDA knew for more than 2 years that at least 66 documents were
                     missing before ACDA officials decided to report the missing documents to
                     the CIA. ACDA delayed the initiation of corrective action to identify other
                     missing SCI for 16 months. Then it took 3 months to complete the work
                     and report the missing documents to CIA.

                     ACDA told us that because of the large number of missing documents and
                     the numerous originating agencies involved, CIA had agreed to act as the
                     central point for ACDA's report of missing documents. According to the
                     Security Director, ACDA anticipates that CIA will notify the other
                     originating agencies.


Status of State Department’s Corrective Actions

                     The CIA's Office of Security is the overall accrediting authority for
                     ACDA's SCIF. However, State has authority to accredit a facility for
                     storing one compartment of SCI.

                     The State Department has taken action on some of the recommendations
                     in the March 1987 CIA report. The general thrust of the recommenda-
                     tions to State was that it should provide ACDA the necessary administra-
                     tive support and security oversight, including obtaining the proper SCIF






                          accreditation, to ensure that SCI is protected and accounted for in accor-
                          dance with regulations.

                          In addressing CIA’s recommendations, State (1) accredited ACDA’s SCIF for
                          one compartment of SCI used by ACDA, (2) entered into a formal agree-
                          ment with ACDA defining State’s responsibilities for the ACDA SCIF’s
                          security oversight and support, and (3) provided ACDA additional space
                          for SCI. State also initiated, but has not completed, other improvements
                          in the facility, including providing secure voice communications.

                          However, State has not completed all physical and technical security
                          upgrades required to obtain CIA accreditation for other compartments of
                          SCI and has not provided adequate oversight of ACDA’s facility.


SCIF Accreditation

                          The CIA requires additional security upgrades before it will certify
                          State’s SCIF and the ACDA facility within this perimeter to store all of the
                          compartments of information it handles. Interim (6-month) accredita-
                          tions covering all compartments of information in the State SCIF were
                          granted in September 1988 by CIA’s Office of Security and the Assistant
                          Secretary of State for Intelligence and Research. In a letter to State, CIA
                          stated that although the facility did not meet the security standards
                          established in its directives, it was granting interim approval based on
                          the temporary security features in place and the planned security
                          upgrades. State said it would request final accreditation upon comple-
                          tion of the ongoing renovations, then estimated to be the end of Feb-
                          ruary 1989. However, the interim accreditations expired in March 1989,
                          and the renovations necessary for final certification had not been
                          completed.

                          In November 1989, State determined that the ACDA facility met the phys-
                          ical requirements for storing one compartment of SCI and granted a sepa-
                          rate accreditation for this one compartment for which it has authority.
                          In March 1990, State told us that CIA requires additional security
                          upgrades before it will grant final accreditation for State’s SCIF and the
                          ACDA facility within the perimeter. These upgrades were recently
                          funded, and State estimates a July 1, 1990, completion date.


Limited State Oversight

                          According to a Director of Central Intelligence directive, State’s Senior
                          Official of the Intelligence Community shall conduct periodic reviews of
                          SCI held by organizations under his cognizance, which may require an







    inventory of SCI, to ensure that proper accountability is being
    maintained.

    The October 1988 State and ACDA memorandum of agreement states, in
    part, that the Intelligence and Research Bureau’s Security Office will
    periodically inventory ACDA’s SCI, conduct periodic physical security
    inspections, and arrange for other technical inspections. Other responsi-
    bilities include providing SCI security guidance on procedures and opera-
    tion, maintaining official records of ACDA personnel with SCI access,
    providing access authority certifications on incoming visitors, and pro-
    viding materials and assistance, as requested, for use in indoctrinations
    and debriefings.

    Our review indicated that State’s oversight has been limited because its
    Security Branch was not fully staffed. Although State had said that it
    planned to conduct monthly inspections of a sample of documents, only
    two inspections had been conducted (in February and July 1989) during
    the 17 months since the agreement was signed.

    In April 1990, State officials said that they had recently filled a full-time
    position. State officials believe that they now have the resources needed
    to perform the required oversight of ACDA’s facility and will expand
    their oversight to include conducting inspections of all ACDA’s SCI
    holdings.

    In the two inspections that were conducted, State did not comply with
    the inspection criteria to inventory all SCI. For example, of the thousands
    of SCI documents on ACDA’s records,⁶ State randomly selected 22 and 50,
    respectively, of these for review. Its reports on these inspections stated
    that all of the sample documents were found (although some were mis-
    filed), and only one discrepancy was noted: one document found was
    shown as having been destroyed.

    According to State’s Office of the Inspector General, the Intelligence and
    Research Bureau’s inspections were also not of sufficient scope to
    ensure compliance with the Director of Central Intelligence directive
    regarding physical security standards for SCI. The Inspector General
    asked that the Bureau provide a plan showing what will be covered
    during future reviews and a schedule for future inspections. In July

    ⁶Because ACDA’s SCI holdings vary from day to day and many documents have been destroyed,
    ACDA officials could not provide an accurate number of the quantity of SCI held at the time of State’s
    reviews. However, ACDA said that its holdings were much lower than the 7,600 it had during our
    previous audit.







                           1989, the Bureau provided information on the scope of future inspec-
                           tions. In December 1989, the Bureau said it would conduct biannual
                           reviews to ensure compliance with applicable directives. In March 1990,
                           the Bureau’s Security Branch Chief said the next inspection of ACDA's
                           facility is planned for June 1990.


Improvements to ACDA’s SCIF

                           In response to other CIA recommendations, ACDA's SCIF has been enlarged
                           and State plans to provide secure telephones. State’s Office of the
                           Inspector General recommended that an acoustical telephone booth be
                           installed in the ACDA facility for sensitive telephone conversations.
                           Implementation of this recommendation was initially the responsibility
                           of State. However, because ACDA was responsible for completing addi-
                           tional wiring and other modifications before the booth could be
                           installed, in early 1990 the Office of the Inspector General redirected the
                           recommendation to ACDA. In April 1990, ACDA officials told us that they
                           do not plan to install a booth because they believe the renovated ACDA
                           facility will provide adequate security for sensitive telephone
                           conversations.


Recommendations

                           We recommend that the Secretary of State ensure that

                         • the required security upgrades are promptly completed to obtain full
                           accreditation of the Intelligence and Research Bureau’s SCIF and
                         • the Assistant Secretary of State for Intelligence and Research provide
                           adequate oversight of the ACDA facility and the SCI holdings, as required
                           by applicable directives and the memorandum of agreement. This over-
                           sight should include, at a minimum, an annual inventory of all SCI held
                           by ACDA to ensure that all SCI is being appropriately accounted for and
                           stored.

                           We also recommend that the Director, ACDA, implement procedures to
                           control all incoming SCI, including copies of electronic message traffic, to
                           ensure compliance with accountability and control procedures pre-
                           scribed in the Director of Central Intelligence directive.


Agency Comments

                           As agreed with your office, we did not obtain formal agency comments.
                           However, we discussed the information in this report with ACDA and
                           State Department officials and incorporated their comments as appro-
                           priate. State officials concurred with our conclusions and recommenda-
                           tions. ACDA officials provided additional information on their notification






              to CIA concerning the 3,000 missing SCI and stated that they would recon-
              sider the present ACDA policy not to control incoming SCI message traffic.


Scope and Methodology

              To assess the status of implementation of our recommendations, we held
              discussions with and obtained records from ACDA and State officials and
              visited the SCIF. We also discussed accreditation issues and SCI control
              procedures with CIA. We ascertained the nature and extent of ACDA's SCIF
              procedures and reviewed internal and external reports on security pro-
              cedures at ACDA, including a report by the Office of Inspector General.
              Our work was conducted from October 1989 through April 1990 in
              accordance with generally accepted government auditing standards.


              As arranged with your office, we plan no further distribution of this
              report until 30 days from its issue date. At that time we will send copies
              to the appropriate congressional committees; the Director of the Arms
              Control and Disarmament Agency; the Secretary of State; the Director of
              Central Intelligence; the Director, Information Security Oversight Office,
              General Services Administration; the Director, Office of Management
              and Budget; and other interested parties.

              Major contributors to this report were Louis H. Zanardi, Assistant
              Director, and Mary K. Quinlan, Evaluator-in-Charge. If you or your staff
              have any questions concerning this report, please call me on
              (202) 275-4128.




              Joseph E. Kelley
              Director, Security and International
                Relations Issues




(467848)