GAO

ARMS CONTROL AND DISARMAMENT AGENCY

More Corrective Actions Needed to Control Classified Codeword Documents

RESTRICTED -- Not to be released outside the General Accounting Office unless specifically approved by the Office of Congressional Relations.

United States General Accounting Office
Washington, D.C. 20548

National Security and International Affairs Division

B-237177

June 22, 1990

The Honorable Dante B. Fascell
Chairman, Committee on Foreign Affairs
House of Representatives

The Honorable William S. Broomfield
Ranking Minority Member
Committee on Foreign Affairs
House of Representatives

On October 24, 1989, your staff asked that we determine what actions had been taken on our recommendations in two reports concerning the safeguarding of classified documents at the Arms Control and Disarmament Agency (ACDA).[1] In this report, we describe the actions taken by ACDA and the State Department in response to our recommendations to improve the control, protection, and accountability of sensitive compartmented information (SCI) at ACDA's sensitive compartmented information facility (SCIF) in Washington, D.C. We will report separately on actions taken in response to our later report on ACDA's safeguarding of national security information in Washington, D.C., and Geneva, Switzerland.

Background

ACDA is the central organization in the U.S. government for the formulation and implementation of arms control policy. As part of its mission, ACDA handles classified material, including sensitive intelligence information, both internally generated and received from external sources. Sensitive intelligence information, known as SCI or codeword, requires extra control and storage in a vault called a SCIF. ACDA has access to certain compartments of SCI and is responsible for controlling and storing this information in accordance with standards and directives established by the Director of Central Intelligence.
The Assistant Secretary of State for the Intelligence and Research Bureau is responsible for providing security oversight, including ensuring that an SCI facility is properly accredited, and other support for ACDA regarding SCI. Accordingly, State provided a facility for ACDA to store its SCI, a separate secure area located within the perimeter of the Bureau's SCIF.

[1] Arms Control: Improvements Needed to Protect Compartmented Information (GAO/NSIAD-88-216, Aug. 24, 1988) and Arms Control and Disarmament Agency: Better Controls Are Needed to Protect Classified Information (GAO/NSIAD-89-26, Nov. 10, 1988).

Page 1 GAO/NSIAD-90-175 Arms Control and Disarmament Agency

Our August 1988 report described security weaknesses in the handling and protection of SCI in ACDA's facility and recommended that ACDA and the State Department correct these deficiencies. We reported that (1) ACDA could not locate over one-fourth of the documents from our sample of log entries and that it should account for these and other documents under its control[2] and (2) ACDA's document control records were not organized in a way that would facilitate locating documents in the files. In commenting on our report, ACDA stated that the noted deficiencies resulted from a lack of trained staff dedicated to document control. We also reported that the State Department had not adequately fulfilled its assigned responsibility of providing ACDA the security oversight and administrative support needed to ensure that SCI was properly protected and accounted for.

To ensure that all SCI would be adequately accounted for, we recommended that ACDA (1) establish formal, written procedures requiring notations regarding a document's specific location and (2) conduct an inventory of all SCI in its possession to determine what ACDA should be accountable for and identify what other documents on its control logs might be missing.
We also recommended that an assessment be made to determine the likelihood that a breach of national security had occurred because of those documents that could not be accounted for, which would require ACDA to notify the originating agencies of the missing documents.

In addition, we recommended that the State Department correct the deficiencies identified in a 1987 Central Intelligence Agency (CIA) report,[3] including obtaining proper accreditation for the SCIF and providing ACDA the necessary security oversight and support.

Results in Brief

ACDA has initiated actions, including new written procedures, which, if fully implemented, should improve ACDA's handling and protection of SCI. Until ACDA's recent notification to CIA concerning 3,000 missing documents, it was not in compliance with the applicable directive, and it delayed the originating agencies' ability to conduct damage assessments.

[2] At the time of our 1988 review, ACDA had responsibility for an estimated 7,600 SCI documents. During our review, ACDA could not locate 66 (28 percent) of our sample of 236 SCI documents.

[3] This report was based on a survey conducted by security officials from the CIA, the National Security Agency, and State and was done because of allegations of possible security problems at ACDA.

In addition, because ACDA does not maintain records of copies of electronically transmitted SCI messages received through the State Department, it has not complied with accountability and control procedures prescribed in the applicable Director of Central Intelligence directive.

Adequate oversight and testing by State of ACDA security controls would help to ensure that ACDA adheres to directives, regulations, and other procedures. To date, State's reviews have been too limited in scope to provide such assurance.
In addition, because all the security upgrades have not been completed, the SCIF is still not accredited to store all the various compartments of SCI.

Procedures for SCI Document Control

In December 1988, ACDA established formal, written procedures to implement applicable Director of Central Intelligence directives and ACDA security regulations. These procedures prescribe methods for controlling, filing, storing, and destroying certain documents provided by other agencies or originated by ACDA. The new procedures require prominently marking SCI documents and logging accountable documents in an automated data base by compartment, document and copy number, title, file number or temporary file name, date, originating agency, location (safe and drawer number), and the date received. In October 1989, ACDA filled one of two full-time positions established for overall SCIF security and document accountability and control, but as of April 1990 the other position remained unfilled.

Document Accountability and Control Problems

From late 1989 through early 1990, ACDA attempted to account for SCI listed on its records prior to March 1988[4] and could not account for approximately 3,000 documents. On March l&1990, ACDA sent CIA a listing of all the missing documents. These documents originated from six different agencies. ACDA anticipates that CIA will notify the other originating agencies of the missing documents to permit them to conduct a damage assessment to minimize any adverse effect.

Inventories Were Conducted

According to ACDA, the former Director requested that the Defense Intelligence Agency assist ACDA's staff in implementing an improved document control system in the SCIF. Based on the Defense Intelligence Agency's inventories of SCI in ACDA's facility and ACDA's decision on what material it should be accountable for, in November 1988, ACDA established a new register of SCI documents.

[4] Our previous SCI document review in ACDA's facility was completed in February 1988.

ACDA determined that it would control all SCI except copies of electronically transmitted message traffic. ACDA told us it is common practice in intelligence community organizations not to control message traffic. According to the ACDA officer in charge of SCIF operations, approximately 60 to 100 SCI messages are received each day. Some of these are immediately destroyed after reading and others are placed in a temporary reading file and then destroyed.

According to the Director of Central Intelligence directive, with the exception of raw intelligence data under the control of a single intelligence community organization, control records are required for all incoming SCI. The directive notes that for electronically received message traffic, the requirement to control incoming SCI may be fulfilled through retention of standard telecommunication center records for at least 6 months. Because ACDA is not a member of the intelligence community, it receives copies of such messages through the State Department and does not have access to a standard telecommunications center to control such documents.

CIA officials told us that ACDA could easily control all incoming SCI because the number of messages ACDA receives is not considered voluminous and ACDA now has a dedicated document control person in its SCIF. When we brought this to their attention, ACDA officials told us that they did not believe regulations required them to control message traffic; however, they would reconsider present ACDA policy.

Documents Reported Missing

The notification requirements for the loss or possible compromise of classified information, including SCI, are contained in the Information Security Oversight Office's[5] Directive 1.
It states that “the agency that originated the information shall be notified of the loss or possible compromise so that a damage assessment may be conducted and appropriate measures taken to negate or minimize any adverse effect of the compromise.”

[5] Under Executive Order 12356, “National Security Information,” the Information Security Oversight Office is responsible for overseeing the information security programs of all executive branch agencies. The Office is an administrative component of the General Services Administration and receives its policy direction from the National Security Council.

According to an ACDA official, the decision not to notify the originating agencies concerning missing documents was made by the former ACDA Director at a December 1988 meeting. This official told us that the former Director based his decision on the assumption that there was no indication of a compromise in national security (that is, no SCI had been taken from the SCIF). However, our November 1988 report and a mid-1988 ACDA inventory of Top Secret and other sensitive documents had identified a number of SCI documents stored outside the SCIF. The CIA official responsible for accrediting the SCIF told us that this could be a serious security problem. He said that ACDA is accountable for all those documents and that the originating agencies should therefore be notified.

In the fall of 1989, ACDA's Director of Security said that he would propose that ACDA reconsider the previous decision not to notify the originating agencies. In December 1989, the current ACDA Director told us that he was under the impression he did not have to notify originating agencies concerning missing SCI. However, in March 1990, ACDA officials provided CIA a comprehensive list of 2,991 missing SCI from six different originating agencies that has not been accounted for.
ACDA knew for more than 2 years that at least 66 documents were missing before ACDA officials decided to report the missing documents to the CIA. ACDA delayed the initiation of corrective action to identify other missing SCI for 16 months. Then it took 3 months to complete the work and report the missing documents to CIA.

ACDA told us that because of the large number of missing documents and the numerous originating agencies involved, CIA had agreed to act as the central point for ACDA's report of missing documents. According to the Security Director, ACDA anticipates that CIA will notify the other originating agencies.

Status of State Department's Corrective Actions

The CIA's Office of Security is the overall accrediting authority for ACDA's SCIF. However, State has authority to accredit a facility for storing one compartment of SCI.

The State Department has taken action on some of the recommendations in the March 1987 CIA report. The general thrust of the recommendations to State was that it should provide ACDA the necessary administrative support and security oversight, including obtaining the proper SCIF accreditation, to ensure that SCI is protected and accounted for in accordance with regulations.

In addressing CIA's recommendations, State (1) accredited ACDA's SCIF for one compartment of SCI used by ACDA, (2) entered into a formal agreement with ACDA defining State's responsibilities for the ACDA SCIF's security oversight and support, and (3) provided ACDA additional space for SCI. State also initiated, but has not completed, other improvements in the facility, including providing secure voice communications. However, State has not completed all physical and technical security upgrades required to obtain CIA accreditation for other compartments of SCI and has not provided adequate oversight of ACDA's facility.
SCIF Accreditation

The CIA requires additional security upgrades before it will certify State's SCIF and the ACDA facility within this perimeter to store all of the compartments of information it handles. Interim (6-month) accreditations covering all compartments of information in the State SCIF were granted in September 1988 by CIA's Office of Security and the Assistant Secretary of State for Intelligence and Research. In a letter to State, CIA stated that although the facility did not meet the security standards established in its directives, it was granting interim approval based on the temporary security features in place and the planned security upgrades. State said it would request final accreditation upon completion of the ongoing renovations, then estimated to be the end of February 1989. However, the interim accreditations expired in March 1989, and the renovations necessary for final certification had not been completed.

In November 1989, State determined that the ACDA facility met the physical requirements for storing one compartment of SCI and granted a separate accreditation for this one compartment for which it has authority. In March 1990, State told us that CIA requires additional security upgrades before it will grant final accreditation for State's SCIF and the ACDA facility within the perimeter. These upgrades were recently funded, and State estimates a July 1, 1990, completion date.

Limited State Oversight

According to a Director of Central Intelligence directive, State's Senior Official of the Intelligence Community shall conduct periodic reviews of SCI held by organizations under his cognizance, which may require an inventory of SCI, to ensure that proper accountability is being maintained.
The October 1988 State and ACDA memorandum of agreement states, in part, that the Intelligence and Research Bureau's Security Office will periodically inventory ACDA's SCI, conduct periodic physical security inspections, and arrange for other technical inspections. Other responsibilities include providing SCI security guidance on procedures and operation, maintaining official records of ACDA personnel with SCI access, providing access authority certifications on incoming visitors, and providing materials and assistance, as requested, for use in indoctrinations and debriefings.

Our review indicated that State's oversight has been limited because its Security Branch was not fully staffed. Although State had said that it planned to conduct monthly inspections of a sample of documents, only two inspections had been conducted (in February and July 1989) during the 17 months since the agreement was signed. In April 1990, State officials said that they had recently filled a full-time position. State officials believe that they now have the resources needed to perform the required oversight of ACDA's facility and will expand their oversight to include conducting inspections of all ACDA's SCI holdings.

In the two inspections that were conducted, State did not comply with the inspection criteria to inventory all SCI. For example, of the thousands of SCI documents on ACDA's records,[6] State randomly selected 22 and 50, respectively, of these for review. Its reports on these inspections stated that all of the sample documents were found (although some were misfiled), and only one discrepancy was noted: one document found was shown as having been destroyed.

According to State's Office of the Inspector General, the Intelligence and Research Bureau's inspections were also not of sufficient scope to ensure compliance with the Director of Central Intelligence directive regarding physical security standards for SCI.
The Inspector General asked that the Bureau provide a plan showing what will be covered during future reviews and a schedule for future inspections. In July 1989, the Bureau provided information on the scope of future inspections. In December 1989, the Bureau said it would conduct biannual reviews to ensure compliance with applicable directives. In March 1990, the Bureau's Security Branch Chief said the next inspection of ACDA's facility is planned for June 1990.

[6] Because ACDA's SCI holdings vary from day to day and many documents have been destroyed, ACDA officials could not provide an accurate number of the quantity of SCI held at the time of State's reviews. However, ACDA said that its holdings were much lower than the 7,600 it had during our previous audit.

Improvements to ACDA's SCIF

In response to other CIA recommendations, ACDA's SCIF has been enlarged and State plans to provide secure telephones.

State's Office of the Inspector General recommended that an acoustical telephone booth be installed in the ACDA facility for sensitive telephone conversations. Implementation of this recommendation was initially the responsibility of State. However, because ACDA was responsible for completing additional wiring and other modifications before the booth could be installed, in early 1990 the Office of the Inspector General redirected the recommendation to ACDA. In April 1990, ACDA officials told us that they do not plan to install a booth because they believe the renovated ACDA facility will provide adequate security for sensitive telephone conversations.

Recommendations

We recommend that the Secretary of State ensure that

- the required security upgrades are promptly completed to obtain full accreditation of the Intelligence and Research Bureau's SCIF and
- the Assistant Secretary of State for Intelligence and Research provide adequate oversight of the ACDA facility and the SCI holdings, as required by applicable directives and the memorandum of agreement. This oversight should include, at a minimum, an annual inventory of all SCI held by ACDA to ensure that all SCI is being appropriately accounted for and stored.

We also recommend that the Director, ACDA, implement procedures to control all incoming SCI, including copies of electronic message traffic, to ensure compliance with accountability and control procedures prescribed in the Director of Central Intelligence directive.

Agency Comments

As agreed with your office, we did not obtain formal agency comments. However, we discussed the information in this report with ACDA and State Department officials and incorporated their comments as appropriate. State officials concurred with our conclusions and recommendations. ACDA officials provided additional information on their notification to CIA concerning the 3,000 missing SCI and stated that they would reconsider the present ACDA policy not to control incoming SCI message traffic.

Scope and Methodology

To assess the status of implementation of our recommendations, we held discussions with and obtained records from ACDA and State officials and visited the SCIF. We also discussed accreditation issues and SCI control procedures with CIA. We ascertained the nature and extent of ACDA's SCIF procedures and reviewed internal and external reports on security procedures at ACDA, including a report by the Office of Inspector General. Our work was conducted from October 1989 through April 1990 in accordance with generally accepted government auditing standards.

As arranged with your office, we plan no further distribution of this report until 30 days from its issue date.
At that time we will send copies to the appropriate congressional committees; the Director of the Arms Control and Disarmament Agency; the Secretary of State; the Director of Central Intelligence; the Director, Information Security Oversight Office, General Services Administration; the Director, Office of Management and Budget; and other interested parties.

Major contributors to this report were Louis H. Zanardi, Assistant Director, and Mary K. Quinlan, Evaluator-in-Charge. If you or your staff have any questions concerning this report, please call me on (202) 275-4128.

Joseph E. Kelley
Director, Security and International Relations Issues

(467848)
Arms Control And Disarmament Agency: More Corrective Actions Needed to Control Classified Codeword Documents
Published by the Government Accountability Office on 1990-06-22.