Think Progress has a clip of Fox News Sunday where William Kristol is defending Dick Cheney’s exemption of the Vice President’s office from inspections by the Information Security Oversight Office. In the clip, Mr. Kristol says “it’s a pain in the neck having some bureaucrat from the archives come in and inspect your safe to see if you’re locking it up properly.”
Based on my research into this area, the ISOO “bureaucrats” are far more likely to be highly trained security experts than your stereotypical paper-pusher.
Executiver Order (EO) 13292 defined clearly what the responsibilities of the Information Security Oversight Office (ISOO) are in section 5.2. I’ve pulled out the salient sections below:
…the Director of the Information Security Oversight Office shall:
- (1) develop directives for the implementation of this order;
- (2) oversee agency actions to ensure compliance with this order and its implementing directives;
- (7) have the authority to prescribe, after consultation with affected agencies, standardization of forms or procedures that will promote the implementation of the program established under this order;
- (8) report at least annually to the President on the implementation of this order; and
Section 1 says that the the ISOO developed the procedures to ensure the safety of classified information. Section 2 says that the ISOO is responsible for implementing and ensuring the implementation of the procedures developed per section 1. Section 7 says that the ISOO should standardize as much as possible the security procedures within each office, agency, etc. following consultation with the agencies involved (such as the Pentagon, the State Department, the CIA, etc.). And section 8 says that the ISOO is required to report to the President at least annually just how well the procedures are being followed.
Combined, this means that the ISOO has to have a lot of people who know every single security procedure inside and out and has to audit every single procedure at every single office or agency that handles classified information every year. So let’s look at some of those procedures.
As I found when I first started covering this issue, there is a document that defines some of the minimum requirements for Physical Security Standards for Sensitive Compartmented Information Facilities, aka SCIFs. Some of the many, many requirements are listed below:
- Cognizant Security Authorities (CSAs) must review preconstruction plans (2.2)
- Security Compartmented Information (SCI) “shall never be handled, processed, discussed, or stored in any facility other than a properly accredited SCIF unless written authorization is granted by the CSA.” (2.3.2)
- “When the CSA determines that there is a danger of classified information being compromised or that security conditions in a SCIF are unsatisfactory, SCI accreditation will be suspended or revoked.” (188.8.131.52)
- “Access rosters listing all persons authorized access to the facility shall be maintained at the SCIF point of entry.” (2.5.1)
- “SCI must be stored in GSA approved security containers.” (184.108.40.206.c)
- “The SCIF perimeter walls, doors, windows, floors and ceiling, including all openings, shall provide sufficient sound attenuation to preclude inadvertent disclosure of conversation. The requirement for sound attenuation are contained within Annex E.” (3.3.2)
- “Use of Sound Groups: The current edition of Architectural Graphics Standards (AGS) describes various types of sound control, isolation requirements and office planning. The AGS established Sound Groups I through 4, of which Groups 3 and 4 are considered adequate for specific acoustical security requirements for SCIF construction.” (Annex E, 1.2)
- Based on the TEMPEST accreditation, it may be required that all vents, ducts, and pipes must have a non-conductive section (a piece of dissimilar material e.g., canvas, rubber) which is unable to carry electric current, installed at the interior perimeter of the SCIF. (220.127.116.11)
This is but a small sampling of the requirements that the ISOO is responsible for auditing. If you dive into some of the Annexes to DCID 6/9, you find entire sections on Intrusion Detection Systems (Annex B), airborne and shipborne SCIFs (Annex C), the use of electronics (like computers and printers) in SCIFs (Annex D), sound isolation (Annex E), personal access controls (Annex F), and telecommunications equipment including cell phones (Annex G). In fact, Annex G mentions something called TEMPEST that sets the maximum allowable emisisons of radio waves out of a SCIF, and from what little snooping around Google I’m able to do on this subject, it looks like the emissions levels themselves are classified, and the equipment used to verify them is very specialized and highly technical in nature.
In addition, Section 1.1.2 of DCID 6/9 says that the requirements above are the minimum physical security. As such, the ISOO-empowered individuals inspecting these may have to have highly location-specific information of the information protection methods they’re auditing.
In the process of Googling for a “GSA approved security container,” I found this file on some of the procedures that NOAA has to follow for their classified information: NATIONAL SECURITY INFORMATION ANNUAL CONTAINER INSPECTION. Look through it – you’ll be amazed at the number of unpleasant things someone with a clearance has to deal with. And the ISOO is responsible for auditing every executive office, agency, and department every year to make sure every individual is following every procedure correctly.
All of this information leads me to one conclusion – the ISOO bureaucrats don’t have to be TEMPEST experts to perform their audits, but they can’t be your stereotypical paper-pushing-check-the-box bureaucrat either. There is just too much they need to know, and they have to have at least enough knowledge about security to understand the results of the audits they’re performing.
So, is it a “pain in the ass” to do all the stuff that is described in the NOAA presentation? Based on the descriptions of everything you have to keep track of, I’m sure it is a “pain in the ass.” But the White House and the Office of the Vice President have access to the highest possible levels of classified information, so it strikes me as perfectly reasonable to permit a security expert who happens to represent the ISOO to come in every night to double-check that you put everything away in your safe and locked it up correctly.
William Kristol is wrong. The security of the United States’ highest level secrets is too important to prevent security experts from doing their jobs just because they’re “a pain in the ass.”