CI Centre DICE Briefings
CI Centre Home Training DICE Briefings Speakers Bureau Podcasts SpyTrek CI Centre Store
Spy Cases Articles Books Videos News Archive Resources CI Timeline

Site Map

About Us

FAQs

Staff

Contact Us

Mailing List

Required Reading

 

Robert Hanssen Case

 

The Webster Commission Report:

A Review of FBI Security Programs - Recommendations

 

 

 

WEBSTER REPORT

 RECOMMENDATIONS

 

 

The following is a compressed compilation of the recommendations in our Report. Because the recommendations addressing security weaknesses in the Bureau's information systems are often arcane, we placed them in the technical appendices and have limited the INFOSEC portions of this summary to broad policy recommendations.

 

GENERAL

 

I.   A System Should Be Established So That Significant Security Lapses In An Entity Within The Intelligence Community Lead To Improved Security Measures Across The Community

 

II.  The Bureau Should Within Six Months Submit To Congressional Intelligence Oversight Committees, Through The Attorney General, A Plan Addressing Weaknesses In Its Security Programs, And It Should Submit Annual Reports On Its Efforts To Implement That Plan

 

INFORMATION SECURITY

 

I.   Comprehensive, Consistent, And Centrally Coordinated INFOSEC Policies Should Be Adopted

 

The FBI does not have a well-defined, comprehensive INFOSEC policy or clearly written guidance explaining how current policy is to be implemented. Responsibility for curing this problem should be vested in a new Office of Security. Having established an INFOSEC policy, the Bureau must also create security guidelines and system specific plans.

 

II.   INFOSEC Education And Training Must Be Implemented

 

The FBI lacks adequate INFOSEC education and training programs.    

 

Classified information stored on some of the Bureau's most widely utilized systems is not sufficiently protected because users lack training on critical security features. Implementation of a general INFOSEC education and training program may take some time, but the Bureau must immediately train users on the security features of the Automated Case Support system because this system poses a tremendous risk to national security information.

 

III.  Key INFOSEC Positions Must Be Filled And Supported

 

Many key INFOSEC positions have not been filled, and some have been filled by persons lacking essential experience and training. Persons assigned to these positions must be given the time, authority, and support necessary to perform their duties.

 

IV.  The FBI Must Institutionalize A Formal, Tailored Process To Certify And Accredit Computer Systems

 

The FBI must define a certification and accreditation process that comports with governing directives and is tailored to meet Bureau needs. This process must consider the security implications of interfaces among connected systems and between systems and other components, such as workstations. Persons tasked to certify FBI systems should have the requisite expertise; they should not review their own work product or report to system builders and operators.

 

V.   The FBI Should Develop A Comprehensive, Prioritized Plan To Address Security Shortcomings

 

The Bureau must define the security environment it wants to create to protect information by identifying relevant policies, specific threats, and secure usage assumptions. The Bureau must determine threats that existing security countermeasures do not counter and information protection policies that are not being enforced, and it must select programs, tools, and technologies to sustain its security environment.

 

PERSONNEL SECURITY

 

I.    Security Investigations And Adjudications Should Be Consolidated In A New Office Of Security

 

The process by which the FBI currently conducts background investigations, adjudicates cases, and grants security clearances is fragmented, resulting in duplicative efforts, wasted resources, and unaddressed security issues.

 

I.    The Personnel Security Process Should Be Automated

 

The Bureau's system for processing and tracking investigations, reinvestigations, adjudications, and clearances is paper-driven and inadequate. The FBI should create a system to track personnel so that they are identified for reinvestigations and their clearances are up-to-date.

 

II.   BICS Investigations Should Be Thorough

 

The Background Investigation Contract Service (BICS) should ensure that its Special Investigators (SIs) are skilled and conduct thorough investigations. BICS should avoid a checklist approach to investigations. SI reports should be detailed, highlighting and explaining potential security problems. The SI reporting process should be automated. Responsibility for Personal Security Interviews should be removed from field offices and given to BICS SIs.

 

III.    Adjudicator Training Should Be Improved

 

The Bureau should give adjudicators extensive training to ensure that they comply with Director of Central Intelligence Directives and internal mandates. Adjudicators should be trained to recognize incomplete background investigations, and they should request additional coverage when necessary.

 

I.    Stricter Controls Should Be Placed On Interim Clearances

 

The interim clearance process for contract employees lacks adequate controls, resulting in interim clearances granted without full-scope investigations, a practice that can lead to high-risk personnel cleared with insufficient vetting. The Bureau should implement tighter controls on personnel granted interim clearance, limiting facility access and minimizing contact with FBI employees and assets.

 

VI.   The FBI Should Adopt A Financial Disclosure Program And Develop A Technical Structure To Support Financial Monitoring

 

The FBI should comply with Executive Order 12968 by requiring employees and contractors to complete financial disclosure forms. The Bureau should also develop a personnel and technical infrastructure to support financial monitoring. Information from financial disclosure forms and an automated analysis should be available in employee reinvestigations and security investigations.

 

VII.   The FBI Should Implement A Counterintelligence Polygraph Program And Create An Infrastructure To Support The Program

 

The FBI should adopt a counterintelligence polygraph examination, focused on espionage and restricted to reinvestigations of personnel with access to Sensitive Compartmented Information and special programs. The Bureau should develop a quality control program and educate personnel about the polygraph's security function and the limited nature of the counterintelligence examination.

 

DOCUMENT SECURITY

 

 

I.    Classified National Security Documents Should Be Handled And Stored In SCIFs And Secure Areas And Available Only To Those With A Need To Know

 

The Bureau should train its personnel to recognize that compartmentation and need to-know principles apply even in Secure Areas and SCIFs.

 

II.    The Security Access Control Badge System And The FBI Police Program Should Be Strengthened

 

Employees should be required to "badge into" SACS areas on hardware that requires a PIN number and records the passage of every badge, including all car-pool passengers. Gold badges and executive-escorted-visitor badges should be eliminated. FBI police should match the photograph on every SACS badge entering Headquarters with the bearer of the badge and conduct aperiodic checks of vehicles and persons leaving Headquarters to emphasize the gravity of document security. The police force should be brought to full strength and given an enhanced security role.

 

III.   The Bureau Should Enhance Protections On The Handling, Copying, And Disposing Of Classified Material

 

The FBI should bring its written policy statements on these matters into compliance with Director of Central Intelligence Directives and Executive Orders. The revised policy should eliminate confusion about "working documents" and copies of classified documents obtained through electronic systems. Headquarters employees should receive detailed guidance about moving classified information around the building and should be prohibited from leaving classified material unattended, except in approved Secure Areas or Sensitive Compartmented Information Facilities (SCIFs). After-hours protocols for securing computers and classified material should be established. Bureau photocopiers, particularly in SCIFs and Secure Areas, should not be operable without PIN numbers. Photocopying classified material should be held to a minimum, and copies should be subject to the same controls as originals. A time limit for maintaining copies of classified documents should be established. Security risks in the destruction of Secret waste off-site should be eliminated.

 

IV.   Written Guidance On Top Secret And Sensitive Compartmented Information Should Be Current, Clear, And In Compliance With Director Of Central Intelligence Directives And Executive Orders

 

FBI manuals and policy statements should incorporate changes made over time by Bureau Electronic Communications and should comply with Director of Central Intelligence Directives, especially in describing SCIF operations. Written policies should provide clear and specific guidance to Security Officers, who are sometimes unaware of policy because they do not know how to locate it.

 

V.   The Operations Of The Special File Room Should Be Improved By Eliminating Unnecessary Classified Material And Enhancing Staffing, Training, And Equipment

 

The Bureau should destroy all documents within the Special File Room (SFR) eligible for destruction. Profiles should be adopted to control the amount of information intelligence agencies send the Bureau. SFR employees should receive improved, recurring formal training, in addition to on-the-job mentoring, and Headquarters personnel should be trained to take advantage of SFR document indexing services.

 

VI.   SCIF Operations Must Be Improved By Promulgating Clear, Enforceable Rules And Providing Training For SCIF Tenants

 

The operation of Bureau SCFs across the country is inconsistent and sometimes improper. SCIF operations should be controlled by clearly written guidelines, as Director of Central Intelligence Directives require, and training for SCIF personnel should be improved. SCIF accreditation, daily operations, and periodic reviews require much greater resources than are currently allotted.

 

VII.  The FBI Should Consider Adopting The Human Intelligence Control System The Bureau should consider adopting the Human Intelligence Control System, a system of compartmenting human source information developed by the CIA. If it does adopt this approach, it should publish clear, written policies effecting those controls, and it should train personnel who will use them.

 

I.    The FISA Process Should Be Simplified, And Access To FISA Information In ACS Should Be Restricted

 

The process implementing the Foreign Intelligence Surveillance Act (FISA) should be streamlined to reduce the number of persons involved and the complexity of the process. The Bureau should implement a system of electronic links with the Department of Justice to enhance the security of the FISA process and allow simultaneous review. Responsibility for FISA packages should be centralized in an FBI FISA Unit. The training of field security officers who monitor FISA carrier security should be improved, and trust receipts should be used whenever possible. Personnel handling FISA on the Automated Case Support system should be trained in the use of access restrictions. The ability to print and download FISA information on ACS should be restricted.

 

I.    A Central Security Authority Must Coordinate And Oversee All Document And Physical Security Violations And Compliance Activity

 

A central security authority with the ability to profile and identify individuals and components engaging in patterns of security violations will make it easier for the Bureau to detect habitual violators. Currently, several components play uncoordinated roles in detecting, investigating, and assessing security violations; no single entity has authority to coordinate, track, and oversee security violations and enforce compliance. A central authority responsible for coordinating security issues among all FBI entities, with the authority to rescind security clearances, will create a powerful incentive for employees to comply with good security practices. A database should be developed so that patterns of security violations by individuals or components can be detected.

 

I.    FBI Policy Manuals Should Require Security Coordination

 

To bolster this central security authority, manuals addressing physical security violations should be updated and reconciled. The manuals should require that suspected, possible, and actual losses and compromises of classified information be reported to appropriate components. The manuals should explain categories of security violations and levels of punishment and specify how the Bureau components that respond to possible security violations should coordinate their efforts.

 

SECURITY STRUCTURE

 

 

I.  FBI Security Programs Should Be Integrated In An Office Of Security That Reports To The Director

 

The Bureau's security programs are weak and fragmented. The Bureau should restructure an integrated security program within an independent Office of Security, reporting to the Director. All security functions should be consolidated within that Office, including security policy making. Security policies should be reviewed and implemented through a senior executive security policy board, chaired by the head of the Office, that includes DOJ's Security Officer.

 

II. The Office of Security Should Develop A Professional Security Staff Through Enhanced Selection, Retention, And Training Programs

 

The FBI does not have a professional security staff or a career-enhancing training program for security specialists. In addition to developing and training a security staff, the Bureau should introduce professional career tracks for security professionals and for information technology security specialists.

 

III.  The Office Of Security Should Implement Comprehensive Employee Security Education And Awareness Programs

 

The Office should maintain a full-time professional training staff to develop and implement security education and awareness programs for all employees. The staff should disseminate information on security responsibilities and create user-friendly computer sites for security information. Security should be an integral part of the curriculum at the FBI Academy. The Office of Security and the Information Resources Division should jointly develop training programs in information-system security. Mandatory executive management training programs should be conducted. Compliance with security policies and programs should be a component of annual performance appraisals of all managers and Security Officers.

 

IV.  The Office Of Security Should Develop A Centralized Security Violation Reporting Program

 

The FBI's review of security violations is fragmented and inadequate. The Bureau should develop a reporting program, which describes security violations and establishes clear procedures for investigating security violations. The program should be accompanied by recurring notice to employees and recurring security education. The program should require written documentation of security violations and mandatory reporting of all violations to the Office of Security, where they should be tracked on a secure centralized database. Automated analytical functions for collected data should be installed.

 

V.  The Office Of Security Should Audit Security Programs.

The FBI does not adequately review its fragmented security programs. The Office of Security should periodically review and audit all security programs and systems. Office personnel should be detailed to the Inspection Division as needed to ensure meaningful audits of security programs.

 

©Copyright 2008 The Centre for Counterintelligence and Security Studies (CI Centre)®

Premier Education and Training in Counterintelligence, Counterterrorism and Security since 1997

A David G. Major Associates, Inc. Company

Alexandria, VA  |  703-642-7450  |  1-800-779-4007  |  Contact Us

 

The CI Centre provides dynamic, in-depth and relevant education, training and products on counterintelligence, counterterrorism and security. Our programs are designed to enhance your organization's mission and to protect your information, facilities and personnel from global terrorists, foreign intelligence collectors and competitor threats. The CI Centre teaches courses on Counterintelligence Strategy and Tactics, Security/OPSEC Awareness, Understanding Terrorism, Economic Espionage Protection, and International Travel and Safety. See the complete list of our 42 CI, CT and Security training courses.