Tuesday, March 13, 2012

Classified Information Sharing with the Private Sector

One of the standard complaints that security managers in the private sector routinely have with DHS is the near complete failure to provide real intelligence information about the various threats that may face high-risk chemical facilities or other critical infrastructure installations. The response of DHS and the rest of the federal security community has always been that this is due to the classified nature of the information. Unless they have worked in a position in the Federal government where routine access to classified information is required, most people have little idea how seriously the professionals (as opposed to the politicians and most political appointees) take their responsibility to protect classified information.

In a small way that was changed last week when DHS published the implementing directive for their “Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities”. This is the DHS implementation of the new program under Executive Order 13549 and provides direction for their formal program for sharing classified information with people outside of the Federal government (and its contractors). As we have come to expect with DHS programs the 180-day time limit for setting up this program was missed by a huge amount, but since this had to be vetted with the DNI and DOD, that is hardly surprising.

While this document does not specifically deal with how private sector entities will handle and store classified information we can expect that the detailed requirements in this document for State, local and tribal programs will be closely mirrored by the DOD requirements under their expanded National Industrial Security Program. All private sector entities not directly contracting with the Federal government will now fall under that program when it comes to routine dealing with classified information.

What is clear from this document that there will be relatively few private sector organizations that will be willing to spend the time, money and effort necessary to set up areas and programs for the storage of classified information or establish facilities for handling classified communications with the Federal government. I would urge anyone considering the establishment of such a capability to seriously review this DHS publication.

Individual Security Clearances


Having said that, I think that every high-risk chemical facility under CFATS (or that would be under CFATS if it weren’t covered under MTSA regulations) should have at least one person that has gone through the paperwork and training requirements for receiving a security clearance. That way if/when DHS fnally gets around to providing classified intelligence briefings for such organizations there will be someone cleared to attend such a briefing.

Before submitting that application, however, that individual applying for a Personnel Security Clearance (PCL; okay that is the DHS acronym; it is not my typo) and all of the people above him in the corporate hierarchy need to pay special attention to paragraph 2-102b2(a), in particular where it says:

“PS [Private Sector] personnel to whom a security clearance is issued under the SLTPS Program shall execute a “Statement of Understanding Relative to the Protection of Classified National Security Information.” The purpose of the form is to inform and impress upon the signatory that the protection of classified information takes precedence over corporate loyalty and influence [emphasis added]. As such they are legally obligated to abide by Federal standards for the safeguarding of and access to classified information and must resist and report any undue influence on the part of uncleared personnel [emphasis added], regardless of their position, to gain knowledge of classified information to which the signatory has been given access.”

Oh yes, the document clearly states that PCLs will only be given to US citizens {paragraph 2-101e5} and implies that personnel working for foreign owned companies may have additional difficulties obtaining a security clearance.

Exigent Circumstances


One of the things that the Executive Order did was make clear that there could be exigent circumstance where access to classified material could allowed for personnel without a PCL. This is briefly addressed in para 2-101e2 where it states:

“Agencies shall take into consideration that pursuant to Executive Order 13526, under exigent circumstances classified information may be released by designated Federal officials to personnel who are not otherwise cleared for access. Therefore, the granting of a security clearance strictly in support of potential contingencies is not necessarily justified or warranted.”

It is disappointing that this document does not provide more details about the how, when and who of the establishing of ‘exigent circumstances’. This is particularly true when that exception is intended to be used to deny PCL’s for otherwise eligible individuals. Hopefully that will not affect the PCL awards to security managers at high-risk chemical facilities or other critical infrastructure installations.

No comments:

 
/* Use this with templates/template-twocol.html */