Wednesday, May 24, 2006

Security Clearance Story Continues

Apparently the Defense Security Service has resumed "processing initial Secret requests." That is "security officer"-speak meaning DSS is again working on requests for Secret clearances from people who have not held them before.

The notice continues: "DISCO [Defense Industrial Security Clearance Office] will begin processing initial Top Secret requests and periodic reinvestigation requests for both Secret and Top Secret upon receipt of additional funding." That means those who have not held a Top Secret clearance but require one will still wait. Also in the queue are those needing a periodic reinvestigation for their Secret or TS clearance.

The Washington Post noted that Congressman Davis planned to hold a hearing a week ago on the affair, but I can't find any transcripts.

I thought the comments in the SANS Newsbites Vol 8 Issue 41 (link will work shortly) were astute:

Editor's Note (Pescatore): What is really needed is a review to determine if the clearance process actually provides any security value, and if security clearances are being required for positions that really don't need them. A knee jerk reaction to just throw more money to pay for more background investigations just perpetuates long time problems in the entire process.

I agree with the first point, but the second would require a huge overhaul of the Federal information classification system. This is definitely needed (see a recent Schneier post) but wouldn't affect the clearance issue for years.

(Weatherford): I wonder if this temporary shutdown was simply a way for DSS to cry for help and get the government's attention. This has been a problem for years. Maybe now they will get the funding required to eliminate the backlog.

Wonderful comment. It's funny that DSS "identified funding" right before a Congressional hearing.

(Shpantzer): The situation is so bad that some technical staffing companies providing cleared employees to the government actually put the cart before the horse: They find cleared people first, then train them up to technical requirements... If that's not scary, I don't know what is.


Here's a scarier thought: that is standard practice. Everyone does it.

(Paller): The "clearance first" policies of many agencies have led them to make people who have never secured a system responsible for telling people how to secure systems. In other agencies, contractors with abominable delivery records are being kept on, over the objections of those who take security seriously, because the ineffective contractors have people with clearances.

Another scary thought: these same clearance-holding contractors are exchanged between employers when the employee decides to switch jobs.

Incidentally, I put security officer in quotes when I mentioned the term earlier. I did that because it reminded me of the different sorts of people who perform work under the "security" umbrella. Far too many "security officers" are just paper-pushers. They are experts in the arcane world of passing clearance information when people visit remote locations. They read people into programs and out of programs. They maintain a lot of paperwork. They hold a lot of clearances but generally do not use the information in a productive manner.

These sorts of people can be in demand due to the clearances they hold, but they bring absolutely no expertise to technical problems. In some ways they remind me of "security auditors" who understand checklists but have no real idea if the checklist corresponds to any true security value.

If you thought I disliked the CISSP as a worthless indicator of practical security knowledge, imagine my attitude towards security clearances.

3 comments:

Tim Bilbro said...

I think placing security clearances at the same level of worth as a certification is a mistake.

While the clearance process is far from perfect, it is important to ensure that folks working on work that is classified in nature be subjected to background investigations. I am confident that background investigations are an effective preemptive security measure. Follow-up investigations have proven to be an effective security measure as well.

No, just because someone is cleared does not mean that they are a better security officer than an uncleared individual, but let's not throw the baby out with the bath water. If someone who is an ISSO cannot obtain a security clearance, they should not be one.

John Ward said...

Security clearances are as effective as drug tests. They keep the honest people honest, and keep the stupid people out. The skilled drug users will always get around it. If someone has a clearance, it just means their record is clean, it sure as heck doesn't prove trustworthiness.

Anonymous said...

Security clearances and the process used to determine who gets them and who does not are egregiously flawed.
How do I know? I held a clearance for over 17 years, working in and around nuclear reactors.... yes I said in nuclear reactors... for the government.
My clearance was revoked almost 5 years after credit problems due to a divorce.
Why do I say it's flawed? It took years to determine that I had credit difficulties and it was only discovered after I followed the rules and self reported it. Yes, it gets even better, I enrolled in a command sponsored debt counselling program and was just months away from becoming debt free (without filing bankruptcy) when they revoked the clearance!