Building
Strong Management, Policy, Training, and Infrastructure Support
Accomplished
- Elevated
the role of security within the FBI.
- Brought
security expertise to the FBI from other Intelligence Community
partners.
- Established
a Security Division, which for the first time in FBI history,
will serve as a point of integration for all Bureau security matters.
- Moved
the programmatic responsibility for facility protection and
police services to Security Division, as well as the operational
responsibility for protecting FBI headquarters and the Washington
Field Office.
- Moved
the Polygraph Unit to the Security Division.
- Started
the development of a joint "business plan" with
the Laboratory Division to ensure technical security resources
are properly directed against Security Division requirements.
- Appointed
a Director of Security, at the Assistant Director level, who serves
as the senior security executive. This AD has the full support
of and access to Director Mueller who has communicated his support
for the Security Program to all FBI employees.
- Provided
needed infrastructure support to the Security Program by:
- Shifting
internal resources to the Security Division as part of the on-going
FBI restructuring plan.
- Establishing
additional "detail" assignments to the Security Division
from the Central Intelligence Agency (CIA) and the National
Security Agency (NSA).
- Applying
resources received in the fiscal year 2002 budget process to
security requirements.
- Submitting
a fiscal year 2003 budget request that includes significant
resources for the Security Division.
- Initiated
a comprehensive review of national, Director of Central Intelligence,
Department of Justice, and FBI policy directives to establish
a traceability matrix that will be used to establish the effectiveness
of existing security policy.
- Initiated
the development of a comprehensive security education, awareness,
and training program. The initial objective of this program will
be to address information systems security issues followed by
an expansion to all other elements of the Security Program.
Planned
- Developing
a professional Security Officer cadre through the establishment
of a comprehensive career program that identifies and hires candidates
with appropriate skills, successfully retains them via a competitive
pay and reward structure, builds expertise through appropriate
training and assignment opportunities, and prepares them to assume
program and management roles of increasing responsibility. Elements
of this initiative will include:
- Establishment
of a Security Career Service Board that focuses executive
attention on all elements of the professional Security Officer
career track.
- Certification
of proficiency for security professionals and key non-security
personnel, such as system administrators, in critical job-related
skills.
- Re-designing
the field Security Officer program to:
- Rely
less on agents and more on the professional Security Officer
cadre we intend to build over time.
- Restructure
the field offices so that all security responsibilities fall
under the control of the Security Officer.
- Direct
more resources to the field to support the Security Program.
- Modifying
the operation of the FBI Security Council to ensure it is appropriately
staffed by senior executives and addresses security policy issues
of significance to the Bureau.
Establishing
an Effective Information Assurance Program
Accomplished
- Instituted
a policy requiring regular access reviews of the FBI's most sensitive
cases.
- Initiated
the development of a formal Information Assurance Program.
- Implemented
an aggressive certification and accreditation effort to discover
and address vulnerabilities within existing and proposed FBI IT
systems.
- Collaborated
with the Trilogy Program and the Virtual Case File team to deliver,
upon deployment, enhanced security measures and to provide the
framework for improved information systems security measures in
the future.
- Initiated
the modernization of cryptographic key management to improve the
security of FBI information and to facilitate the immediate deployment
of Trilogy infrastructure.
Planned
- Assigning
an experienced IA professional from the Intelligence Community
to run the FBI's IA Program and adding strategic "consulting"
resources from the IC, as appropriate.
- Designing
a comprehensive IT security architecture for FBI systems. As part
of this architecture, identifying the baseline for IA tools or
techniques, such as PKI, virtual private networks and LANs, single
sign-on, intrusion detection, network scanning, auditing, and
other methods to identify anomalous activity and system vulnerabilities.
- Establishing
an Enterprise Security Operations Center to centrally manage the
security of FBI IT systems and networks.
- Re-evaluating
and improving the certification and accreditation process so that
it mirrors best practices and is tied to the IT system development
life cycle.
- Establishing
a number of experienced Information Systems Security Managers
as customer focal points for expeditious handling of IT security
questions and issues.
- Continuing
the close collaboration between IA and Trilogy Program personnel
to implement improved IT system security as part of the on-going
Trilogy effort.
Improving
the Vetting Used to Establish Trustworthiness
Accomplished
- Expanded
the use of the polygraph for personnel security processing.
- Moved Polygraph
Unit from the Laboratory to the Security Division.
- Enhanced
the analytical capability afforded to those persons with access
to the most sensitive FBI information.
- Implemented
a written case summary format for reviewing security adjudication
recommendations.
Planned
- Defining
the requirements for an integrated security information management
system and data integration efforts, as well as, executing a limited
number of "pilot" efforts using funds received in the
fiscal year 2002 appropriation.
- Working
with the Records Management Division to improve control of FBI
security files and ensure they contain the necessary information.
Eventually, as part of the effort to develop an integrated security
management system, transitioning to an electronic security file.
- Automating
security data collection processes in a web-enabled environment.
- Identifying
new sources of information that add value to the vetting process
and assist in the determination of trustworthiness.
- Establishing
a Financial Disclosure Program and developing the capability to
conduct security-related financial analysis.
- Exploring
the use of a specific-issue polygraph examination to address the
issue of deliberate unauthorized disclosure of FBI information.
Ensuring
Against the Compromise of Information
Accomplished
- Reassessed
access procedures for FBI facilities eliminating special exemptions
afforded executives with "Gold Badges".
- Established
the position of Special Security Officer for the FBI and selected
an Intelligence Community officer to serve in this role as a detailee.
- Completed
a review of handling procedures for sensitive information.
- Conducted
a comprehensive review of sensitive accesses resulting in a net
decrease of FBI employees with such access.
- Conducted
a "Back-to-Basics" day for all employees where security
was one of the key areas of focus.
Planned
- Establishing
a Security Incident Reporting Program that includes management
of all potential information compromises through a central, Security
Division component. This component will ensure the security incidents
are properly investigated; assessments are conducted of potential
damage to the national security or FBI operations; remedial action
is taken, as necessary, to ensure the compromise does not happen
again; and personal accountability is assigned, if appropriate.
- Establishing
a capability to resolve security anomalies, no matter their source,
and to integrate information resulting from the investigation
of these anomalies into the FBI CI Division.
- Developing
an enhanced capability to securely process sensitive information
electronically.
- Developing
an appropriate accountability and tracking system for sensitive
hard copy documents.
- Investigating
technology to better account for and track sensitive information
and the media, paper or magnetic, on which it is stored.
- Developing
and conducting training on the proper classification of, accounting
for, and control of classified information.
|