Kenneth
Senser, Assistant Director, Security Division,
FBI
Washington,
DC
April 3, 2002
"Transforming
the FBI Security Program"
|
Building
Strong Management, Policy, Training, and Infrastructure
Support
Accomplished
- Elevated
the role of security within the FBI.
- Brought
security expertise to the FBI from other Intelligence
Community partners.
- Established
a Security Division, which for the first time
in FBI history, will serve as a point of integration
for all Bureau security matters.
- Moved
the programmatic responsibility for facility
protection and police services to Security
Division, as well as the operational responsibility
for protecting FBI headquarters and the Washington
Field Office.
- Moved
the Polygraph Unit to the Security Division.
- Started
the development of a joint "business
plan" with the Laboratory Division to
ensure technical security resources are properly
directed against Security Division requirements.
- Appointed
a Director of Security, at the Assistant Director
level, who serves as the senior security executive.
This AD has the full support of and access to
Director Mueller who has communicated his support
for the Security Program to all FBI employees.
- Provided
needed infrastructure support to the Security
Program by:
- Shifting
internal resources to the Security Division
as part of the on-going FBI restructuring plan.
- Establishing
additional "detail" assignments to
the Security Division from the Central Intelligence
Agency (CIA) and the National Security Agency
(NSA).
- Applying
resources received in the fiscal year 2002 budget
process to security requirements.
- Submitting
a fiscal year 2003 budget request that includes
significant resources for the Security Division.
- Initiated
a comprehensive review of national, Director of
Central Intelligence, Department of Justice, and
FBI policy directives to establish a traceability
matrix that will be used to establish the effectiveness
of existing security policy.
- Initiated
the development of a comprehensive security education,
awareness, and training program. The initial objective
of this program will be to address information
systems security issues followed by an expansion
to all other elements of the Security Program.
Planned
- Developing
a professional Security Officer cadre through
the establishment of a comprehensive career program
that identifies and hires candidates with appropriate
skills, successfully retains them via a competitive
pay and reward structure, builds expertise through
appropriate training and assignment opportunities,
and prepares them to assume program and management
roles of increasing responsibility. Elements of
this initiative will include:
- Establishment
of a Security Career Service Board that focuses
executive attention on all elements of the
professional Security Officer career track.
- Certification
of proficiency for security professionals
and key non-security personnel, such as system
administrators, in critical job-related skills.
- Re-designing
the field Security Officer program to:
- Rely
less on agents and more on the professional
Security Officer cadre we intend to build
over time.
- Restructure
the field offices so that all security responsibilities
fall under the control of the Security Officer.
- Direct
more resources to the field to support the
Security Program.
- Modifying
the operation of the FBI Security Council to ensure
it is appropriately staffed by senior executives
and addresses security policy issues of significance
to the Bureau.
Establishing
an Effective Information Assurance Program
Accomplished
- Instituted
a policy requiring regular access reviews of the
FBI's most sensitive cases.
- Initiated
the development of a formal Information Assurance
Program.
- Implemented
an aggressive certification and accreditation
effort to discover and address vulnerabilities
within existing and proposed FBI IT systems.
- Collaborated
with the Trilogy Program and the Virtual Case
File team to deliver, upon deployment, enhanced
security measures and to provide the framework
for improved information systems security measures
in the future.
- Initiated
the modernization of cryptographic key management
to improve the security of FBI information and
to facilitate the immediate deployment of Trilogy
infrastructure.
Planned
-
Assigning an experienced IA professional from
the Intelligence Community to run the FBI's IA
Program and adding strategic "consulting"
resources from the IC, as appropriate.
- Designing
a comprehensive IT security architecture for FBI
systems. As part of this architecture, identifying
the baseline for IA tools or techniques, such
as PKI, virtual private networks and LANs, single
sign-on, intrusion detection, network scanning,
auditing, and other methods to identify anomalous
activity and system vulnerabilities.
- Establishing
an Enterprise Security Operations Center to centrally
manage the security of FBI IT systems and networks.
- Re-evaluating
and improving the certification and accreditation
process so that it mirrors best practices and
is tied to the IT system development life cycle.
- Establishing
a number of experienced Information Systems Security
Managers as customer focal points for expeditious
handling of IT security questions and issues.
- Continuing
the close collaboration between IA and Trilogy
Program personnel to implement improved IT system
security as part of the on-going Trilogy effort.
Improving
the Vetting Used to Establish Trustworthiness
Accomplished
- Expanded
the use of the polygraph for personnel security
processing.
- Moved
Polygraph Unit from the Laboratory to the Security
Division.
- Enhanced
the analytical capability afforded to those persons
with access to the most sensitive FBI information.
- Implemented
a written case summary format for reviewing security
adjudication recommendations.
Planned
- Defining
the requirements for an integrated security information
management system and data integration efforts,
as well as, executing a limited number of "pilot"
efforts using funds received in the fiscal year
2002 appropriation.
- Working
with the Records Management Division to improve
control of FBI security files and ensure they
contain the necessary information. Eventually,
as part of the effort to develop an integrated
security management system, transitioning to an
electronic security file.
- Automating
security data collection processes in a web-enabled
environment.
- Identifying
new sources of information that add value to the
vetting process and assist in the determination
of trustworthiness.
- Establishing
a Financial Disclosure Program and developing
the capability to conduct security-related financial
analysis.
- Exploring
the use of a specific-issue polygraph examination
to address the issue of deliberate unauthorized
disclosure of FBI information.
Ensuring
Against the Compromise of Information
Accomplished
- Reassessed
access procedures for FBI facilities eliminating
special exemptions afforded executives with "Gold
Badges".
- Established
the position of Special Security Officer for the
FBI and selected an Intelligence Community officer
to serve in this role as a detailee.
- Completed
a review of handling procedures for sensitive
information.
-
Conducted a comprehensive review of sensitive
accesses resulting in a net decrease of FBI employees
with such access.
- Conducted
a "Back-to-Basics" day for all employees
where security was one of the key areas of focus.
Planned
- Establishing
a Security Incident Reporting Program that includes
management of all potential information compromises
through a central, Security Division component.
This component will ensure the security incidents
are properly investigated; assessments are conducted
of potential damage to the national security or
FBI operations; remedial action is taken, as necessary,
to ensure the compromise does not happen again;
and personal accountability is assigned, if appropriate.
- Establishing
a capability to resolve security anomalies, no
matter their source, and to integrate information
resulting from the investigation of these anomalies
into the FBI CI Division.
- Developing
an enhanced capability to securely process sensitive
information electronically.
- Developing
an appropriate accountability and tracking system
for sensitive hard copy documents.
- Investigating
technology to better account for and track sensitive
information and the media, paper or magnetic,
on which it is stored.
- Developing
and conducting training on the proper classification
of, accounting for, and control of classified
information.
|
|
|