Wednesday, 24 May 2006

Security Clearance Story Continues

Apparently the Defense Security Service has resumed "processing initial Secret requests." That is "security officer"-speak meaning DSS is again working on requests for Secret clearances from people who have not held them before.

The notice continues: "DISCO [Defense Industrial Security Clearance Office] will begin processing initial Top Secret requests and periodic reinvestigation requests for both Secret and Top Secret upon receipt of additional funding." That means those who have not held a Top Secret clearance but require one will still wait. Also in the queue are those needing a periodic reinvestigation for their Secret or TS clearance.

The Washington Post noted that Congressman Davis planned to hold a hearing a week ago on the affair, but I can't find any transcripts.

I thought the comments in the SANS Newsbites Vol 8 Issue 41 (link will work shortly) were astute:

Editor's Note (Pescatore): What is really needed is a review to determine if the clearance process actually provides any security value, and if security clearances are being required for positions that really don't need them. A knee jerk reaction to just throw more money to pay for more background investigations just perpetuates long time problems in the entire process.

I agree with the first point, but the second would require a huge overhaul of the Federal information classification system. This is definitely needed (see a recent Schneier post) but wouldn't affect the clearance issue for years.

(Weatherford): I wonder if this temporary shutdown was simply a way for DSS to cry for help and get the government's attention. This has been a problem for years. Maybe now they will get the funding required to eliminate the backlog.

Wonderful comment. It's funny that DSS "identified funding" right before a Congressional hearing.

(Shpantzer): The situation is so bad that some technical staffing companies providing cleared employees to the government actually put the cart before the horse: They find cleared people first, then train them up to technical requirements... If that's not scary, I don't know what is.

Here's a scarier thought: that is standard practice. Everyone does it.

(Paller): The "clearance first" policies of many agencies have led them to make people who have never secured a system responsible for telling people how to secure systems. In other agencies, contractors with abominable delivery records are being kept on, over the objections of those who take security seriously, because the ineffective contractors have people with clearances.

Another scary thought: these same clearance-holding contractors are exchanged between employers when the employee decides to switch jobs.

Incidentally, I put "security officer" in quotes when I mentioned the term earlier. I did that because it reminded me of the different sorts of people who perform work under the "security" umbrella. Far too many "security officers" are just paper-pushers. They are experts in the arcane world of passing clearance information when people visit remote locations. They read people into programs and out of programs. They maintain a lot of paperwork. They hold a lot of clearances but generally do not use the information in a productive manner.

These sorts of people can be in demand due to the clearances they hold, but they bring absolutely no expertise to technical problems. In some ways they remind me of "security auditors" who understand checklists but have no real idea if the checklist corresponds to any true security value.

If you thought I disliked the CISSP as a worthless indicator of practical security knowledge, imagine my attitude towards security clearances.
