NARA weighs standardizing access rules for foreign vendors seeking secret data
A government office that oversees the policy behind a federal program to secure classified national security information held by contractors has proposed additional guidelines for how some highly sensitive data could be released to government contractors under foreign ownership or control
The National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO) has proposed a rule that would standardize the process through which some categories of classified information can be released to non-U.S. contractors under a Special Security Agreement (SSA). SSAs are arrangements used by the government to mitigate the foreign ownership or control of contractors that require access to sensitive data.
The proposed rule focuses on “proscribed information” that includes Top Secret, Communications Security, Restricted Data, Special Access Program, or Sensitive Compartmented Information. Currently, there isn't a governmentwide standard for the release of those types of data to foreign controlled or owned contractors under SSAs, according to the proposed rule published in the Federal Register Nov. 30.
By executive order, the ISOO is responsible for policy oversight of the National Industrial Security Program (NISP), a partnership between the government and industry to safeguard classified information.
“The NISP was established with the goal of a single, integrated, cohesive industrial security program to both protect classified information and to preserve our nation's economic and technological interests,” William Bosanko, director of ISOO, said in an e-mail message.
Bosanko said,“While the NISP has resulted in significant improvements, the truth is that both government and industry can — and must — do better. The proposed rule was developed with input from agencies as well as industry via the National Industrial Security Program Policy Advisory Panel. This represents just one small step in our efforts to seek a more efficient and effective NISP.”
The proposal would amend current federal regulations related to the NISP program. Under the proposal, departments and agencies would be required to assess whether releasing proscribed information to contractors with or in the process of getting an SSA is consistent with national security interests before authorizing access. The evaluation would be named a National Interest Determination (NID).
The NID requirement would apply to new contracts and to existing contracts when companies seek an SSA after being bought by non-U.S. organizations. Decisions would ordinarily be made within 30 or 60 days depending on the situation, according to the proposed rule.
Comments on the proposed rule are being accepted until Jan. 29, 2010.
Ben Bain is a reporter for Federal Computer Week.