The Defense Department (DoD) said it plans to take a lengthy list of actions to improve internal data security protocols – including some “immediate” improvements on physical security and data sharing – following a 45-day review launched in April to examine how secret information is handled and managed by the military.
That review was sparked by the leak of dozens of highly sensitive Pentagon documents apparently at the hands of a low-level Massachusetts Air National Guard airman, who allegedly shared them on the Discord hosting platform.
DoD did not elaborate on the nature of the “immediate” actions it has already taken, or plans to take.
Among the many near-term actions ordered by Defense Secretary Lloyd Austin is implementation of a phased approach “to increase accountability, manage access, and increase security to classified data by August 28.”
DoD, in coordination with the agency’s CIO Office, also will have 90 days to develop plans for a Joint Management Office for Insider Threat and Cyber Capabilities “to oversee user activity monitoring and improve threat monitoring across all DoD networks.”
Austin ordered the review by the Under Secretary of Defense for Intelligence and Security (USD(I&S)) – in coordination with the DoD CIO and the Director of Administration and Management (DA&M) – with the aim of creating new policies on how secret materials are distributed, and who has access to them.
The Pentagon released the findings of its review on July 5.
While DoD said the review found that “the overwhelming majority” of military personnel with access to classified national security information (CNSI) are following the rules for handling that data securely, it also “identified areas where the department should improve its security posture and accountability measures.”
“These areas include improving individual and collective accountability for CNSI; security posture at facilities used to develop, process, and store CNSI; and information sharing to ensure both appropriate security clearance eligibility determination by the Defense Counterintelligence and Security Agency and appropriate access management by unit commanders, supervisors, and their personnel,” DoD said.
Austin gave DoD leaders the following list of improvements to tackle in the “near- and medium-term”:
- Institute immediate improvements to personnel and physical security data management and information sharing practices;
- Reinforce existing security policies and practices to ensure compliance and accountability down to the lowest levels of the department;
- Review and update security processes and procedures to reduce any ambiguity and ensure consistency and clarity across the department;
- Develop and implement new security policies, processes, and procedures to address any identified gaps;
- Introduce or expand the use of existing technical tools and systems to improve security clearance processes and the safeguarding of CNSI;
- Examine opportunities to tailor training, education, and policies to better address current and evolving security needs;
- Pursue modifications to security training policies and material to measure their effectiveness and tailor the training to unit needs rather than simply comply with requirements on an annual basis; and
- Assess and review policies, processes, and procedures for the accreditation, administration and management of facilities used to process and store classified information.
DoD said it based the review on results from a 50-question survey of Pentagon components that were asked to self-assess “the current state of their personnel security, information safeguarding and accountability, physical security, and education and training posture.”
The Pentagon added it would give “careful consideration” to guard against “overcorrection” of policies “which may impede progress on information sharing and operating models that better enable DoD to execute the National Defense Strategy and its overall mission.”
A separate memo from Austin requires all DoD component heads to work with the Defense Counterintelligence and Security Agency (DCSA) to issue a “plan of actions and milestones” by August 31 “that ensures all DoD components are included and accounted for in designated security information technology systems,” and that those plans and milestones are assigned to a security management office.
The memo features additional deadlines in September for reporting Sensitive Compartmented Information Facilities (SCIFs) to the Office of the Director of National Intelligence, and in December for maintaining centralized tracking systems for SCIFs and similar facilities.