Some snips from the: Policy and Oversight Report Intelligence Review Directorate Final Report on the Verification Inspection of the National Security Agency Report Number IR 96-03 February 13, 1996 National Security Agency COMPUTER SYSTEMS The NSA does not comply with DoD security requirements for accreditation of systems and networks and periodic training of personnel, thus permitting security vulnerabilities and potential compromise of national security data... Through interviews we learned that the key components are reluctant to use their personnel assets to do the AIS accreditations. The key components believe AIS accreditation is a primary responsibility of the Office of Operational Computer Security. EQUIPMENT ACCOUNTABILITY The NSA failure to meet DoD equipment management and accountability standards has resulted in equipment losses worth millions of dollars and wasted warehousing space... The NSA Property Accountability Office has made significant improvement in its processes for controlling NSA assets since our 1991 inspection. However, additional corrective action is required to ensure accountability of the NSA assets. The IG, NSA Audit Report, "Advisory Report Personal Property Accountability Audit," July 21, 1994, confirmed this issue. This report stated that the key components property accountability efforts have not been effective as evidenced by continuing requests for large write-offs for unreconciled assets ($82 million from Fiscal Years 1991 and 1992). The physical protection of NSA assets is hampered by a procedural shortfall. Applicable NSA logistics directives describe how packaging and storing requirements will be prescribed by the key component wishing to store items. However, at the time of our inspection, we found that the key components were not providing proper directions for the storage of NSA assets. During our inspection, we did not physically inspect the warehouses used to store equipment because two warehouses with the worst conditions were no longer in use. We are highlighting this concern to ensure that the NSA continues to protect Government assets from deterioration or damage. Disposition of TEMPEST Equipment Last, we found that the National Security Telecommunications and Information Systems Security Advisory Memorandum (NSTISSAM), TEMPEST/3-91, "Maintenance and Disposition of TEMPEST Equipment," December 20, 1991, provides guidance to personnel responsible for the maintenance and disposition of TEMPEST equipment. Basically, this memorandum corrected the shortcoming identified in our 1991 inspection. The NSA no longer destroys TEMPEST hardware. However, another procedural shortcoming was identified during our inspection. The NSTISSAM TEMPEST/3-91 states, "Disposition/resale should be consistent with established export control/technology transfer policy." The NSA could not provide evidence that it alerts the recipients of excess TEMPEST hardware of current technology transfer policy. REVOKING SECURITY CLEARANCES The NSA is lax in disciplining and revoking security clearances for its employees and contractor affiliates.
All content COPYRIGHT SOFTWAR (C) 2000. Any reproduction or use of content herein must be approved by SOFTWAR.