DOD reviews systems access

As part of an ongoing effort to protect its systems, the Defense Department is considering a policy that could prohibit foreign nationals from working in sensitive information technology positions.

If the guidelines are adopted, some foreign nationals in the "most sensitive positions may not be permitted to remain in those positions," said Pete Nelson, DOD's deputy director for personnel security, March 7.

However, the draft policy is broader than that. It requires that "all persons, including contractors and foreign nationals, employed in specified IT sensitive-but- unclassified positions, be subject to an appropriate investigation, depending on their position," Nelson said. It is unclear how many people could be affected.

"It is in the interest of the department to ensure that any person accessing unclassified-but-sensitive DOD IT systems be reliable and trustworthy," Nelson said. The draft policy, which DOD would not release, could be approved in 60 to 90 days, he added.

Imposing a citizen-only provision for nonclassified IT work would have a "significant, but not wide-reaching, impact," said Ray Bjorklund, a vice president at market research firm Federal Sources Inc. He noted that the Justice Department imposed similar restrictions before the Sept. 11 terrorist attacks.

Most DOD contractors are U.S.-based companies that employ people from the defense community, Bjorklund said. "These are people and companies who have held or do hold clearances and, therefore, are likely to be made up of U.S. citizens," he said. He noted, however, that it is possible for a foreign national to hold a U.S. security clearance.

Vendors who do classified work, especially for intelligence organizations, in general already meet security requirements, said Anthony Valletta, former acting assistant secretary of Defense for command, control, communications and intelligence (C3I) and currently vice president and director of SRA International Inc.'s C3I systems division.

However, what shouldn't be overlooked, Valletta said, is that only a small number of U.S. students pursue science and technology careers, which means that there are fewer and fewer qualified U.S. candidates each year. If the situation doesn't change, he said, it will make it more difficult for the government to hire the required staff.

More analysis is needed, some say. "I think it is something that needs much more public discussion," said Harris Miller, president of the Information Technology Association of America, an industry group. All IT companies have foreign workers woven throughout their staff, he said, and adhering to such a policy could be a logistical nightmare.

And such a policy is no guarantee. Miller noted that U.S. citizens also have committed serious offenses, including Oklahoma City bomber Timothy McVeigh and accused FBI spy Robert Hanssen.

The policy could also increase IT costs because workers with security credentials already demand premium pay, analysts say.

Paul Brubaker, chief executive officer of Aquilent and former DOD deputy chief information officer, said it would be better to create policies that would ensure the trustworthiness of staff working on sensitive issues. Those could include background checks and security clearances, he said.

But if the policy is taken too far, he said, it could prevent vendors that produce software overseas from selling to DOD. Many software vendors use overseas software developers to write code.

Meanwhile, the Navy has set out to determine its dependence on foreign national personnel in IT positions and to "better gauge any future cost of impact of the policy on them when it is implemented," Nelson said.

However, one Navy official, who spoke on condition of anonymity, was unaware of any Navy risk assessment of the DOD draft policy. It "typically doesn't work that way," the official said. Such assessments are usually associated with security certification and accreditation efforts.

***

What's the impact?

According to Pete Nelson, the Defense Department's deputy director for personnel security, DOD's draft policy applies to U.S. citizens and non-U.S. citizens working on sensitive-but-unclassified information technology systems anywhere in the world.

Some foreign nationals in the most sensitive positions may not be permitted to remain in those positions. DOD does not know the number of foreign nationals involved in the different types of sensitive jobs. Also, DOD does not have a baseline number for the military, civilian and contractor personnel working with unclassified-but- sensitive information, Nelson said.

The draft policy is based on more than three years of study and effort, has been extensively coordinated within DOD and has been provided to other executive branch agencies for their consideration or use.