THE APEX SPECIAL ACCESS CONTROL SYSTEM: A SECURITY MANUAL FOR INDUSTRY; CONTROL OF

-~#Appryvud For I~1Et4O -ANDUM FOR: Bob, Director of Security John asked that I get a copy of Date 21 June 1979 25X1 25X1  25X1 25X1 25X1 ,25X1 25X1 25X1 25X1 25X1 ~M leS .. :.a 7 4a _:J4S:.i 21 June 19.79 MEMORANDUM FOR THE RECORD SUBJECT: The APEX Special Access Control System: A Security Manual for Industry; control of FILE 1. As part of the learning phase for the Industrial Contracting/ Industrial Security Team, Special Assistant to the DCI for Compartmentation, briefed us on the proposed new security system. He emphasized the sensitivity of the program and the. fact that it was still in staffing. Accordingly, no.disclosure of the infor- mation provided would be permitted. 2 On 13 June 1979, as part of a contractors, and I inspected thel survey of 25X1 rogram ecurity Officer, stated that "the new system wou give them problems with the two person rule plus- other ricti.ons." He indicated that he had the manual and that Mr. had been briefed on it. I neither confirmed nor denied the existence of the manual but rather turned the discussion to other matters. 3. Upon return tol office, he put a xerox draft copy of subject manual on the table.. I.ihspected'it'.and'noted' several comments in the. margins indicating both a close perusal by 0 as well as substantial dissatisfaction on his part with the two-man rule and other requirements of the APEX system. He volunteered the information that (.Securi.ty Officer for the had sent the draft xeroxed manual to him. He opined that "now he had gotten 0 in trouble." I again did not continue the discussion--which. he clearly wanted to do--but turned to a discussion of document control and other subjects of concern to us. 4. Upon return to Headquarters at 0820, 21 June 1979, I advised the Deputy Inspector General of the situation, asked him to brief the Inspector General and suggested that I advise 0 about the 'disclosure of the APEX Manual. He agreed and I subsequently briefed Mr. 0 He will discuss the situation with ~ n 3 15 8 Approved For Release 2U~34/' CIA-RDP85T00788R000100060011-6 Approved For Release 2004/05/12: CIA-RDP85TOO788R000 . 0R ISTRY 25X1 25X1  Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6 DCI Security. I noted that I would do nothing further unless otherwise directed by my superiors and left the matter in his hands. Distribution: 25X1 Mr. Mr. D/S C/SS/OD&E Approved For Release 2004/05/12 :9IA-RDP85T00788R000100060011-6  So ofl EG1S TRY FILE APEX CONTROL SYSTEM MANUAL INDUSTRIAL SECURITY BRANCH COMMENTS GENERAL COMMENTS 1. Inasmuch as the APEX Control. Manual sets forth policy standards and procedures to protect Sensitive Compartmented Information, it is recommended that the manual itself be classified since it, in itself, is an intelligence method. If it is not classified, it will be available to anyone under the Freedom of Information Act. 2. It should be recognized that if the 1973 USIB Standards for setting forth the physical security requirements for the protection of Sensitive Compartmented Information are utilized as intended for the protection of Sensitive Compartmented Information controlled by the APEX Security Control System, then that protection is weak and is not compatible with the statement in Section 2 of the APEX Control System Manual, which states that EO 12065 recognized the need to establish special access programs to control access, distribution, and protection of particularly sensitive classified information, etc. SPECIFIC COMMENTS Cover Memorandum dated 25X1 26 January 1979 from 25X1 Approved Foo Release 2004/05/12: CIA-RDP85T00788R0001 -Paragraph 7 of this memorandum indicates that guidance regarding. Sections VII e, f, and g would not be part of the Manual. We have included comments on these items (changes in personal status, contacts or association with foreign nationals, alien marriages and travel and duty assignment restrictions) in our drafts of the Industrial Security Manuals. For the sake of uniformity, should the Government manual not also include such instructions? Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6 /8  Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6 Page 1, last line Page 4, line 1 Page 5, line 5 -Suggest the insertion of the word "control" between "individual" and "system." -Suggest this sentence begin as follows: "In order to protect highly..." etc. -Suggest the phrase "within 30 days" be replaced by the phrase "30 days before." Page 10, first four -Will there be any written evidence paragraphs in the security files of an individual which attests to the operational or product compartments within the Apex Control System, to which he had had access? .Page 10, paragraph'C -Do the words "as appropriate" modify the persons named in the first sentence, or do they modify hol e s eme h fi ....v a.a 111, 111 e rs 4 sentence, so that annual rejustification would not be required until that were considered appropriate? Page 13, paragraph i -Shouldn't these individuals be bound by an Apex Secrecy Agreement? If not, there are no limitations on these'individuals not to disclose Apex Control Information. Page 14, paragraph VI b -Since this is such sensitive information, would it not be a good idea to limit the knowledge, o even within the Central Access `~ Approval Registry, of the names of tpeople who are accessed to data? Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6  Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6 Page 15, lines 2, 3, and 4 -Should not this sentence read, "Status, rank, and position are not in themselves sufficient reasons to establish the clearly demonstrated needs to see 0 data?" 25 Page 15, Section c, second -Should not the Two-Person Rule paragraph be exercised when it is necessary to transmit information .,4,i..25) outside the control office area? If not, an individual would have the opportunity to copy this very sensitive information if he chose to. Page 16, first paragraph Page 17, paragraph VII a.l items. It could, or course, be amended to include them. -Will 0 material be open-shelf 25 stored or should it not be always 1 secured in a GSA-approved security container or in a drawer with a.. V"., separate control drawer head in' a GSA-approved security .container? -DCID 1/19 is appropriate as far as it.goes. But is doesn't include the Two-Person Rule and other various Page 18, Paragraph VII b.5 -This paragraph requires reb'riefing on at least a bi-annual basis. The DCI and Director of Security have asked for annual rebriefings,. at least in industry. Is this consistent with their intent? Page 19, line 10 -What is a'.timely basis? The problem with CIB records now-is that they are always out of date. Page 20, line 8 -Same comment as on page 16, first paragraph. Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6  Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6 Page 20, paragraph 6 -See comment regarding page 15, Section c, second paragraph. Page 23, Section c -Suggest first sentence begin as follows: "Security approval for access to..." -Suggest the title of DCID 1/14 be capitalized, since it is a formal title. Page 23, Section d, lines 6 -Suggest phrase "for inclusion in the and 7 Central APEX Registry" be changed to read "in order to update the information maintained in the Central APEX Registry." Page 24, Section e -This section does not make it clear that casual contacts with hostile country nationals should ? or should not be reported. Should. they? What is a casual contact? -Also, since Section VII e, f, and g will apparently not be in the APEX Manual, where will they appear? Will each Agency issue its own instructions or will these be a Uniform sect of instructions issued y~ SECOM? Page 25, line 4 -Suggest the phrase "are accessed" be struck and replaced with the phrase "who have been approved and briefed for access..." Pages 32 and 33, section c -The common badge.system appears to be a poor method to be utilized for establishing prima facie evidence of the approval status of an individual's access to various APEX compartments. It seems that it would be difficult to keep this badge up to date and problems would be encountered in attempting to continuously revalidate the badges. Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6  Approved Fo'r Release 2004/05/12 : CIA-RDP85T00788R000100060011-6 Page 41, Section c, line 3 ,,,-Will the two couriers be required to be approved and briefed for access to APEX-General? -OD&E uses two staff type contract Page 42, lines 3, 4, and 5 Page 45, Section f and on overseas runs sometimes. They do not generally use two couriers on -courier only on local runs -Does the prohibition to transmit ;APEX material via commercial air- dcraft preclude the use of OD&E couriers who now use commercial air- ~craft? Also, how can there be an exception to something that is prohibited? It appears that the wording should be changed. -It is recognized that approved destruction methods must be used. But who really approves the methods? o The destruction devices themselves receive technical approval from a different source, and each Agency seems to have different criteria. Page 52, Section XV a -Should this paragraph not also include specific reference to DCID 1/14 requirements? Page 53, Section b, line 6 -The Department of Defense, in DOD 5220.22-M, paragraph 21c (Foreign Ownership, Control or Influence) requires notification by b any investor who as aquired direct or indirect beneficial interest of five percent or more, not six percent 25. 25. 25 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6  I Approved Fo Release 2004/05/12 : CIA-RDP85T00768R000100060011-6 Page 57, paragraph 3 -How does the "anyone other than elected members of the House and Senate" jibe with the statement on Page 54, paragraph.XVI a.l,. which states that members of. Congress will be granted APEX access provided need-to-known require- ments hive been established? Page 57, paragraph.4 Will the Two-Person Rule be used? Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060011-6