COMMENTS TO UDIS ISSUE PAPER ON DAMAGE ASSESSMEMTS

Approved For Release 2007/11/01 : CIA-RDP87B01034R000500060020-3 U N C L A b 5.Lr .L J# NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE FORT GEORGE G. MEADE. MARYLAND 20755 Serial! M5/0081/82 NSA review completed MEMORANDUM FOR THE CHAIRMAN., DCI SECURITY COMMITTEE SUBJECT: Comments to UDIS Issue Paper on Damage Assessments 1. This responds to your memorandum, Subject: Policy on Unauthorized Disclosures and on Damage Assessments, dated 28 October 1982, in which you asked for.comments on the UDIS issue paper regarding damage assessments. 2. The use of the IS00 Directive #1 policy on possible compromises of classified information is an excellent source of direction in that it identifies three separate actions required by three distinct entities: the responsibility of the individual to report possible compromises; the responsi-- bility.of:_the originating agency to assess the' damage and initiate countermeasures to negate or minimize the adverse impact: the responsibility of, the agency under whose cognizance the compromise occurred to determine cause, place responsibility and-administer appropriate disciplinary action. We suggest that only the second action is relevant to the national policy on.damage assessments, i.e., the evaluation of the adverse impact on the national security and the countermeasures required to. negate or minimize that impact. 3. With regard to the specific issues,-we offer the following: a. Trigger Mechanism: The provisions of DoD 5200.1-R, paragraph 6--143 provides for a damage assessment only when there is an actual compromise and damage to the national security cannot be discounted.. This may provide a viable" trigger mechanism conforming to the intent of the ISOO policy but which avoids unnecessary actions. b. Quality Control: This issue is assured by the program manager/originator based on the unique program factors involved. Minimum elements, such as suggested in the paper involving technical/analytic expertise, and security audits, and counterintelligence, should be developed for consideration as guidelines by program managers/originators. ,. " , t A Q C T F TV. "n Approved For Release 2007/11/01: CIA-RDP87BO 1034R000500060020-3  Approved For Release 2007/11/01: CIA-RDP87BO1034R000500060020-3 U N C L A S S I F I E D Serial= M5/0081/82 C. Assessment Implementation: The most significant aspect of a damage assessment is the forward looking aspects;. what countermeasures are necessary to negate or minimize the impact on the national security and what remedial actions are necessary to prevent additional similar compromises. Imple- mentation of these aspects is program-wide by the program manager/originator through specific instructions or program modifications. Individual agency latitude on implementation of countermeasures and remedial actions is to be avoided. 4. Finally, we must emphasize that consideration of the disciplinary actions and the investigations leading to such actions digresses from the purpose of this paper. As indicated in the ISOO policy, this is a separate action governed by other statutory and regulatory authorities. PHILIP T NSA Member Approved For Release 2007/11/01 : CIA-RDP87BO1034R000500060020-3