b"<html>\n<title> - NATIONAL INDUSTRIAL SECURITY PROGRAM: ADDRESSING THE IMPLICATIONS OF GLOBALIZATION AND FOREIGN OWNERSHIP FOR THE DEFENSE INDUSTRIAL BASE</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n                                     \n\n                         [H.A.S.C. No. 110-148]\n \n NATIONAL INDUSTRIAL SECURITY PROGRAM: ADDRESSING THE IMPLICATIONS OF \n  GLOBALIZATION AND FOREIGN OWNERSHIP FOR THE DEFENSE INDUSTRIAL BASE\n\n                               __________\n\n                      COMMITTEE ON ARMED SERVICES\n\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              HEARING HELD\n\n                             APRIL 16, 2008\n\n\n                                     \n[GRAPHIC] [TIFF OMITTED] TONGRESS.#13\n\n\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n45-132                    WASHINGTON : 2009\n-----------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001\n\n                                     \n                   HOUSE COMMITTEE ON ARMED SERVICES\n                       One Hundred Tenth Congress\n\n                    IKE SKELTON, Missouri, Chairman\nJOHN SPRATT, South Carolina          DUNCAN HUNTER, California\nSOLOMON P. ORTIZ, Texas              JIM SAXTON, New Jersey\nGENE TAYLOR, Mississippi             JOHN M. McHUGH, New York\nNEIL ABERCROMBIE, Hawaii             TERRY EVERETT, Alabama\nSILVESTRE REYES, Texas               ROSCOE G. BARTLETT, Maryland\nVIC SNYDER, Arkansas                 HOWARD P. 
``BUCK'' McKEON, \nADAM SMITH, Washington                   California\nLORETTA SANCHEZ, California          MAC THORNBERRY, Texas\nMIKE McINTYRE, North Carolina        WALTER B. JONES, North Carolina\nELLEN O. TAUSCHER, California        ROBIN HAYES, North Carolina\nROBERT A. BRADY, Pennsylvania        W. TODD AKIN, Missouri\nROBERT ANDREWS, New Jersey           J. RANDY FORBES, Virginia\nSUSAN A. DAVIS, California           JEFF MILLER, Florida\nRICK LARSEN, Washington              JOE WILSON, South Carolina\nJIM COOPER, Tennessee                FRANK A. LoBIONDO, New Jersey\nJIM MARSHALL, Georgia                TOM COLE, Oklahoma\nMADELEINE Z. BORDALLO, Guam          ROB BISHOP, Utah\nMARK E. UDALL, Colorado              MICHAEL TURNER, Ohio\nDAN BOREN, Oklahoma                  JOHN KLINE, Minnesota\nBRAD ELLSWORTH, Indiana              PHIL GINGREY, Georgia\nNANCY BOYDA, Kansas                  MIKE ROGERS, Alabama\nPATRICK J. MURPHY, Pennsylvania      TRENT FRANKS, Arizona\nHANK JOHNSON, Georgia                BILL SHUSTER, Pennsylvania\nCAROL SHEA-PORTER, New Hampshire     THELMA DRAKE, Virginia\nJOE COURTNEY, Connecticut            CATHY McMORRIS RODGERS, Washington\nDAVID LOEBSACK, Iowa                 K. MICHAEL CONAWAY, Texas\nKIRSTEN E. GILLIBRAND, New York      GEOFF DAVIS, Kentucky\nJOE SESTAK, Pennsylvania             DOUG LAMBORN, Colorado\nGABRIELLE GIFFORDS, Arizona          ROB WITTMAN, Virginia\nNIKI TSONGAS, Massachusetts\nELIJAH E. CUMMINGS, Maryland\nKENDRICK B. MEEK, Florida\nKATHY CASTOR, Florida\n                    Erin C. 
Conaton, Staff Director\n                Andrew Hunter, Professional Staff Member\n               Stephanie Sanok, Professional Staff Member\n                    Caterina Dutto, Staff Assistant\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                     CHRONOLOGICAL LIST OF HEARINGS\n                                  2008\n\nHearing:\n\nWednesday, April 16, 2008, National Industrial Security Program: \n  Addressing the Implications of Globalization and Foreign \n  Ownership for the Defense Industrial Base\n\nAppendix:\n\nWednesday, April 16, 2008\n                              ----------                              \n\n                       WEDNESDAY, APRIL 16, 2008\n NATIONAL INDUSTRIAL SECURITY PROGRAM: ADDRESSING THE IMPLICATIONS OF \n  GLOBALIZATION AND FOREIGN OWNERSHIP FOR THE DEFENSE INDUSTRIAL BASE\n              STATEMENTS PRESENTED BY MEMBERS OF CONGRESS\n\nHunter, Hon. Duncan, a Representative from California, Ranking \n  Member, Committee on Armed Services\nSkelton, Hon. Ike, a Representative from Missouri, Chairman, \n  Committee on Armed Services\n\n                               WITNESSES\n\nBarr, Ann Calvaresi, Director, Acquisition and Sourcing \n  Management, Government Accountability Office\nSchneider, Dr. William, Jr., Chairman, Defense Science Board\nSullivan, Troy, Acting Deputy Under Secretary of Defense for \n  Counterintelligence and Security\nWatson, Kathleen, Director, Defense Security Service\n\n                                APPENDIX\n\nPrepared Statements:\n\n    Barr, Ann Calvaresi\n    Schneider, Dr. William, Jr.\n    Sullivan, Troy, joint with Kathleen Watson\n\nDocuments Submitted for the Record:\n\n    [There were no Documents submitted.]\n\nWitness Responses to Questions Asked During the Hearing:\n\n    Mr. Bartlett\n    Mrs. Boyda\n\nQuestions Submitted by Members Post Hearing:\n\n    Mr. Loebsack\n    Mr. Saxton\n NATIONAL INDUSTRIAL SECURITY PROGRAM: ADDRESSING THE IMPLICATIONS OF \n  GLOBALIZATION AND FOREIGN OWNERSHIP FOR THE DEFENSE INDUSTRIAL BASE\n\n                              ----------                              \n\n                          House of Representatives,\n                               Committee on Armed Services,\n                         Washington, DC, Wednesday, April 16, 2008.\n    The committee met, pursuant to call, at 10:05 a.m., in room \n2118, Rayburn House Office Building, Hon. Ike Skelton (chairman \nof the committee) presiding.\n\n OPENING STATEMENT OF HON. IKE SKELTON, A REPRESENTATIVE FROM \n        MISSOURI, CHAIRMAN, COMMITTEE ON ARMED SERVICES\n\n    The Chairman. Ladies and gentlemen, we welcome you to \ntoday's hearing on the ``National Industrial Security Program: \nAddressing the Implications of Globalization and Foreign \nOwnership for the Defense Industrial Base.''\n    I am pleased that we are able to focus on this all-\nimportant topic. 
And, too often, the pace of events and the \ndemands of the war consume us so much that we have a hard time \nstepping back and looking at the defense industrial base and \nhow, over the years, it is changing.\n    Today's hearing does just that, by exploring how the \nDepartment of Defense (DOD) works to protect the classified \ninformation in the hands of the private-sector companies who \ndevelop and build and maintain defense systems. These companies \nare home to the vast majority of our classified information. \nThe National Industrial Security Program is the primary means \nfor ensuring that this information is truly protected.\n    It has long been this Nation's official policy to be open \nto the rest of the world. We open our markets to goods from all \ncountries. We are open to foreign investment. And closer to \nhome for this committee, we have sought to be interoperable \nwith the North Atlantic Treaty Organization (NATO) allies, \nsharing standards, technology, information on both our tactics \nas well as our procedures.\n    We provide exceptions to various domestic source \nrestrictions for companies located in NATO allies. The story \nfor our defense industry is no different. We have allowed \nforeign investment in our defense industry and developed \nmechanisms like government security committees on corporate \nboards to ensure the national security is protected.\n    All of these policy choices are predicated on two \nfundamental assumptions: that, in working more closely \ntogether, we are all made stronger and that reasonable measures \ncan be taken to protect that which must be protected while \nremaining open to most things.\n    Today we examine in greater depth what reasonable measures \nneed to be taken to protect American national security. \nIndustry is changing as the economy globalizes. How rapidly are \nissues of foreign ownership, control, influence impacting the \ndefense industry? 
Will new investment vehicles like hedge funds \nand sovereign wealth funds require us to change how we \ndetermine what constitutes foreign ownership? How can the \nNational Industrial Security Program keep up with the scope and \npace of these changes? Is the Defense Security Service staffed, \nis it trained, is it equipped well enough to implement the \npolicy?\n    Here today to help us answer these questions is a very \ndistinguished group: Troy Sullivan, Deputy Under Secretary for \nDefense for Counterintelligence and Security; Kathleen Watson, \nDirector of the Defense Security Service; Dr. Bill Schneider, \nChairman of the Defense Science Board; Ann Calvaresi Barr, \nDirector of Acquisition and Sourcing Management at the U.S. \nGovernment Accountability Office (GAO); and also at the table \nis Mr. Greg Torres of the Department of Defense, who is here to \nanswer questions.\n    We welcome you. And before we ask you for your testimony, \nlet me turn to my friend, my colleague from California, Duncan \nHunter.\n\n    STATEMENT OF HON. DUNCAN HUNTER, A REPRESENTATIVE FROM \n    CALIFORNIA, RANKING MEMBER, COMMITTEE ON ARMED SERVICES\n\n    Mr. Hunter. Mr. Chairman, thank you for holding this very \nimportant hearing.\n    And I think this is an issue that has received little \ncongressional attention but addresses a subject that goes to \nthe heart of an issue that this committee cares very deeply \nabout. In the era of globalization, where international firms \nregularly compete for U.S. Government contracts, the subject of \nhow the Department of Defense manages the risks associated with \nforeign ownership, control or influence is of paramount \nimportance, particularly in classified contracts.\n    This challenge confronts the Department on two fronts. \nFirst, consolidation within the defense industry and a weakened \nU.S. dollar has resulted in an increase of foreign interests \nacquiring U.S. 
companies that generate and support what I call \nmilitarily critical technology. Second, U.S. defense \ncontractors increasingly rely upon foreign-owned subcontractors \nto support their contracts and almost always utilize hardware \nand software that is produced or manufactured overseas.\n    My overarching concern and issue that I would like this \nhearing to address today is how we ensure that these trends and \ndevelopments do not lead to the deterioration of our \nqualitative edge over potential adversaries.\n    This is not an irrational fear or veiled protectionism. \nThis is a real national security concern. We are in a period \nwhere industrial espionage is on the rise and where cyber \nattacks on U.S. Government networks are the rule, not the \nexception. Dr. Schneider's testimony aptly captures this issue \nwhen he argues that the success the defense industry has \nenjoyed in exploiting modern technology must be, and I quote, \n``tempered with recognition of the risks and vulnerabilities \ncreated by using these cutting-edge systems.''\n    As we manage these risks and vulnerabilities, our initial \nfocus should prioritize the most sensitive national security \ninformation and programs: classified contracts. Currently there \nare over 8,000 companies cleared to conduct classified work for \nthe Department of Defense. They are all governed by the \nNational Industrial Security Program, or NISP, a program which \nessentially imposes a set of requirements upon a contractor in \nexchange for a facility security clearance that allows a \ncontractor's facility to access and hold classified \ninformation.\n    The most important feature of the NISP is that contractors \nare obligated to comply. Unlike the Committee on Foreign \nInvestment in the United States, or CFIUS, the NISP framework \nis mandatory in nature. 
All Department contractors holding a \nfacility security clearance are obtained to ensure that \nclassified information is handled in accordance with the NISP.\n    This raises two primary concerns. The first is a policy \nquestion: How do we know that the policies of the NISP \nadequately manage the risks and vulnerabilities generated by \nthe ever-evolving defense industrial base? My sense is that \nbetween the concerns raised in Defense Science Board reports \nand industrial espionage developments raised by the Department, \nwe face challenges that our current policy is not tailored to \naddress.\n    A second area of concern is whether the policy presently in \nplace is being implemented properly. In other words, does the \npool of 8,000 contractors cleared to conduct classified work \nfor the Department vigilantly follow the requirements in the \nNational Industrial Security Program? Both the GAO report and \nmy own impression are that the culture of compliance varies \nwidely among the population of cleared contractor companies.\n    I emphasize compliance because the NISP rests on a paradigm \nthat depends upon the self-reporting of cleared contractor \ncompanies and their commitment to adopting business and \nmanagement practices that do not result in the compromise of \nclassified information or adversely affect the performance of \nclassified contracts. In the current climate of industrial \nespionage and cyber attacks that I have described, we need to \nensure that best practices are applied across the board, and \nvigilant compliance is the only acceptable standard.\n    One practice that incentivizes contractors to vigilantly \ncomply with the NISP is making a corporation's board of \ndirectors serve as fiduciaries for the corporation's \nfulfillment of NISP obligations. This practice ensures that the \nmost senior corporate officers are attentive to the company's \nadherence to the NISP. 
In other words, making the corporation's \ndirectors apply the same rigor to NISP compliance as they do \nwith complying with the tax code is a proven way to affect \ncorporate behavior. If these schemes work to ensure that \ncorporations do not run afoul of the U.S. Tax Code, they should \nprobably be adopted in an arena of at least equal importance: \nnational security.\n    Cleared contractor corporations clearly create this culture \nof compliance on their own. These companies need the support \nand guidance of the Department. It is not reasonable to have a \npolicy of, ``If you see something, say something,'' if our \ngovernment is not educating these companies on what exactly \nthey should be looking for. My understanding is that the \nDefense Security Service, the DSS, has struggled in recent \nyears in this regard, and I am curious to hear from DSS on the \nsteps that they are taking to ensure that industry has a \npartner in government that aids and supports industry as they \ncarry out their NISP obligations.\n    And, finally, Mr. Chairman, I would like to take this \ncommittee back to a hearing we held in this room March 2, 2006. \nOn that day over two years ago, we examined the national \nsecurity implication of the Dubai Ports World deal to take over \nport terminal operations in six U.S. cities and the ensuing \nCFIUS review. At the heart of that high-profile crisis were \nissues that we are talking about today. How does the U.S. \nGovernment manage the national security risks related to \nforeign ownership, control and influence, or FOCI?\n    In my view, that case was an easier problem to solve than \nthe one before us today, because with Dubai Ports we knew that \na foreign entity was making an acquisition. That is not always \nthe case. The tougher problems are the types of cases the NISP \nis tasked to manage where the FOCI is more subtle and less \nconspicuous. 
This is truly a complicated and difficult task \nand, in my view, requires no less attention by the Congress \nthan what was given to Dubai Ports in the subsequent CFIUS \nlegislation.\n    So I want to thank you, Mr. Chairman, for holding this \nhearing. I want to thank our witnesses.\n    And last, Mr. Chairman, Business Week this week has on its \nfront cover, ``E-spionage,'' a Business Week investigation \nentitled, ``The U.S. military created the Internet. Now the Web \nmay be turning against its maker.'' ``As America fights to \nprotect itself, we uncover startling new instances of cyber \nspies targeting the government, and traced a path of a \npernicious attack aimed at a defense consultant.''\n    The fact that this is in the news, and, Mr. Chairman, we \nhave seen a number of other cases, industrial espionage is now \nthe order of the day and is receiving national attention. And \nif we are going to maintain this qualitative edge over \npotential adversaries for the next 5 to 10 to 20 years, we have \nto ensure that we are not accommodating their industrial bases \nwith a less-than-adequate security arrangement for our own \nprivate contractors in this country.\n    And with the wave of fresh money coming in and acquiring \nAmerican defense interests and American defense contractors, it \nhas become clear to me that there is only one entity which is \ntruly responsible for making sure that our industrial base is \nsecure, and that is us. And I hope that this hearing lays a \nbase for this committee taking action that will ensure that we \nhave, indeed, a secure technological system in the defense \nindustrial base.\n    So thanks a lot, Mr. Chairman, for holding this hearing.\n    I thank our witnesses, and I look forward to your \ntestimony.\n    The Chairman. Thank you, Mr. Hunter.\n    I first call on Troy Sullivan, the Deputy Under Secretary \nof Defense for Counterintelligence and Security.\n    Mr. 
Sullivan, welcome.\n\n STATEMENT OF TROY SULLIVAN, ACTING DEPUTY UNDER SECRETARY OF \n          DEFENSE FOR COUNTERINTELLIGENCE AND SECURITY\n\n    Mr. Sullivan. Thank you, sir.\n    Good morning, Mr. Chairman, Ranking Member Hunter, members \nof the committee. I am Troy Sullivan, Acting Deputy Under \nSecretary of Defense for Counterintelligence and Security. I am \npleased to be here today to talk to you about the Department of \nDefense's role in the Industrial Security Program.\n    First I would like to introduce two key players on the \nDepartment of Defense team who are here today: Ms. Kathleen \nWatson, the Director of the Defense Security Service; Mr. Greg \nTorres, down at the end of the table, who is our Director of \nSecurity for the Department of Defense.\n    Ms. Watson's organization administers the National \nIndustrial Security Program on behalf of the Department and 23 \nother federal agencies within the executive branch.\n    Mr. Torres, among other things, is responsible for working \nwith Ms. Watson and others to develop security policy. His \noffice writes and staffs the National Industrial Security \nProgram Operating Manual.\n    They work closely with the Director of the Information \nSecurity Oversight Office and its staff, who are responsible \nfor implementing and monitoring the National Industrial \nSecurity Program.\n    The National Industrial Security Program was created to \nprotect classified information in industry. The Department of \nDefense has a unique partnership with industry to produce the \nsystems that provide our country with military advantages over \ncurrent and future adversaries. 
We have a crucial interest in \nprotecting classified information from compromise, and we take \nour role as the executive agent for the National Industrial \nSecurity Program very seriously.\n    Globalization and foreign ownership have created a number \nof serious challenges to the protection of classified \ninformation as we process an increasing number of foreign \nownership, control or influence actions in defense industry. \nOur policies must take into consideration this ever-changing \ndynamic.\n    In addition to the challenges posed by globalization, the \nDefense Security Service workforce must be well-trained in \nthese complex areas and be sufficiently sized to address \nsituations in a timely manner. We are not yet where we want to \nbe, but since the arrival of the new leadership in 2006 at the \nDefense Security Service and in the Security Directorate, we \nare moving forward smartly.\n    For example, years of very intense work culminated in the \npublication of a new National Industrial Security Program \nOperating Manual in 2006. Based on experience to date with the \nnew manual, we have identified several areas that, if clarified \nor strengthened, would improve the effectiveness of the Defense \nSecurity Service. These issues are being addressed by the \nDepartment with the goal of ensuring the Defense Security \nService can accomplish its mission.\n    The other key document, the Industrial Security Regulation, \nis 22 years old. Portions are out of date and in conflict with \nthe newer National Industrial Security Program Operating \nManual. To address these concerns, we drafted a revised version \nof the regulation that complements the newer manual. This draft \nwill enter the coordination process later this month.\n    The National Industrial Security Program is a cornerstone \nin the Department's efforts to protect classified research and \ntechnology from compromise, but it is not the only arrow in our \nquiver. 
Our first line of defense is a personnel security \nclearance program and the granting of security clearances to \nindustry workers who require access to classified information.\n    The Department is proud to be working with the Office of \nManagement and Budget, Office of the Director of National \nIntelligence, and the Office of Personnel Management to develop \na new and more effective and timely personnel security and \ninvestigative system. The transformation team working this \nproject has a status report due to the President at the end of \nthis month.\n    While the National Industrial Security Program focuses on \nclassified information, we must not forget the threats to and \nimpact of the loss of unclassified information. The Department \nhas an effort under way to help the defense industrial base \nbetter secure defense information on their unclassified \nnetworks.\n    We also work with other federal criminal investigative and \ncounterintelligence agencies on a wide range of defense and \nproactive programs to identify, neutralize and exploit the \nthreats to our most critical technologies. We work closely with \nthe Federal Bureau of Investigation (FBI) in its program to \nprotect technology and industry, identified by DOD to the FBI \nas critical.\n    Defense security and counterintelligence organizations, \ncoupled with the Defense Security Service, provide a formidable \ncapability to assist in protecting our most important research \nand technologies. But when the FBI joins us in a focused \nprotection program, our capabilities are significantly \nenhanced.\n    We must not overlook our partnership with industry. 
Its \nvery dedicated and talented cadre of security officers is on \nthe front lines of this battle.\n    Finally, defense counterintelligence and security partner \nwith the scientific, acquisition and defense industry \ncommunities to protect from compromise the critical information \nand technologies from the time the scientist has a ``eureka'' \nmoment through the decommissioning or demilitarization of a \nsystem.\n    I am sure you are aware of the 2005 GAO report that was \ncritical of the Department's program that addresses security \nconcerns with companies under foreign ownership, control or \ninfluence. Although the Department nonconcurred with almost all \nof the GAO recommendations, the current Defense Security \nService Director recognized areas within that program that \nneeded improvement, and she has incorporated the \nrecommendations into her agency's transformation plan. She is \nalso keeping the GAO informed of her progress.\n    The dramatic changes in the Defense Security Service during \nthe last two years, under the very aggressive and tireless \nleadership of Ms. Watson, have turned a broken organization \ninto a more robust, fully funded and aggressive agency that is \nbetter suited to protect our Nation's secrets.\n    My boss, the Under Secretary of Defense for Intelligence, \nJim Clapper, asked me to relay his personal support for this \nimportant program.\n    In conclusion, the Department works closely with industry \nin many ways to protect critical technology and infrastructure. \nThe cornerstone of our efforts to protect our classified \ninformation and programs is the National Industrial Security \nProgram. We take our community responsibility as the National \nIndustrial Security Program executive agent very seriously.\n    We understand that globalization and the active efforts of \nour friends and adversaries to acquire restricted technologies \nhave not abated. 
With the ongoing revitalization and \ntransformation of the Defense Security Service, we will be even \nbetter postured to accomplish this mission.\n    Mr. Chairman, this concludes my prepared remarks, and I \nwould be happy to respond to any questions.\n    [The joint prepared statement of Mr. Sullivan and Ms. \nWatson can be found in the Appendix on page 43.]\n    The Chairman. Thank you very much, Mr. Sullivan.\n    Kathleen Watson, who is the Director of the Defense \nSecurity Service.\n    Ms. Watson.\n\n   STATEMENT OF KATHLEEN WATSON, DIRECTOR, DEFENSE SECURITY \n                            SERVICE\n\n    Ms. Watson. Good morning, Mr. Chairman, Ranking Member \nHunter and members of the committee. I am pleased to appear \nbefore you today. I am Kathy Watson, Director of the Defense \nSecurity Service.\n    As Mr. Sullivan indicated in his remarks, the Security \nDirectorate of the Deputy Under Secretary of Defense for \nCounterintelligence and Security provides security policy for \nthe Department of Defense, to include industrial security \npolicy. The Defense Security Service implements those policies \non behalf of the Department of Defense and 23 other federal \nagencies through the National Industrial Security Program. \nThrough the National Industrial Security Program, the Defense \nSecurity Service provides security oversight of cleared \ncompanies to ensure they are properly protecting the classified \ninformation in their possession.\n    When I arrived at the Defense Security Service two years \nago, I found an agency that was underfunded and understaffed. I \nthink everyone, including the members of this committee, know \nof our funding shortfalls in the personnel security area. What \nis perhaps less well-known but equally critical to national \nsecurity is the National Industrial Security Program and the \noversight role we play in regard to industry.\n    I spent my first year at the Defense Security Service doing \na top-to-bottom review. 
The result is a transformation plan \nthat affects the entire agency. The plan was approved by the \nDepartment and includes an additional 145 full-time government \npositions for the agency. The majority of these positions are \nin the Industrial Security Program. I am also pleased to report \nthat the Defense Security Service is fully funded in fiscal \nyear 2008 and in the President's budget for fiscal year 2009.\n    In addition to an increase in resources, the Defense \nSecurity Service initiated a number of internal changes in the \nIndustrial Security Program. Most significantly, we developed a \nrisk-based approach to our facility inspections. Of the more \nthan 12,000 facilities we oversee, we identified approximately \n1,400 cleared facilities that we considered to be of special \ninterest.\n    In developing the special interest list, we considered risk \nfactors, such as: poor security ratings in the past; security \nincidents resulting in loss or compromise of security \ninformation; facility size and complexity; performance on \nclassified programs targeted by foreign entities; companies \nunder foreign ownership, control or influence; and other risk \nfactors, such as frequent turnover of facility senior managers \nand financial difficulties. We continue to define our risk \ncriteria.\n    This new approach allows our industrial security \nrepresentatives to better prioritize our reviews, improve \nquality, and to conduct a more thorough inspection. The result \nis better security. As I said, all of our 300-plus companies \nunder foreign ownership, control or influence now receive \nspecial attention. Our goal is to ensure that necessary \ncountermeasures are in place by the closing date of the \ntransaction.\n    The Defense Security Service took to heart the \nrecommendations of the 2005 GAO report and has incorporated \nthem into its transformation plan. 
For instance, we are \nimproving and increasing training for our personnel working \nforeign ownership, control or influence issues, and we are \ndevoting 11 of our new full-time government positions to this \narea. Three of these positions will be at our headquarters, and \neight new positions will be in the field. Both of these \ninitiatives address the GAO's recommendation that the Defense \nSecurity Service formulate a human capital management strategy \nfor our foreign ownership, control or influence personnel.\n    The Defense Security Service is now contracting for an \nindependent study of the effectiveness of the overall foreign \nownership, control or influence process, to include a review of \nour internal business processes. This study will also evaluate \nwhether we are gathering the proper information to effectively \nanalyze and oversee these companies and we have fully \nintegrated counterintelligence into the foreign ownership, \ncontrol or influence analysis and oversight.\n    Finally, the Defense Security Service has reviewed and \nplans to adopt the Department of Energy's automated foreign \nownership, control or influence management application called \ne-FOCI. We completed a six-month test phase in March of 2008 \nand plan to phase in additional users between now and \nfulfilling of the complete application in September of 2009.\n    After some modification, the application will give us \nvisibility of all such transactions in real-time, from \ninception to final mitigation. e-FOCI will also improve our \ncapability to conduct analysis and improve our ability to \nidentify trends. I believe these initiatives will help us meet \nthe final two GAO recommendations for better data collection \nand a more systematic analysis.\n    There is still much work to be done at the Defense Security \nService. We still rely on antiquated information systems \ninternally and face a serious hiring lag for new positions. 
But \nnow that we have the appropriate resources, we can fully \nimplement our transformation plan and strategically position \nthe agency for the future.\n    Mr. Chairman, this concludes my statement. I am available \nto answer any questions you may have. Thank you.\n    [The joint prepared statement of Ms. Watson and Mr. \nSullivan can be found in the Appendix on page 43.]\n    The Chairman. I thank the gentlelady.\n    A longtime friend of this committee, Dr. William Schneider, \nChairman of the Defense Science Board, welcome again. Good to \nsee you.\n\n  STATEMENT OF DR. WILLIAM SCHNEIDER, JR., CHAIRMAN, DEFENSE \n                         SCIENCE BOARD\n\n    Dr. Schneider. Thank you, Mr. Chairman. It is a great \nprivilege to be here. I look forward to this opportunity to \npresent my testimony.\n    I have provided the committee with a detailed statement, \nand, with your permission, I would like to just give a brief \noral summary of that statement.\n    The Chairman. Without objection, each of the prepared \nstatements will be put in the record. Thank you.\n    Dr. Schneider. Thank you, Mr. Chairman.\n    The impact of globalization on the Department of Defense \nand its mission has been an important aspect of Defense Science \nBoard studies for more than a decade. The globalization of \ntechnology is no longer a choice for governments planning to \nmodernize their military forces; it is a characteristic of the \nenvironment in which military capabilities will be developed \nand produced for the foreseeable future.\n    Among the most pervasive factors responsible for the vast \nincrease in international trade and investment since the end of \nthe Cold War has been the deregulation of trade in advanced \ntechnology. The globalization of access to advanced technology \nhas meant that users as well as producers of modern technology \nare able to share access to a common global technology base and \nmarkets. 
This nearly universal access to advanced technology \nhas accelerated its propagation and has revolutionized the \nprocess of innovation in most technology-driven industrial and \nservice industries, including the defense sector.\n    Although legal and regulatory factors in the defense sector \nhave slowed the impact of globalization on its research and \ndevelopment (R&D) and acquisition processes compared to the \nprivate sector, the DOD too has succumbed to its technical, \ncommercial and industrial logic. By exploiting the technologies \ncreated or enhanced by the process of globalization, the \nmilitary capabilities fielded by the Department of Defense have \nbeen swiftly transformed from its industrial-age character that \ndominated its capabilities at the end of the Cold War. The \nprocess of transforming of U.S. military capabilities to highly \nadaptive information-age capabilities appropriate to the 21st-\ncentury threat environment is now at an advanced stage.\n    The globalization process has provided important cost, \nschedule and performance benefits to the DOD and its industrial \nbase. The underlying technologies which create the most \ndecisive modern military capabilities are derived from \ndevelopments in the civil technology sector. The highly \ncompetitive civil technology sector is thoroughly globalized. \nThe pace of its development of technology is very rapid \ncompared to the technologies developed solely within the \ndefense sector and are usually associated with both declining \ncosts and increasing capabilities.\n    The DOD has been very successful in applying the benefits \nof globalization to many of its critical mission areas. 
For \nexample, substantial improvements in counter-improvised \nexplosive devices (IED) technologies and mine-resistant armor-\nprotected vehicles used in Iraq and Afghanistan are products of \nforeign developments brought to the United States through the \nCFIUS process and managed as foreign owned, controlled or \ninfluenced entities by the Defense Security Service.\n    The success the defense industry has enjoyed in its \nexploitation of the globalization of modern technology must, as \nthe ranking member noted, be tempered with the recognition of \nthe risks and vulnerabilities created by this evolution in the \nmanner in which military capabilities are created.\n    Protecting America's military edge depends in part on the \neffectiveness of the National Industrial Security Program. The \nfact that an increasing fraction of the underlying technologies \nthat are drawn upon by the defense industrial sector to create \nadvanced military capabilities developed in the civil sector--\nand, in many cases, are developed abroad--changes the \nenvironment in which the Industrial Security Program must \noperate.\n    This is so because the core military capabilities we create \nresides not in the technology itself, but in the manner in \nwhich these civil technologies are converted into military \ncapabilities. The details of how these technologies are \nengineered into military systems, especially the software and \nalgorithms used to render the hardware effective in its \nmilitary applications, and the manner in which individual \nsystems interact in a system of systems is at the heart of what \nthe industrial base needs to protect from potential \nadversaries.\n    In the 1990's, the DOD recognized that it was becoming \nincreasingly dependent on the globalization of the technology \nbase. To increase DOD's access to advanced technology, the DOD \nmade some shrewd decisions in the 1990's that have been re-\nenforced by subsequent decisions in recent years. 
The executive \nbranch took two parallel paths toward improving access to \nadvanced technology in the international market.\n    First, the U.S. Government sought to reform the process by \nwhich the DOD could procure defense products from producers \nabroad. The executive branch sought to liberalize the defense \ntrade process both during the Clinton and the current Bush \nAdministrations. The key elements of the proposed process-\nliberalization initiatives--the Clinton Administration's \nDefense Trade Security Initiative in 2000 and the Bush \nAdministration's NSPD-19 defense trade process reform \ninitiative in 2002--were both rejected by the Congress, \nalthough some of the reforms were subsequently incorporated in \nU.S. Government practice administratively.\n    The other dimension of the reform process has been much \nmore successful. In the early 1990's, the DOD liberalized the \nprocess pertaining to the regulation of foreign investment in \nthe defense sector. The policy change encouraged foreign \ninvestment in the defense sector, but did so by the DOD's \nembracing of mitigation measures known as special security \nagreements, and some variants of those, which mitigates the \nrisk that the presence of a foreign investor might pose to the \nsecurity of U.S. classified and export-controlled technology in \nthe possession of a cleared U.S. company. The mitigation \nprocess focused heavily on industrial security, as established \nin the National Industrial Security Program Operating Manual.\n    The mitigation process I have described is one with which I \nhave considerable personal experience. For more than 15 years, \nI have served as an outside director on the U.S. subsidiary of \nforeign-domiciled firms in the U.S. defense sector. My personal \nexperience with this process is entirely satisfactory from the \nperspective of meeting the aims of the program. 
The security \ncompliance with both classified and export-controlled \ninformation is of a very high order, reflecting the \npreoccupation with security of the U.S. managers of the \nsubsidiaries. At the same time, the firms are adding value to \nthe U.S. defense program by bringing investment and advanced \ntechnology to the defense market that expands and strengthens \nthe industrial base resident in the United States.\n    The threat posed to the security of information for both \nforeign firms present in the U.S. market as well as U.S. firms, \nincluding classified and export-controlled information, is \nevolving. As I have noted, much of the underlying technology \nthat drives the creation of advanced military capabilities is \nunclassified, and this information resides on computer \nnetworks. These networks are now the focus of attacks by \npotential adversary states and nonstate entities.\n    The President's Cyber Security Initiative addresses a very \nimportant gap in the ability of the industrial base to protect \nits proprietary, unclassified information. The industrial base, \ndomestic- or foreign-owned, lacks the knowledge that only the \nU.S. Government possesses about how to protect their computer \nnetworks that are part of a larger, national information \ninfrastructure from foreign computer network exploitation and \nattack.\n    The area of cyber security appears to be the domain in \nwhich the technology security of the defense industrial base is \nmost at risk for both domestic- and foreign-owned firms \noperating in the U.S.\n    Mr. Chairman, I would be pleased to respond to any question \nyou or members of the committee may have. Thank you very much.\n    [The prepared statement of Dr. Schneider can be found in \nthe Appendix on page 51.]\n    The Chairman. Dr. 
Schneider, thank you for being with us.\n    Ann Calvaresi Barr, welcome.\n\n  STATEMENT OF ANN CALVARESI BARR, DIRECTOR, ACQUISITION AND \n     SOURCING MANAGEMENT, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Ms. Calvaresi Barr. Thank you.\n    Mr. Chairman, members of the committee, thank you for \ninviting me here today to discuss GAO's work on the National \nIndustrial Security Program and Defense Security Service's \n(DSS) oversight of it.\n    As you know, our body of work on government mechanisms \ndesigned to protect critical technologies while advancing U.S. \ninterests has revealed alarming gaps in our safety net for \nkeeping certain defense-related knowledge out of the wrong \nhands. Systemic vulnerabilities, not only in industrial \nsecurity but also with export controls, foreign military sales \nand foreign acquisitions, were so significant that GAO \ndesignated the effective protection of technologies critical to \nU.S. national security interests as a government-wide high-risk \narea in 2007.\n    Today I will describe how improvements to DSS's Industrial \nSecurity Program could strengthen our protection of critical \ntechnologies. Let me start by briefly summarizing three key \nweaknesses we reported on in 2004 and 2005.\n    First, DSS cannot determine how well facilities are \nprotecting classified information because it lacked overall \ndata on the quality of compliance, the types of violations and \ntheir frequency. Regarding contractors under foreign ownership, \ncontrol or influence, DSS did not know the extent to which \nthese contractors reported foreign involvement in a timely \nmanner or had access to classified information before \nprotective measures were put in place.\n    Second, DSS did not properly identify possible compromises \nto classified information, as required in their operating \nmanual. 
For roughly 75 percent of the 93 violations we \nreviewed, DSS either made no determination regarding compromise \nor made determinations that were ambiguous and not covered in \nthe manual. As a result, affected agencies were not notified of \nviolations and, therefore, could not take any action to \nmitigate damage that may have occurred. In cases where clear \ndeterminations were made, DSS often did not notify affected \nagencies in a timely manner. In one case, notification was \ndelayed five months.\n    Third, DSS field staff lack the guidance, training and \ntools necessary to effectively carry out their oversight \nresponsibilities. Of particular concern is their lack of \nunderstanding about corporate structures, legal ownership and \ncomplex financial relationships. And this occurs when foreign \nentities are involved. This is knowledge that is basic to \ndetermining and mitigating risk and then effectively overseeing \ncontractors' actions.\n    Addressing these and other weaknesses we found would help \nmitigate the risk of classified information being compromised. \nFor example, identifying patterns of violations based on \nfactors such as the type of work conducted at the facilities, \nthe facility's government customer and the facility's corporate \naffiliations would enable DSS to identify problems and target \nneeded actions. Similarly, timely notification of potential \ncompromises to classified information would allow affected \nagencies to take stock of the damage and promptly take needed \naction to further minimize loss.\n    We made a number of operational recommendations aimed at \nbetter ensuring that classified information entrusted to \ncontractors would not be compromised, many of which DOD did not \ninitially concur with. We are pleased, very pleased, to hear, \nas Ms. Watson pointed out, that DSS is now working to \nstrengthen its Industrial Security Program. Notably, and also \nas Ms. 
Watson pointed out, DSS implemented a strategy to better \nposition its industrial security representatives, a strategy \nconsistent with our recommendations to provide targeted \ntraining for identified skill gaps and explore options for \nimproving headquarters' support of field operations.\n    While we are certainly encouraged by DSS's initiative, \nother actions, as Ms. Watson also alluded to, are needed to \nfully address our recommendations.\n    Mr. Chairman, I would like to thank you again for giving us \nthe opportunity to be here today. As our designation of ``high-\nrisk'' indicates, the protection of critical technologies \nwarrants a strategic re-examination of existing programs to \nidentify needed changes and ensure the advancement of U.S. \ninterests. I believe this hearing contributes to that strategic \nre-examination.\n    This concludes my statement. I would be happy to answer any \nquestions that you or other members of the committee have. \nThank you.\n    [The prepared statement of Ms. Calvaresi Barr can be found \nin the Appendix on page 60.]\n    The Chairman. Thank you very much.\n    I understand, Mr. Torres, you are here to answer questions. \nAm I correct?\n    Mr. Torres. Yes, sir, that is correct.\n    The Chairman. Thank you.\n    I will just begin with two very quick questions to Ms. \nWatson, if I may.\n    You stated that the Defense Security Service was \nunderfunded and understaffed when you first arrived. That was \ntwo years ago. Is that correct?\n    Ms. Watson. Yes, sir.\n    The Chairman. Do you have enough staff today and are you \nfully funded today to do your job?\n    Ms. Watson. I am fully funded to do my job. We had an \nincrease in our budget in the last year of $80 million, which \nis substantial.\n    We are not properly resourced yet in terms of personnel \nbecause of the hiring process in the Department. I have the \ngovernment positions available. We are hiring at DSS across the \nboard. 
Almost half of the new hires are going to the Industrial \nSecurity Program, both in headquarters and in the field.\n    The Chairman. How short are you, as we speak, in staff?\n    Ms. Watson. Well over 100.\n    The Chairman. What is your total number of staff members?\n    Ms. Watson. Total DSS is about 750, give or take a few \npositions.\n    The Chairman. Good. Thank you very much.\n    Mr. Hunter.\n    Mr. Hunter. Thank you, Mr. Chairman. And, again, thanks for \nholding this hearing.\n    Let me go to a--I have here one of the certificates that \nare filled out with respect to the degree of foreign ownership. \nAnd I noted that the requirement to update the certificates has \nbeen changed, the reporting requirements have been changed to \nbe updated only when there are, quote, ``material changes'' to \nthe information previously reported.\n    Are any of you folks up to speed on this certificate and \nthe fact that it is now--that the update for the certificate of \nforeign ownership is now basically discretionary and it is only \ntriggered when you, the company, feel that there is a, quote, \n``a material change'' in the ownership, which would seem to be \nvery vague?\n    Are you up to speed on that at all?\n    Mr. Torres. Sir, I will take that question.\n    The requirement was changed in the 2006 National Industrial \nSecurity Program Operating Manual (NISPOM) from a mandatory \nfiling every five years, and that is no longer required. \nHowever, there is a requirement that any time a material change \noccurs, reporting is required. And a material change is defined \nas any change to the answers to the questions on the form.\n    In addition to that, we----\n    Mr. Hunter. Now, say it again. A material change is \nidentified as what?\n    Mr. Torres. Any change to any of the answers on the form. 
\nSo if you changed an answer to the question from a ``no'' to a \n``yes,'' that now somebody has more than a five percent \ninterest, you need to report that.\n    We have received information that this information, what a \nmaterial change is, may not be sufficiently understood, and we \nare working with the Defense Security Service on a process to \nmake sure that that is clearly understood.\n    But in addition to that requirement to report voluntarily, \nDefense Security Service, in their program of oversight, does \nensure that those questions are asked and that is part of their \ninspection cycle. And Ms. Watson may have additional \ninformation on that.\n    Ms. Watson. Mr. Torres is correct; we do routinely inspect \nthese companies, usually at least once every 12 months.\n    In addition to the formal inspections, we have a robust \nadvice and guidance program at DSS, which takes much of the \ntime of the industrial security representatives in the field. \nWe have a robust relationship with our industry partners, with \nthe facility security officers. So any time they have a \nquestion or are looking for guidance, they contact us as a \nmatter of routine.\n    So there is much more to the DSS oversight than a once-a-\nyear inspection.\n    Mr. Hunter. Okay. Well, the reason I ask that question is, \nI mean, the term ``material'' is in the eyes of the beholder. \nAnd it seems to me, on something this important and in an area \nthat requires clarity and requires accountability, that is \ngenerally tossing the ball to the contractor and letting them \nmake a determination, which may or may not be a timely response \nto something that is very important.\n    Now, with respect to the ownership of a company, you have \nall these new devices now that manifest property ownership--\nhedge funds, for example. How do you tell if a hedge fund has \nnow become part owner of this organization if you don't know \nwho the investors in the hedge fund are?\n    Ms. Watson. 
Well, you have pointed out how difficult our \njob is at DSS. I want to make a couple of comments about your \nquestion.\n    In terms of the definition of ``material change,'' we agree \nwith you that it needs to be clarified in order for us to \nperform our oversight function. We are issuing, in conjunction \nwith the Security Directorate, an industrial security letter. \nThat is a tool that we have to update policy as a matter of \nroutine. And that will be going out in the near term.\n    DSS, after implementing the new NISPOM for the last two \nyears, has recommended that additional guidance be provided, \nbecause there is confusion in industry on that point.\n    Mr. Hunter. Well, why don't we just go back to the time-\ncertain reporting requirement that you had, where it wasn't \ndiscretionary as to whether or not these companies report in?\n    Ms. Watson. Well, it seems to me that that is one way to \nattack the problem, but with the fast-paced business world that \nwe are living in, I don't know that an update every five years \nis going to give us the information we need.\n    Mr. Hunter. Well, then make it shorter, but make it--you \ncould have both cases. That is, if you have a material change--\nand make sure that they know up front precisely what that \nmeans--that if there is any change in ownership, that it be \nreported. But then also have a time certain when they simply \nhave to submit a new report.\n    But of the 8,000 contractors that you folks are monitoring, \nhow many DSS industrial security personnel do you have \nmonitoring those 8,000 contractors?\n    Ms. Watson. We have approximately--in the agency, about \nhalf of the workforce is dedicated to the Industrial Security \nProgram. We have about 350 full-time equivalents (FTEs) in that \nprogram.\n    Mr. Hunter. So you have about 175 people?\n    Ms. Watson. No, no, 350 on the industrial security----\n    Mr. Hunter. 
But you said about half of them--okay, about \n350 people monitoring the contracts?\n    Ms. Watson. Yes.\n    Mr. Hunter. Okay. And that is for about 8,000 contractors?\n    Ms. Watson. And 12,000 facilities, yes.\n    Mr. Hunter. Okay.\n    Now, Ms. Calvaresi Barr--did I get that right?\n    Ms. Calvaresi Barr. You did get that right. Thank you.\n    Mr. Hunter. Okay. You said that the GAO's analysis here, \nyou found that you had folks in DSS that didn't understand the \ncomplexity of these ownership vehicles. I think that is \nsomething that we are seeing across the financial world right \nnow, is that things are packaged, repackaged, ownerships are \nless than transparent, you have these funds--I have talked to \ndefense contractors, in an anecdotal sense, who have said, ``My \ngosh, we have this new entity come in, and we say, `Who are the \nowners coming to buy very sophisticated, very sensitive \nstuff?', `It is a fund.' Well, who owns the fund?''\n    So my question is--and this goes back to whether there is a \nmaterial change in ownership. If you have a hedge fund getting \ninto basically an investment pool, getting into ownership of a \nsensitive defense contractor, how do we ascertain who the real \nowners are, who the owners in interest are of this particular \nentity?\n    Ms. Calvaresi Barr. Representative Hunter, you raise a very \ngood issue and one which not only the U.S. is concerned about \nbut many other countries as well. Hedge funds, sovereign wealth \nfunds--this is an issue of great complexity, and it is very \noften difficult to know where the money is coming from and who \nthe rightful players are.\n    I believe that this speaks to the work that we conducted at \nDSS on a couple of fronts. 
One was that many of the industrial \nsecurity representatives that are out there trying to determine \nthe extent to which there is foreign involvement, ownership and \ninfluence have difficulty navigating their way through these \ncomplex financial relationships, corporate structures.\n    And it was for that very reason that we made a series of \nrecommendations that indicated that there needed to be more \ntraining or guidance in terms of how to review contractors that \nare under foreign ownership. It is a difficult job. The \nindustrial security representatives, many of them, spoke with \nus about the difficulties that they had, that they lacked the \nbasic tools and the knowledge to really do their job well. And \nI think the examples that you bring up with hedge funds and \nsovereign wealth funds point to those difficulties.\n    The other point that I would like to make was earlier about \nwhen a material change has occurred. Our work did point to the \nfact that very long periods had transpired before DSS was aware \nof any material changes. And that was one concern that we had \nregarding the timely notification when changes did occur.\n    So those were some of our findings, and we made some \nrecommendations to address both of those points.\n    Mr. Hunter. Okay. And you made a statement about the \nshortcomings you saw in the security system. Then you stated \nthat DSS has moved to address those shortcomings; you are \npleased in some areas to see the progress.\n    So I think the general question from the committee would be \nevaluating--that you saw a problem, that DSS is moving at least \nin the direction of solving the problem. How would you grade \nthe--where would you put the present state of affairs, with \nrespect to security? On a 1 to 10, where were they when you \nmade your analysis?\n    Ms. Calvaresi Barr. We----\n    Mr. Hunter. And I know it is broad, but we are trying to \nget a bird's-eye view here.\n    Ms. Calvaresi Barr. 
It is very broad. I can comment back on \nwhen we looked at it. I want to be fair here. We looked in \n2004, and we looked in 2005. So we are not current, given the \nchanges that have occurred.\n    But on a scale of 1 to 10, I think the fact that we made 8 \nrecommendations in one report, 8 recommendations in another, we \nfelt that the program was woefully inadequate to identify when \nthere were risks in place and the fact that they had measures \nto protect unwarranted access to classified information. I \nwould certainly put it below average.\n    Mr. Hunter. Okay. Now that they have undertaken some steps \nthat you have talked about, have you evaluated where they are \nnow, having taken those steps?\n    Ms. Calvaresi Barr. We have not had an opportunity to go \nback and evaluate. As part of GAO's process, every year when we \nmake recommendations, we go back and follow up to document the \nextent to which those recommendations have been implemented. We \nmade a total of 16 recommendations in those 2 reports. We have \ncurrently closed two of those recommendations, but we are \nworking closely with Ms. Watson to gather documentation to \ndetermine what impact they have had.\n    And, again, these are steps in the right direction. The \ninitiatives are good. But, as we all know, guidelines and \ninitiatives are one thing. It comes when you really look at the \nimplementation, what differences are really occurring once the \nnew guidelines and implementation takes place. And we have not \ndone that yet.\n    Mr. Hunter. So you haven't. So that is a work in progress, \nso you can't tell where you would place them right now.\n    Ms. Calvaresi Barr. I could not.\n    Mr. Hunter. Would you agree that this is a critical area to \nnational security and one in which Congress should be involved \nin oversight?\n    Ms. Calvaresi Barr. 
Absolutely a critical area.\n    And as I mentioned in the beginning, I wanted to put the \nIndustrial Security Program in the context of the larger safety \nnet of those programs that are there to protect what is \ncritical to the U.S. Those include things like, as you \nmentioned, CFIUS, foreign military sales, anti-tamper, the \nexport control process. Industrial security is just one \ncomponent of that.\n    But I think, as we talk about the rapidly growing trends in \nglobalization and the foreign influence that we have, it is \nabsolutely essential that each individual program within that \nsafety net work effectively. And they all rely on each other \nworking effectively.\n    I would say, right now, the larger safety net of programs \nthat we have in place to protect what is critical, that safety \nnet looks like Swiss cheese. It needs to be addressed; it needs \nto be fixed.\n    Mr. Hunter. Okay. Thank you.\n    Mr. Chairman, I would just say to my colleagues, I think \nthis is going to be one of the critical issues of the coming \nyears, because there is a lot of cash money out there in the \nworld now; there are a lot of cash-hungry American companies, \nincluding companies in the defense complex. And the potential \nfor targeting sensitive security areas by these sovereign \nwealth funds and by nefarious participants in these hedge \nfunds, that opportunity is very large right now and will be \nlarge for the coming years.\n    And there is one entity that is responsible for making sure \nthat we keep this security; that is us. And my urging to the \ncommittee is that we exercise strong oversight in this area, \nmuch more than we have done in the past.\n    And I am reminded about the Huawei corporation, this \nChinese corporation which was trying to buy 3Com in partnership \nwith Bain Capital. 3Com does cybersecurity contracting for the \nDepartment of Defense. 
And the fact that Huawei is a Chinese \ncorporation closely connected with the Chinese military--also \nhappens to be the people that helped Saddam Hussein set up his \nair defense systems against Americans--and the fact that they \ncame close, from the report that I got--we urged CFIUS not to \nsupport this, not to give the okay or the green light to this \nparticular transaction--but they came close to making that \nacquisition with the compliance and participation of a so-\ncalled responsible American investment fund, I think is \nillustrative of this challenge we are going to have over the \nnext 5 to 10 years.\n    We have people with lots of cash, and we have American \ncompanies desperate for cash, and that creates a very difficult \nsituation. So I hope that the committee weighs in in this area.\n    And I will have some other questions at the end. Thank you \nfor letting me take so much time, Mr. Chairman.\n    Mr. Ortiz [presiding]. Thank you. Let me say thank you so \nmuch for the work that you do. This is not an easy job that you \nhave. It is a very sensitive area. Sometimes it is hard to \nunderstand.\n    Like my good friend, Mr. Hunter, was stating, there are \npeople all over the world, a lot of joint ventures going on, \npeople going to different countries to join in the joint \nventures; and sometimes in these joint ventures they might \ndevelop something that, unknown, later becomes a very sensitive \nequipment.\n    So how do we get these people to apply or work with your \noffice and to tell you that they have developed this sensitive \nequipment? How do you police that? Sometimes it might be \nignorance of some people. And some people might be hungry for \nmoney, and they just want to develop that incentive. So at what \npoint do you get some of these companies or joint ventures to \ncome and report to you? Or do you go to them?\n    Any one of you that can try to answer that.\n    Ms. Watson. 
The role of DSS, sir, is right now confined to \nthe classified arena. So DSS would only be involved if there \nwas a classified contract.\n    Mr. Ortiz. Okay. I know that your problem has been \ncomplicated. As I was looking at the statement by Ms. Calvaresi \nBarr, where you state here that DSS industrial security \nrepresentatives face several challenges in carrying out the \nforeign ownership control responsibilities, largely due to \ncomplexities in cases because of the limited tools that you \nhave, the research, insufficient foreign ownership control, \ntraining, staff turnover, and inconsistencies in implementing \nguidance on these foreign licenses.\n    Now let's talk a little bit about staffing. Are you \nadequately staffed now?\n    Ms. Watson. Not at this moment. I have available positions, \nand I am hiring. I believe we will be adequately staffed once \nwe fill up all of our positions.\n    Mr. Ortiz. How many staff members will you normally have \nwhen you are staffed adequately?\n    Ms. Watson. We are authorized around 750 people now. That \nis an increase of about 150 from a year ago.\n    Mr. Ortiz. Now when you talk about tools that you might not \nhave, what are the tools that you will try to either obtain so \nthat they can make your job easier for you or maybe we are not \ngiving you enough money to buy those tools?\n    Ms. Watson. In the past, we did not have enough money to \nbuy the tools. We have right now an electronic database that we \nuse. It does not provide us with the information we need to \nproperly manage our workload or to perform analysis, so data \nretrieval is still a problem for us. We have analyzed that \nsystem. We are in the process of defining requirements to \nupgrade it so it will get us the information we need.\n    In addition to that, we are adopting the electronic tool \nthat the Department of Energy uses to manage their FOCI cases. 
\nI believe the Central Intelligence Agency (CIA) will be using \nthe same system. So all the key agencies that are involved in \nthis process will be on the same electronic system, which will \nallow us to do, again, better data retrieval and provide us \nwith the analytic tools that we are now lacking.\n    In terms of training for our people, I do want to make a \ncomment about that. We recognize how complex the FOCI world is. \nGAO is right to point out that our folks in the field were not \nproperly trained. Training was one of the first things to go at \nDSS over five years ago.\n    Because of the complex workload that we have, what we have \ndone now is singled out a cadre of 12 people that are currently \nemployed in DSS in the field, and we are in the process right \nnow of giving them specialized training so that they understand \nbusiness structures better and are better armed to perform the \nwork. So that we will be funneling FOCI cases to those folks in \nthe field. The more complex cases will still come to \nheadquarters, where we have a very small core. Right now, we \nhave five people, two of whom are leaving. We are in the \nprocess of beefing up the staff, but it is a challenge right \nnow.\n    When I came to this agency two years ago, it was broken \nacross the board, and it took a year to figure out where the \nproblems were and design a transformation plan. We just got our \nresources six months ago. This is an agency in transition. It \nwill be an agency in transition for as long as I am there. We \nhave a lot of work to do; and, in my view, we have just \nstarted.\n    Mr. Ortiz. If you don't mind, we want to help you; and I \nthink this is a very, very important subject we are talking \nabout today. It is a very important issue. We talk about the \nworld getting smaller because of new technology, coming closer \nand closer to each other. 
We want to help you.\n    If you don't mind, if you can give a list to the chairman, \nwe want to help you with the technology you need, the tools \nthat you need, so that we can help you.\n    Ms. Watson. Okay.\n    Mr. Ortiz. We want to work with you.\n    Let me compliment you on the great job that you do. It is \nnot easy. I know it is very complicated. I don't want to take \ntoo much time because we have got a lot of members who would \nlike to ask a lot of questions.\n    Now to my good friend, Mr. Saxton.\n    Mr. Saxton. Mr. Chairman, thank you.\n    Let me just follow up on a couple of the chairman's points.\n    First of all, Ms. Watson, let me add my thanks to you for \nwhat you are doing. I think all the members of the committee \nappreciate the job that you are doing, because this is such an \nimportant set of issues, and it is important and emerging, I \nguess.\n    Ms. Watson. Yes.\n    Mr. Saxton. The subject of globalization of the economy \ncertainly has ramifications on this topic. In fact, it is \ndriving what it is that we are concerned about here. \nInternational investment, international cross business \ntendencies, and the openness that the chairman talked about \nwhen he was opening this hearing all are issues that are \nhelping to drive our concern and your concern as well. When I \nsay ``your concern,'' I am talking about all of you who are \nhere trying to help us understand this set of issues.\n    Let me just ask this. In terms of our acquisition program, \nthe total universe of issues that we need to be concerned about \nare not just those that are worked by the Defense Security \nService. We also have to have concerns about--while you are \nconcerned about classified programs, we also have to be \nconcerned about nonclassified programs, don't we?\n    Ms. Watson. Yes, sir.\n    Mr. Saxton. So is there anybody watching the nonclassified \nprograms?\n    Mr. Torres. 
I will take a little bit of that question, if I \ncould.\n    Another responsibility within our office is to write policy \nfor research technology protection. Particularly, that program \nis designed to help research and technology personnel in \nidentifying what their critical information is, specifically, \nCUI, controlled unclassified information, so we can make sure \nthe right protections are put in place for that classified \ninformation. That particular document for research technology \nprotection is drafted and currently in coordination in the \nDepartment.\n    But, to answer your larger question, I am not aware of \nanyone who has an affirmative role or mission over industry to \nactually look at those particular programs similar to the way \nDefense Security Service does for classified programs.\n    Mr. Sullivan may have some additional information.\n    Mr. Sullivan. There is one initiative going on being led by \nMr. John Grimes, Assistant Secretary of Defense for Network \nIntegration; and that is to take a look at unclassified \ncomputers in the defense industry. As we all know, the \nunclassified computers have been subjected to an awful lot of \nattacks by foreign governments, foreign countries, or at least \ncoming from those directions.\n    There is an extremely important program going on right now \nto work with industry to do a couple of things, and I can't \ndiscuss most of them in this forum. But I think it would be \nhandy for either us to point your staff toward Mr. Grimes and \nhis staff or us to give you a little background.\n    Mr. Saxton. Outside of Mr. Grimes, there is no--yes, sir.\n    Dr. Schneider. Mr. Saxton, if I could add a point on this. \nAn important fraction of the unclassified information is \nexport-controlled. Those technologies are managed under the \nInternational Traffic and Arms Regulations, which in turn is \nthe responsibility of the Department of State. 
The mitigation \nplans required for foreign-owned, controlled or influenced \ncompanies, for example, in their special security agreements, \ninclude provisions relating to the protection of export control \nbut unclassified information.\n    The Department of State has conducted some inspections, I \nknow, of foreign-owned, controlled, and influenced companies. I \nsuspect that if the committee wanted further information on the \nmanagement of the unclassified defense technology that is \nexport controlled, it could be obtained from the Department of \nState.\n    In parallel, the Department of Commerce has the Export \nAdministration Regulations, which it is responsible for \nenforcing.\n    Mr. Saxton. Ms. Calvaresi Barr, I know you want to say \nsomething, but let me just try to put a frame around what I \nthink I am hearing.\n    There are a variety of organizations, computers, Department \nof State, maybe some others, who have some fragmented \nresponsibility of looking at Defense procurement as it relates \nto unclassified programs. But there is nothing like the Defense \nSecurity Service in the Department of Defense looking \nparticularly at unclassified programs.\n    Ms. Calvaresi Barr.\n    Ms. Calvaresi Barr. I think it is correct that there are a \nmyriad of programs and policies that are in place, some of \nwhich deal with unsensitive, unclassified information, \nequipment, know-how components. Export controls plays, as Dr. \nSchneider said, a very, very large part in that.\n    What I wanted to mention is that GAO has conducted a body \nof work on the export control system and has found significant \nweaknesses and vulnerabilities in those systems as well. 
And I \nthink I would take it back to where I started, that you have \nthis larger safety net of programs with overlapping roles and \nresponsibilities, and it is absolutely critical that each of \nthose programs work hand in hand with one another and \ncoordinate closely in our work, not only within the individual \nsystems but looking at how well they were working in terms of \nsharing information and cooperation was not very good.\n    Mr. Saxton. Thank you.\n    My time has expired, Mr. Chairman. I thank you for having \nthis hearing.\n    I wanted to ask if you could describe--and perhaps some \nother members can pick up, because my time is over--but I \nwanted to ask you if you can describe exactly what an FOCI case \nis. I wanted to delve into this so-called self-reporting issue \na little bit more. Because, obviously, we need help, Ms. \nWatson, and you need help in providing your role as a monitor \non these so-called self-reporting--my word--self-reporting \ncases. Perhaps some other members will pick up on those issues.\n    Thank you.\n    Mr. Ortiz. Thank you.\n    Mr. Snyder.\n    Dr. Snyder. Dr. Schneider, I am over here. You can call me \ndoctor, because I am a medical doctor.\n    Earlier, Mr. Hunter was having a question with the other \npanelists about the hedge funds and the flow of money. Do you \nhave any comments on that issue of investors?\n    Dr. Schneider. Yes. There is, especially in the case of \nadvanced technology industries, a great deal of interest on the \npart of passive investors, including hedge fund and investment \nin this sector. The responsibility, of course, for managing \nthese investors largely falls to the Securities and Exchange \nCommission because of their responsibilities in that segment of \nthe financial services sector. Publicly held companies, the \nownership is changing hour by hour. 
It is an unusually \ncomplicated arrangement.\n    This is why the Defense Security Service, in the \nimplementation that I am familiar with, with foreign-owned, \ncontrolled, and influenced companies, that when an investor \nbuys it there is a great deal of specific disclosure required \nto understand who is the ultimate owner of the company. But, in \naddition, there are other provisions in the mitigation measures \nto separate the foreign investor from the control technology. \nThe details of that are contained in the agreement between the \nparent company and the Department of Defense that separates \nthem from those matters.\n    So the effectiveness of protecting the information from \nunauthorized disclosure, whatever the ownership situation is, \nis critical. That is those mitigation measures must be in place \nand must be effectively administered in order to maintain this \nbarrier between the foreign investor and the information that \nis managed by American citizens who would be working in the \nsubsidiary in the U.S.\n    Dr. Snyder. Regardless of who is buying in and out of the \nhedge fund or in or out of the investor pool of money.\n    Dr. Schneider. Correct.\n    Dr. Snyder. Ms. Watson, I had a couple of questions I \nwanted to ask you.\n    In the GAO statement, on page two, it talks about your \nfiles on contract or facilities security program and their \nsecurity violations. It says, ``Further, the manner in which \nthis information was maintained, geographically dispersed, \npaper-based files, did not lend itself to this type of \nanalysis.'' Do you all have paper-based files?\n    Ms. Watson. We did.\n    Dr. Snyder. Why?\n    Ms. Watson. The agency has been underresourced for \napproximately 20 years. We now have a database, the industrial \nsecurities facility database we use. It is not a system that I \nwould call the system of the future. It is what we have now. 
It \nnow houses the information that is collected in the field so \nthat we have a more robust oversight and cross-fertilization \nwithin the agency.\n    Again, that is a system we have just looked at, and we are \nmaking recommendations for upgrades and in the process of \ndefining the requirements for the upgrade so that we have a \nbetter system.\n    Dr. Snyder. Do you even know how many geographically based \ndispersed files are out there? I would think you would be \ntalking thousands.\n    Ms. Watson. In terms of files, exactly, no. We have 71 \nfield locations throughout the United States, and one of the \nresponsibilities of the industrial security representatives who \nare doing this work is to input the data they collect from the \ncompanies into the database.\n    Dr. Snyder. Would all those geographically dispersed files \nbe at one of those 71 sites?\n    Ms. Watson. They all have access to the entire database.\n    Dr. Snyder. But the files would not still be at the \ncompanies. They would have been filed at one of your sites. Is \nthat correct?\n    Ms. Watson. Our files are not at the companies. They are at \nour sites and at our database, yes, sir.\n    Dr. Snyder. You made reference to lack of resources in the \npast and your improvement in resources and you are still \nworking up your staff as far as the security clearances. What \nis your current backlog in terms of how far behind are you in \nnumbers and of time in terms of the security clearances?\n    Ms. Watson. Are you talking personnel security clearances \nor facility clearances?\n    Dr. Snyder. For the facilities.\n    Ms. Watson. Facility, it generally takes us--I don't know \nthe current backlog, but it takes approximately up to 180 days \nto get a facility clearance. The reasons for that are, one, we \nneed to make sure that the company has a facility security \nofficer. They have to have a facility security program.\n    Dr. Snyder. 
But you don't know right now how many companies \nare waiting?\n    Ms. Watson. No.\n    Dr. Snyder. How much delay there is?\n    Ms. Watson. No.\n    Dr. Snyder. Thank you.\n    Mr. Ortiz. Now we have our own scientist, Mr. Bartlett.\n    Mr. Bartlett. Thank you very much.\n    With the globalization of technology and industry, we are \nincreasingly challenged to maintain the premier military in the \nworld. Essential to that, of course, is our ability to be able \nto tap into the enormous resources represented by our small \nbusiness community.\n    A bit more than half of all the employees in our country \nwork for small businesses. Way more than half of all of the new \ninnovations come from small business. I note that in the little \nsummary given to us by staff it says that private industry or \ncollege or university must have a bona fide contract \nrequirement that necessitates a facility to hold or store \nclassified information before they can get a classified \ncontract. But to get a classified contract, you have got to \nhave a facility that is cleared. Not only that, you have to \nhave employees that are cleared to do classified work.\n    Now we have kind of solved the employee problem by having a \nmentor program where the employees of small business are \ntemporarily moved to a large business which has a classified \ncontract so that they then have a justification for asking for \na security clearance for the individual.\n    How do we work around this catch-22, that in order to get a \nsecurity clearance for your facility you have got to have a \ncontract that requires that, but, to get the contract, you have \nto have the clearance? How are we working around that?\n    Ms. Watson. I would like to take that question for the \nrecord.\n    Mr. Bartlett. You would like to take that question for the \nrecord.\n    [The information referred to can be found in the Appendix \non page 77.]\n    Mr. Bartlett. 
On almost a daily basis I have \nrepresentatives from small business coming through my office \nwith exciting new technologies, and they are out there waving \ntheir hands. And here I am. I have got this great new \ntechnology, and nobody is noticing.\n    You can't ask for what you don't know exists. When they \nhave the additional hurdle of--many of these things are going \nto end up classified, because they really are cutting-edge \ntechnologies. They have the additional hurdle of not being able \nto get a classified contract because they don't have a facility \nwhich has clearance.\n    So we have got to work around that somehow. How are we \ndoing that?\n    Ms. Watson. One way to work around it is if there is a \ngovernment activity that is interested in contributing with \nthat company on a classified basis, they can sponsor the \ncompany for a facility clearance.\n    Mr. Bartlett. Do what?\n    Ms. Watson. Sponsor the company for a facility clearance.\n    Mr. Bartlett. Before they have the classified contract.\n    Ms. Watson. Yes, sir.\n    Mr. Bartlett. Somehow, Mr. Chairman, there has to be a \nshortcut to this. Because these small businesses have limited \ncapital. They really can't hold on for a year or so while these \nthings happen.\n    And from my personal experience, I know that there is a \ngreat deal of technology out there in the small business world \nthat we are having great difficulty accessing because of the \nbureaucratic hurdles. They are intimidated by all of the red \ntape in getting a contract. Then when they have the additional \nburden that they can't get the classified contract until they \nhave a cleared facility, that they can't get the cleared \nfacility until they have a classified contract----\n    This requires a working relationship that is not easy to \ncreate. Where you have to have the government agency saying, \ngee, I would like this small business to work for me. 
\nTherefore, won't you give them a security clearance?\n    I don't know the proper procedure for developing a work \naround this. I know we have to have classified facilities, \ncleared facilities. I know that. But, right now, we are having \ngreat difficulty getting access to a lot of really important \ntechnology in the small business world because of this \ndifficulty.\n    What are the recommendations and how do we get there?\n    Ms. Calvaresi Barr. Representative Bartlett, I would like \nto make a comment based upon your question.\n    We also raised sort of on our high-risk list the need for \nthe Department of Defense to recognize what are the key \ntechnologies and what is critical to the U.S. in order to \nmaintain military superiority. We have done some work looking \nat how well informed we are about knowing what is militarily \ncritical, where do those technologies reside. Oftentimes, as \nyou say, some of the more innovative technologies and research \nand development resides at some of the smaller companies that \nare more innovative.\n    What we call for is that the Department of Defense sort of \ntake stock of what is needed, what is critical, where does it \nreside, and then look at all of the programs and policies that \nwe have in place that bring these needed technologies to the \nforefront and look to see what are the barriers, what are the \nchallenges. This needs to be a constant relook and re-\nexamination. Because, as we know, businesses continue to grow. \nThere is rapid advancements in technology. So it calls for that \nkind of continual oversight on behalf of industrial policy to \nrecognize where we need to go and how well equipped those \nentities are to overcome some of the obstacles and barriers \nthat you spoke about.\n    Mr. Bartlett. Mr. 
Chairman, we have common cause with our \nSmall Business Committee in desiring more access to the skills \nand resources of the small business community, and I would \nsuggest it might be productive to collaborate with them in \nseeing how we can work around this, obviously, catch-22 kind of \na problem that we have.\n    Thank you very much. I yield back.\n    Mr. Ortiz. Thank you.\n    Mrs. Boyda.\n    Mrs. Boyda. Thank you so much, Mr. Chairman, for calling \nthis hearing.\n    Thank you all for your service.\n    I represent Kansas, so there is a little issue about a \ncontract going to Airbus as opposed to Boeing. Knowing it is \ncertainly a complicated issue, but clearly I get asked on a \nregular basis not about so much why are we outsourcing our \njobs, it is why are we outsourcing our national security.\n    What role do you all play or do you play any role when it \ncomes to those contracts? Are you consulted on that? Do you \nweigh in on how well these people have done in the past or what \ntheir expectation is? What role do you play in the contracting \nprocess?\n    Ms. Watson. I would say we play a minor role, but it is \nimportant. Any company that currently has a classified contract \nthat is under the oversight of DSS gets a facility security \nrating every year after we do an inspection. We notify the \ngovernment contracting activities of those ratings. So they are \naware of how well we assess the company is postured to protect \nclassified in their hands.\n    Mrs. Boyda. Would you happen to know on the Airbus \ncontract, what we have finally called the Boeing contract in \nKansas, do you know if they already had a security clearance?\n    Ms. Watson. I don't know.\n    Mrs. Boyda. Could I just ask for the record just some \nbackground? Is it publicly available on what that was, what the \nstanding was? Was it part of your contracting?\n    Ms. Watson. 
Just for the record, DSS does not get involved \nin the contributing process itself.\n    Mrs. Boyda. Okay. My follow-up question would be to you or \nto any of you on the panel. Because the issue of outsourcing \nour national security, clearly. This was about jobs. But it is \nnot just about jobs. It is about outsourcing our national \nsecurity. What would you have me tell the good people of Kansas \nwhen they ask me what are we doing to safeguard that national \nsecurity?\n    From what I have heard today, we have had our fair share of \nchallenges in this area, and we are doing better. As you have \nsaid, we are going to be in transition for quite a while. What \nam I supposed to tell them about the security of our secrets \nand our classified information?\n    Ms. Watson. I think we have the proper framework in place \nto provide the security that we need. Any company that has \naccess to classified information needs a facility security \nclearance. In order to get that, their key management personnel \nneed a personnel security clearance. Usually, that is the head \nof the company. The facility security officer needs a security \nclearance, and so does anyone in that company that has access \nto classified information. So that is the general framework.\n    There is another comment I want to make about FOCI \ncompanies, to put this in perspective. FOCI companies come to \nus in two ways. One is a new company that is already under FOCI \nis seeking access to classified and needs a facility security \nclearance. So during the course of processing that company for \nthe clearance, we understand what the foreign ownership control \nor influence is in it.\n    There was a question earlier about hedge funds. We do not \napprove companies for access to classified unless we understand \ncompletely the ownership chain. 
So there is some transparency \nthere.\n    The second class of cases are companies that already have \nfacilities security clearances that are then--there is a \nforeign interest that acquires part of the business or there is \na control element that comes into play. That is when there \nwould be a material change that they need to report to us.\n    There have been lags in reporting. But, again, the \nfacilities security officers, if they are doing their jobs--and \nwe train them on how to do their jobs--report to us information \nlike that on a routine basis.\n    Mrs. Boyda. I am going to run out of time, but thank you.\n    If you would again, for the record, give me some background \nabout what the status of Airbus was, if they were already in \nthe category and they already have some of the clearances, you \nhave already done some of your inspections on that. I \nappreciate that.\n    [The information referred to can be found in the Appendix \non page 77.]\n    Mrs. Boyda. Again, it is very concerning to hear that we \nhave left this very important process pretty unfunded and \nwithout what they need to get the job done. So it is a little \nconcerning. Actually, it is very, very concerning. I appreciate \nthe work that you are doing to clear it up.\n    Thank you. I yield back.\n    Mr. Ortiz. Mr. Thornberry.\n    Mr. Thornberry. Thank you, Mr. Chairman.\n    Thank you all for being here.\n    I start out with a statement in Dr. Schneider's testimony \nthat says, ``Globalization of technology is no longer a choice. \nIt is a characteristic of the environment.'' I am afraid that \nsome people haven't quite realized that there is no going back. \nThe question is, how are we going to deal with this environment \nthat we are in? 
And that means we have got to sort out the good \nfrom the bad and avoid knee-jerk reactions, which I think we \nhave seen in some past cases.\n    In my mind, I kind of differentiate two sets of issues, \none, what we are looking for, what are the standards; and the \nsecond one is the enforcement of those standards.\n    Dr. Schneider, you were asked by Dr. Snyder a little bit \nearlier about the hedge funds and those kind of ownership \nstandards. But I notice in your testimony you talk about the \nkey thing we want to protect is the software algorithms that \nmake the hardware effective and work. I think about how much \nsoftware is off the shelf, comes from potentially other \ncountries, software providers that may not be a part of the \nsystems we are talking about here at all; and the concern I \nhave is that we are not asking the right questions, that maybe \nwe are not looking in all the places that we ought to look.\n    It even reminds me of the debate we are having now about \nfinancial institution regulation, which has not kept up with \nthe changes in global markets. Isn't that true for technology \nas well?\n    Dr. Schneider. Yes, I think that is a generally accurate \nstatement.\n    The defense establishment, for example, depends on \ncomputers. Computers use microprocessors. The software for \nthose is largely produced in a globalized environment. Indeed, \nthe nature of the industry is such that very little of this \nelement of the business is actually created in the defense \nsector.\n    What the defense sector does is take that information and \nin a classified environment create these algorithms so that a \nmicroprocessor that you might buy from a north shore supplier \nis then put into a system in such a way that it performs a \nmilitary task.\n    What is vital to us is to be able to protect the knowledge \nabout those algorithms. 
The fact that it uses a commercial \nmicroprocessor illustrates the fact that the underlying \ntechnology is not, per se, the sensitive part of it. It is \nthose algorithms that really create the military capabilities \nthat we need to protect.\n    So I think what the Department of Defense has been trying \nto do is to get some of both worlds, have a very successful \nindustrial security program that protects these algorithms in \nthe example I gave, while being able to take advantage of the \ntechnical advances that exist in the globalized market.\n    The Defense Science Board did two recent studies dealing \nwith the problem you mentioned. One is, how do we produce \nmission-critical software in a secure environment? The other \none was basically the same question with respect to \nmicroprocessors and hardware that is used in information \nsystems. It is a very challenging problem to be able to deal \nwith it and one that I think may interest this committee.\n    Mr. Thornberry. Definitely.\n    Ms. Watson, who sets the standards that you go enforce? It \nis not clear to me if, say, we want to have a different \nstandard or look at different questions, who decides that?\n    Ms. Watson. Right now, I would tell you that it is a policy \nmatter and that DSS provides input into the policy.\n    Mr. Thornberry. Who is the decider?\n    Ms. Watson. The Security Directorate.\n    Mr. Thornberry. That is?\n    Ms. Watson. Mr. Torres at the end of the table.\n    Mr. Thornberry. So it is up to Mr. Torres to say, yes, we \nare going to look for that because that matters or, no, we are \nnot going to look for that.\n    Mr. Torres. If I may interject here, the Security \nDirectorate is responsible for publishing and staffing the \npolicy with regard to two particular documents. One is the \nNISPOM. 
But the NISPOM, which is the overarching document that \ndictates what we are going to do from a security perspective, \nalso has other signatories to it, including Energy, Nuclear \nRegulatory Commission (NRC) and CIA. So we cannot unilaterally \ndecide what the standards will be on the NISPOM.\n    On the Industrial Security Regulation, which is the old \ndocument that we are now getting ready to restaff, although we \ndo coordinate that with all the interested parties, we have \nmore say in that particular document and we work closely with \nDefense Security Service because their input--they are the ones \non the front lines telling us what is working and what is not, \nand we depend heavily on them to tell us what needs to be \nchanged, as well as working with the National Industrial \nSecurity Program Advisor Committee (NISPAC), which is also an \noversight group for industry.\n    Ms. Watson. May I comment on that as well?\n    Mr. Ortiz. Go right ahead.\n    Ms. Watson. One of the things I mentioned in my oral \nstatement is we are contracting out of DSS for the FOCI \nprocess. We are going to have people look at the forms that are \nfilled out to make sure we are asking the right questions. So \nwe will feed that into the policy.\n    But there is a gray area between the overarching policy and \nthen how we implement it. We do have liberty at DSS in terms of \nhow we are going to implement that policy. If we think there \nare things we need to look at in a company, we will look at \nthem.\n    Mr. Ortiz. Thank you, ma'am.\n    Mr. Sestak.\n    Mr. Sestak. Thanks, Mr. Chairman.\n    First of all, Ms. Watson and the others, for the civilian \nemployees over there in DOD, we often commend the military when \nthey come up before us for their great service. And having \nserved 31 years in the military and worked alongside a lot of \ncivilians over there, given the resources, you are equally \ngreat. 
It really is a total force over there.\n    My question is--and this may have been asked because I have \nbeen in and out, and I am sorry about that. There is a primary \nin Pennsylvania debate tonight, and I'm----\n    Under the NISPOM, the FOCI chapter section of it--and if \nthis has been asked, I apologize--there is an annual review, \nand an annual certification that is done. Who reads those? Who \ndo they go to? How high up the chain of command? And do they or \nshould they come to Congress?\n    That last one was for excitement.\n    Ms. Watson. We do review the companies annually. We provide \na security rating to the company.\n    Mr. Sestak. Who reads them above you?\n    Ms. Watson. Well, any government contracting activity----\n    Mr. Sestak. I mean within the Department of Defense, within \nthe government. Does the Secretary of Defense get a brief on \nhow well we are doing this?\n    Ms. Watson. No.\n    Mr. Sestak. Sometimes, at least, my thing is, expect what \nyou inspect. Shouldn't we be passing these up further the \nchain?\n    Ms. Watson. They are passed up the chain.\n    Mr. Sestak. Who gets them? That is what I am trying to get \nto.\n    Ms. Watson. I understand that. I am trying to answer this.\n    Say if a company had a classified contract with the Army, \nthe Army is the government contracting activity. We would \nprovide our report and our findings to the Army. So it is their \nclassified information at risk, not DSS's. So they understand \nwhat the security posture is of the company within their \ncontract.\n    Mr. Sestak. So it gets passed to somebody in the Army.\n    Ms. Watson. Yes. If the company had 12 contracts with 12 \ndifferent entities, they would all get that.\n    Mr. Sestak. My next question is, if it doesn't all come \ntogether, are you unable to tell us what the trend analysis is? 
\nIn other words, what are the violations that are occurring that \nwe are able, with this nice centralized data, being able to say \nthat is a recurring problem. Do we do that?\n    Ms. Watson. We are struggling with trends analysis, \nparticularly in the FOCI world. We do have a \ncounterintelligence element in the industrial security program. \nIt is an integrated part of that program. They publish a \ndocument annually generally called Technology Trends. We have a \nclassified and unclassified version.\n    So the basis for that report is we educate the facility \nsecurity officers and the folks in industry. We gave over 1,000 \nbriefings to industry last year.\n    Mr. Sestak. I only have a few moments, because they always \ntake away an extra minute from a freshman. I have one more \nquestion. I am going to ask you to answer this. The question I \nwould like also, if there is time, are you able to tell in this \ntrend analysis where technology is going?\n    Ms. Watson. Yes.\n    Mr. Sestak. Good. Those reports go to whom?\n    Ms. Watson. That document is available in an unclassified \nand classified version. We do send it out to industry so that \nthey understand what the threats are that they are dealing \nwith.\n    Mr. Sestak. Does it go above you?\n    Ms. Watson. It is disseminated throughout the Department, \nyes, sir.\n    Ms. Calvaresi Barr. Yes, I just wanted to comment that the \nquestions that you asked are where we saw some key \nvulnerabilities. 
One is that the overall performance ratings at \nthe facilities were not being fed up to DSS headquarters so \nthat they could do the kind of trend analysis that you pointed \nto: numbers of security violations, by what corporate \naffiliation, for what kind of data, which government customers \nor agencies were affected.\n    We raised this pretty significantly in the reports that GAO \ndid so that you could do the trend analysis, target where there \nwere problems, and put corrective actions in place.\n    Mr. Sestak. Could you see there would be value if this \nreport was required to go up further the chain of command or \ncome to Congress or anything?\n    Ms. Calvaresi Barr. Well, I think holding folks accountable \nfor their role and their mission needs leadership, and you need \nleadership at the top. It needs to be a priority. So you need \nto have those that are concerned about it, looking at it, \nasking questions and putting the right things in place.\n    To the extent that that is happening, I think we have great \nleadership here now at DSS. Kathy has done just an amazing job \nsince GAO has looked at really trying to get her arms around \nthis and address it. But I think the support going up the chain \ncould be further advanced.\n    Mr. Sestak. Mr. Chairman, really, the question sometimes, \nif it does go up the chain of command, it can actually get her \nsupport.\n    Thank you very much.\n    Mr. Ortiz. Thank you.\n    The gentleman from Texas, Mr. Conaway.\n    Mr. Conaway. Thank you, Mr. Chairman. I appreciate that.\n    We have had some discussions about ownership of companies. \nHave we had instances where the owner of a company breached the \nagreement, the classified agreement within the company, and \ntook access to classified data that it shouldn't have? Has \nthere been a problem with ownership in terms of violations?\n    Okay. I actually have a copy of the last Technology Trends. 
\nThe biggest trend is they simply ask for the information.\n    Ms. Watson. Yes, sir.\n    Mr. Conaway. How successful are they at asking and getting \nclassified information by just asking?\n    Ms. Watson. I think they are fairly successful, and it \nwouldn't just be classified information.\n    Mr. Conaway. I think this is just for classified \ninformation. The most successful intelligence-gathering \nfacility--about classified information is people just ask the \nfolks who have it, and they give it to them?\n    Ms. Watson. The reason we know that is because the \ncompanies are reporting that back.\n    Mr. Conaway. Those are the attempts. How successful are \nthose attempts at getting classified information? We know that, \nsay, 50 percent of the attempts were just simply asking for it. \nThe company said that looks like a probe of some sort, and they \nstopped it. Can we tell if they are successful one percent of \nthe time at getting classified information?\n    Ms. Watson. I can't give you a percentage. What I can tell \nyou is when the companies report that information back to us, \nwe don't just hold it at DSS. We disseminate it across the \ncounterintelligence and law enforcement community. The number \nof suspicious contacts reports we are receiving in the last \ncouple of years has exploded.\n    Mr. Conaway. This is 2004 data. When will we get the new \none?\n    Ms. Watson. We are aiming for this fall. We have changed \nthe methodology we use to prepare and coordinate that document. \nIt will be coordinated within DSS and throughout the community.\n    In terms of dissemination of the document, I do want to \nnote that it goes to the National Counterintelligence \nExecutive, and they incorporate much of our annual report in \ntheir annual report to Congress on espionage.\n    Mr. Conaway. But in terms of your dealing with the \ncompanies--and I will get the phraseology wrong. 
In terms of \nthe cleared, or whatever you call it, you have got an \nindividual who has a security clearance appropriate for the \nlevel of classified information that they have----\n    Ms. Watson. Yes.\n    Mr. Conaway [continuing]. And that is our basic last line \nof defense, is that person watching how the program works \nwithin the company, making sure that new employees don't just \ncome tricky-trotting in and get access to it, to the \ninformation. That is the person that you work the most with?\n    Ms. Watson. The facility security officer, yes, sir.\n    Mr. Conaway. Okay. How good are they?\n    Ms. Watson. They are very good. They are trained. They are \nwell compensated in industry. They have robust programs. We \nhave a robust relationship with them.\n    Most of the bigger companies have annual conferences with \nall their facilities security officers. We are invited to \nparticipate in them. We have ample opportunity to do so.\n    Mr. Conaway. We had a suggested violation from a hedge \nfund, sub-owner in a hedge fund that we talked about this \nmorning. Any instances where one of the facility security \nofficers has said, you know, a hedge fund bought 10 percent of \nthe company and some minion from the hedge fund came tricky-\ntrotting in here one day and asked to see classified \ninformation?\n    You better say no.\n    Ms. Watson. The general comment--I wouldn't know that it \nwould be from a hedge fund, but certainly we have seen \ninstances where the foreign ownership interest is represented \nwith visitors and they do try to seek access. That is one of \nthe guards that are in place in the company.\n    Mr. Conaway. Okay. But the security--facility security \nofficer would know that that is a risk that he or she should be \non guard for.\n    Ms. Watson. Absolutely.\n    Mr. Conaway. Have we had instances where the new owners \nattempted to bully that officer into doing something he or she \nknows that is not right? 
Where that new owner has feared or \ntried to replace someone in a position that was not letting \nthem get access?\n    Ms. Watson. I cannot today speak to a specific instance \nthat comes to mind. But in a situation like that the government \nsecurity committee, the outside directors, if you will, are in \na position to monitor that type of activity as well.\n    Mr. Conaway. Protect them from undue influence.\n    Ms. Watson. Yes.\n    Mr. Conaway. Thank you, Mr. Chairman. I yield back. Looking \nforward to getting this new report.\n    The Chairman [presiding]. The gentlelady from California, \nMs. Davis.\n    Mrs. Davis of California. Thank you, Mr. Chairman.\n    Thank you to all of you for being here.\n    I wonder if you can clarify for me the role of the National \nSecurity Council (NSC). Mr. Thornberry mentioned the number of \nagencies that are involved. I am trying to get a handle on \nwhether that is policy alone and if in fact you believe that \nperhaps there should even be a greater role. Could you describe \nthat for me? Is that Mr. Torres?\n    Mr. Torres. The role in the National Security Council, as \nit is with most security policy, is that from an oversight \nperspective. So most of the policy is not written there unless \nthere is some reason for that level to decide that things are \nnot working the way they should and take affirmative action. So \nit is an oversight role, but most of the policy is developed at \na lower level with the national security program, with us as \nthe lead, the executive agency with the Information Security \nOversight Office (ISOO). Of course, that would be coordinated \nup through the National Security Council to make sure that they \nare in agreement with what the policy will be.\n    Mrs. Davis of California. 
There have been a number of \ncomments made basically that the agency was broken across the \nboard, and you said that they might be dealing at the lower \nlevel with policy, but it should be going up the board if \nanything is going poorly. Were they playing a role?\n    Mr. Torres. I can't comment as to whether they were \ninvolved previously, but I can tell you that at this point \nthere really is not a need for their involvement. Because, as \nwe stated previously, Defense Security Service now, in our \nopinion, has leadership that is needed to get this right. The \nworking relationship between Defense Security Service, the \nSecurity Directorate, counterintelligence security, the GAO, I \nthink is going very, very well.\n    I don't think that there is any need to push anything \nfurther, because we really need to, as the folks with boots on \nthe ground at Security Defense Service, need to tell us what is \nreally needed, and they are actually doing that.\n    Mrs. Davis of California. Can I ask you, Ms. Watson, would \nit be helpful to have them feel like a stronger partner in this \nat all? Or basically you don't need that kind of oversight or \ncoordination?\n    Ms. Watson. I think there is a partnership here, and there \nis a role for everyone to play. The NSC is involved at a very \ntop level.\n    More importantly is the role of the ISOO in developing \npolicy here. The ISOO, Information Security Oversight Office, \nfrom National Archives Records Administration plays a role \nhere, as does a group called the NISPAC. It is another acronym. \nThat is the industry group that participates as well in the \noversight and policymaking element here.\n    That group, the NISPAC, has a meeting semiannually. It is \nsponsored by ISOO. It has participation from all 23 government \nagencies that participate in the National Industrial Security \nProgram and from DSS as well.\n    Mrs. Davis of California. 
But the final accountability, and \nI think you covered this earlier, but the final accountability \nis where?\n    Ms. Watson. The accountability in terms of policy?\n    Mrs. Davis of California. Overall, yes.\n    Mr. Sullivan. Ma'am, according to the executive order that \nestablished the National Industrial Security Program, the NSC \nhas overall responsibility for policy. The Information Security \nOversight Office implemented the program on behalf of the NSC \nand establishes the committee that Kathy mentioned, which is an \nentity established to address major policy issues, the \ncoordination of the information that goes into the operating \nmanual. So I think the answer to your question by the executive \norder is the NSC for policy matters.\n    Mrs. Davis of California. And to the GAO, in your report \ndid you locate that as the center of accountability or \nresponsibility?\n    Ms. Calvaresi Barr. We really just focused on DSS and \nnational industrial security and what was happening on the \nground to even first identify that a risk occurred and then the \ntiming of putting protective measures. So we didn't really do \nthe review looking at is the right accountability change. We \njust wanted to know whether they were doing their job as their \nmission called for in the first place, and our recommendations \nwere directed in line with that.\n    Mrs. Davis of California. Thank you. I know that you \nmentioned earlier the importance of the accountability piece. I \njust wanted to be sure I understood that.\n    Ms. Calvaresi Barr. It is important. It is important in any \nprogram, particularly programs that are protecting critical \ntechnologies.\n    Mrs. Davis of California. Thank you.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you very much.\n    The gentleman from Missouri, Mr. Akin.\n    Mr. Akin. Thank you, Mr. Chairman.\n    A couple of different questions. 
The first is, my \nunderstanding is that there were 16 points that you made \nrecommendations on. Two have been fully implemented, which \nsuggests that there are 14 still being worked on. What is the \nstatus of the 14 other points?\n    Ms. Watson. I can't answer that one by one. I will tell you \nwe are a work in progress. We have taken all of the \nrecommendations of GAO to heart, and we are addressing all of \nthem in our implementation plan. It will take time.\n    I have got a very small cadre of folks who do this work \nright now, and they need training. We are getting them the \ntraining. We are trying to get people in the door at the same \ntime and make our oversight program much more robust.\n    Mr. Akin. So are you actually plussing up the number of \nemployees, so you are actively building an organization at this \ntime?\n    Ms. Watson. We are. When I arrived at DSS not only were we \nunderstaffed but we had 80 vacancies and there was a hiring \nfreeze in place due to lack of resources. The hiring freeze has \nbeen lifted, so we are trying to recover from the 80 vacancies \nwe already had, as well as hire an additional 145 new \nemployees. It takes time. They all need clearances.\n    Mr. Akin. When each of us was first elected to Congress, we \ncame down here and they told us you have got a week or two to \nhire an entire office. In the business world, somebody leaves \nand you replace them with somebody. But when you are going to \ntry to create an organization overnight, I understand what you \nare saying.\n    Ms. Watson. We don't do all of our hiring. We have to work \nthrough the Department. We are dependent on other offices in \nthe Department for our hiring actions.\n    Mr. Akin. So you can't hire the people you want to run your \norganization?\n    Ms. Watson. There are challenges in the hiring process.\n    Mr. Akin. 
Sounds like you have got the other arm tied \nbehind your back, too.\n    I guess the question I have heard in terms of intelligence, \nthat we have a gap where there is pure research, where the pure \nresearch then starts to get reported, that the Chinese can come \nand basically harvest anything they want, and there is some \nsort of a time period before there is a patent or something \nelse that begins to protect it. Is there some kind of gap from \nthe time of pure research discovery in a lab somewhere along \nthe line where people can just come in and basically help \nthemselves to our information?\n    Mr. Sullivan. Sir, I am not a scientist, by any means, but \nI do know there is a document, National Security Defense \nDirective (NSDD) 189, that establishes the definition and \nparameters of basically research, essentially, in that it \nstates basic research is generally not classified, at least \nwithin the Department, until you move down the spectrum of \nthese different categories of research and get to something \ncalled fundamental research. Then you start getting into the \nclassified area.\n    So in that arena of basic research there is all kinds of \nexchanges of information, publishing of research, interaction \nwith people around the world to encourage scientists to, in \nfact, produce better products.\n    Mr. Akin. My question is, do we have a gap somewhere in \nthere where people can pick off a lot of our research, where we \nshould be classifying things or protecting information?\n    Mr. Sullivan. I would have to defer to the people who own \nthe technologies and are sponsoring the research. It would seem \nthat there is an awful great potential for our adversaries to \nfocus in the area of basic research to get information. But as \nto what we are losing or what there is to lose, that would be \nbeyond our area of expertise.\n    Mr. Akin. Who is in charge of that and who should know the \nanswer to that question?\n    Mr. Sullivan. 
I would refer--at least at the Office of \nSecretary of Defense, it would be the Office of the Under \nSecretary of Defense for Acquisition Technology and Logistics, \nAT&L.\n    Mr. Akin. They should know that. Doesn't sound like there \nis any one point person that is in charge of protecting our \ninformation security in terms of--is that true? That is kind of \nwhat I am sensing.\n    Ms. Calvaresi Barr. Let me just comment that we had \nmentioned a number of programs and policies that are designed \nto protect not only the systems, the components, the know-how, \nand the information. And I think on some of the basic research \nareas that you talked about, particularly with regards to \nexport controls, the export control system is supposed to \nrecognize, when we do have sensitive information, licenses are \nrequired for that. So that would be the role of State \nDepartment, looking over those things that are sensitive and \nhave military application, and then Commerce Department, in \nterms of its licensing for dual use. We found major \nvulnerabilities in both of those programs.\n    Mr. Akin. Thank you.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you very much.\n    We are going to try to finish the hearing here shortly, \nbecause we have a series of four votes.\n    Mr. Taylor--and if there are other comments, I am sure we \ncan get them in. Mr. Taylor.\n    Mr. Taylor. Thank you, Mr. Chairman.\n    I want to thank the panel for being here.\n    And I apologize for being late. There were some things \ngoing on at the White House this morning.\n    The Hughes-Loral deal strikes me as probably the poster \nchild of ``greed gone wild'' in this town. I distinctly \nremember a member of the California delegation walking the \nfloor, seeking people's signatures, saying it would be okay for \nthe Loral Company to take some satellites over to China because \nthere were huge profits to be made by sending satellites into \nspace. 
And I remember not signing it, saying, ``That just gives \nme heartburn. I can see all sorts of bad things coming from \nthis, even with my lack of technical knowledge. I just don't \nthink that is a good idea.'' Well, it was amazing that \napparently your office signed off on the deal.\n    And I distinctly remember one employee sending a, what, 60-\nsomething-page fax out in the clear, explaining to the Chinese, \nin effect, kicker technology for launching multiple satellites. \nWhat has happened since then to keep that from happening again?\n    And do things like the European Aeronautic Defense and \nSpace Company (EADS) successful bid on the tanker create more \nopportunities for mischief like that?\n    And I will just give you an example. Let's say, as an \nunintended consequence of refuelling an F-22, we discover that \nsomething on the tanker is jamming the fuel pumps on the F-22, \nsome sort of a signal. So word gets back to the parent company, \nwhen you are fueling an F-22, you can't broadcast in this \nfrequency because you shut off his fuel pumps, because so much \nof that is done by electronics now. How do we keep EADS or \nsomeone like EADS from not going to a potential enemy of the \nUnited States and saying, you know, ``For X number of dollars, \nI will expose you to a vulnerability. Of course, then I am \ngoing to turn around to the United States Air Force and sell \nthem a fix''?\n    To what extent do you get involved in things like that? \nBecause the Hughes-Loral deal happened. It did. Regrettably, it \nhappened. So what steps are being taken so that doesn't happen \nagain and that the scenario that I just outlined doesn't happen \nas well?\n    Ms. Calvaresi Barr. 
I would just comment that it calls to \nthe heart of these programs, such as industrial security and \nothers, export controls and foreign military sales, all of that \nworking as effectively as it can.\n    And I think, just with regard to the protections that need \nto be in place, you need to know what alliances you are \nbuilding, you need to know what companies you are partnering \nwith.\n    And I would even say, in the case of, as you said, the EADS \ndeal, just because we would go with the U.S. company, it \nwouldn't necessarily preclude us from foreign ownership or \ninfluence, because, as we know, many of these large companies \nare going to have affiliations. So all the more reason for \nprograms like Industrial Security and others to be effective.\n    Mr. Taylor. Walk me and the average American through why \nthat does not somehow become the proprietary knowledge of an \nEADS or any other firm, that broadcasting in a certain \nfrequency is going to shut down the fuel pumps.\n    I am just giving an analogy, because we have discovered a \nnumber of unintended consequences with our jammers in Iraq. And \nthat is what leads me to say this, and I don't need to go any \nfurther than that.\n    So let us just say an unintended consequence is to shut down \nthe fuel pumps on an F-22 if you broadcast at a certain \nfrequency; it suddenly becomes the information of EADS--or, \nheck, that is their company. They are an international \naerospace firm in the business of selling information and \ntechnology.\n    So where do you step in and prevent that from happening?\n    Ms. Calvaresi Barr. 
There are programs in place in which we \nhave agreements with other host governments that trickle down \nto--flow down to the contractors in the company that is \nsupposed to say that we are supposed to protect certain of our \nclassified information by the same standards as the U.S.\n    We haven't done any recent work looking at how well those \nprograms are working, how current they are.\n    Mr. Taylor. If I may ask, why not? Because that strikes me \nas a very real vulnerability.\n    Ms. Calvaresi Barr. Well, GAO usually does work on the \nbehalf of Congress, and we haven't had a request specifically \naimed looking at some of those agreements for quite some time.\n    Mr. Taylor. Well, could I ask Dr. Schneider then?\n    And, again, let's use the very real analogy of the jammers \nin Iraq and the unintended consequences that they have. I don't \nneed to go into further detail. But let's just say that jammer \nhappened to have been made by a foreign firm. What is to keep \nthem from turning around to the Iraqis or the Iranians or any \nnumber of potential foes and saying, ``Oh, by the way, if you \ncan broadcast a signal in this frequency, you can keep the \nAmericans from talking to each other.''\n    Dr. Schneider. In general, if there is classified \ninformation to that effect, that would only be in the hands of \na U.S. citizen. If the U.S. citizen transferred it to someone \nwho is not cleared and didn't have a need to know, that would \nbe a violation of law, and they would be vulnerable to \nprosecution, whether or not there was a commercial relationship \nor not.\n    And I think the question that you had raised earlier about \nthe effectiveness of circumstances where we do share classified \ninformation with allied countries is something that is \nundoubtedly worth knowing about and staying on top of it.\n    But my impression is that the rules on the protection of \nclassified information bear on all of the holders who are U.S. 
\ncitizens, and they have obligations which anyone who holds a \nsecurity clearance knows, that they are not allowed to transfer \nclassified information to anyone who does not have a security \nclearance and a need to know that information.\n    The Chairman. I think the gentleman has an excellent line \nof inquiry, but we have a vote.\n    Mr. Saxton. May I just ask a couple of questions for the \nrecord?\n    The Chairman. Real quick.\n    Mr. Saxton. We are flat out of time, as the Chairman said. \nI have two questions for Ms. Watson and Ms. Calvaresi Barr. \nWould you be able to respond in writing? Because we are going \nto have to go.\n    The first question is, recognizing that the information we \nhave indicates that you have 647 FOCI cases, I am not clear on \nprecisely what an FOCI case is, and if you could each clarify \nthat for us.\n    And the second question is, because of the nature of the \nreporting requirements, which I have characterized as self-\nreporting--that may or may not be a good characterization--how \nmuch are we missing because of the current reporting process? \nAnd do we need to make modifications in the reporting process \nin order to help us get a better picture of what it is that we \nare after in the reporting process?\n    If you could get that back to us in short order, we would \nreally appreciate it.\n    Thank you.\n    The Chairman. With that, we thank the gentleman.\n    And I certainly appreciate your being with us today. 
It has \njust been excellent.\n    And we are adjourned.\n    [Whereupon, at 12:06 p.m., the committee was adjourned.]\n\n      \n=======================================================================\n\n\n\n\n                            A P P E N D I X\n\n                             April 16, 2008\n\n=======================================================================\n\n      \n\n      \n=======================================================================\n\n\n              PREPARED STATEMENTS SUBMITTED FOR THE RECORD\n\n                             April 16, 2008\n\n=======================================================================\n\n      \n      \n    [GRAPHIC] [TIFF OMITTED] T5132.001 through T5132.032\n    \n
\n      \n=======================================================================\n\n\n              WITNESS RESPONSES TO QUESTIONS ASKED DURING\n\n                              THE HEARING\n\n                             April 16, 2008\n\n=======================================================================\n\n      \n             RESPONSE TO QUESTION SUBMITTED BY MR. BARTLETT\n\n    Ms. Watson. The National Industrial Security Program (NISP) \n(established by Executive Order 12829, January 6, 1993) authorizes \nfirms to receive classified contracts, and authorizes security \nclearances for their personnel under specific conditions. The NISP \nOperating Manual (NISPOM), DoD 5220.22-M, defines those conditions. The \nfirst condition is that the ``company must need access to the \nclassified information in connection with a legitimate U.S. Government \nor foreign government requirement'' (NISPOM para. 2-102.a.). This \nthreshold condition is met when a Federal government contracting \nactivity or an already cleared company, usually acting as a prime \ncontractor, sponsors a company for a facility clearance (FCL). The \nNISPOM states that ``a contractor or prospective contractor cannot \napply for its own FCL.'' (NISPOM para 2-102)\n    When a company is sponsored for an FCL, the Defense Security \nService (DSS) inspects and evaluates the company's security \nqualifications. Key management personnel would also have to be eligible \nfor a personnel security clearance in order for the company to be \ngranted a FCL. 
Only a company that has a FCL or is in process for \nreceiving a FCL may submit requests for personnel security clearances.\n    The lack of a FCL does not preclude a company from bidding on \ncontract opportunities that may involve classified work or companies \nwithout a FCL being awarded classified contracts, subject to their \nbeing eligible for a FCL when the classified work on the contract is to \nbegin. In addition, DSS will process a firm for a facility security \nclearance if a contracting activity requires the firm to access \nclassified information in order to prepare a contract bid. [See page \n23.]\n                                 ______\n                                 \n              RESPONSE TO QUESTION SUBMITTED BY MRS. BOYDA\n    Ms. Watson. Airbus Americas is currently involved in commercial \nsales (aircraft design and construction, parts, tools, engineering \nservices, etc.) and does not have any U.S. Defense contracts at this \ntime. As of August 2008, the Defense Security Service did not have a \nrequest for a facility clearance for Airbus Americas. Airbus Americas \nis a European Aeronautics Defense and Space (EADS) company. EADS has \nfive facilities in the United States; four with facility clearances and \none in process for a facility clearance.\n    The Boeing Company has 25 cleared divisions and 15 cleared \nsubsidiaries. The Boeing Company in Wichita, Kansas is cleared to the \nTop Secret level.\n    Further information on details of any contract awards should be \ndirected to the appropriate Government Contracting Activity. The \nDefense Security Service is not involved in the contract award process. \nFurther, DSS only has oversight of companies cleared under the National \nIndustrial Security Program that are performing on government contracts \nrequiring access to classified information. DSS has no oversight \nresponsibility of companies performing on government contracts that do \nnot require access to classified information. 
[See page 26.]\n\n      \n=======================================================================\n\n\n              QUESTIONS SUBMITTED BY MEMBERS POST HEARING\n\n                             April 16, 2008\n\n=======================================================================\n\n      \n                   QUESTIONS SUBMITTED BY MR. SAXTON\n\n    Mr. Saxton. In 2007 DSS reported 647 FOCI cases. What constitutes a \nFOCI case? Of these 647 cases, were they all a result of self-\nreporting? How much are you missing because the system relies upon self \nreporting or holes in the reporting requirements?\n    Mr. Sullivan and Ms. Watson. According to the NISPOM, a U.S. \ncompany is considered to be under Foreign Ownership, Control, or \nInfluence (FOCI) ``whenever a foreign interest has the power, direct or \nindirect, whether or not exercised, and whether or not exercisable \nthrough the ownership of the U.S. company's securities, by contractual \narrangements or other means, to direct or decide matters affecting the \nmanagement or operations of that company in a manner which may result \nin unauthorized access to classified information or may adversely \naffect the performance of classified contracts.'' A company that is \nunder FOCI is not eligible for access to classified information unless \nthe FOCI can be mitigated. A FOCI case is an action, conducted at HQ or \nin the Field, analyzing affirmative response(s) on the SF 328, \n``Certificate Pertaining to Foreign Interests''. Affirmative responses \non the SF 328 indicate potential FOCI.\n    DSS primarily relies upon information provided by the company to \nmake a determination of the company's eligibility for access to \nclassified information. In this regard, DSS is in a position similar to \nmany other government agencies that rely upon company self-reporting, \nsuch as the SEC. 
When DSS initially processes a firm for a facility \nsecurity clearance, DSS reviews and attempts to validate FOCI \ninformation provided by the firm. DSS inspects cleared companies, and \nrequires them to correct, supplement and update information which was \nnot accurate when submitted or is out of date. Should DSS determine \nthat the company has failed to provide required and accurate FOCI \ninformation, DSS can invalidate its facility security clearance, which \nprecludes the firm from being awarded new classified contracts, or, if \nwarranted, revoke its facility security clearance. Historically, \nsituations where the company failed to report accurate and complete \ninformation have been rare, however DSS has not measured the extent to \nwhich information reported is incomplete or inaccurate.\n    Mr. Saxton. Do companies with Government Security Committees do a \nbetter job of self-reporting? How does the Government Security \nCommittee improve a company's compliance with NISPOM?\n    Mr. Sullivan. Government Security Committees (GSCs) are a part of \nthe company governance structure required by Voting Trusts, Proxy \nAgreements, Special Security Agreements, and Security Control \nAgreements. These are mitigation measures put in place to protect \nclassified information when there are significant Foreign Ownership, \nControl, or Influence (FOCI) concerns associated with the company. \nCompanies with these agreements have additional reporting requirements \nbecause of the FOCI concerns at the company. They represent \napproximately two percent of the cleared contractor population of \napproximately 12,000 cleared facilities.\n    DSS has not noted that self-reporting or NISPOM compliance by \ncompanies with a GSC is any different than by companies that do not \nhave a GSC.\n    Mr. Saxton. In 2007 DSS reported 647 FOCI cases. What constitutes a \nFOCI case? Of these 647 cases, were they all a result of self-\nreporting? 
How much are you missing because the system relies upon \nself-reporting or holes in the reporting requirements?\n    Dr. Schneider. The Defense Science Board has not addressed the \nspecific question asked and therefore I can not respond to your \ninquiry.\n    Mr. Saxton. Do companies with Government Security Committees do a \nbetter job of self-reporting? How does the Government Security \nCommittee improve a company's compliance with NISPOM?\n    Dr. Schneider. The Defense Science Board has not addressed the \nspecific question asked and therefore I can not respond to your \ninquiry.\n    Mr. Saxton. In 2007, DSS reported 647 FOCI cases. (a) What \nconstitutes a FOCI case? (b) Of these 647 cases, were they all a result \nof self-reporting? (c) How much are you missing because the system \nrelies upon self-reporting or holes in the reporting requirements?\n    Ms. Calvaresi Barr.\n\n        <bullet>  DSS, industrial security representatives (ISR) are \n        responsible for ensuring that contractors properly identify all \n        relevant foreign business transactions. The ISR is required to \n        collect, analyze, and verify the pertinent information about \n        these transactions to determine whether foreign ownership, \n        control, or influence (FOCI) exists. If contractors' indicate \n        that foreign transactions meet certain DSS criteria \\1\\ or \n        exceed thresholds, such as the percentage of company stocked \n        owned by foreign persons, the ISR forwards the case to DSS \n        headquarters. DSS headquarters works with the contractor to \n        determine what, if any, protective measures are needed to \n        reduce the risk of foreign interests gaining unauthorized \n        access to U.S. classified information. 
Then, DSS field staff \n        monitor contractor compliance with these measures.\n---------------------------------------------------------------------------\n    \\1\\ The following factors are considered in the aggregate in \ndetermining whether a company is under FOCI: a. Record of economic and \ngovernment espionage against U.S. targets, b. Record of enforcement \nand/or engagement in unauthorized technology transfer, c. Type and \nsensitivity of information requiring protection, d. The source, nature \nand extent of FOCI, e. Record of compliance with pertinent U.S. laws, \nregulations and contracts, and f. Nature of bilateral and multilateral \nsecurity and information exchange agreements.\n---------------------------------------------------------------------------\n\n        <bullet>  Identification of FOCI is generally the result of \n        self reporting on the part of the contractor. However, we can \n        not say whether all 647 cases resulted only from self \n        reporting.\n\n        <bullet>  While we are not able to say how much is being \n        missed, our work found that ISRs lacked the training and \n        knowledge needed to verify complex FOCI cases. Further, we \n        found that DSS headquarters did not know the universe of all \n        contractors operating under all types of protective measures \n        used when FOCI is present.\n\n    Mr. Saxton. (a) Do companies with Government Security Committees \n(GSC) do a better job of self-reporting? (b) How does the Government \nSecurity Committee improve a company's compliance with NISPOM?\n    Ms. Calvaresi Barr.\n\n        <bullet>  A GSC is established after FOCI has been identified \n        to help ensure that the company under FOCI maintains policies \n        and procedures to safeguard classified information and \n        sensitive but unclassified information in the possession of \n        the. The GSC is also to help ensure that the company complies \n        with U.S. 
export control laws and regulations and does not take \n        action deemed adverse to performance on classified contracts.\n\n        <bullet>  By following through and effectively carrying out its \n        responsibilities under the NISPOM, the GSC increases the \n        likelihood that the company will comply with the NISPOM.\n                                 ______\n                                 \n                  QUESTIONS SUBMITTED BY MR. LOEBSACK\n\n    Mr. Loebsack. In an increasingly globalized world and defense \nindustry, do you consider investment in U.S. defense firms, and a \nstrong, competitive U.S. defense industry, to be important to our \nnational security? a. How do you assure that, when U.S. contracts are \nawarded to foreign companies, U.S. defense and national security data, \ntechnology, expertise, and capabilities are not outsourced to such a \ndegree that we lose them in this country altogether? b. Could policy \ndisagreements between the U.S. and nations in which U.S.-contracted \ncompanies are based result in a situation where critical, outsourced \nU.S. defense technology is not delivered or not available? Is such a \npossibility taken into account when assessing the awarding of a U.S. \ndefense contract to a foreign company? c. The United States' aerial \nrefueling fleet is the foundation of every mission undertaken by our \nmen and women in uniform and is vital to the readiness of our Armed \nForces. If the KC-X tanker award is outsourced, won't the United States \nlose our vital edge in this critical technology and capability? d. What \nis being done to guarantee that the United States would have not only \nthe data, but the intellectual and real capital and capability to \nproduce tankers for the U.S. military in the event that something \nunforeseen happens that is outside of our control--politically, \nmilitarily, or otherwise--that will enable the U.S. 
government to \nensure that it could domestically develop, build and support tankers?\n    Mr. Sullivan and Ms. Watson. The Office of the Under Secretary of \nDefense defers to the Office of the Under Secretary of Defense for \nAcquisition, Technology and Logistics to respond to this question \nbecause the question is outside the oversight responsibilities of the \nOffice of the Under Secretary of Defense for Intelligence.\n    Mr. Loebsack. In an increasingly globalized world and defense \nindustry, do you consider investment in U.S. defense firms, and a \nstrong, competitive U.S. defense industry, to be important to our \nnational security? a. How do you assure that, when U.S. contracts are \nawarded to foreign companies, U.S. defense and national security data, \ntechnology, expertise, and capabilities are not outsourced to such a \ndegree that we lose them in this country altogether? b. Could policy \ndisagreements between the U.S. and nations in which U.S.-contracted \ncompanies are based result in a situation where critical, outsourced \nU.S. defense technology is not delivered or not available? Is such a \npossibility taken into account when assessing the awarding of a U.S. \ndefense contract to a foreign company? c. The United States' aerial \nrefueling fleet is the foundation of every mission undertaken by our \nmen and women in uniform and is vital to the readiness of our Armed \nForces. If the KC-X tanker award is outsourced, won't the United States \nlose our vital edge in this critical technology and capability? d. What \nis being done to guarantee that the United States would have not only \nthe data, but the intellectual and real capital and capability to \nproduce tankers for the U.S. military in the event that something \nunforeseen happens that is outside of our control--politically, \nmilitarily, or otherwise--that will enable the U.S. government to \nensure that it could domestically develop, build and support tankers?\n    Dr. Schneider. 
The Defense Science Board has not addressed the \nspecific question asked and therefore I can not respond to your \ninquiry.\n    Mr. Loebsack. In an increasingly globalized world and defense \nindustry, do you consider investment in U.S. defense firms, and a \nstrong, competitive U.S. defense industry, to be important to our \nnational security?\n    Ms. Calvaresi Barr. Defense trade not only helps support the U.S. \nindustrial base but also provides the economic benefit of a positive \ntrade balance. U.S. military strategy is premised on technological \nsuperiority on the battlefield. The Department of Defense spends \nbillions of dollars each year for the development and production of \nhigh technology weaponry to maintain that superiority. Yet, the \ntechnologies that underpin U.S. military strength continue to be \ntargets for theft, espionage, reverse engineering, and illegal export. \nAt the same time, the programs the U.S. government has in place to \nprotect critical technologies by weighing competing and sometimes \nconflicting national security, foreign policy, and economic interests \nhave long been criticized by industry and allies for their inability to \nadapt to a changing world environment and their lack of efficiency.\n    In addition, as mentioned, the economy has become increasingly \nglobalized as countries open their markets and the pace of \ntechnological innovation has quickened worldwide. The myriad of laws, \nregulations, policies, and processes intended to identify and protect \ncritical technologies so they can be transferred to foreign parties in \na manner consistent with U.S. interests include the national industrial \nsecurity program, those that regulate U.S. defense-related exports and \nthe investigation of proposed foreign acquisitions of U.S. national \nsecurity-related companies. 
Responsibility for administering or \noverseeing the different programs is divided among multiple federal \nagencies and several congressional committees. However, we have found \nthat these programs are often ill-equipped to weigh competing U.S. \nnational security and economic interests. As a result, to address the \nissues you raise we believe a strategic reexamination of the existing \nprograms is needed to ensure the advancement of U.S. interests.\n\n                                  <all>\n</pre></body></html>\n"