This is to certify that the thesis entitled

A QUALITY SECURITY COUNTERMEASURES PROCESS FOR FOREIGN OWNERSHIP, CONTROL, OR INFLUENCE OF UNITED STATES DEFENSE FIRMS IN THE NATIONAL INDUSTRIAL SECURITY PROGRAM

presented by Daniel Joseph Muscat has been accepted towards fulfillment of the requirements for Master's degree in Criminal Justice.

Date: April 6, 1994

A THESIS

Submitted to Michigan State University in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE

School of Criminal Justice

1994

ABSTRACT

The National Industrial Security Program (NISP) replaces conflicting Executive Branch industrial security regulations with an integrated strategy to safeguard U.S. classified information. Resource Total Quality Management (TQM) drives this effort to develop an efficient, cost-effective security posture.
One complex NISP issue is technology transfer risk inherent in foreign ownership, control, or influence (FOCI) of defense firms. This research focuses on whether TQM guru W. Edwards Deming's "Plan, Do, Study, Act" (PDSA) process improvement theoretical model will aid efforts to detect flaws in current countermeasures and help define an enhanced NISP process. Process improvement ideas resulting from the PDSA exercise are rated by an opinion survey of 114 security professionals from FOCI and non-FOCI firms. The majority of 77 respondents (36% FOCI, 64% non-FOCI) rate 10 of 12 ideas as practical process improvements, suggesting they merit consideration in the National Industrial Security Program.

Copyright by Daniel Joseph Muscat 1994

DEDICATION

To my wife Carole, and my daughters, Melissa and Kristi, in appreciation of all your love and support.

ACKNOWLEDGMENTS

The author would like to acknowledge the assistance, dedication, and professionalism of the faculty and staff of the Leadership and Management Program in Security in the School of Criminal Justice at Michigan State University. Individuals who deserve special recognition include thesis chair, Dr. Kenneth E. Christian, Dr. Frank S. Horvath, Dr. David L. Carter, and Dr. Merry Morash. Finally, special thanks are extended to Assistant Deputy Undersecretary of Defense for Security Policy, Mr. Maynard C. Anderson, a recognized leader in the security community, who generously shared his wisdom during this research.

TABLE OF CONTENTS

List of Figures
List of Abbreviations

I. Introduction
   A. Total Quality Management: A U.S. National Secret that became the Secret to Safeguarding U.S. National Secrets
   B. National Industrial Security Program and TQM
   C. Foreign Ownership, Control, or Influence: A Complex Security Issue

II. Literature Review
   A. Deming's Cycle: An Operational Definition of the Plan, Do, Study, Act (PDSA) Theoretical Model
   B. Defining Foreign Ownership, Control, or Influence
   C. Defining U.S. Foreign Investment Policy
   D. Defining U.S. Foreign Investment Regulations
   E. Defining the Evolution of Defense Industrial Security Program Foreign Ownership, Control, or Influence Security Regulations
      Board Resolutions
      Reciprocal Facility Clearances
      Voting Trust Agreements
      Proxy Agreements
      Special Security Agreements
   F. Globalization Future Shock: Thomson CSF Attempts to Acquire LTV

III. Methodology - Deming's Cycle: Plan, Do, Study, Act
   A. "Plan" Step One: Identification of the Opportunity for Improvement
   B. "Plan" Step Two: Documenting the Present Process in a Critical Examination of FOCI Security Regulations
      1. Consistency with Foreign Investment Policy
      2. Defense Technology Access
      3. Defense Security Committee
      4. Security Awareness
      5. Export Control Compliance
      Negative Notes - What Needs Work
      6. FOCI National Security Intelligence, Threat Assessment and Risk Analysis
         a. Collection
         b. Evaluation of Reliability and Validity
         c. Integration and Analysis
         d. Dissemination
      7. National Interest Determination
      8. Proscribed Information
      9. Threat Emphasis and Security Countermeasure Development
      10. Security Agreement Violation Clauses
      11. Personnel Security
      12. Security Awareness, Training and Education
   C. "Plan" Step Three: Envisioning an Improved NISP FOCI Security Countermeasures Process
   D. "Plan" Step Four: Scoping the NISP FOCI Security Countermeasures Process Improvement Plan
      1. Management Plan
      2. NISP FOCI Security Policy Proposal
   E. "Do" Step Five: Survey of Security Professionals
      1. Survey Objectives
      2. Survey Instrument and Responses
   F. "Study" Step Six: Studying the Survey Results
   G. "Act" Steps Seven and Eight: Conclusions, Actions Required for the NISP, and Recycling PDSA

Footnotes
Bibliography

LIST OF FIGURES

National Industrial Security Program Task Force 22 January 1991
The Deming PDSA Cycle (Scherkenbach, 1991, p. 61)
Definition of a Process (Scherkenbach, 1991, p. 8)
The Two Voices (Scherkenbach, 1991, p. 11)
Department of Defense Security Agreement DD Form 441
Department of Defense Certificate Pertaining to Foreign Interests DD Form 441s
The Voice of the Customer (NISP) versus the two current Voices of the Process (SSA or Trust/Proxy) (An adaptation of Scherkenbach, 1991, p. 78)
DISP FOCI Adjudication Process Model
NISP FOCI Adjudication Process Model
FOCI Adjudication Guidelines, Part 1
FOCI Adjudication Guidelines, Part 2
Conceptual Example of a FOCI Threat Assessment Matrix
Security Professional Ratings Voting Trust Agreement Effectiveness
Security Professional Ratings Proxy Agreement Effectiveness
Security Professional Ratings Reciprocal Clearance Effectiveness
Security Professional Ratings Board Resolution Effectiveness
Security Professional Ratings Special Security Agreement Effectiveness
Ratings of the National Disclosure Policy/General Security of Information Agreements Policy Foundation Idea
Ratings of the New, Three Step, FOCI National Interest Determination Process Idea
Ratings of the FOCI Threat Assessment Committee Idea
Ratings of the Automated Form 441s "Certificate Pertaining to Foreign Interests" Idea
Ratings of the NISP FOCI Adjudication Committee Idea
Ratings of the NISP 441 Security Agreement with FOCI Amendments versus Voting Trust/Proxy/SSA Idea
Ratings of the Proscribed Data Security Countermeasures Idea
Ratings of the Security Assurance, SF 312, Limited Access Authorization for Foreign Directors Idea
Ratings of the Security Awareness, Training and Education for Outside Directors/Proxies/Trustees Idea
Ratings of the FOCI Security Awareness, Training and Education for Facility Security Officers Idea
Ratings of the FOCI Security Awareness, Training and Education for Procurement Agency Officials Idea
Ratings of the FOCI Security Awareness, Training and Education for NISP Oversight Agency Officials Idea

LIST OF ABBREVIATIONS

AIA            Aerospace Industries Association
CFIUS          Committee on Foreign Investment in the U.S.
CIA            Central Intelligence Agency
COMSEC         Communications Security
CSO            Cognizant Security Office
DASD CI/SCM    Deputy Assistant Secretary of Defense, Counterintelligence/Security Countermeasures
DASD C3I       Deputy Assistant Secretary of Defense, Command, Control, Communications, and Intelligence
DD Form 441    Defense Department Form 441 Security Agreement
DD Form 441s   Defense Department Form 441s Certificate Pertaining to Foreign Interests
DDL            Decision Disclosure Letter
DIA            Defense Intelligence Agency
DIS            Defense Investigative Service
DISCO          Defense Industrial Security Clearance Office
DISP           Defense Industrial Security Program
DoD            Department of Defense
DoE            Department of Energy
DSC            Defense Security Committee
ECO            Export Control Officer
ESC            Executive Security Committee
FBI            Federal Bureau of Investigation
FCL            Facility Clearance
FOCI           Foreign Ownership, Control, or Influence
FOCI/AC        FOCI Adjudication Committee
FOCI/TAC       FOCI Threat Assessment Committee
FSO            Facility Security Officer
GAO            General Accounting Office
GSOIA          General Security of Information Agreements
HOF            Home Office Facility
ISOO           Information Security Oversight Office
ISM            Industrial Security Manual for Safeguarding Classified Information (DoD 5220.22-M)
LAA            Limited Access Authorization
MFO            Multiple Facility Organization
NATO           North American Treaty Organization
NDP            National Disclosure Policy
NID            National Interest Determination
NISP           National Industrial Security Program
PCL            Personnel Security Clearance
PDSA           Plan, Do, Study, Act
PMF            Primary Management Facility
SATE           Security Awareness, Training and Education
SF 312         Standard Form 312 - Classified Information Nondisclosure Agreement
SSA            Special Security Agreement
TCP            Technology Control Plan
TQM            Total Quality Management

I. INTRODUCTION

A. Total Quality Management: A U.S. National Secret that became the Secret to Safeguarding U.S. National Secrets

The year was 1942, and as World War II raged, the U.S. War Department (Pines, 1990) faced an unprecedented demand for materials to aid the Allied cause. Turning to one of its industry suppliers, Bell Telephone Laboratories, for help, the Department established a Quality Control section staffed largely by Bell employees who employed the ideas of their colleague, statistician Walter A. Shewhart. Eleven years earlier, Shewhart succeeded in making quality a science when he published his thoughts on "statistical control" of variations in manufacturing processes. Shewhart's work proved that monitoring manufacturing according to measurable information could bring a process under control and make its future predictable. Statistical control of manufacturing the huge quantities of ships, tanks, and planes needed to fight the Axis powers quickly became a critical element of the war effort.
In fact, at one point Shewhart's quality techniques became classified military secrets. In an irony of history that would not play out for almost fifty years, national defense requirements had given birth to a highly guarded, valuable "body of quality knowledge."

Ellis Pines (1990) highlighted that one of Shewhart's followers, W. Edwards Deming, later to become one of the nation's foremost quality gurus, taught many courses on Shewhart's quality methods to numerous defense industry suppliers during the war. When the conflict ended the quality techniques were declassified and Deming tried unsuccessfully to sell his quality education courses to a broader spectrum of U.S. businesses. Post war prosperity and an insatiable demand for consumer goods put Deming in the awkward position of trying to preach his quality message to an industrial audience more concerned with quantity than quality. Thus, in July 1950, Deming went to Japan and told the presidents of that country's leading manufacturers about the U.S. military secret that had helped defeat them in battle. These leaders, representing diverse industries, were each striving to re-establish a still faltering economy. Deming told them that quality was essential to their survival, and he urged them to work in partnership with their vendors, to develop instrumentation and to gain control over their processes. Japanese top management hearkened Deming's words on quality, and some thirty years after losing the military battle, they began to win the global economic war.

Scores of books have been written on Deming's theory of management (Aguayo; Deming; Nadler et al.; Scherkenbach; Walton; and many more).
Most cite, then further develop, Deming's now famous "fourteen points" which he described as principles for transformation of western management in his 1986 book Out of the Crisis. In describing point number fourteen, "Take action to accomplish the (quality) transformation," emphasis is placed on the Plan-Do-Study-Act (PDSA) circular model Deming introduced to the Japanese. PDSA is Deming's improvement on what many observers know as the Plan-Do-Check-Act (PDCA) model. Frequently compared to the scientific method, Deming called it the Shewhart Cycle after Walter Shewhart, the Bell Labs pioneer of statistical quality control. The Japanese called it the Deming Cycle. William Scherkenbach's book (1991) Deming's Road to Continual Improvement focuses heavily on PDSA and explains ways to convert the theory into practice. Mary Walton (1991) adds perspective by suggesting that the Deming Cycle, in fact, represents work on processes rather than specific tasks or problems. Processes by their nature can never be solved, but only improved. In working on processes, one does, of course, solve some problems.

In the late 1970s and early 1980s, mired in a deep recession, American executives journeyed to the Pacific in search of explanations for the huge market share losses they had incurred to Japanese imports. Ford Motor Company alone (Pines, 1990) lost $1.6 billion in 1980 when automobile imports took 26.7 percent of the U.S. market. As they toured Japanese factories, it did not take U.S. executives long to discover that the commitment to quality inspired by Deming started at the top of the corporate ladder and flowed
DefensE' F efforts the the Depart: 4 all the way to the factory floor. Pines points out that the Japanese effort toward quality was, in a word, "total." Given the American passion for buzzwords, the concept of Total Quality Management, or TQM, quickly became the hottest topic in business schools, books, and professional seminars. Numerous consulting firms popped up, each focusing on one or more variations of the same process improvement theme: quality function deployment; just in time; employee involvement; design of experiment, to name a few. Ford, where "Quality" became "Job 1," adopted Deming’s methods, reversed its downward spiral, and went on to become one of the biggest TQM success stories. TQM found its way back to the U.S. military, by now the Defense rather than War Department, in 1987 when former General Motors executive and Deming disciple Robert Costello was appointed Undersecretary of Defense for Acquisition. Having achieved remarkable improvements in automotive quality using Deming tools, on October 5, 1987 Costello issued a memo to the military departments that announced, ”We will integrate all our efforts related to quality into a coordinated Department of Defense Total Quality Management Strategy." In March 1988, newly appointed Secretary of Defense, Frank Carlucci gave Costello's quality improvement efforts the needed top management commitment making TQM in the Department of Defense (DoD) official. mmmaummnmmmnmw By coincidence, in March 1988, security professionals in the Aerospace Industries Association (AIA) unknowingly jumped on Costello's DoD TQM bandwagon when they conceptualized the National Industrial Security Program (NISP). The NISP focuses on the methods and processes employed by the government and industry to safeguard classified information in industry. 
An initiative to replace a plethora of overlapping, often conflicting government regulations with a single, coherent and integrated security strategy, the NISP was endorsed by President George Bush. The NISP has evolved into a government-industry response to the challenge for a more efficient and cost-effective method to ensure national security. In an era of diminishing resources, the NISP will standardize security policies and procedures throughout the Executive Branch and make available hundreds of millions of federal and private sector dollars for redirection.

Herein lies the irony of history. Process improvement through TQM, a national secret during World War II, emerged years later as the secret to improving the process of safeguarding U.S. national secrets. However, as Pines suggests, the TQM story continues.

In late 1988, after further defining the concept, AIA security professionals introduced the NISP to select government security executives. Interest in the concept increased when AIA provided cost data (Atwood, Watkins, & Webster, 1990) for industrial security program implementation in a sample of fourteen major aerospace companies during calendar year 1989. The fourteen companies represented one-thousand cleared facilities employing 104,000 security cleared employees. These firms spent approximately $800 million in calendar year 1989 on security. It was also estimated that approximately $120 million could have been saved by these companies if the government were to adopt a single standard for personnel security background investigations.
While the data from these large firms provided a skewed picture, the full potential for cost savings extrapolated over more than fifteen thousand defense contractors caused many skeptical observers to sit up and take notice. There were many other examples of industrial security practices that had become overly burdensome and costly following World War II.

In 1989 support for the NISP concept was received from chief executive officers of more than twenty major aerospace companies, many of whom sit on the influential AIA Executive Committee. Once again the criticality of top management support for a TQM effort was demonstrated, an imperative that the Japanese, Ford Motor Company, and Defense Secretary Carlucci clearly understood. The AIA chief executives were instrumental in facilitating opportunities to tout the merits of a NISP in Executive Branch cabinet-level briefings. The common sense premise and the potential for cost savings inherent in the concept evoked an overwhelmingly positive response from many government agency heads, including the National Security Advisor to the President.

Responding to the government and industry support, in April 1990, President Bush signed a National Security Review document tasking the Secretary of Defense to coordinate an in-depth interagency NISP feasibility study. The report to the White House by the Secretaries of Defense and Energy, and the Director of Central Intelligence (Atwood et al., 1990) stated:

    The globalization of industry, coupled with increased economic competition and dramatic strategic developments in East-West relations, will lead to new and different threats from both old and new adversaries. We agree that now is the time for a collective effort by government and industry to establish the single, integrated and cohesive security program needed to protect our economic interests and preserve our technology position of leadership.
In accepting the report, President Bush (1990) responded:

    In our efforts to anticipate the scope and pace of various intelligence threats in a changing environment, we must ensure that our industrial security programs effectively and efficiently protect our vital technologies and sensitive information.

The President indicated he was pleased with plans to include industry in development of the concept and requested a status report by September 1991. Accordingly, on 22 January 1991, the initial planning and organization meeting of the NISP Government-Industry Task Force (Figure 1.1) convened at the Interagency Training Center, Fort Washington, Maryland. The Task Force Steering Committee formed Working Groups, with government and industry representatives appointed as co-chairs, to address the various security disciplines of consequence to successful NISP implementation.

[Figure 1.1: National Industrial Security Program Task Force, 22 January 1991. Organization chart showing the National Security Council, the Executive Committee, the Steering Committee (Chairs: Maynard Anderson, DoD; Harry Volz, Grumman), and the Working Groups with their government and industry co-chairs.]

During the ensuing weeks, NISP Working Group charters and objectives were published pursuant to Steering Committee procedural controls and planning milestones. Executive Branch department and agency representatives, and select industry security professionals were recruited by the co-chairs of each Working Group. Thus, the NISP transitioned from an innovative idea to apply TQM to industrial security, which was supported by a few zealous security professionals, into a Presidential initiative involving numerous government agencies and hundreds of people. Institutionalization of the NISP occurred when President Bush (1993, January 6) signed the implementing Executive Order 12829. In accordance with a Task Force commitment made to the President in a September 1991 (Atwood, Watkins, Kerr) NISP Report, a National Industrial Security Program Operating Manual would promulgate the new standardized security policies and procedures one year from that date.

C. Foreign Ownership, Control, or Influence: A Complex Security Issue

A myriad of social, political, and economic changes in the world has caused government and industry security professionals to reevaluate the effectiveness of traditional methods used to safeguard valuable national security and corporate assets. In particular, the collapse of the former Soviet Union has prompted a need to redefine the sources of threat in order to implement the necessary national security countermeasures.
The Assistant Deputy Under Secretary of Defense for Security Policy, Maynard Anderson (1992) highlighted the enormity of this task when he suggested the changing world economic and political picture is particularly challenging because industrial security policy is forced to change rapidly in order to keep up with new international trade agreements, treaties, the unique aspects of joint ventures among both nations and companies and, in general, the globalization of the defense market.

Indeed it seems the military confrontations of the "cold war" era are being replaced by an economic war that will be played on the battlefields of the European Economic Community, the Pacific Rim, the North American Free Trade Zone, and other market alliances that are sure to develop. U.S. Export Administration and International Traffic in Arms Regulations are being revised to accommodate more free exchange of technical knowledge. National security priorities to prevent the loss of technology to foreign nations bent on military superiority have become indistinguishable from corporate security priorities to safeguard proprietary information essential to business survival. The cloak and dagger image of military espionage has spawned the progeny of blatant industrial espionage for competitive advantage as the world moves closer to realizing the concept of the "stateless" corporation whose only allegiance is to its stockholders. Unemployed military intelligence officers are finding new career opportunities as they apply their trade to the market research needs of the private sector. These specialists have even created the Society of Competitive Intelligence Professionals that, ironically, espouses ethical standards in conducting the business of industrial espionage.
The foregoing provides a glimpse of the dynamic threat environment security executives involved in the design of the NISP face as they endeavor to protect government and corporate sensitive material, automated information systems, export-controlled or defense-critical technologies, and commercial secrets. Clearly, the sophistication of security threats is increasing as rapidly as world maps are being redrawn. Downsizing in government and industry, and ever-present requirements to do more with less, only further exacerbate the problem.

Foreign Ownership, Control or Influence (FOCI) of U.S. firms doing classified government work is one of the more complex security challenges facing the NISP architects as evidenced by the creation of a working group specifically focused on that subject. Inherent in the trend toward market globalization is an intensified interest in the national security implications of foreign direct investment in companies supporting the national defense, along with other more obscure forms of control, or influence. The Wall Street Journal's Rick Wartzman (1992, November 2) reports that during the 1980s some $300 billion of foreign direct investment poured into the United States, and according to Commerce Department figures, foreigners control about 5 percent of the economy and 14.7 percent of the nation's manufacturing assets.

As defense budgets shrink and the recession continues, an increasing number of U.S. defense firms are selling off parts or all of their operations. In many cases, assets are sold to foreign investors who bring strong foreign currencies or lots of cheap dollars to pursue a beachhead in the U.S. marketplace. Additionally, companies, even countries are looking for alliances, joint venture partners and new markets in places that were previously forbidden by national or international trade embargoes.
Stratford Sherman asserts in Fortune magazine (1992, September 21) that alliances have become an integral part of contemporary strategic thinking. Now that the global marketplace has reached adolescence, it seems almost everyone is under the covers with everyone else. IBM alone has joined in over 400 strategic alliances with various companies in the U.S. and abroad. Sherman also reports that the rate of joint venture formation between U.S. companies and international partners has been growing by 27 percent annually since 1985.

The possibility that key segments of defense-related industries could come under foreign control is one of the central concerns in the debate about increased investment in the United States (GAO, 1990). In Congress, and in parts of the Executive Branch, there are hawks and doves on foreign investment. The hawks cite national security to back their cold war protectionist viewpoints. The doves, on the other hand, encourage foreign investment to reduce U.S. economic woes. In a non-partisan Congressional Research Service Report, Gary Pagliano (1992) suggests that in addressing the complex issues of foreign investment, U.S. policymakers will need to exercise caution. The application of too many restrictions could be detrimental to the country, by sparking retaliation against U.S. overseas investment and by forcing the U.S. Government, in some cases, to provide financial support to ailing companies. It could disrupt U.S. alliance relations at a time when declining defense budgets make cost-sharing among countries increasingly attractive. It could also disrupt cost-sharing agreements among U.S. and foreign companies in non-defense and dual-use sectors. A major challenge for policymakers will be to establish the appropriate balance between prudent or necessary regulation, and facilitation of the momentum toward increasing international economic cooperation.
Crafters of FOCI security policy in the NISP must be cognizant of, and consistent with, prevailing national foreign direct investment policy. At the same time, they can ill afford to get caught up in the complex and often emotional political debate over the benefits and detriments of increased foreign direct investment in the U.S. defense industrial base. To successfully complete their mission they must overlook the politics and deal with FOCI as a complex, yet increasingly important security management issue. Only then will they be able to determine whether a quality, threat driven FOCI security strategy can be developed that embraces the NISP goals of efficiency, cost-effectiveness, and Executive Branch standardization.

This study capitalizes on the historical irony surrounding development of TQM and the NISP by approaching the FOCI security question utilizing Total Quality Management continuous process improvement theory developed by Walter Shewhart and popularized by W. Edwards Deming. Specifically, foreign ownership, control, or influence of the defense industry in the NISP is reviewed, not as a security policy, but rather in the context of a security countermeasures process. Analysis is organized in accord with Deming's Cycle, the "Plan, Do, Study, Act" theoretical model (Figure 1.2). The research focuses on whether use of the PDSA methodology will aid efforts to detect flaws in the current FOCI security countermeasures process, and more importantly, assist in the identification of a strategy for process improvement that incorporates the NISP quality objectives.

[Figure 1.2: The Deming PDSA Cycle (Scherkenbach, 1991, p. 61). Circular diagram: 1. Develop a Plan for Improvement; 2. Carry Out the Plan; 3. Study the Results; 4. Act on the Results.]
While Shewhart and Deming focused on statistical measures of variation in manufacturing processes, the effective application of TQM in numerous other management challenges provides a basis for the assertion that some of its precepts can be applied successfully to the FOCI national security issue. Scherkenbach (1991) lends support to this idea when he suggests that most of the opportunities for improvement are in non-manufacturing processes, for 86 percent of the people in the U.S. are engaged in non-manufacturing endeavors. The measure of success, or quality improvement, resulting from this particular PDSA exercise lies in the statistical significance of a sample of opinions by industry security professionals which either affirm or dispute the idea that application of the Deming Cycle provides an enhanced FOCI security countermeasures process model.

To establish a foundation for addressing this problem, it is first necessary to operationally define a number of concepts including: the Deming Cycle of PDSA; the various types of foreign direct investment in the U.S.; current U.S. foreign investment policy; its associated regulatory controls; and finally, Defense Industrial Security Program (DISP) FOCI security regulations. The forces influencing the evolution of the industrial security regulations are presented as a chronology culminating with a brief description of the controversial Thomson CSF attempt to acquire LTV. This overview provides the necessary introduction to the complexities of the subject matter, while simultaneously demonstrating the need to apply the TQM continuous process improvement PDSA methodology.

Building on the operational framework established by defining the relevant FOCI terminology, the PDSA methodology is then invoked. There are several steps in the "Plan" phase of the Deming Cycle, starting with identification of the opportunity for process improvement.
The present process is then documented in a critical review of its strengths and weaknesses. Next, focusing on the feasibility of an efficient, cost-effective NISP Executive Branch FOCI security policy standard, the scope of a vision for an improved process is presented and rationalized.

In the "Do" phase of the Deming Cycle, where the quality improvement ideas are tested, a survey questionnaire is developed to gather opinion data from industry security professionals on the merits of process improvement ideas factored into a draft NISP FOCI Security Policy proposal developed during the "Plan" phase of the Deming Cycle. To avoid bias, surveys are administered to a sample of 114 security professionals representing both U.S.-owned firms and firms operating under current DoD FOCI security arrangements.

Then, in the "Study" phase of the Deming Cycle, survey results are observed, findings quantified, and conclusions drawn. The last phase of the Deming Cycle, "Act," where adjustments are made to take advantage of process improvement opportunities, is addressed as a summary. It is up to the government policymakers responsible for promulgation and administration of FOCI policy and security countermeasures to act, or choose not to act, upon the findings presented in this paper. Regardless of the outcome, as Deming suggests, more will be known about the process of safeguarding classified and sensitive national security information in foreign owned, controlled, or influenced firms in the NISP.

II. LITERATURE REVIEW

A.

One of the most powerful ideas that Deming presented in his lectures on quality control in Japan (Aguayo, 1990), beginning in 1950, was the Cycle of Continual Improvement based on ideas first expounded by Shewhart.
Walton (1986) demonstrates Deming's feelings about the importance of the Cycle by highlighting a quote from Deming himself during a 1985 seminar. He said, use of the Shewhart Cycle will lead to continual improvement of methods and procedures. It can be applied to any process and can be used to find special causes detected by statistical signals. Walton goes on to suggest that every activity is a process and can be improved.

Aguayo (1990) lends support to these arguments by suggesting that as you improve your process, you improve your knowledge of the process at the same time. Improvement of the product and process goes hand in hand with greater understanding and better theory. Aguayo points out that maybe this is nothing more than the application of the scientific method to business, but it is the only place where he had seen it done.

Scherkenbach (1987) describes the Deming Cycle of continual improvement, or Plan, Do, Study, Act (PDSA), in a fashion consistent with Aguayo's analogy to the scientific method. Scherkenbach suggests that the theory could start with a hunch or it could be as certain as a law of nature or physics. The result should not only be the statement of the theory but also the plan by which the theory is tested. The only purpose of collecting data or conducting an experiment or test is to form the basis of rational prediction. According to Scherkenbach, Dr. Deming said that anyone may predict anything that he wishes but he (Deming) is only interested in rational predictions. That is to say, those predictions that have roots based in theory. It is important to make your predictions before the experiment is conducted because too many people can "prove" anything afterward.

Scherkenbach (1991) provides an excellent operational definition of the Deming Cycle for process improvement by explaining it in terms of eight action steps for implementing the four phases of the Plan-Do-Study-Act methodology.
He cautions that some trips through the Cycle result in setbacks; other trips result in no apparent change; others result in improvement. But first, Scherkenbach defines the term "process" as virtually everything we do and everything we think. In its simplest form, a process is a transformation of inputs into outputs (Figure 2.1) which are often thought of in terms of customer and supplier relationships. Customers and suppliers do not have to be people. Resources in processes, that are both inputs and outputs, include: people; method; material; equipment; and environment. Customer and supplier transactions are facilitated by two sources of communication: the Voice of the Customer and the Voice of the Process. The objective of the PDSA process improvement methodology is therefore, to continuously strive to eliminate variance in this communication (Figure 2.2). Stated simply, the goal is to align the Voice of the Customer with the Voice of the Process.

Figure 2.1 Definition of a Process (Scherkenbach, 1991, p. 8). [Diagram: inputs (people, method, material, equipment, environment) transformed into outputs (people, method, material, equipment, environment).]

According to Scherkenbach, the "Plan" phase of the PDSA Cycle has four steps. Step one is to recognize and identify the opportunity for process improvement. This involves comparison of the present Voice of the Customer with the present Voice of the Process. This action will highlight the variance or gap between the two process Voices. Then, in step two, the present process is documented, preferably in the form of a process flow diagram. Step three operationally defines the opportunity identified in step one by creating a vision of the improved process. It is similar to step two in that a flow diagram is developed, but this time the process improvements are incorporated. In step four the theory is operationalized as the scope of the improvement effort or plan is defined.

Figure 2.2 The Two Voices (Scherkenbach, 1991, p. 11). [Diagram: the Voice of the Customer and the Voice of the Process, each comprising people, method, material, equipment, and environment.]

The "Do" phase of the model is where action step five, the pilot study, is accomplished. Here the plan or theory is carried out and tested, preferably on a small scale with the customers. The experiment may involve a change of organization or a manipulation of any of the five process resources: people, method, material, equipment, and environment.

In the "Study" phase of the PDSA model, step six of the action plan is invoked as the test results are observed. The purpose of this step is to determine if the planned changes in the process result in a smaller gap between the Voice of the Process and the Voice of the Customer. Regardless of the outcome of this step, information is gained about the process.

In the "Act" phase of the model where the opportunity to improve the process materializes, there are two steps. In step seven, after studying the results of the pilot test, the process is improved, or it is not, by creating a new mix of the five process resources. Finally, in step eight, the PDSA Cycle starts again as the next iteration of continuous process improvement begins.

An imaginative yet enlightening illustration of the importance of the wisdom embodied in the continuous improvement PDSA model was presented in 1989 by U.S. Air Force General Loh, Commander of the Aeronautical Systems Division. He opened an address to the Modular Avionics Systems Architecture Conference with a tale from Winnie-the-Pooh:

Here is Edward Bear, coming downstairs now bump, bump, bump, on the back of his head, behind Christopher Robin. It is, as far as he knows, the only way of coming downstairs, but sometimes he feels that there is another way, if only he could stop bumping for a moment and think of it.

B. Defining Foreign Ownership, Control, or Influence

In a Congressional Research Service Report on "Foreign Investment in U.S. Defense Companies," National Defense Specialist, Gary Pagliano (1992) identifies three broad types of foreign direct investment in U.S. industry. The first type of investment is when a foreign person or firm acquires ownership of 10 percent or more of the voting equity of a U.S. company. This level of ownership, as defined in the International Investment and Trade in Services Survey Act of 1974, is considered legal evidence of a long-term interest in, and a measure of influence over, the management of a company. The second type of investment is called "portfolio" investment, where foreign investors buy equity in a corporation, but hold less than 10 percent of the equity shares. Buying debt (bonds) in a U.S. company is also allowed without regulation. The third type is a catch-all for different kinds of smaller-scale investments (usually non-equity in nature) between companies such as a joint venture, licensing agreement, or consortium agreement.

The Industrial Security Manual (DOD 5220.22-M, 1991) definition differs by placing a 5 percent threshold on equity ownership, and placing more emphasis on the national security implications of control, or influence. Specifically, factors such as foreign contracts, income from foreign interests hostile to the U.S., indebtedness to foreign interests, or the ability of foreign interest to control or influence the election, appointment or tenure of senior company officials are considered. National security implications and the need to safeguard classified and export-controlled defense critical technologies provide ample justification for this more encompassing definition.
C.

Mark Hanson, in an article in the Northwestern Journal of International Law and Business (1989) points out that in recognition of the importance of an unrestricted flow of capital, United States policy on international investment is founded upon the theory that the private market is the most efficient means to determine the allocation and use of capital in the international economy. As a result, the United States pursues an "open door" approach to investment which offers no special incentives to foreigners who invest in the United States and, in general, imposes no special barriers. Furthermore, once foreign investors establish themselves within the United States economy, they generally receive the same treatment as domestic investors.

According to Hanson, foreigners invest in the United States for a variety of reasons: the stable U.S. economic and political systems; the relative absence of government regulatory controls on business; a large consumer market; accessibility of leading-edge technology and management techniques; and finally, given the depreciating dollar, current economic conditions often make it a bargain.

Conversely, viewed from the U.S. perspective Hanson says, an open investment policy also has many benefits. Increased foreign investment helps the economy grow and individual companies to expand by providing a source for much needed capital and a conduit to the global marketplace. Foreign investment in U.S. companies also produces employment opportunities, tax revenues, and consumer goods and services. Finally, an open foreign investment policy leads to reciprocity in the elimination of barriers to U.S. investment abroad.
The importance of this last point in an increasingly global economy is underscored by one of the Aerospace Industries Association's key issues (AIA, 1990 December) for the 1990's which states: Our companies must have access to foreign markets on an equitable basis and be able to work with foreign partners to spread risk, raise capital, improve market access, and develop new technology.

Foreign investment in the United States is subject to federal review and a number of laws and regulations which are necessary for national defense or the public welfare. Such laws and regulations include: antitrust laws; securities laws; Defense Industrial Security Program regulations; review by the Committee on Foreign Investment in the United States (CFIUS); and, in some situations, Section 5021 of the Omnibus Trade and Competitiveness Act (1988), entitled "Authority to Review Certain Mergers, Acquisitions and Takeovers" which is often referred to as the Exon-Florio Amendment. A brief description follows of all these regulations except the Defense Industrial Security Program regulations which are addressed separately, in detail.

U.S. antitrust laws (Hanson, 1989) prohibit foreign investors from obtaining an unfair aggregation of economic power which might weaken or destroy competition. The Clayton Act (1982) prevents foreign investors, acting singly or collectively, from acquiring, or participating in a merger or joint venture with a United States firm, if the result would substantially lessen competition or tend to create a monopoly. The Sherman Act (1982) may also be used to prevent acquisitions, mergers or joint ventures by foreign investors if the transactions unreasonably restrain trade or illegally attempt to monopolize a particular market. Finally the Federal Trade Commission Act (1950) prohibits domestic or foreign-owned businesses from utilizing unfair methods of competition.
The Hart-Scott-Rodino Antitrust Improvements Act of 1976 (1982) requires a foreign investor to notify the Justice Department and the Federal Trade Commission prior to an acquisition of voting securities, or of assets exceeding a certain amount.

The Securities Act of 1933 (1982) and the Securities and Exchange Act of 1934 (1982) require (Hanson, 1989) a foreign corporation planning to issue securities in the U.S. market, or to obtain a controlling interest in a publicly-held U.S. company, to comply with proxy rules and certain disclosure requirements. These investment disclosure requirements were expanded in the 1970's which enabled the Departments of Commerce and Treasury to oversee and regulate, but not necessarily restrict, foreign investment in the United States. Specifically, the International Investment Survey Act of 1976 (1982) resulted in the generation of more complete statistical information on foreign direct and portfolio investment. The Domestic and Foreign Investment Improved Disclosure Act of 1977 (1982) required more complete disclosure by foreign investors holding over five percent of any class of security described in Section 13(d)(1) of the Securities Exchange Act of 1934.

The interagency Committee on Foreign Investment in the United States (1975) (Hanson, 1989), created in 1975 by President Ford, consists of representatives from the Departments of State, Treasury, Defense, and Commerce, the U.S. Trade Representative, and the Council of Economic Advisors. The Chair of the CFIUS is the Secretary of the Treasury. The CFIUS has primary responsibility for monitoring the impact of direct and portfolio foreign investment and for coordinating the implementation of U.S. policy on such investment. Discretionary review is the fundamental authority vested in the CFIUS for it has no authority to administer any laws or regulations.
The CFIUS (Pagliano, 1992) process was strengthened in 1988, when Congress passed the Exon-Florio Amendment. It established a process to investigate mergers, acquisitions, or takeovers of a U.S. company by foreign investors and provided the President authority to block a transaction due to national security considerations. Olin Wethington (1991) reported that the definition of "national security" was the major theme of public comments received on regulations implementing Exon-Florio during the summer of 1989. While not specifically defining it, the final regulations which were promulgated in November 1991 suggest the judgement as to whether a transaction threatens national security rests within the President's discretion. Further, a Congressional Conference Report suggests it is to be interpreted broadly and without limitation to particular industries.

E. Defense Industrial Security Program Foreign Ownership, Control, or Influence Security Regulations

Another method to control foreign direct investment in the defense industrial base exists within the implementing regulations of the Defense Industrial Security Program (DISP) which was established pursuant to Presidential Executive Order 10865 (1960, February 20), Safeguarding Classified Information Within Industry, and the National Security Act (1947). The Department of Defense (DOD ISM 5220.22-M, 1991, January) is the Executive Agent for the DISP and the Secretary of Defense is authorized to act on behalf of twenty other Executive Branch departments and agencies in providing security services to safeguard classified information entrusted to industry.
The Defense Investigative Service (DIS) of the Department of Defense has been delegated responsibility by the Secretary of Defense to conduct personnel security investigations and industrial security oversight. A similar arrangement is expected to evolve in the NISP (NISP Report, September 1991) however the Secretary of Energy, the Director of Central Intelligence, along with the Nuclear Regulatory Commission will be responsible for the administration of security matters unique to their statutory authority.

DISP security regulations are promulgated in Directive 5220.22-R (1985, December), the Industrial Security Regulation, Directive 5220.22-M (1991, January), the Industrial Security Manual for Safeguarding Classified Information, along with a variety of other related security regulations. These regulations provide for the establishment of a facility security clearance to allow industrial firms, universities, or other organizations sponsored by an authorized government agency, to access national security information when performing on classified contracts. A facility clearance is an administrative determination that a firm is eligible, from a security viewpoint, for access to classified information. The firm must be located in, and organized under the laws of any of the fifty United States or Puerto Rico. As part of the facility clearance process, a senior management official of the firm executes a DD Form 441 "Department of Defense Security Agreement" on behalf of the company. The Security Agreement (Figure 2.3) is a contract wherein the firm agrees to safeguard classified information in accordance with DoD ISM 5220.22-M.

Furthermore, DoD regulations (1991) state that the firm must not be under foreign ownership, control, or influence (FOCI) to such a degree that the granting of a facility clearance would be inconsistent with the national interest.
It is considered to be under FOCI when a reasonable basis exists to conclude that the nature and extent of FOCI is such that foreign dominance over its management and operations may result in the compromise of classified information or adversely impact performance on classified contracts.

DEPARTMENT OF DEFENSE SECURITY AGREEMENT

This DEPARTMENT OF DEFENSE SECURITY AGREEMENT (hereinafter called the Agreement), entered into this ____ day of ____ 19__, by and between THE UNITED STATES OF AMERICA through the Defense Investigative Service acting for [illegible] (hereinafter called the Contractor), which is: (1) a corporation organized and existing under the laws of the state of ____, (2) a partnership consisting of ____, (3) an individual trading as ____, [illegible] principal office and place of business at (city, state and ZIP code) ____.

WHEREAS, the Government has in the past purchased or may in the future purchase from the Contractor supplies or services, which are required and necessary to the national security of the United States; or may invite bids or request quotations on proposed contracts for the purchase of supplies or services which are required and necessary to the national security of the United States; and

WHEREAS, it is essential that certain security measures be taken by the Contractor prior to and after being accorded access to classified information; and

[illegible] precautions and specific safeguards to be taken by the Contractor and the Government in order to preserve and maintain the security of the United States through the prevention of improper disclosure of classified information, sabotage, or any other acts detrimental to the security of the United States;

NOW, THEREFORE, in consideration of the foregoing and of the mutual promises herein contained, the parties hereto agree as follows:

Section I

(A) The Contractor agrees to provide and maintain a system of security controls within the organization in accordance with the requirements of the Department of Defense "Industrial Security Manual for Safeguarding Classified Information" (hereinafter called the Manual) attached hereto and made a part of this agreement, subject, however, (i) to any revisions of the Manual required by the demands of national security as determined by the Government, notice of which shall be furnished to the Contractor, and (ii) to mutual agreements entered into by the parties in order to adapt the Manual to the Contractor's business and necessary procedures thereunder. In order to place in effect such security controls, the Contractor further agrees to prepare Standard Practice Procedures for internal use, such procedures to be consistent with the Manual. In the event of any inconsistency between the Manual, as revised, and the Contractor's Standard Practice Procedures, the Manual shall control.

(B) The Government agrees that it shall indicate when necessary, by security classification (TOP SECRET, SECRET, or CONFIDENTIAL), the degree of importance to the national security of information pertaining to supplies, services, and other matters to be furnished by the Contractor to the Government or by the Government to the Contractor, and the Government shall give written notice of such security classification to the Contractor and of any subsequent changes thereof; provided, however, that matters requiring security classification will be assigned the least restricted security classification consistent with proper safeguarding of the matter concerned. Further, the Government agrees that when Atomic Energy information is involved it will, when necessary, indicate by a marking additional to the classification marking that the information is "RESTRICTED DATA." The "Department of Defense Contract Security Classification Specification" (DD Form 254) is the basic document by which classification, regrading, and declassification specifications are documented and conveyed to the Contractor.

(C) The Government agrees, on written application, to grant personnel security clearances to eligible employees of the Contractor who require access to information classified TOP SECRET, SECRET, or CONFIDENTIAL.

(D) The Contractor agrees to determine that any subcontractor, subbidder, individual, or organization proposed for the furnishing of supplies or services which will involve access to classified information, has been granted an appropriate Department of Defense facility security clearance, which is still in effect prior to according access to such classified information.

Section II

Designated representatives of the Government [illegible] for inspection pertaining to industrial plant security shall have the right to inspect, at reasonable intervals, the procedures, methods, and facilities utilized by the Contractor in complying with the requirements of the terms and conditions of the Manual. Should the Government, through its authorized representative, determine that the Contractor's security methods, procedures, or facilities do not comply with such requirements, it shall submit a written report to the Contractor advising of the deficiencies.

Figure 2.3 Department of Defense Security Agreement DD Form 441 (Page 1 of 2)

Section III

Modification of this Agreement may be made only by written agreement of the parties hereto. The Manual may be modified in accordance with Section I of this Agreement.

Section IV

This agreement shall remain in effect until terminated through the giving of 30 days written notice to the other party of intention to terminate; provided, however, notwithstanding any such termination, the terms and conditions of this Agreement shall continue in effect so long as the Contractor possesses classified information.

Section V

As of the date hereof, this Agreement replaces and succeeds any and all prior security or secrecy agreements, understandings and representations with respect to the subject matter included herein entered into between the Contractor and the Government, provided that the term "security or secrecy agreements, understandings, and representations" shall not include agreements, understandings, and representations contained in contracts for the furnishing of supplies or services to the Government which were previously entered into between the Contractor and the Government.

Section VI

This agreement does not obligate Government funds, and the Government shall not be liable for any costs or claims of the Contractor arising out of this Agreement or instructions issued hereunder. It is recognized, however, that the parties may provide in other written contracts for security costs, which may be properly chargeable thereto.

IN WITNESS WHEREOF, the parties hereto have executed this Agreement as of the day and year written above:

THE UNITED STATES OF AMERICA, By ____ (Authorized representative of the Government)
(Contractor) ____, By ____ (Title)
WITNESS ____

NOTE: In case of a corporation, a witness is not required but the certificate must be completed. Type or print names under all signatures.

NOTE: [illegible] provided that the same officer shall not execute both the Agreement and the Certificate.

CERTIFICATE

I, ____, certify that I am the ____ of the corporation named as Contractor herein; that ____ who signed this agreement on behalf of the Contractor, was then ____ of said corporation; that said agreement was duly signed for and in behalf of said corporation by authority of its governing body, and is within the scope of its corporate powers. (Corporate Seal) (Signature and Date)

Figure 2.3 Department of Defense Security Agreement DD Form 441 (Page 2 of 2)

A firm that is owned, controlled, or influenced by a foreign national or a commercial or governmental entity whose interests are inimical to the U.S. is not eligible for a facility clearance.
However, firms whose FOCI does not derive from such hostile sources may be eligible for a clearance provided action can be taken to effectively negate or reduce associated FOCI security risks to an acceptable level.

Compared to other departments and agencies of the Executive Branch, DoD security regulations (5220.22-R and 5220.22-M) addressing FOCI are the most mature. The primary factors considered by DoD in determining whether firms are under FOCI are identified in the DD Form 441s "Certificate Pertaining to Foreign Interests" (Figure 2.4) which must be completed by the firm as part of the facility clearance determination process and updated whenever conditions related to FOCI change such that it affects the information previously reported.

DoD regulations (1991) provide that, if the DIS determines that any of the FOCI factors identified in the 441s are present, the case will be reviewed to determine the relative significance of each factor in assessing the firm's initial or continuing eligibility for a facility clearance. If a firm under FOCI may be ineligible for a facility clearance, or additional action would be necessary to nullify or negate the effects of FOCI, the firm will be so advised by the DIS and requested to submit a plan to preclude foreign access to classified information. If an acceptable plan is not submitted, facility clearance processing is

CERTIFICATE PERTAINING TO FOREIGN INTERESTS

PENALTY NOTICE

Failure to answer all questions or any misrepresentation (by omission or concealment, or by misleading, false or partial answers) may serve as a basis for denial of clearance for access to classified Department of Defense information. In addition, Title 18, United States Code 1001, makes it a criminal offense, punishable by a maximum of five (5) years imprisonment, $10,000 fine, or both, knowingly to make a false statement or representation to any Department or Agency of the United States, as to any matter within the jurisdiction of any Department or Agency of the United States. This includes any statement made herein which is knowingly incorrect, incomplete or misleading in any important particular.

PROVISIONS

1. This report is authorized by the Secretary of Defense pursuant to authority granted by Executive Order 10865. While you are not required to respond, your eligibility for a facility security clearance cannot be determined if you do not complete this form. The retention of a facility security clearance is contingent upon your compliance with the requirements of DoD 5220.22-M for submission of a revised form as appropriate.
2. When this report is submitted in confidence and is so marked, applicable exemptions to the Freedom of Information Act will be invoked to withhold it from public disclosure.
3. Complete all questions on this form. Mark "Yes" or "No" for each question. If your answer is "Yes" furnish in full the complete information under "Remarks."

QUESTIONS AND ANSWERS

1. Do foreign interests own or have beneficial ownership in 5% or more of your organization's securities?
2. Does your organization own any foreign interest in whole or in part?
3. Do any foreign interests have positions, such as directors, officers, or executive personnel in your organization?
4. Does any foreign interest control or influence, or is any foreign interest in a position to control or influence the election, appointment, or tenure of any of your directors, officers, or executive personnel?
5. Does your organization have any contracts, agreements, understandings or arrangements with a foreign interest(s)?
6. Is your organization indebted to foreign interests?
7. Does your organization derive any income from designated countries or income in excess of 10% of gross income from non-designated foreign interests?
8. Is 5% or more of any class of your organization's securities held in "nominee shares," in "street names" or in some other method which does not disclose the beneficial owner of equitable title?
9. Does your organization have interlocking directors with foreign interests?
10. Are there any citizens of foreign countries employed by or who may visit your facility (or facilities) in a capacity which may permit them to have access to classified information?
11. Does your organization have any foreign involvement not otherwise covered in your answers to the above questions?

Figure 2.4 Department of Defense Certificate Pertaining to Foreign Interests DD Form 441s (Page 1 of 3)

REMARKS (Attach additional sheets, if necessary, for a full [illegible] statement.)

CERTIFICATION

I CERTIFY that the entries made by me above are true, complete, and correct to the best of my knowledge and belief and are made in good faith.

WITNESS: ____ (Date Certified) ____
(Contractor) ____, By ____ (Title)

NOTE: In case of corporation, a witness is not required but certificate below must be completed. Type or print names under all signatures.

NOTE: Contractor, if a corporation, [illegible]

CERTIFICATE

I, ____, certify that I am the ____ of the corporation named as Contractor herein; that ____ who signed this certificate on behalf of the Contractor, was then ____ of said corporation; that said certificate was duly signed for and in behalf of said corporation by authority of its governing body, and is within the scope of its corporate powers. (Corporate Seal) (Signature and Date)

Figure 2.4 Department of Defense Certificate Pertaining to Foreign Interests DD Form 441s (Page 2 of 3)

INSTRUCTIONS FOR COMPLETING THE DD FORM 441s

In completing the DD Form 441s, all items are to be answered by indicating X in either the YES or NO column. If an answer to any question is YES, the following paragraphs provide instructions for the submission of the necessary data.

QUESTION 1. Identify the percentage of any class of shares or other securities issued, that is owned by foreign interests, broken down by country. If the answer is YES and a copy of Schedule 13D and/or Schedule 13G filed by the investor with the Securities and Exchange Commission (SEC), has been received, attach a copy to the revised DD Form 441s.

QUESTION 2. Furnish the name, address by country, and the percentage owned. Include name and title of officials of the facility who occupy positions with the foreign entity, if any.

QUESTION 3. Furnish full information concerning the identity of the foreign interest, and the position he or she holds in the organization.

QUESTION 4. Identify the foreign interest(s) and furnish full details concerning the control or influence.

QUESTION 5. Furnish name of foreign interest, country, and nature of agreement or involvement. Agreements include licensing, sales, patent exchange, trade secrets, agency, cartel, partnership, joint venture, and proxy. If the answer is YES and a copy of Schedule 13D and/or 13G filed by the investor with the SEC has been received, attach a copy to the revised DD Form 441s.

QUESTION 6. Furnish the amount of indebtedness and by whom furnished as related to the current assets of the organization. Include specifics as to the type of indebtedness and what, if any, collateral, including voting stock, has been furnished or pledged. If any debentures are convertible, specifics are to be furnished.

QUESTION 7. State full particulars with respect to any income from Designated countries, including percentage from each such country, as related to total income, and the type of services or products involved. If income is from non-designated countries, give overall percentage as related to total income and type of services or products in general terms.
If income is from a number of foreign countries, identify countries and include percentage of income by each country. QUESTION 8. Identify each foreign institutional investor holding 5 percent or more of the voting stock. Identification should include the name and address of the investor and percentage of stock held. State whether the investor has attempted to. or has in fact. exerted any management control or influence over the appointment of directors. officers. or other key management personnel. and whether such investors have attempted to influence the policies of the corporation. If a copy of Schedule 13D and/or 136 filed by theinvestorwiththeSEChas been received. attach acopy tothe revised DD Form 441s. QUESTION 9. Include identifying data on all such directors. If they have a security clearance. so state. Also, indicate the name and address of all other corporations with which they serve in any capacity. QUESTION 10. Provide complete information by identifying the individuals and the country of which they are a citizen. Foreign visitors. officially sponsored by a foreign government or User Agency. are not included in the range of this question. QUESTION 11. Describe the foreign involvement in detail. including why the involvement would not be reportable in the preceding questions. ' Figure 2.4 Department of Defense Certificate Pertaining to Foreign Interests DD Form 4418 (Page 3 of 3) tez Dot dec mit SEC] fore of w] by-ca subje discr Direcl dl'l QVC has be Cases. ment, FTOm i' been g1 Viable is De under fit under C0 concern ‘ sufficien 38 terminated or an existing facility clearance is revoked. DoD provides an appeal process for termination or revocation decisions and will work with the firm to modify the FOCI mitigation plan until it adequately protects national security interests. Hanson (1989) points out that the greatest obstacle to foreign investment in the defense industry is passing the threshold test for FOCI. 
There is no standard determination of what constitutes FOCI, and decisions are made on a case-by-case basis. Ultimately, the determination of FOCI is a subjective evaluation, in which the DIS has substantial discretionary authority.

Several FOCI mitigation instruments are detailed in DoD Directive 5220.22-M. These security solutions demonstrate an evolution of policy over more than thirty years, which has been the DoD's response to increasingly complex FOCI cases. In general, policy changes were prompted by government, industry, or situational demands for flexibility. From its inception, DoD FOCI security policy appears to have been guided by an understanding of the criticality of a viable defense industrial base, and the need for access to U.S. or foreign-owned leading-edge technology.

Department of Defense regulations (1991) state that under normal circumstances, foreign ownership of a U.S. firm under consideration for a facility clearance becomes a concern when the amount of foreign-owned stock is at least sufficient to elect representation to the U.S. firm's Board of Directors or foreign interests are otherwise in a position to select such representatives. This standard also applies to equivalent equity for an unincorporated business. Foreign ownership which is not so manifested is not, in itself, considered significant.

Department of Defense regulations (1991) suggest that when the amount of stock owned by a foreign interest is not controlling, but is sufficient to elect representation to the Board, or a representative of a foreign interest is allowed to sit on the Board, the effects of FOCI may be mitigated by a "Resolution of the Board of Directors." The firm must first acknowledge the FOCI, and second, its continuing obligations under the DoD 441 Security Agreement.
The resolution must identify the foreign shareholders, their representatives, and the extent of ownership. Additionally, it must certify that the foreign interest can be effectively excluded from access to government classified information, and from any positions which would enable them to influence the firm's policies and practices in performing on classified contracts. Further, the company chairperson and chief executive officer must be U.S. citizens, the foreign interest can not be the largest single shareholder, and U.S. citizens must own a majority of the stock. Compliance with such arrangements, which date back to the 1950s, is monitored by the DIS during facility security inspections. As necessary, the Board may be required to implement additional administrative controls or adopt further resolutions to ensure the facility clearance remains consistent with the national interest.

Department of Defense regulations (1991) provide another FOCI mitigation instrument called a "Reciprocal" facility security clearance, a solution which stems from established General Security of Information Agreements (GSOIA) between the U.S. and certain allied nations. These agreements facilitate the exchange of classified information between cooperating countries, and the safeguarding of such information in accordance with mutually acceptable standards. The Reciprocal security clearance concept was developed in the 1960's in response to co-production military programs between the U.S. and Canada. The Reciprocal clearance allows a firm owned, controlled, or influenced by investors from an allied nation to be eligible for access to the other nation's classified information consistent with the terms of the government-to-government agreement.
These arrangements also provide a method for granting personnel security clearances to foreign nationals of one country employed by a firm in the other country. Facility clearance processing requires the transmittal of a government-to-government security assurance that the parent firm has been cleared to the necessary level under that nation's security regulations.

The Department of Defense developed the Voting Trust Agreement in 1968 to isolate a parent company when it encountered the first 100% foreign ownership case. The Voting Trust has evolved into an acceptable method to eliminate FOCI risks when a foreign interest owns a majority of the voting securities of a cleared U.S. firm, or if it owns less than 51% of the stock but it can be determined that the foreign interest is in a position to effectively control, or have a dominant influence over, the business management of the firm. In a Voting Trust Agreement, legal title of foreign-owned stock is transferred to U.S. citizen trustees who are approved by the DIS. The trustees must not have had any prior affiliation with either the foreign investor or the cleared U.S. firm, and must be provided all prerogatives of stock ownership. Trustees accept a fiduciary responsibility, a DoD security "watchdog" role, and have the complete freedom to act independently and without consultation with, or interference by, the foreign investor. The investor derives the benefits of ownership in terms of profit or stock dividends, but otherwise has only limited input into the management or operations of the company.
The Voting Trust Agreement may limit the authorities of the Trustees by requiring the foreign investor's approval for such transactions as: sale of all or a significant part of the firm's assets; pledges, mortgages or other encumbrances on the capital stock held in trust by the foreign investors; mergers, consolidations, or major corporate reorganizations; dissolution of the company; or the filing of a bankruptcy petition. The cleared U.S. business must be organized and financed to function independent from the foreign interest.

Proxy Agreements

The Voting Trust concept was modified in the 1970's by creation of the Proxy Agreement. The terms of the Proxy are substantially the same as the Voting Trust except that under the Proxy the voting rights of the foreign-owned stock are transferred to Proxy Holders; however, legal title to the stock remains with the foreign interests. This arrangement accomplishes the same level of isolation between the foreign interest and the U.S. firm, and is more palatable to the investor.

Finally, when a foreign interest acquires a majority of the voting stock of a cleared U.S. firm, or effectively controls its management or operations and refuses to relinquish that control, a facility security clearance may be granted under the terms of a Special Security Agreement, or SSA. The SSA concept was developed in 1984 and has been used in certain situations to grant a majority foreign investor minority representation on the Board of Directors of a cleared U.S. firm. The SSA is an agreement among the U.S. company, the foreign interest, and the DoD. It is designed to mitigate or limit the potential for disclosure of classified or other export-controlled information, or for adverse management impact exercised by a foreign interest on the U.S. operation.

Security countermeasures incorporated into an SSA are tailored to the risk and the nature and extent of FOCI present in the case. Minimally, a Reciprocal Security Agreement must be in place with the nation from which the FOCI emanates, and only U.S. citizens are allowed access to classified information in connection with the facility security clearance. A number of U.S. citizen "Outside" directors function in a watchdog capacity similar to the Trustee or Proxy Holder. Additionally, U.S. citizen "Officer" directors operationally manage the business and serve as a liaison between the cleared company and the board. Outside and Officer directors, along with the security officer, form a Defense Security Committee (DSC), which ensures security and export regulation compliance. "Inside" directors representing the parent are excluded from classified or export-restricted discussions of the board. A DSC may be formed in a firm cleared under a Voting Trust or Proxy. An SSA is generally granted at the SECRET level or lower after a National Interest Determination (NID) is accomplished by DoD security officials and the contracting government agency. On occasion, based on demonstrated need, a policy waiver may be granted by an authorized government agency which allows the U.S. firm access to TOP SECRET, or other highly sensitive classified material.

Perhaps the most significant test of the quality of DISP FOCI security regulations came in April 1992, when the French-owned company Thomson CSF made a controversial bid to acquire part of the assets of the U.S. defense contractor LTV (Pearlstein, 1992, April 19) which had been in Chapter 11 bankruptcy-court proceedings since 1986.
Thomson offered $280 million for LTV's missile division in a joint effort with a Washington investment firm, the Carlyle Group, who bid $90 million cash and $30 million in preferred stock for the LTV aerospace division. Hughes Aircraft Corp., a unit of General Motors Corp., also agreed to buy a 15% stake in the missile business. The Thomson/Carlyle team later indicated that it had received assurances from Defense Department officials that Thomson could receive security clearance to work on the bulk of LTV's army missile contracts, and that they had been advised there were no "show stoppers" to a Thomson bid.

The $400 million total Thomson/Carlyle offer topped a $355 joint offer for the business from the U.S.-owned Lockheed and Martin Marietta Corporations, and started a high stakes bidding war. Before it was over the foreign-led investors increased their offer to $450 million with a $20 million non-refundable deposit. The U.S. partners increased their bid to $385 million fully expecting the French offer would not receive the requisite government approval. The decision by a New York bankruptcy judge to accept the Thomson/Carlyle bid enraged the Lockheed/Martin Marietta team and sparked a controversy that played out in Congressional hearings and the news media.

The Thomson deal, a significant step toward defense industry globalization, shocked and concerned many in Congress and the Executive Branch because of the acute national security considerations inherent in the deal. The Wall Street Journal (Hayes, 1992, April 6) portrayed the Thomson bid as triggering fears that the sale of a missile manufacturing business (LTV) to a foreign concern would someday come back to haunt the U.S. government.
As the Thomson/Carlyle offer moved through the regulatory evaluation process in the weeks following the bankruptcy judge's decision to accept the bid, three threat issues came into focus.

First, attention centered on the French government's ownership of 58% of Thomson CSF. Given a recent national television disclosure by the retired head of the French foreign intelligence service that his organization had been spying on U.S. industry for years, many in government and the private sector speculated that the French were overtly attempting to steal U.S. missile technology.

Second, as a major defense firm involved in sophisticated aerospace and missile technology, LTV was known to possess large amounts of highly classified information. The French made it clear that they wanted a Special Security Agreement in order to have some control over the management and operations of their multi-million dollar investment. The significant percentage of classified holdings at LTV in the TOP SECRET, Restricted Data, Formerly Restricted Data, COMSEC, and Special Access Program categories, which are normally off limits to an SSA cleared firm, quickly became a point of contention.

The third threat issue in the case was best summarized by a comment (Wartzman, 1992, November 2) written by South Carolina Democratic Senator, and Commerce Committee Chairman, Ernest Hollings to Treasury Secretary Nicholas Brady warning that Thomson "has a record of selling arms to outlaw regimes." Indeed part of the controversy surrounding the deal, highlighted by the Senator's allegation, was the government's ability to accurately quantify the threat from a national security intelligence perspective.
A Business Week article (1992, July 20) cited a July 2 report that the Customs Service was investigating whether Thomson illegally diverted U.S. lasers to Iraq. Thomson denied the charge, stating the lasers were French-made and the sales approved by regulators in Paris. In any case, the Senate condemned the Thomson deal in a nonbinding resolution, 93-4. Later in the summer, acting on the work of the fiscal year 1993 Defense Authorization Conference findings that found FOCI national security intelligence gathering efforts lacking, both Houses of Congress passed legislation (Tolchin, 1992) to enhance FOCI data collection and risk assessment.

Ultimately, DISP FOCI security regulations worked as designed and Thomson CSF was forced to accept a Voting Trust or Proxy arrangement as the only acceptable means of safeguarding the sensitive technology in the possession of LTV. This ruling proved to be a deal-breaker for the French who were ultimately able to back out of the deal gracefully without losing their sizeable deposit. LTV was later split (Silverberg, 1992, August) as the missile business was sold to Loral in New York and the aerospace business to a new partnership formed between the Carlyle Group and Northrop in Los Angeles.

III. METHODOLOGY - DEMING'S CYCLE: PLAN, DO, STUDY, ACT

The first part of the Deming Cycle calls for a "Plan" for process improvement. Scherkenbach's (1991) interpretation of this phase suggests step one involves a comparison of the Voice of the Customer with the Voice of the Process to highlight the variance or gap between the two voices.
President Bush's 1991 endorsement of the NISP concept provided an opportunity to create an interagency government and industry forum of security professionals to accomplish such a comparison on all industrial security policy, including that pertaining to FOCI situations. Granted the authority to take a clean slate approach in the development of an Executive Branch standard, the International Security FOCI Working Group indicated progress toward its stated objectives in the 1991 NISP Report (Atwood, et al.) to the President.

Not surprisingly though, media scrutiny of DISP FOCI security regulations in the wake of Thomson CSF/LTV impacted the NISP FOCI Working Group efforts to critically review the current Voice of the Process. Thomson's effect was perhaps even more significant than the mood for process evaluation and improvement originally generated by the NISP. After the Thomson case, it became a challenge for government policymakers to set aside opposing convictions on the merits of foreign direct investment and move toward a rational security policy for foreign ownership, control, or influence of defense firms in the NISP. One example of this is a controversial August 28, 1992 memorandum (Stewart) titled, "Interim guidance on FOCI Cases" from the Deputy Assistant Secretary of Defense, Counterintelligence and Security Countermeasures. Later described as a "strawman" designed to stimulate dialogue in charting the future of FOCI security policy, the memo suggested a very restrictive policy trend that many in government, industry, and foreign nations found unworkable.
The controversy surrounding the strawman policy, which advocated broader application of the Voting Trust/Proxy isolation methodology, did however highlight the variance between the Voice of the Customer and the Voice of the Process as illustrated in Figure 3.1.

The Voice of the Customer is quite clear; it is the Voice of the NISP that calls for an efficient and cost-effective, threat driven security program. The Voice of the Process is unfortunately less clear. Despite Defense Department attempts over thirty years to develop a variety of security countermeasure solutions which respond to varying levels of FOCI threat, in recent years the Process has actually developed two distinct and competing voices, the Special Security Agreement and the Voting Trust/Proxy. While in many ways these two voices are similar, they are often viewed as polar extremes. An "either/or" security countermeasures situation has seemingly developed. The Voting Trust or Proxy is seen by some as a perfect security arrangement because it isolates the foreign parent from the cleared U.S. subsidiary. The SSA, on the other hand, has developed an undeserved stigma as a technology sieve because it only insulates the subsidiary and is designed to mitigate or limit the potential for adverse management impact exercised by the foreign parent on classified or export-controlled technology. Thus, in the minds of some policymakers and administrators, either a Voting Trust/Proxy is implemented, or little has been done about the FOCI threat.

Figure 3.1 The Voice of the Customer (NISP) versus the two current Voices of the Process (SSA or Trust/Proxy) (An adaptation of Scherkenbach, 1991, p. 78)

This is an unfortunate circumstance because, reiterating the statement in the 1990 NISP (Atwood et al.) report:
report: the globalization of industry, coupled with increased economic competition and dramatic strategic develop- ments in East-West relations, will lead to new and different threats from both old and new adversaries. Po the Proi develop' in a st Conuitt militaz do not maPI indicai mitiga‘ GAO st. (no ci‘ neqate C Office and be Classj 90Vern dEmons SeCuri Defens 51 Policymakers might dispute the idea of two Voices of the Process; however, evidence of their existence was developed by the General Accounting Office (1990, March 21) in a statement prepared for the House of Representatives, Committee on Armed Services. The GAO stated that some military service and Defense Investigative Service officials do not agree that an SSA is a fully acceptable alternative to a Proxy or Voting Trust Agreement. Each service indicated that SSAs are the least desirable method to mitigate FOCI and should be used only as a last resort. The GAO statement also referenced a 1989 Army policy memorandum (no citation provided) that stated: because an SSA does not negate FOCI it can only be used when all other means fail. Conversely, GAO stated that some officials from the Office of the Secretary of Defense do not share these views and believe that SSAs provide adequate protection for classified material. The lack of empirical data in the government to justify skepticism about SSAs was also demonstrated in the GAO inquiry. GAO indicated that security officials from the Office of the Secretary of Defense, the Defense Investigative Service, and the military services said they were not aware of any compromises of classified data under SSAs. In the final analysis, the Voting Trust/Proxy and SSA alternatives seem to have taken on lives of their own, partly based on fact, mostly on myth. 
The real issue, as evidenced elsewhere in the GAO testimony, appears to be a widespread lack of understanding of FOCI security countermeasures, and a need to clarify the circumstances under which an SSA is acceptable or appropriate, particularly for protecting highly classified material.

Given the reality of two FOCI security countermeasure Process Voices, there are actually two major opportunities for FOCI security countermeasures process improvement. First, given the dynamic threat environment, there is the opportunity to encourage those involved in FOCI security countermeasures planning for the NISP to take a more forward looking approach to their efforts. This entails elimination of the total reliance on past or present threat abatement methods and the preoccupation with the two dominant Voices of the Process, the SSA and Voting Trust/Proxy. A menu of creative approaches should replace the "either/or" mentality that inhibits progress on this complex security challenge. In other words, the range of security countermeasure options must be flexible enough to adapt to the multiplicity of FOCI security threats which manifest themselves in different ways, and in varying degrees of seriousness.

The second opportunity for process improvement, which is integral to the first, involves alignment of the Voice of the Process with the Voice of the Customer. This opportunity is really a restatement of the NISP goal to tailor the security countermeasures process to the level of threat inherent in each case, and to do so in the most efficient and cost-effective manner. This necessitates development of a graduated scale of threat driven security countermeasures applicable to increasingly complex FOCI threat scenarios.
The end product, as Deming and Scherkenbach suggest, is a single Voice of the Process that is clear and aligned with the Voice of the Customer.

According to Scherkenbach (1991), in step two of the Plan phase of the Deming Cycle the present process is documented, preferably in the form of a process flow diagram. A graphical representation of the existing process makes it easier to spot parts of the process that are inefficient or ineffective, and therefore lend themselves to modification or simplification. The problems identified in the process flow model relate to the variance between the Voice of the Process and the Voice of the Customer.

An illustration of the Defense Industrial Security Program FOCI adjudication process model, which is fairly straightforward, and usually initiated by the cleared firm, is provided in Figure 3.2. As described in Section E above, DoD security regulations (1991) provide the Form 441s "Certificate Pertaining to Foreign Interests" (Figure 2.4) as the primary avenue for reporting FOCI information. The reporting requirements section of the regulations, however, specifies that in the case of a change in ownership, operating name, or when entering into discussions with foreign interests which may increase the level of FOCI, the firm must report the details to the Defense Investigative Service by letter. Such reports, when submitted in confidence, are protected from unauthorized disclosure under the applicable exemptions of the Freedom of Information Act. The DIS and the cleared firm work together to develop a case file

Foreign Interests), or other [illegible] situation at the firm. In the rapidly expanding global marketplace, the probability that a U.S.
firm with a number of foreign customers could be considered under FOCI, yet still fall well short of a majority percentage of foreign ownership, is fairly high. Further, the customer base of most firms is dynamic, changing daily in many cases. It would therefore be possible for a firm to routinely fluctuate in and out of FOCI parameters, certainly more rapidly than the 441s could be updated and adjudicated.

One final concern arises regarding the significance of the seemingly arbitrary 5 and 10 percent FOCI thresholds established on the Form 441s. It raises the question, is 11 percent FOCI income, stock ownership, or nominee share control more alarming than 10 percent? If so, why?

c. Integration & Analysis

The Defense Intelligence Agency, Defense Technologies Resources Group (Swim, 1991) has developed a FOCI intelligence automated information system. The purpose of the system is to develop a series of relational databases to provide an integrated core of key information for analysis. Examples of existing databases included in the relational series are those available from: the Defense Technical Services Administration; the Federal Emergency Management Agency; the Defense Logistics Agency; and the Defense Advanced Research Projects Agency. Other examples may include financial data from commercial sources such as Dun and Bradstreet. Swim indicates that it is difficult in defense contracts to determine corporate ownership since a specific intelligence database on acquisition does not currently exist. Such information suggests that the Committee on Foreign Investment in the U.S. (CFIUS) currently has insufficient data for informed Exon-Florio determinations.

Of particular interest to DIA are the foreign "spoilers" whose motivation is to pilfer U.S. high-technology from small firms, then sell or close them.
Swim suggests that with its new database, DIA will initially look at the "high poles in the tent" for proliferation considerations and technology pilferage. He defines the high poles as foreign investors who come back every year to buy more and more U.S. technology, clearly a national security concern.

In 1991, Swim indicated that DIA faced an uphill battle in its efforts to establish a FOCI database. At that time the biggest challenge was to convince the policymakers that intelligence priorities were changing from those which dominated the traditional militarily-oriented standoff, to those of the new economic war. While attempting to define its new role in the post cold-war era, the Intelligence Community struggled to recognize that foreign acquisition of the defense industrial base was becoming one of the more important threats of the future. In 1992, however, the Thomson case crystallized the reality of changing times, and the Defense Authorization Conference for fiscal year 1993 legislated some new intelligence gathering priorities.

The effectiveness of the DIA database venture will, in part, depend upon the ability of agencies with what Carter (1990) defines as "exclusive" intelligence gathering responsibilities focused only on national policy missions (like those of the Central Intelligence Agency, Defense Intelligence Agency, National Security Agency) to cooperate amongst themselves, and with those agencies who have "non-exclusive" responsibilities (national policy and law enforcement like the Federal Bureau of Investigation, Drug Enforcement Agency, and U.S. Customs Service). In the cold-war world when the threat (Soviet Communism) was clearly understood, the spheres of responsibility of the various intelligence agencies became institutionalized. Now, in an era of regional conflicts and rapidly changing intelligence interests, a process modification may be required.
The traditional split of intelligence responsibilities along foreign (CIA) versus domestic (FBI) lines may no longer be successful. For example, an accurate domestic intelligence picture of the U.S. operations of a foreign-owned firm, and its ability to protect sensitive and classified technology, has significant importance. However, if considered from a non-proliferation viewpoint (especially nuclear, biological, and chemical weapons of mass destruction), intelligence on the foreign parent or government may have equal or greater value. This concept of a complex, comprehensive FOCI intelligence product describing the threat posed by an entire corporate lineage, suggests an integrated foreign and domestic intelligence apparatus which may require a cultural adjustment to achieve the necessary level of coordination amongst competing federal intelligence resources. Anything less would result in an incomplete FOCI risk assessment, and insufficient security countermeasures.

Finally, there is a notable difference in the FOCI analysis and adjudication methodology employed by the various federal agencies who contract with FOCI firms. In determining whether to grant or continue a firm's clearance for access to classified information when FOCI occurs, the Departments of Defense and Energy differ from the Central Intelligence Agency. The CIA assembles experts with intelligence, security, legal, and acquisition backgrounds. Defense (which also reviews FOCI cases on behalf of 20 non-Defense agencies) and Energy generally use only security and legal experts. Defense occasionally uses acquisition personnel when conditions warrant. The CIA review seems to be more comprehensive, and perhaps more effective.

d. Dissemination

Since the Form 441S requests information that describes the competitive business posture of the firm, an issue of consequence to industry is the privacy considerations.
The Defense Investigative Service, which is chartered to review the forms pursuant to the granting and continuance of a facility clearance, will ensure confidential handling of the data, if requested. Frequently however, government customers, especially in the procurement branch of the military components, request a copy of the form when awarding a contract. Contractors worry that the same level of care is not afforded the documentation in these other organizations. Unfairly disclosed competitive sensitive information could be devastating, especially to smaller firms.

A related issue of competitive sensitivity surrounds the access controls established for the DIA FOCI database. Given the previously addressed Form 441S privacy issues, the automation of such data, compounded by a diverse and distributed network of users, gives cause for alarm. Many concerns arise from the business perspective: identification of the user community; confidence in the system's software access controls designed to prevent data manipulation; and safeguards for data integrity to ensure accurate information supplied by the contractor is not altered. Given access to competitive sensitive information, such as the financial well-being of a company or its merger and acquisition history, unethical firms could develop a strategy to sabotage corporate growth objectives of their competition. Inaccurate data viewed by a procurement official that results in the elimination of a viable competitor for a defense contract is not in the best interests of the government or the firm.

The frequency of dissemination for strategic and tactical intelligence purposes may also be of consequence. Since the database is primarily for national security risk assessment purposes, procurement branches of the defense agencies should perhaps not be on distribution.
That way, appropriately cleared FOCI firms are less likely to be eliminated from competition due to unjustified protectionist viewpoints about foreign direct investment. These DIA database information dissemination issues affect both foreign-owned and U.S.-owned firms.

7. National Interest Determination (NID)

As described in Section E above, when a foreign interest acquires a majority of the voting stock of a cleared U.S. firm, or effectively controls its management or operations and refuses to relinquish that control, DoD regulations (1991) allow a facility security clearance to be granted under the terms of a Special Security Agreement, or SSA. The SSA allows a majority foreign investor to have minority representation on the Board of Directors of the cleared U.S. firm. The SSA allows flexibility in the design of security countermeasures which are tailored to the risk, nature, and extent of FOCI in the case. A Reciprocal Security Agreement must be in place with the nation from which the FOCI stems, and only U.S. citizens are allowed access to classified material in connection with the facility security clearance.

A SSA is generally granted at the SECRET level or lower after a National Interest Determination (NID) has been accomplished by DoD security officials and the procuring military component or government agency. Information packets presented to contractors pursuing a SSA by the Office of the Secretary of Defense indicate that, as a general rule, a favorable NID includes: an essential, impending, or prospective need to use, on a classified basis, the products, services, or technical expertise of a U.S.
firm under FOCI when cleared or clearable firms are unavailable or insufficient to satisfy industrial preparedness, mobilization, planning research, production, or production base requirements of a Department of Defense component or a participating non-DoD agency.

The NID is processed through the procurement channels of the government agency(s) or military component(s) that have contracted with the firm that has come under FOCI. Starting with the government Contracting Officer, the NID moves up the chain of command in the military service or agency and over to the Industrial Security function in the Office of the Secretary of Defense. In parallel, the contractor is usually providing the procurement officials justification to support the requirements of the NID. While the NID is processed, the contractor's facility security clearance is usually invalidated, which means it cannot receive new classified contracts. Given interim security measures, it may continue performance on existing programs.

Generally, SSA cleared companies are not allowed access to the highly sensitive "proscribed" categories of classified information listed below. If the company has proscribed contracts when acquired, the NID process can take up to two years, while the government considers novation or assignment of the sensitive contracts. Meanwhile the firm's facility clearance remains invalid, a devastating setback to new business growth. Proscribed categories include:

- TOP SECRET information
- Communications Security (COMSEC) information
- Restricted Data, as defined in the U.S. Atomic Energy Act of 1954, as amended
- Special Access Program information
- Sensitive Compartmented Information

On occasion, based on an overriding need or sole source justification demonstrated during the NID process, a policy waiver is granted by an authorized government agency which allows the contractor access to proscribed classified material for contracts existing at the time of acquisition.
Such waivers may also be granted at a later date for a specific government procurement.

The GAO (1990, March 21), however, found the NID process lacking. The GAO reported to Congress that the services' implementing policies and procedures for NIDs require procurement activities to justify a need for a product or service that is mission-critical, cannot be obtained in sufficient quantity from U.S.-owned sources, and involves a unique product or technology. Military service security officials interviewed by the GAO indicated that supporting justification for these determinations is sometimes incomplete or inadequate.

The GAO also reported that in one SSA, several commands had requested the retention of almost every contract with the contractor without documenting the need in each case. In some cases, contracting officers did not indicate what steps, if any, were taken to identify U.S.-owned suppliers. In another case, the services' files indicated that several U.S. firms could fill the user's requirements, but an SSA was requested and approved. In another case, the foreign company requested approval of an SSA before it bought a U.S. firm. The SSA was approved by the takeover date.

The GAO findings demonstrated in 1990 that the NID process was not effective. The lack of supporting documentation for waiver decisions in the services' files may be attributable to the amount of effort required to compile such data. Realistically these files probably contribute little to procurement decisions because hesitancy over FOCI concerns tends to be overridden by the requirement to purchase the best available technology at the lowest possible price. Therefore, like an insurance policy, the files would only be useful in the event of a technology compromise, should it become necessary to prove to Congress that the procuring command satisfied all the regulatory steps.
The GAO evidence shows the military components have opted, on occasion, not to pay the costly insurance premium because of its questionable value. Since the process has not changed since 1990, it is doubtful there has been any measurable improvement.

The GAO NID critique is unfortunately incomplete since it only describes the degree of compliance with the process as it is currently structured, not whether the process itself is effective. To properly critique the process, it is important to first step back and review the purpose of the NID from a security countermeasures perspective. Such reflection leads to the realization that the original intent is consistent with basic security principles and the national security imperative to identify the FOCI threat, quantify risks to classified material, and define security countermeasures to protect such material in a manner acceptable to the government. For the reasons detailed below, however, in practical application the NID process does not achieve these important objectives.

Viewed as a security countermeasures process, the current NID appears misdirected. In its present format, the NID confirms military procurement needs as opposed to defining threat, risk, and security countermeasures. Specifically, the NID can be characterized as a process of "passing the buck" for acceptance of FOCI risk from the lowest ranked person in the procurement chain to, at minimum, an Assistant Secretary level in the procuring command. During the NID, each successive management level must assume FOCI risk responsibility so the foreign-owned technology source is maintained as a productive part of the defense industrial base. Oddly enough, the NID process does not include an effort to design security solutions to counter real or perceived threats to the sensitive or classified technology.
The important and obvious, yet seemingly overlooked fact is that maintaining access to the best available technology in the defense industrial base, regardless of ownership, is clearly in the national security interest. Similarly, continuance of the American jobs in the contractor's facilities acquired by the foreign interest is in the national economic interest.

The real question, not properly addressed by the NID process is: given a defined FOCI threat and risk scenario, what national security information safeguards would permit the firm to continue serving defense industrial base requirements? Acceptance of risk, using a very resource intense NID process that only reaffirms source selections and procurement needs without imposing threat driven security safeguards, is not productive for the government or industry, and is a waste of tax dollars.

Once a SSA is in place, the situation is exaggerated, and competition further stifled, as the NID process is repeated for new programs or other situations like classified meetings requiring access to proscribed information. New program NIDs normally cannot be processed in the forty-five to sixty days routinely allotted for the proposal stage of the procurement cycle. SSA cleared firms become especially exasperated when procurement officials put up roadblocks or initiate NID procedures for programs that do not contain proscribed category classified information, simply because they do not understand Department of Defense security policy.

To avoid losing out on major contract opportunities, SSA cleared contractors may resort to costly work-arounds like third-party contracts between the procuring activity and another U.S.-owned supplier of such expertise as TEMPEST evaluations (compromising electronic emanations) involving COMSEC material, or nuclear hardness (survivability) analysis involving Restricted Data. In these arrangements proscribed classified material is not provided to the SSA firm.
The third-party contractor reviews the SSA firm's design and delineates changes based on the requirements of the proscribed specification. Such arrangements work, but increase product development time and cost because the SSA cleared firm is essentially designing with one eye closed. Restricted Data and COMSEC facility clearance limitations more adversely impact the competitive posture of SSA firms than the other proscribed categories because of the prevalence of military specifications which include those types of material. Due to the limitations, procuring agencies are sometimes faced with losing a long-standing and valued supplier which adversely impacts the competitive nature of the procurement process.

In the final analysis, the GAO report seems to detail symptoms rather than the root cause of problems with the NID process. The interests of national security, the procuring government activity, and the FOCI firm would all be better served if the current system of risk "acceptance" were changed to a proactive process of risk "management." To accomplish that, a new approach to the issue of protecting proscribed information in FOCI firms is required.

8. Proscribed Information

There is no question that safeguarding proscribed information national security assets in cleared firms that come under FOCI should be the preeminent objective of the NID process. However, not all foreign investment poses the same level of threat, and not all countries are, or should be treated equal. This premise is the heart of the "Special" Security Agreement concept where countermeasures are tailored to threat and risk. In some cases threat or risk may justify strict access limitations. In others, security solutions can negate FOCI risks, or reduce them to an acceptable level. Unfortunately, as demonstrated in the Thomson CSF case, adjudication of FOCI cases can get politicized.
Decisions may be biased by media influenced opinions of the business reputation of the foreign investor(s), or by the state of their country's relations with the U.S. at the time of investment. Political overtones can even overshadow the common sense evaluations of the value of the technology at stake and the consequences of its compromise.

In order to downplay the political aspects of any given FOCI case, it is prudent to approach the NID from a sound national security policy foundation. That foundation already exists in the form of the U.S. National Disclosure Policy (NDP) and General Security of Information Agreements (GSOIA). Unfortunately, the U.S. government has not taken advantage of the rational NDP process to make "risk management" decisions as opposed to "politically correct" decisions.

The National Disclosure Policy (NDP-1, 1981) (Seymour, 1993) controls the release of classified U.S. defense articles and technology to foreign governments and is promulgated in a classified directive. A NDP Committee, chaired by the Department of Defense and consisting of members from Defense, State, the Military departments, the Joint Staff, and other special members, is the controlling element for the U.S. Government's NDP program. Disclosure authority and release considerations are based on legislation, national security policy, treaties, nonproliferation concerns, existence of General Security of Information Agreements (GSOIA), and other factors. The U.S. has negotiated GSOIA with several allied nations which facilitate the exchange of classified information between cooperating countries, and the safeguarding of such information in accordance with mutually acceptable standards.

The NDP Committee approves and maintains current Delegation Disclosure Letters (DDL) for each country, and forwards them to the Military Departments and other agencies for implementation and guidance.
The DDLs specify levels of releasable classified information for each country, both in the general sense and specific to unique programs such as foreign military weapons sales. When requests, either through Foreign Military Sales or an export license application, are received for a particular country, the Department of Defense will compare the request with the latest DDL for that country, and determine if the technology is authorized for release or if it would require an "exception to National Disclosure Policy." If an NDP exception is required, the case (or license application) will be "returned without action," pending receipt of an "expression of interest" from the foreign country itself. Only a foreign country may submit such an expression, and only on a government-to-government basis, through its own Embassy in Washington, DC or through the U.S. Embassy in its country.

If an expression of interest is formally made by the foreign country, one of the members must agree to "sponsor" the exception to NDP, prepare supporting justification documentation, and staff it through the NDP exception review process. The sponsoring member must be convinced, through the justification submitted by the foreign government or the U.S. mission in that country, that an exception is in the national interest, is not precluded by law or treaty, and is desired by or considered beneficial to the Department of Defense and the sponsor. Sponsorship may also be initiated by an agency other than the Department of Defense, depending on the technology involved (e.g., nuclear matters, intelligence issues, space programs, etc).

The majority of NDP exception requests are approved. Most denials result from overriding foreign policy considerations, inhibiting legislation or national policy, lack of a GSOIA, conflicting treaty obligations, or insufficient justification. All NDP exception votes must be unanimous.

Foreign nationals investing in cleared U.S.
firms possessing proscribed classified information likely will not require, or if requested, be granted access to that material. However, if the GSOIA and disclosure policy for the country from which the FOCI stems otherwise allows for release of such material, then a reasonable basis exists for a favorable NID to authorize access to cleared U.S. citizens of the American subsidiary. The risks to proscribed information could be measured against two sets of criteria: (a) those used in developing the GSOIA and NDP for the nation(s) involved; and, (b) those adjudication criteria established authorizing cleared U.S. citizens access to such information when working for a U.S.-owned company. The degree of trust and responsibility placed on them, with or without foreign involvement, is after all the same. Finally, the decision would be fair because it would be traceable to bilateral agreements negotiated through diplomatic channels. If the foreign investor's government felt its company was being discriminated against, it could file an expression of interest on a government-to-government basis.

Given a sound policy foundation for proscribed information release to foreign-owned U.S. firms, the next step is to correct the shortcoming of the current NID by enhancing the security of such material in FOCI firms. A model for additional safeguards exists in the procedures already used for handling the material in U.S.-owned firms. Special Access and Sensitive Compartmented Information programs normally incorporate a number of supplemental controls including: special personnel background investigations; a system to limit personnel access authorizations; special accountability procedures; and segregated storage with a higher degree of physical security protection.
Building on this concept of supplemental protection, a carefully crafted and routinely audited set of security countermeasures designed specifically to safeguard proscribed information entrusted to FOCI firms would result in considerably more security than is presently derived from the NID system. More importantly, and consistent with the NISP goals and objectives, this enhanced level of security could be realized at less cost.

For instance, if a set of security options were available to FOCI adjudicators, and the threat scenario warranted, they could be imposed immediately as the terms of the FOCI agreement are negotiated. If correctly implemented, the need to exercise the procurement arm of the services to justify equipment needs for an initial clearance or program specific access request would be eliminated. Countless manhours of government and industry time spent chasing risk acceptance signatures would be saved. Most importantly, the government will have efficiently imposed a much more effective security program to protect classified or sensitive technology.

9. Threat Emphasis and Security Countermeasure Development

Current FOCI security policy and associated countermeasures form a system that is only geared to deal with the tip of the threat iceberg. Approximately 100 high-profile majority ownership cases have received, by far, the most attention from policymakers and the media. Meanwhile the threat posed by control or influence of the balance of the U.S.-owned defense industrial base seems to go unnoticed. Alliances, consortiums, licensing agreements, joint ventures, co-production programs, indebtedness to foreign lenders, and majority foreign supplier or customer dependency cases provide realistic examples of a much expanded FOCI picture.
For instance, a small contractor deriving a large portion of its revenues from foreign customers without a set of isolation or insulation security controls like those in a Voting Trust, Proxy, SSA, or other arrangement, is perhaps at greater risk to compromising foreign influence than a properly cleared foreign-owned firm. A foreign interest seeking competitive business information, or cooperating in a state-sponsored intelligence operation, might be more successful at acquiring the technology it seeks by duping such a firm with a scam to purchase a single product, while it targets another technology. Such an approach would eliminate the need for a large capital investment to acquire the company, not to mention the government scrutiny and legal fees involved in obtaining a FOCI agreement.

Policymakers may have inadvertently developed an inaccurate picture of the real FOCI threat environment because of their preoccupation with a recognized set of security solutions. It may even be fair to suggest that marketplace globalization has rendered obsolete the U.S. government's concept and operational definition of Foreign Ownership, Control, or Influence. FOCI is certainly not a security challenge that is unique to the U.S. government as evidenced by the extent of U.S. investment abroad. Instead, ownership, control, or influence of a world-wide network of corporate assets or trading partners is a key element of any multinational corporation's strategy to develop a global market presence. Some U.S. government officials are reluctant to acknowledge this trend, or the fact that U.S. industry no longer holds all the world's technological crown jewels, but rather a dwindling percentage. International economic competition will eventually force this realization, along with an understanding of the need for a threat driven, efficient, and effective menu of security countermeasures options to combat threats posed by all forms of foreign involvement, not just ownership.
The unhealthy dependence by policymakers on current FOCI security solutions is further highlighted by examining the focus and intent of such arrangements. In practical application, the Voting Trust, Proxy, and SSA differ somewhat; however, they all focus on control of the power and authority of corporate directors and senior managers. The idea that a compromise could occur because of adverse management impact or influence exercised by the parent or its representatives is valid, however, illicit classified or export-controlled technology transfer is more likely to occur at the engineer-to-engineer level. Professional curiosity among U.S. and foreign colleagues, or eagerness to get the job done on joint ventures present more probable scenarios for inadvertent or intentional technology compromise. Current agreements provide considerable guidance on control of management data exchanges between the foreign parent and the cleared subsidiary, but little on controlling communication between the technology experts.

Therefore, to overcome the dependency on existing security solutions, with their inherent weaknesses, a paradigm shift is required. Such a shift could be initiated by eliminating the terms Board Resolution, Voting Trust, Proxy, SSA, and Reciprocal facility clearance. Deletion of the Reciprocal clearance concept is especially important because it does not incorporate the same type of legal contract between the foreign interest or the U.S. subsidiary and the U.S. government as the other arrangements.

The limited effectiveness of these options, and the distinct aura that each has acquired, would be replaced by a simple, yet logical approach. Each cleared government contractor, regardless of the level of foreign ownership, control, or influence, would execute a NISP 441 Security Agreement with the entire Executive Branch of the government.
Using the NDP and GSOIA as a foundation, as risk of classified technology increases due to greater foreign involvement, proportionate security countermeasures could be imposed as contract amendments to the NISP Form 441. In essence, the countermeasures imposed on the firm as technology protection requirements above baseline standards in the NISP security regulations would correspond to real or perceived threats uncovered in the aforementioned improved National Interest Determination.

The amendments to the NISP 441 might be similar to the terms of the current mechanisms; however, the handicaps to implementation caused by the mythical image that each has acquired would be eliminated. Further, depending on which Executive Branch department(s) or agency(s) used the products or services of the FOCI firm, amendments could be tailored to the unique requirements of that institution. CIA or DoE requirements might be more stringent than those of DoD to allow access to proscribed classified information. This approach incorporates the previously described methodology of factoring proscribed classified material supplemental controls into the strategy. Such a concept incorporates the basic NISP objective of threat driven, efficient, cost-effective security.

10. Security Agreement Violation Clauses

Under Executive Order 12356 (1982) National Security Information, the Information Security Oversight Office (ISOO, 1988) is responsible for monitoring the information security programs of all executive branch departments and agencies that create or handle national security information. In National Security Decision Directive No. 84, March 11, 1983, the President directed ISOO to develop and issue a standard "Classified Information Nondisclosure Agreement" (1988) to be executed by all cleared persons as a condition of access to classified information. Threat of prosecution under applicable espionage and sabotage acts (18 U.S.C.
§§ 793, 794, 798), other criminal and civil statutes and export control laws is an important deterrent in federal government efforts to safeguard classified information.

Department of Defense security regulations (1991) require that persons cleared for access to classified information read the applicable federal statutes and acknowledge their responsibilities concerning unauthorized disclosure of classified information by executing a Standard Form (SF 312) "Classified Information Nondisclosure Agreement." The primary purpose of the SF 312 (ISOO, 1988) is to inform employees of (a) the trust that is placed in them by providing them access to classified information; (b) their responsibilities to protect that information from unauthorized disclosure; and (c) the consequences that may result from their failure to meet those responsibilities. Secondly, by establishing the nature of that trust, those responsibilities, and those consequences in the context of a contractual agreement, if that trust is violated, the U.S. will be in a better position to prevent an unauthorized disclosure or to discipline an employee responsible for such a disclosure by initiating a civil or administrative action.

Despite the carefully orchestrated legal boundaries placed around U.S. citizens as a condition for access to national secrets, interestingly enough, the same violation clauses are not detailed in security agreements established with FOCI firms. Recognizing the obvious increase in risk associated with foreign involvement, rather than capitalize on the deterrent factor of espionage statutes by citing them as a consequence of noncompliance, facility clearance revocation is the most severe penalty established. Given the value of the information involved, and the views of protectionist critics who would opt for an isolationist policy, loss of clearance does not appear to be a big enough penalty to ensure adherence with the terms of the agreement.
For example, a hostile intelligence service or corrupt corporation bent on espionage or technology pilferage for military gain or competitive advantage may gamble and commit the crime. Presently, if caught, the worst case scenario appears to be: a public relations crisis; possible loss of the U.S. firm's facility security clearance; and perhaps, prosecution of principal U.S. citizen managers who may, or may not, have known about or willingly participated in the compromise.

Logically speaking, it would not be the U.S. citizens perpetrating the crime, but rather, the representatives of the foreign interest who, acting on behalf of the foreign parent or its government, might employ clandestine methods to acquire the target information. If the technology were valuable enough, the consequences described above might present a covert operations risk worth taking. If initially undetected, the foreign interest could cover its tracks by selling or dissolving the company. More importantly, if detected, such a conspiracy would likely result in prosecution of the U.S. citizen managers who signed the SF 312, not the representatives of the foreign interest who could be the real criminals. Having avoided espionage prosecution, the foreign investor could respond to negative press with innocent claims that the compromise was an unintentional security breach, or boldly retort the cold war is over and "anything goes" in today's increasingly tolerant environment of competitive business intelligence.

As FOCI situations become more prevalent, it will become obvious that the long arm of U.S. law must extend, if possible, to the foreign nationals or firms who stand to benefit financially, or otherwise, from their investment in U.S. high technology.
Presently, a legal review is required to determine the feasibility of (a) requiring the foreign investor(s) to be cleared or clearable in their own country pursuant to bilateral security agreements; (b) having the representatives of the foreign interest execute a SF 312 or like document as a part of their security arrangements with the U.S. government; and, (c) structuring a legal framework such that the foreign investor(s) or their representatives can be prosecuted under existing or improved U.S. espionage statutes for violation of those arrangements. If legally practical, such proactive enhancements would improve, through deterrence, the enforcement of FOCI security policy. From a reactive perspective, given a compromise, the U.S. government would be in a better position to impose its justice system on guilty foreign nationals.

11. Personnel Security

In recent years the Office of the Secretary of Defense has facilitated significant improvements in international cooperation on security matters among NATO and other allies through such mechanisms as the Multinational Industrial Security Working Group. An excellent example is the Foreign Visit System which uses technology to electronically transmit personnel security clearance data among cooperating countries on a government-to-government basis for such requirements as attendance at classified meetings and performance on Foreign Military Sales programs. Transmission of classified visit requests which previously took 45-70 days to process are now completed in a few hours. Use of the Foreign Visit System is not limited to international cooperative arms programs. For example, DoD security regulations (1991) provide for the granting of a Limited Access Authorization (LAA) at the CONFIDENTIAL or SECRET level to a foreign national requiring access to classified information in connection with the granting of a facility clearance to a firm in the U.S. under foreign ownership, control, or influence.
In these cases the Foreign Visit System is used to obtain a security assurance from the person's country of origin to document that the individual has a clearance in that country at a similar level to the U.S. classified access requirement. Persons granted an LAA sign a SF 312, which is interesting given the espionage prosecution issue addressed above.

While the concept behind the Foreign Visit System and the security assurance process are recognized as valuable by all participating governments, unfortunately the U.S. does not use the system to its full potential for FOCI cases. DoD uses the process when issuing LAAs to foreign nationals who serve in executive positions of firms cleared under a Reciprocal facility clearance, perhaps because of the large volume of foreign disclosure decisions required by such arrangements. However, when foreign representatives hold key positions as "Inside" Directors in FOCI firms cleared under a Special Security Agreement, the DoD does not obtain a security assurance or grant an LAA. The Inside Directors may not require access to classified material, but in their position of trust and influence at a corporate board level, the security assurance and SF 312 Non-Disclosure Agreement seem like prudent measures. At least then, they would have acknowledged the espionage statutes and their responsibility to protect classified national security information.

12. Security Awareness, Training and Education

Few policymakers or government and industry security professionals understand the complexity of FOCI issues or policy. Seemingly fewer procurement officials understand the subject matter or realize cleared foreign-owned firms are chartered in the U.S. (Alderman, 1990, February 22), employ U.S. citizens, and are subject to U.S. laws and regulations. Consequently, a xenophobia exists that is a product of the widespread ignorance of the intricacies of Voting Trusts, SSAs, and NIDs, etc.
This phobia can be compared to the fear impacting many adults who find themselves forced, against their will, to adjust to the computer age. The media, intent on selling news copy, does a disservice to casual observers by adding confusion with misleading, yet intriguing stories that suggest ulterior motives and industrial espionage. Clarifying facts on the policy, threat, risks, and countermeasures are lost amongst the insinuations of evil intentions by foreign investors. Therefore, as with the computer literacy problem, the natural reaction to a FOCI problem, in or out of government, is to avoid the issue. Responses in government range from protectionist policies in the Legislative and Executive Branches, to unfortunate procurement decisions eliminating viable foreign-owned U.S. firms from supplier lists resulting in stifled competition and the loss of American jobs, to ineffectual oversight by industrial security personnel who avoid the subject during audits.

Inside the foreign-owned firms, Trustees, Proxies, and Outside Directors, often with little or no training and even less understanding of what is expected of them, are thrust into an important role that has security and fiduciary responsibility. Company employees feel frustration and doubt about the firm's future when established customer relationships become strained because they are suddenly treated as foreigners, even though they have not changed citizenship. Representatives of the foreign parent may experience the greatest shock as they adapt to being viewed as second class vendors in an increasingly competitive "buy American" defense business culture. Having often invested millions of dollars for a foothold in the enormous U.S. military market, this makes for a difficult adjustment.

Education and training needs for FOCI stem directly from the same cultural transition occurring in non-defense sectors brought on by globalization and the swift expansion of international markets.
It may be more difficult for Americans to adjust to international markets and competition than executives from other nations because, comparatively, the domestic market has been so bountiful for so long. Now, in a post cold-war world the defense industry is not quite as lucrative. Competition for fewer defense dollars is heating up, major players are merging or folding, and the technological prominence enjoyed by U.S. industry is fading as capable foreign sources emerge. Protectionist survival tactics seem to be the first reaction in government and industry. Eventually, however, U.S. manufacturers find themselves rising to the challenge of global economic war and, as demonstrated by the auto industry, producing better widgets for sale in overseas markets. As this globalization metamorphosis happens, understanding of FOCI issues will increase. To help the process along so that government and industry are equipped to handle the inevitable increase in FOCI issues, specific education and training gaps must be filled.

A basic understanding of national foreign investment policy is the first education and training requirement. Building on a solid foundation of why the U.S. chooses to encourage foreign investment as part of its national economic strategy, it would be beneficial to eliminate the mystery surrounding FOCI policy. This could be done by presenting FOCI adjudication as a process which has been reduced to understandable concepts like threat, risk, and security options. Rather than attempt to teach a skeptical audience the finer points of Voting Trust/Proxies, SSAs, and NIDs, etc., which are often perceived to be as complicated as the inner workings of a computer, it would be more effective to take a simplistic approach.

Specific FOCI training and education requirements include a course for Trustees, Proxies, and Outside and Officer Directors on their fiduciary responsibilities and government security watchdog role.
This training should be a prerequisite to assuming such a position and should, at minimum, include a review of the role of the Defense Security Committee, the Facility Security Officer, the Export Control Officer, as well as security procedures like the foreign parent Visitation Agreement. The government's expectations regarding oversight of the U.S. operations and the requirements of an annual compliance report should also be explained.

In a fashion similar to the training DoD makes available to security professionals on handling classified material, a course is needed for the Facility Security Officer of a firm that has come under FOCI to clarify policy and detail acceptable standard security practices. Such a course should include operational implementation of a FOCI visitation agreement, and the control of other forms of voice and data communication. The course should provide examples of employee security awareness programs directed at FOCI situations and an effective working relationship between the Security and Technology Control Officers. A variation of the course should be made available to Facility Security Officers of U.S.-owned firms who find themselves involved with FOCI firms in classified contract matters.

In the government, policy and procurement officials require a different type of training. They do not necessarily need to know the mechanics of administering a FOCI agreement; however, they should understand the insulation or isolation provided by the various instruments. Assuring effective FOCI agreement administration should be left to the government's industrial security inspection cadre who need still another type of training. They should know something about corporate organizational structures in order to monitor the variety of communications occurring between a parent and its subsidiary.
Certainly all companies are not the same; however, some types of communication exchanges are consistent, such as: strategic marketing plans; profit and loss reports; capital and expense budgets; sales volume and backlog; bid and proposal activity; and proposed alliances, joint ventures, acquisitions. Much of this information is only sensitive to the company and does not threaten classified or export-controlled technology. In addressing the technical matters, inspectors should understand how to probe at interactions occurring through avenues like technical libraries, program reviews, or joint ventures that require Department of State or Commerce approved technical assistance or manufacturing license agreements. To properly safeguard sensitive technology, the government security representative must understand how such arrangements are organized.

Education and training requirements specified above are not unique to the handful of foreign acquisitions. As indicated, globalization of the defense market through international teaming, consortiums, joint ventures, etc., provides ample justification for creating education courses geared to the needs of each group. If everyone understands the issues, the problems should soon dissipate.

Pausing to revisit the Deming PDSA theoretical model, we recall that Scherkenbach (1991) points out that Step Three is where an operational definition of the opportunity for process improvement identified in Step One is defined by creating a vision of the improved process. It is similar to Step Two in that a flow diagram is developed, but this time the process improvements are incorporated. In accomplishing this task it is important to acknowledge that in the complicated process of FOCI adjudication, there are numerous, often competing voices exerting pressure in order to influence the outcome.
To achieve consensus that the new process is an improvement over the old, the new process vision must incorporate the policy objectives of most, if not all, the voices. The following is an attempt to merge those voices.

Starting with the goals and objectives of the NISP, and recognizing the complexities of the FOCI threat environment, the NISP FOCI security countermeasures process must be threat driven, cost effective, and flexible. Building on the positive and negative aspects of the current policy discussed in the preceding analysis, obviously it must safeguard classified and export-controlled national security information assets possessed by FOCI firms. To be fair from an international relations perspective, it must be consistent with National Disclosure Policy (NDP) and General Security of Information Agreements (GSOIA) with foreign nations. To be economically attractive, it must be consistent with national foreign investment policy goals while protective of the U.S. employment base. From the perspective of the military, it must satisfy defense procurement needs for leading-edge technology and availability in time of war, yet facilitate R&D burden-sharing among international allies. Simultaneously, it must be tolerant of the competitive position of industry and eliminate impractical facility clearance limitations that stifle competition. It must be cognizant of the realities of multinational corporations which acquire businesses around the world to establish an international market presence. Finally, it must be adaptable to a dynamic FOCI scene in a rapidly changing global economy. A graphical representation of a process that attempts to incorporate all these requirements is shown in Figure 3.3.

[Figure 3.3 NISP FOCI Adjudication Process Model]

In implementing Step Four of Scherkenbach's (1991) description of the PDSA methodology, it appears the most effective way to scope recommendations for a NISP FOCI Security Countermeasures Process Improvement is to create a Management Plan. Part One of this section provides a plan incorporating the logic behind policy recommendations. Part Two provides an actual NISP FOCI Security Policy proposal incorporating the enhancement objectives.

1. Management Plan

As stated in the discussion of proscribed information (Section B-8), successful transition to a new process requires a sound FOCI security policy foundation. Step One of the Management Plan is to get all concerned parties, foreign and domestic, government and industry, to realize that the foundation is already in place. General Security of Information Agreements between the U.S. and friendly foreign nations, and the National Disclosure Policy facilitate exchange and safeguarding of classified material in accordance with standards mutually acceptable to the cooperating countries. The applicability of the GSOIA and the NDP process to FOCI adjudication and countermeasures planning must be promulgated domestically by U.S. security policy revision and established internationally through a forum like the Multinational Industrial Security Working Group.
These mechanisms must be recognized as the basis of an equitable policy on the release of classified material, including "proscribed" information, to foreign owned, controlled, or influenced U.S. companies in the NISP. For example, if the NDP and GSOIA between the U.S. and the United Kingdom or Canada allow release of proscribed COMSEC or Restricted Data to those governments, but such is not the case with Japan or France, that would be the basis for adjudication decisions regarding cleared U.S. firms with FOCI stemming from those countries. As the NDP and GSOIA are altered to compensate for changes in the international political climate, facility clearances, access requirements, threat, risk, and compensating security countermeasures could be reviewed in the affected firms.

Step Two of the Plan, perhaps the most important step, involves revamping the FOCI National Interest Determination process. Pursuant to the NISP Threat Working Group goal of creating a Catalogue of Threat Assessments (Section B-6a); the legislation of the 1993 Congressional Defense Authorization Conference (1992); and, organized by the White House endorsed DoD/CIA Joint Security Commission on future security, intelligence, and counterintelligence requirements (White House, 1993, May 26 and NSI Advisory, 1993, July); an interagency FOCI Threat Assessment Committee (FOCI/TAC) should be established to conduct effective National Interest Determinations of defense-critical technologies. In accordance with the directions of Congress, the capabilities of such entities as the Defense Intelligence Agency, the Army Foreign Technology Science Center, Naval Maritime Center, and the Air Force Foreign Aerospace Science and Technology Center should be employed in this process.
As stated in the examination of FOCI intelligence, threat assessment and risk analysis (see pages 77-78), the traditional "exclusive" versus "non-exclusive" boundaries of responsibility should be altered to allow for a more integrated and comprehensive foreign and domestic intelligence product. To be effective, the NID must not be an affirmation of procurement needs, but rather, include:

- an intelligence and technology assessment;
- a risk analysis and quantification of threat; and,
- a definition of appropriate security countermeasures.

Certain tools, such as the DIA initiated NISP FOCI database, and an unambiguous Executive Branch NISP 441S "Certificate Pertaining to Foreign Interests" standard are necessary. Taking advantage of modern technology, the usefulness of the database could be enhanced by creating it as a secure distributive processing network that uses "Contractor and Government Entity" code numbers as user identification, thus allowing timely 441S data entry and update by industry. Encryption, password protection, and appropriate software security controls would be mandatory to satisfy industry database accuracy and integrity concerns. Access must be strictly controlled in the NISP organization structure and intelligence circles because it might contain company private or sensitive securities-related information.

Step Three of the Plan is to create an interagency NISP FOCI Adjudication Committee (FOCI/AC) in one of three ways. One is to expand the charter of the National Disclosure Policy Committee (see page 88) to include FOCI adjudication. Another would be to create a FOCI Adjudication Subcommittee of the National Disclosure Policy Committee that is linked to the NISP oversight structure when it is formalized. A third option would be to reorganize and enhance the CFIUS investigative body with leadership from, and more direct links to, the intelligence and security communities.
Even if it is managed elsewhere, the FOCI/AC would still provide input to the CFIUS in extreme threat cases. Regardless of how it was constituted, the purpose of the FOCI/AC would be to evaluate the technology and threat assessments, intelligence reports, and risk analysis provided by the FOCI Threat Assessment Committee to determine appropriate security solutions for defined levels of threat in keeping with the NDP and GSOIA. The FOCI/AC must be interagency to ensure the facility clearance is acceptable to all departments and agencies who use the products or services of the contractor in the NISP. For instance, the CIA or some other agency might request certain unique requirements due to classified or covert relations with the supplier. Alternatively, that agency might abstain from deliberations if it does not contract with the firm. In any case, FOCI/AC deliberations should be patterned after the CIA model with intelligence, legal, acquisition, and security input into decisions.

Step Four is to make sure the FOCI/AC has available, not only the products of the FOCI TAC, but the current NDP, the GSOIA with foreign nations, the latest Delegation Disclosure Letters, and some guidelines such as those detailed in Figures 3.4 and 3.5 below. The guidelines, developed by government and industry security professionals, and updated in the NISP security regulations when technology or methodology advancements dictate, would provide a menu of options for negation or mitigation of risk associated with particular levels of foreign involvement.

[Figure 3.4 FOCI Adjudication Guidelines, Part 1]

[Figure 3.5 FOCI Adjudication Guidelines, Part 2. Supplemental Security Countermeasures, Proscribed Information: require a Single Scope Background Investigation (SSBI), normally reserved for TOP SECRET or SENSITIVE COMPARTMENTED INFORMATION, on FOCI firm employees accessing RESTRICTED DATA or COMSEC; impose a billet system limiting proscribed access; implement Security Awareness Training and Education (SATE).]

Given the appropriate tools for adjudication, it may be possible over time, for the NISP FOCI/AC to develop a Threat Assessment Matrix such as that depicted in Figure 3.6. As the adjudication process is refined, beneficial cost to both the government and industry could be quantified. Additionally, it may be possible to expedite adjudication as security countermeasures for similar threat scenarios prove their effectiveness in the oversight and compliance portion of the NISP. Time and money for adjudication and security countermeasures planning could be saved by government and industry. Foreign investors would also have an upfront, clear understanding of what would be expected of them should they acquire a firm, rather than wondering what deals can be struck during the FOCI agreement negotiation process.

[Figure 3.6: Threat Assessment Matrix]
[Bar chart: Ratings of Interagency NISP FOCI Adjudication Committee Idea. Categories: Practical, Impractical, Process Improvement, No Value Added, Unsure]

PRACTICALITY
                  Practical     Impractical    Row Total
Non-FOCI Firm     27            6              33 (66.0%)
FOCI Firm         14            3              17 (34.0%)
Column Total      41 (82.0%)    9 (18.0%)      n=50 (100%)
χ²(1) = .002   P = .96

VALUE
                  Process       No Value
                  Improvement   Added          Row Total
Non-FOCI Firm     17            7              24 (54.5%)
FOCI Firm         15            5              20 (45.5%)
Column Total      32 (72.7%)    12 (27.3%)     n=44 (100%)
χ²(1) = .095   P = .75

Figure 3.16 Ratings of the NISP FOCI Adjudication Committee Idea

Survey questions 9 - 10 addressed two security countermeasures ideas. The first idea (question 9) suggested replacement of the current FOCI risk mitigation instrument terminology with a NISP Form 441 with amendments. The second idea (question 10) suggested supplemental safeguards for proscribed information in FOCI firms.

9. Despite a variety of security countermeasures options, FOCI adjudication is often reduced to either a Voting Trust/Proxy, or a SSA. Myths about the effectiveness of these alternatives then dominate ensuing debates. Unfortunately, the needs of government, the cleared firm, and the foreign investor do not always coincide with these alternatives. To define threat-driven solutions, how would you rate the idea of deleting the terms Voting Trust, Proxy, Reciprocal, Board Resolution, and SSA?
Instead, the NDP FOCI Adjudication Committee (with a report from the FOCI Threat Assessment Committee) would define required countermeasure amendments to a standard NISP 441 "Security Agreement" from a list provided in the NISP Operating Manual Supplement. Select all that apply.

[Bar chart: Ratings of NISP 441 Security Agreement with Amendments Idea. Categories: Practical, Impractical, Process Improvement, No Value Added, Unsure]

PRACTICALITY
                  Practical     Impractical    Row Total
Non-FOCI Firm     28            2              30 (61.2%)
FOCI Firm         17            2              19 (38.8%)
Column Total      45 (91.8%)    4 (8.2%)       n=49 (100%)
χ²(1) = .23   P = .63

VALUE
                  Process       No Value
                  Improvement   Added          Row Total
Non-FOCI Firm     19            5              24 (64.9%)
FOCI Firm         11            2              13 (35.1%)
Column Total      30 (81.1%)    7 (18.9%)      n=37 (100%)
χ²(1) = .16   P = .68

Figure 3.17 Ratings of the NISP 441 Security Agreement with FOCI Amendments versus Voting Trust/Proxy/SSA Idea

10. Given the National Disclosure Policy/General Security of Information Agreement policy premise established in question number 4 for "proscribed" information access, how would you rate the idea of providing a menu of additional safeguarding options for such data in the National Industrial Security Program Operating Manual Supplement? For example; a) a Single Scope Background Investigation, normally done for TOP SECRET/Sensitive Compartmented Information, on FOCI firm employees accessing Restricted Data or Communications Security (COMSEC), b) a billet system to limit access, c) vault storage of all proscribed data. Select all that apply.
[Bar chart: Ratings of Proscribed Data Security Countermeasures Idea. Categories: Practical, Impractical, Process Improvement, No Value Added, Unsure]

PRACTICALITY
                  Practical     Impractical    Row Total
Non-FOCI Firm     16            9              25 (59.5%)
FOCI Firm         11            6              17 (40.5%)
Column Total      27 (64.3%)    15 (35.7%)     n=42 (100%)
χ²(1) = .002   P = .96

VALUE
                  Process       No Value
                  Improvement   Added          Row Total
Non-FOCI Firm     10            11             21 (56.8%)
FOCI Firm         11            5              16 (43.2%)
Column Total      21 (56.8%)    16 (43.2%)     n=37 (100%)
χ²(1) = 1.65   P = .19

Figure 3.18 Ratings of the Proscribed Data Security Countermeasures Idea

Survey question 11 addressed the personnel security enhancement ideas of a security assurance, Limited Access Authorization, and SF 312 Non-Disclosure Agreement on foreign directors in FOCI firms.

11. As a process improvement in the area of personnel security, how would you rate the idea of requiring a SECRET security assurance from the nation where FOCI stems on foreign interest Owners, Officers, Directors or Executive Personnel of FOCI firms? A Limited Access Authorization (LAA) would be granted consistent with the NDP and GSOIA for that country and they would be required to execute a SF 312 "Non-Disclosure Agreement" for prosecution under U.S. espionage laws. Select all that apply.

[Bar chart: Ratings of FOCI SATE for Procurement Officials Idea. Categories: Practical, Impractical, Process Improvement, No Value Added, Unsure]

PRACTICALITY
                  Practical     Impractical    Row Total
Non-FOCI Firm     32            3              35 (63.6%)
FOCI Firm         18            2              20 (36.4%)
Column Total      50 (90.9%)    5 (9.1%)       n=55 (100%)
χ²(1) = .03   P = .85

VALUE
                  Process       No Value
                  Improvement   Added          Row Total
Non-FOCI Firm     24            2              26 (59.1%)
FOCI Firm         16            2              18 (40.9%)
Column Total      40 (90.9%)    4 (9.1%)       n=44 (100%)
χ²(1) = .15   P = .69

Figure 3.22 Ratings of the FOCI Security Awareness, Training and Education for Procurement Agency Officials Idea
[Bar chart: Ratings of FOCI SATE for NISP Oversight Agency Officials Idea. Categories: Practical, Impractical, Process Improvement, No Value Added, Unsure]

PRACTICALITY
                  Practical     Impractical    Row Total
Non-FOCI Firm     36            1              37 (61.7%)
FOCI Firm         23            0              23 (38.3%)
Column Total      59 (98.3%)    1 (1.7%)       n=60 (100%)
χ²(1) = .63   P = .42

VALUE
                  Process       No Value
                  Improvement   Added          Row Total
Non-FOCI Firm     21            2              23 (59.0%)
FOCI Firm         14            2              16 (41.0%)
Column Total      35 (89.7%)    4 (10.3%)      n=39 (100%)
χ²(1) = .14   P = .70

Figure 3.23 Ratings of the FOCI Security Awareness, Training and Education for NISP Oversight Agency Officials Idea

In the "Study" phase of the PDSA model, step six of the action plan is invoked as the test results are observed. The purpose of this step is to determine if the planned changes in the process result in a smaller gap between the Voice of the Process and the Voice of the Customer. The opinions of industry security professionals on the merits of process improvement ideas developed during the PDSA exercise are used to determine if the gap between the Voice of the Customer and the Voice of the Process has decreased.

Consistent with the typically intense debate that occurs in the Legislative and Executive Branches of government when the topic of foreign ownership, control, or influence of the defense industrial base is raised, the survey of security professionals prompted many impassioned responses. Several respondents not only checked the blocks on the form, but many added substantive or rhetorical comments in the margins. A few even attached letters to further expound on their views, personal experiences, or frustrations with current FOCI security policy.

Conclusions drawn from the survey data are tempered by acknowledgement of the fact that the sample size is small, 77 responses out of 114 surveys distributed for a 67.5% response rate.
The sample is, nevertheless, consistent with the PDSA methodology which suggests testing on a small scale with the customers. Additionally, it is important to recognize that the number of security professionals who regularly deal with FOCI issues due to their employment in a FOCI firm, or if employed by a non-FOCI firm, because of contracts involving FOCI entities, is also small, but growing.

Given these cautions, analysis of the results begins with the demographic data developed in questions 1 and 2 (page 162) which address the employment of the respondents and the type of security arrangement employed to clear their firms. Not actually part of the PDSA test of process improvement ideas, these two questions were asked to facilitate analysis of data by FOCI versus non-FOCI firm respondent. While the data from question 1 indicates that nearly twice as many responses were received from non-FOCI firms (49) as were received from FOCI firms (28), the data from question 2 indicates that all types of current FOCI arrangements were represented in the response.

Question number 3 (Figures 3.7 - 3.11, pp. 164-168) was also not part of the PDSA test of process improvement ideas. It used a Likert style rating scale to measure the security professionals' opinions on the effectiveness of current Voting Trust, Proxy, Reciprocal, Board Resolution, and SSA FOCI security countermeasure instruments. Rating choices included: Very Effective, Somewhat Effective, Somewhat Ineffective, Very Ineffective, and Unsure. Four observations are made about the data received on this question.

First, none of the Chi Square calculations were above the critical value of 3.84 at the 95% confidence level. This indicates the variables Employment and Effectiveness are independent and FOCI versus non-FOCI firm orientation does not appear to bias the rating patterns of the respondents on the effectiveness of current risk mitigation instruments.
Therefore, this factor does not bear on the discussion of responses to this question.

Second, the percentage of respondents who chose Effective (Very Effective and Somewhat Effective combined) versus Ineffective (Somewhat Ineffective and Very Ineffective combined) when rating the Voting Trust, Proxy, Reciprocal, and Board Resolution is consistent: on average, 66% Effective, 34% Ineffective. This consistency is worth noting because, on average, only 66% of the respondents rate these four instruments as effective, a majority, but not an overwhelming one. This observation becomes significant when the third comment below is considered.

Each ratings chart (Figures 3.7 - 3.11) shows that a substantial number of respondents (ranging from 18% to 32%) chose Unsure. This may be attributable to a lack of direct personal experience. Conversely, it may demonstrate what the General Accounting Office audits of DoD FOCI security policy have underscored: that it is difficult to determine whether these arrangements really work on an operational basis, since performance criteria vary among companies. Referring back to point number two above, if the Unsure responses are viewed with the Ineffective ratings, the overall confidence level is somewhat bleak.

The fourth, somewhat surprising, observation pertains to the SSA cross tab on page 168, Figure 3.11. In contrast to the results on the other four instruments, and despite the controversy surrounding the SSA during the GAO audit (1990, March 21) and the Thomson CSF/LTV case in 1992 (Pearlstein, Hayes, Wartzman), 51 out of 59 respondents (86.4%, which does not include those Unsure) rated the SSA either Very Effective or Somewhat Effective.
Since the SSA attempts to tailor countermeasures to threat, and given the threat focus of the process improvement ideas developed using the PDSA methodology, it would be interesting to further pursue the reasons why the respondents rated the SSA more favorably than the other instruments.

The last set of observations pertains to the PDSA test of process improvement ideas, Figures 3.12 - 3.23. Once again, all but one of the Chi Square calculations did not exceed the critical value of χ²(1) = 3.84 with P = .05 or less. The exception is the practicality of Security Awareness, Training, and Education for Directors contained in the cross tab on page 190, which was χ²(1) = 7.2 with P = .007. Aside from chance, there is no readily apparent explanation for this result, which is inconsistent with the others; therefore, it is not considered important.

In looking at the cumulative totals for each question, the first observation is that, with the exception of two ideas, the vast majority of the respondents rated nearly all of the FOCI security countermeasures ideas as both Practical and a Process Improvement. The bar graph charts in Figures 3.12 - 3.23, where Unsure ratings are included, display an obvious difference in the percentage of respondents who chose Practical and Process Improvement over Impractical, No Value Added, or Unsure. However, the cross tab charts, which eliminate the Unsure ratings from consideration, provide an even more noticeable display of the ratings pattern of the respondents. In ten of the twelve cross tab charts, the percentage of respondents who rated the idea Practical versus Impractical ranged from 76.7% to 98.5%. Further, for those same ten ideas, the cross tab charts indicate that the percentage of respondents who chose Process Improvement versus No Value Added ranged from 72.7% to 95.1%.
There are two exceptions: 1) Figure 3.18, the idea on proscribed data security countermeasures, and 2) Figure 3.19, the idea on a Limited Access Authorization (LAA) for foreign Directors based on a Security Assurance from their own country and execution of an SF 312 Nondisclosure Agreement. On these ideas, a more even ratings split appears, which may be explained by written comments received. On the proscribed data countermeasures idea, the value of a billet system was questioned. On the LAA/SF 312 idea, questions were raised on the applicability of U.S. espionage laws to foreign persons.

In summary, it does appear that the PDSA exercise has reduced the gap between the Voice of the Customer and the Voice of the Process, and provided a model for an improved FOCI security countermeasures process in the NISP.

"Act" Steps Seven and Eight: Conclusions

Recall that in the "Act" phase of the PDSA Cycle, where the opportunity to improve the process materializes, there are two steps. In step seven, after studying the results of the pilot test, in this case the opinions of security professionals on the FOCI security process improvement ideas, the process is improved, or it is not, by creating a new mix of the five process resources: people, method, material, equipment, and environment. As suggested in the introduction, in this particular PDSA exercise, it will be up to government policymakers who promulgate and administer the FOCI security countermeasures process to act, or choose not to act, upon the findings presented in this paper.
The flurry of activity associated with the recent high-profile Thomson CSF/LTV FOCI case, the GAO audit (1990) of DoD procedures, the DoD/CIA Joint Security Commission (1993), and the implementation deadline for Executive Order 12829 (1993) on the National Industrial Security Program seems to provide ample reasons for cognizant officials to at least consider the ideas and observations presented in this paper.

Finally, in step eight of the Deming Cycle, the PDSA exercise must start again. Assuming the appropriate authorities agree that at least some of these process improvement ideas warrant consideration, they should be field tested, preferably, as Deming suggests, on a small scale. Then, the PDSA Cycle must begin again.

FOOTNOTES

1. Assistant Secretary of Defense (Production and Logistics), October 1990, Report to Congress on the Defense Industrial Base states: the defense industrial base includes government and privately owned plants and equipment as well as government and private technology development efforts. The defense industrial base is both large and complex. It encompasses a network of prime weapon system manufacturers, many of whom are highly dependent on the DoD for business, and thousands of large and small subtier firms with varying proportions of commercial and military sales. The government-owned facilities are operated either by government or private sector firms. In addition to this vast array of United States industrial capability, our allies possess strong industries that support U.S. defense requirements. These industries often supply the U.S. with essential components and specific capabilities that enhance U.S. R&D and production efforts. In particular, the North American Defense Industrial Base (NADIB) represents U.S.-Canadian cooperation on industrial base issues.

2. Inscription on the Smiths Industries Aerospace & Defense Systems Inc., Grand Rapids Division, Edward Bear Award for Team Excellence in Total Quality Management.
3. Intelligence Community - described by Carter (1990) as the intelligence agencies which gather national security intelligence information such as the Central Intelligence Agency, National Security Agency, Defense Intelligence Agency, Federal Bureau of Investigation, Drug Enforcement Agency, and U.S. Customs.

4. National Interest Determination definition supplied by the Office of the Secretary of Defense, Counterintelligence and Security Countermeasure, Industrial Security Programs Directorate to foreign-owned, controlled or influenced firms considered for a facility security clearance under the terms of a Special Security Agreement.

BIBLIOGRAPHY

Advisory. (1993, July). Administration sets up new commission to review government security. National Security Institute. Framingham, MA: 3(12), 2-3.
Aerospace Industries Association. (1990, December). 1991 AIA Issues, Aerospace: A Global Industry. AIA Newsletter, 1, 6, p. 4.
Aguayo, R. (1990). [title illegible]. New York, NY: Fireside.
Anderson, M. C. (1992, June). Considerations affecting the future of industrial security. Defense Issues, 1(43). Washington, DC: American Forces Information Service.
Anderson, M. C. (1992). A prudent approach to industrial security: The background and promise of the National Industrial Security Program. Viewpoints: A Periodical [remainder of title illegible], 31-45.
Alderman, C. (22 February 1990). Release of export controlled technical data to foreign-owned U.S. firms. Deputy Under Secretary of Defense (Security Policy) Memo I-90/10652.
Arms Export Control Act, 22 U.S.C. § 2776 et seq. (1976).
Assistant Secretary of Defense (Production and Logistics). (October 1990). Report to Congress on the Defense Industrial Base. Falls Church, VA: DoD Office of Industrial Base Assessment.
Atwood, D. J., Watkins, J. D., & Webster, W. H. (1990, October 17). [title illegible]. Washington, DC: Department of Defense.
Atwood, D. J., Watkins, J. D., & Kerr, R. (1991, October 18). [beginning of title illegible] Security Program. Washington, DC: Department of Defense.
Auerbach, S. (1990, February 3). President tells China to sell Seattle firm. The Washington Post.
Bagley, J. J., Evans, M. E. (1989). Foreign traumas; an overview of foreign acquisition of U.S. defense-related companies. Journal of the National Classification Management Society, xxx, 65-74.
Beach, Jr., C. P. (1992, June 4). Acting DoD General Counsel testimony on Exon-Florio and DoD's role in CFIUS before the Senate Subcommittee on International Finances and Monetary Policy Committee on Banking, Housing and Urban Affairs. Washington, DC: Author.
Brandon, H. B. (1991, May 30). NISP Threat Working Group memorandum to the NISP FOCI Working Group: Foreign [illegible] Assessment. Washington, DC: Author.
Bremner, B., Payne, S., & Levine, J. B. (1992, July 20). They don't let just anyone buy a defense contractor. Business Week, pp. 41-42.
Burgess, J. (1991, March 22). Reversal of firm's sale revives national security debate. The Washington Post, p. 1.
Burgess, J., Richards, E. (1990, October 23). Does foreign investment in U.S. pose a threat?; Japanese firm's bid for chip supplier sparks debate. The Washington Post, p. 1.
Bush, G. H. (1992, January 29). Memorandum from the President to Secretary of Defense on the National Industrial Security Program. Washington, DC: The White House.
Bush, G. H. (1990, December 6). Memorandum from the President to Secretary of Defense on the National Industrial Security Program. Washington, DC: The White House.
Bush, G. H. (1992, February 3). Letter to the industrial [remainder of title illegible]. Washington, DC: The White House.
Carlucci, F. C. (1992, June 8). Acquisition of LTV by Thomson/Carlyle a win-win opportunity for all parties. Aviation Week & Space Technology, pp. 66-67.
Carter, D. L. (1990). Law enforcement intelligence operations: Concepts, issues, and terms. (Monograph). East Lansing: Michigan State University, School of Criminal Justice. (pp. 7-8).
Chaisson, K. (1992, July 31). Thomson-CSF bails out of LTV deal. World Aerospace Weekly, Issue 578, p. 15.
Classified Information Nondisclosure Agreement, National Security Information - Standard Forms § 2003.20, 32 C.F.R. 53 (Sept. 29, 1988).
Clayton Act of 1982, 15 U.S.C. § 7 (1982).
Cohen, V. D. (1989, November). Exon-Florio an imperfect tool for protecting U.S. technology. Aviation Week & Space Technology, pp. 53-59.
Criscuoli, E. J. (July 1988). The time has come to acknowledge security as a profession. The Annals of the American Academy of Political and Social Science, 423, 98-107.
Cunningham, W. C., Taylor, T. H. (1985). The Hallcrest [remainder of title illegible]. Portland, OR: Chancellor Press.
Defense Forecasts Inc. (1992). Foreign Investment in the [remainder of title illegible]. Washington, DC: Author.
Defense Policy Advisory Committee on Trade. (1990). [title illegible] U.S. Trade Representative. Washington, DC: Author.
Deming, W. E. (1986). Out of the Crisis. Cambridge, MA: Massachusetts Institute of Technology.
Deming, W. E. (1982). [title illegible]. Cambridge, MA: Massachusetts Institute of Technology.
Diamond, J. (1991, February 20). Security. The Associated Press.
Department of Defense, Directive 5220.22-M (January 1991). [beginning of title illegible] Information, § 2-400 through 2-406.
Department of Defense, Directive 5220.22-R (December 1985). Industrial Security Regulation, § 2-200 through 2-208.
Department of Defense, Security Review Commission. (November 1985). Keeping the nation's secrets: A report [remainder of title illegible]. Washington, DC: Author.
Domestic and Foreign Investment Improved Disclosure Act of 1977, 15 U.S.C. §§ 78m, 78o (1982).
Eastin, K. E. (1990, September). Acquisitions of U.S. defense contractors by foreign entities. [illegible] and Analysis, 2, pp. 11-17.
Engardio, P., Einhorn, B., & Ellis, J. E. (1992, March 9). McDonnell Douglas far east hopes are dimming. Business Week, p. 49.
Espionage and Sabotage Acts of 1954, 18 U.S.C. §§ 793, 794, 798, 1001, 2151 - 2157.
Executive Order No. 10865, 3 C.F.R. 398, Safeguarding Classified Information Within Industry. (February 20, 1960).
Executive Order No. 11858, 3A C.F.R. 990, Committee on Foreign Investment in the United States. (1975).
Executive Order No. 12356, 3 C.F.R. 66 (1982 Comp.); 47 Fed. Reg. 14874, [beginning of title illegible] Industry. (April 2, 1982).
Executive Order No. 12829, 5 C.F.R. 58, National Industrial Security Program. (January 6, 1993).
Export Administration Act (as amended), P.L. 96-72. (1985).
Export Administration Regulation (EAR), 15 C.F.R. § 368.1-399.2 (1987).
Federal Trade Commission Act of the Defense Production Act of 1950, 15 U.S.C. § 45. (1950).
Finnegan, P. (1992, October 5-11). Congress may curb foreign buyers. Defense News, pp. 1, 42.
Frields, J. E. (1988, April). DoD tracks foreign interest in U.S. companies. National Security Institute's Advisory, ll.
Frields, J. E., Muscat, D. J. (1991, April 16). NISP FOCI Working Group memorandum to the NISP Threat Working Group: [illegible] Assessment. Washington, DC: Authors.
Gallati, R. R. J. (1983). Introduction to Private Security. Englewood Cliffs, NJ: Prentice-Hall.
General Accounting Office. (1992, June 4). Foreign investment [remainder of title largely illegible] Urban Affairs, U.S. Senate. Washington, DC: Author.
General Accounting Office. (1990, March 21). Special [title largely illegible] Division, to the Committee on Armed Services, House of Representatives. Washington, DC: Author.
General Accounting Office. (1990, March). [title largely illegible] House of Representatives. GAO/T-NSIAD-90-21.
General Accounting Office. (1990, March). Foreign investment: Analyzing national security concerns. (GAO/NSIAD 90-94).
General Accounting Office. (1990, June). Foreign investment: Analyzing national security concerns. (GAO/NSIAD 90-94).
General Accounting Office. (1990, October). Foreign [illegible] investment in the United States. GAO/NSIAD-90-253R.
Green, G. (1981). Introduction to Security. Woburn, MA: Butterworth.
Hanson, M. L. (1989). The regulation of foreign direct investment in the U.S. defense industry. Northwestern Journal of International Law and Business, 2: 553-584.
Hart-Scott-Rodino Antitrust Improvements Act of 1976, 15 U.S.C. § 18a (1982).
Hayes, A. S. (1992, April 6). Thomson's bid on LTV stirs concern about foreign control of defense firms. Wall Street Journal, A4.
Healy, R. J.; Dr. Walsh, T. J. (1971). [title illegible]. United States: American Management Association.
Hicks, D. A. (October 1990). Foreign Ownership of Defense Firms Boosts US Security. Armed Forces Journal International, 56, 58, 60.
Huge, E. C. (1990). [title illegible]. Homewood, IL: Business One Irwin.
Improved National Defense Control of Technology Diversions Overseas, § 2537, 10 U.S.C. § 838 (1992).
Information Security Oversight Office. (1988, September). [beginning of title illegible] form 312 briefing booklet. Washington, DC: Author.
International Investment Survey Act of 1976, 22 U.S.C. §§ 3101-3108 (1982).
International Traffic in Arms Regulation (ITAR), 22 C.F.R. § 120.1-130.17 (1993).
Melcher, R. A., Hollifield, A. (1992, July 20). They don't let just anyone buy a defense contractor. Business Week, pp. 41-42.
National Security Act of 1947, as amended.
Nadler, D. A., Gerstein, M. S., Shaw, R. B., and Associates. (1992). [title illegible]. San Francisco, CA: Jossey-Bass Inc., Publishers.
National Policy and Procedures for the Disclosure of Classified Military Information to Foreign Governments and International Organizations (NDP-1), Sept. 9, 1981.
NISP FOCI Working Group. (1991, March). Charter and Objectives. Washington, DC: Author.
Omnibus Trade and Competitiveness Act of 1988, Pub. L. No. 100-418, § 5021, 102 Stat. 1107, 1425 (1988).
Pagliano, G. J. (1992, April 2). Defense Companies (Congressional Research Service Report 92-331 F). Washington, DC: Library of Congress.
Pearlstein, S. (1992, April 19). Undoing a done deal: How a few days broke Marietta's grip on LTV Aerospace. Washington Post, p. H01.
Purpura, Philip P. (1984). Security & Loss Prevention. Woburn, MA: Butterworth.
Scherkenbach, W. W. (1991). Deming's Road to Continual Improvement. Knoxville, TN: SPC Press.
Scherkenbach, W. W. (1991). The Deming Route to Quality and Productivity: Road Maps and Roadblocks. Washington, DC: CeePress.
Securities Act of 1933, 15 U.S.C. §§ 77a-77bbbb (1982).
Securities and Exchange Act of 1934, 15 U.S.C. §§ 78a-78kk (1982).
Seymour, P. (1993, February 5). U.S. National Disclosure Policy. [title illegible] Edition. Washington, DC: Author.
Sherman Act of 1982, 15 U.S.C. §§ 1, 2 (1982).
Sherman, S. (1992, September 21). Are strategic alliances working? Fortune, pp. 77-78.
Silverberg, D. (1992, October 19-25). U.S. Air Force official raps DoD's foreign investment rule. Defense News, p. 42.
Silverberg, D. (1992, August 17-23). LTV sale fallout likely will spark process overhaul. Defense News, p. 26.
Silverberg, D. (1992, September 21-27). DoD eyes restrictions on foreign ownership. Defense News, pp. 1, 36.
Stewart, N. J. (1992, August 28). Pentagon draft memorandum for distribution: Interim guidance on foreign ownership, control or influence (FOCI) cases.
Stewart, N. J. (1992, October 26-November 1). Commentary Letter: Mistaken Viewpoint. Defense News, p. 18.
Suto, E. J. (1992, November-December). DIS achievement report. Bulletin of the National Classification Management Society, Inc., [volume illegible], p. 3.
Swim, L. (1991, October 31). [NISP FOCI Database: telephonic interview]. Defense Intelligence Agency, Washington, DC: Author.
Thompson, T. J., Dyer, J. J. (October 1990). Foreign acquisitions of United States companies: What you don't know may hurt you. Contract Management, 18-20, 42-44, 50.
Timm, H. W., Christian, K. E. (1991). Introduction to Private Security. Belmont, CA: Brooks/Cole.
Tolchin, S. (1992, October 19-25). U.S. moves to guard vital industries. Defense News, pp. 27-28.
U.S. rules on foreigner's defence sector purchases. (1991, November 20). Financial Times.
Walton, M. (1991). Deming Management at Work. New York, NY: Perigee Books.
Walton, M. (1986). The Deming Management Method. New York, NY: Perigee Books.
Wartzman, R. (1992, November 2). Keep out: Foreign moves to buy U.S. defense firms face higher hurdles. Wall Street Journal, pp. 1, 4.
Wartzman, R. (1990, March 20). Japanese equity role in Boeing project grows increasingly remote, sources say. Wall Street Journal, p. 3.
Wartzman, R. (1991, November 15). A McDonnell deal in Asia would jolt the airliner industry. Wall Street Journal, p. 1.
Wethington, O. L. (1991, November 15). Exon-Florio [remainder of title illegible]. (Report 91-307-A). Washington, DC: U.S. Department of the Treasury.
White House. (1993, May 26). Vice President praises effort to streamline security procedures; plan reflects goals of National Performance Review. Washington, DC: Office of the Vice President, Press Release.
Yancey, M. (1991, June 12). Foreign Investment. The