Executive Office of the President

Procedures for Acquiring Access to and Safeguarding Intelligence Information

GAO ID: NSIAD-98-245, September 30, 1998

The White House Security Officer told GAO that between 1993 and 1996, he could not find any White House-wide procedures to control access to highly classified information. Central Intelligence Agency (CIA) directives require that access to such information be controlled under the strictest application of the need-to-know principle and in accordance with applicable personnel security standards and procedures. Since at least 1996, the National Security Council has granted temporary access to highly classified information to government employees and individuals from private industry and academia--before completion of a security background investigation and without notifying the CIA. The White House-wide security procedures issued in March 1998 do not set forth security practices that White House offices are to follow in safeguarding classified information. Moreover, the White House has yet to establish a security self-inspection program, despite an executive order mandating such a program. The Director of the Information Security Oversight Office said that his office has never done an on-site security inspection of classified programs at the White House.

GAO noted that: (1) the EOP Security Officer told GAO that, for the period January 1993 until June 1996: (a) he could not find any EOP-wide procedures for acquiring access to SCI for the White House Office, the Office of Policy Development, the Office of the Vice President, the National Security Council, and the President's Foreign Intelligence Advisory Board for which the former White House Security Office provided security support; and (b) there were no EOP-wide procedures for acquiring access to SCI for the Office of Science and Technology Policy, the Office of the United States Trade Representative, the Office of National Drug Control Policy, and the Office of Administration for which the EOP security office provides security support; (2) the EOP-wide security procedures issued in March 1998 do not set forth security practices EOP offices are to follow in safeguarding classified information; (3) in contrast, the Office of Science and Technology Policy and the Office of the Vice President had issued office-specific security procedures that deal with safeguarding SCI material; (4) the remaining seven EOP offices that did not have office-specific procedures for safeguarding SCI and other classified information stated that they rely on Director of Central Intelligence Directive 1/19 for direction on such matters; (5) neither the EOP Security Office nor the security staff of the nine EOP offices GAO reviewed have conducted security self-inspections as described in Executive Order 12958; (6) EOP officials pointed out that security personnel routinely conduct daily desk, safe, and other security checks to ensure that SCI and other classified information is properly safeguarded; (7) these same officials also emphasized the importance and security value in having within each EOP office experienced security staff responsible for safeguarding classified information; (8) Executive Order 12958 gives the Director, Information Security Oversight Office, authority to conduct on-site reviews of each agency's classified programs; and (9) the Director of the Information Security Oversight Office said his office has never conducted an on-site security inspection of EOP classified programs.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.