By Nick Schwellenbach
Every Friday, POGO will strive to make one document available that we or others have obtained through the Freedom of Information Act (FOIA), especially documents that have not previously been posted online. Some of these documents will be more important than others, some may only be of historical interest— although relevance is in the eye of the beholder. POGO is doing this to highlight the importance of open government and FOIA throughout the year.
This week’s document: Partial list of defense contractors that are under foreign influence, control, or influence (FOCI) and what type of FOCI mitigation they use
Document agency: Defense Security Service
The Defense Security Service (DSS), an obscure Pentagon agency, is responsible for ensuring that government contractors adequately protect U.S. classified information in their possession. Long story short, contractors with access to classified information are supposed to be in compliance with the National Industrial Security Program. Part of this job requires that contractors that are under foreign ownership, control, or influence (FOCI) have appropriate mitigation agreements in place. While these FOCI contractors are a tiny fraction of the contractors overseen by DSS, on average they receive poorer facility inspection ratings than non-FOCI contractors, according to a December 2010 DSS presentation. For instance, 3 percent of FOCI contractor facilities inspected by DSS received a marginal or unsatifactory security rating compared to 0.7 percent of non-FOCI contractor facilities.
According to DSS, “A US company is considered to be under FOCI when a foreign interest has the power, direct or indirect, whether or not exercised, to direct or decide matters affecting the management or operations of the company in a manner which may result in unauthorized access to classified information or may affect adversely the performance of classified contracts.”
FOCI mitigation instruments are supposed to mitigate the chance that foreign interests can obtain unauthorized access to classified information or adversely affect the company’s performance. There are several types of instruments, including: Special Security Agreements, Proxy Agreements, and Voting Trust Agreements, and a few others. A comparison of the Proxy/Voting Trust Agreements versus Special Security Agreements can be found on DSS’s website.
The Government Accountability Office (GAO) was critical of DSS’s ability to oversee companies under foreign influence in a 2005 report. In 2008, the GAO reviewed the status of its recommendations from the 2005 report and found DSS had not satisfactorily implemented 6 out of 8 recommendations. For instance, “to assess overall effectiveness of DSS oversight of contractors under FOCI,” the GAO recommended that “the Secretary of Defense should direct the director of DSS to collect, aggregate, and analyze the results of annual FOCI meetings, contractors' compliance reports, and data from the counterintelligence community.”
According to GAO, the DoD “said it was not going to implement the recommendation because of the 12,000 cleared contractors, fewer than 3 percent are under any type of FOCI mitigating mechanisms.” The DoD added that “analysis of the results of annual compliance meetings and reports as well as CI data does not appear to provide value in assessing DSS effectiveness for ensuring the protection of classified information.”
The problems haven't seem to have gone away. According to suggested talking points for a speech the current DSS director gave in March to DSS employees, there has been “incorrect FOCI [Foreign Ownership, Control, or Influence] Case processing” by DSS, among other oversight problems.
We’ve asked DSS for comment and will update this post accordingly. Update: DSS spokeswoman Cindy McGovern emailed us, citing the December 2010 DSS briefing, and said:
As far as responding to the 2005 GAO study, I would also refer you to the 2010 briefing you have. Slides 20, 21, 22 and 28 were meant to provide security officials at companies under FOCI with details on what DSS will be reviewing during its reviews/inspection and further summarizes DSS findings from these inspections. Slides 30-36 provide a summary of the analysis DSS is doing of FOCI companies. This briefing clearly shows DSS is doing exactly what the GAO requested."
But what companies does FOCI even cover? It's not always obvious. Through the Freedom of Information Act (FOIA), POGO got a hold of a partial list of U.S. government contractors that are under foreign ownership, control, or influence. We did this by FOIAing the list of prior FOIA requests to DSS for the last several years (these are called FOIA logs and here they are for FY2008, FY2009/FY2010, and early FY2011). We saw some of the requests were for “FOCI Data.” Then, we FOIAed the previous DSS responses to these two earlier FOIA requests. This is an old FOIA trick: since the earlier requests were already processed and redactions applied if necessary, it speeds up the FOIA process for these requests.
Even though the two original requests were made and closed in 2009, the list of companies with FOCI mitigation agreements seems to be incomplete. No companies with FOCI agreements initiated after 2003 are on the list. We found a clue in the response to one of the requestors. In July 2009, DSS wrote to this requestor that:
DSS Industrial Security is currently in the process of reviewing agency policy concerning the disclosure of certain information pertaining to DoD facilities operating under SSA [Special Security Agreements] and/or Proxy Agreements. Therefore, until the review is completed DSS can only provide you a partial response to your request.
According to a December 2010 DSS presentation, there are 286 FOCI agreements covering 702 FOCI facilities. The document produced under FOIA appears to only cover 94 FOCI agreements. Of these 94, 74 are Special Security Agreements, 19 are Proxy Agreements, and 1 is a Voting Trust Agreement. These agreements were initiated between 1988 and 2003. One agreement can cover more than one facility. We’ve asked DSS for clarification on whether over 200 new FOCI agreements have been signed since 2003 and whether its disclosure policy regarding its FOCI contractor list has changed.
If it's true that over 200 new FOCI agreements have been signed since 2003 -- over less than a decade -- there has been a speed up in government contracting involving classified information with companies under foreign influence (compare that with 94 agreements over more than a decade).
Update: DSS spokeswoman Cindy McGovern emailed POGO and told us that DSS's review policy had changed on release of facility clearance and FOCI mitigation information. She wrote:
...you asked about DSS' disclosure policy regarding its FOCI contractor list and whether or not it changed. I sent you a policy letter last week dated October 2009 which articulates the DSS policy regarding the analysis that DSS must conduct prior to responding to any request for a list of cleared facilities. In July 2009, DSS was reviewing its policy concerning the disclosure of the DoD cleared contractor facility list. Contractors that are cleared under an SSA and/or Proxy Agreements would be included in the aggregate cleared facility list. All are cleared facilities and "yes," DSS changed its policy beginning in 2009 with respect to the analysis we conduct when considering whether to disclose a list of cleared companies.
She had earlier wrote:
As part of a continuing review of internal policies and procedures, DSS determined that the list of cleared facilities, which is a compilation of information about cleared facilities and their locations compiled for industrial security oversight purposes, could provide hostile entities with information needed to target cleared facilities, personnel, and programs, thereby potentially putting sensitive U.S. information, technologies and U.S. citizens at risk.
DSS routinely reviews its internal operating policies and procedures for improvements. The direction to more carefully consider the effect of releasing a list of cleared facilities prior to releasing the list was
the result of such a review.
Comments