(SANITIZED)

Approved For Release 2008/03/06: CIA-RDP87BO1034R000500060017-7 Department of Energy Washington, D.C. 205:45 NOV101982 Chairman DCI Security Committee CIA Headquarters Washington, DC 20505 We have reviewed the UDIS proposal relating to a National Policy on Damage Assessments and have found it to be useful and constructive. This Department tends to agree with the proposal for National level guidance, with an emphasis on guidance rather than control. Such guidance should set out broad minimum requirements in the assessment process, while giving agencies reasonable parameters in which to operate. The policy should recognize, however, that such latitude may tend to encourage some agencies_to apply only the minimum required procedures. In the formula- tion of policy details, it should be recognized that the information security practices of different agencies are widely varied, often being influenced by manpower resources and the volumes and levels of classified processed. For example, while a cabinet level department may currently have a damage assess- ment data base of its own, most small agencies have never even considered establishment of such a data base. Nevertheless,' the Department of Energy concurs with, and supports the UDIS proposal on Damage Assessments. Sincerely,. ?Membe'it DCI Security Committee DOE review completed. Approved For Release 2008/03/06: CIA-RDP87BO1034R000500060017-7  Approved For Release 2008/03/06: CIA-RDP87B01034R000500060017-7 SECRET 7. The report also notes, as a final point, that agencies which have not yet issued regulations implementing ISOO Directive No. 1 ought to do so. (U) 8. I certainly share the concerns of the UDIS. At CIA, we already have in place mechanisms to conduct damage assessments both internally and at our industrial contractor facilities. Security infractions are investigated and appropriate administra- tive actions are taken. Punishments range from verbal reprimands through termination from employment, depending on the gravity of the infraction. We have found our Reinvestigation Program-and our Agency's use of the polygraph to be exceptionally helpful tools in such matters. More'recently, we have drafted a new Agency regulation directed specifically at the conduct of damage assessments. (U) 9. CIA is now heavily involved in security reeducation, both in-house and among our industrial contractor population. I believe that this progam will go a long way toward sensitizing our people to the need for protecting the classified data with which they are entrusted. I would like to see information on the weaknesses of U. S. Government classified information control systems receive judicious dissemination. We can all learn from our mistakes to improve our security posture. Within that context, I-consider it useful.to pursue development of an unauthorized disclosure database, as suggested by UDIS, pro- vided that proper dissemination controls can.be developed and exercised. I would suggest that SECOM is the appropriate forum in which to pursue such an initiative. (U) .00t'- r? Approved For Release 2008/03/06: CIA-RDP87B01034R000500060017-7