PROPOSED ODP POLICY EXCLUDING ADPE OF FOREIGN MANUFACTURE

Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280IR000100130040-5 4 MAY 198i MEMORANDUM FOR: Chief, Procurement Division, OL STAT30m: Chief, ADP&EB/PD/OL Proposed ODP Polity Excluding ADpa. of Foreign Manufacture REFERENCE: Memo dtd 21 Apr 81 fm C/MS/ODP to C/PD/OL (ODP-81-437) 1. The above reference contains ODP's proposed policy "that automatic data processing eqUipment which is-substantially of foreign manufacture will not be procured foruse in. Office ? Data Processing computer networks." 2. ODP's concerns leading to this policy are enumerated in paragraph ? 1 of thereference. ODP cites two primary reasons., i.e., physical security considerations and potential require- ment for visits to Agency facilities by representatives such: as manufacturing engineers. 3. In response, to ODP's request for reasons to strengthen the policy, we ?suggest that-thee are questions which should first be addressed, including those in Attachment 1. 4. Upon adequate response-to these questions and further identification of the'specific security .considerations which necessitate the proposed policy, we are prepared to -further -assist in development of approaches to meet actual needs in this area. STAT Att Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 /\ Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 3. Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Attachment 1 1. What are the parameters Or "Substantially- of Foreign Manufacturer?" The entire system, :individual components - subcomponents? 2. How are these determinations (Foreign Manufacture)- to be made? On a case by case basis? For each ,procurement? By who? Any exceptions? ? 3 Will vendors have an opportunity to rebut this policy and its presumptions? 4. What are the established security- safeguards presently imposed upon ADPE systems to prevent these occurrences? 5. Shouldn't this type of policy apply to the Agency vice ODP? 6. What is the olicy. of other intelligence organizations, i.e., NSA, DIA.,- ARMY AIR FORCE, FBI? 7.. Have there been prior docutented _instances of tampering foreign national consultations, etc.?. 8. What Source- would be available, to the Agency, given the fact that Most ADPE vendors utilize transnational corpor- ations for parts, mainframe assembly, etc.? 9. How would domestically ? manufactured, not foreign designed equiptent, be treated under the policy? ? npriassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved forfo'r IrieTear-se 2013/09/11: CIA-RDP91-00280R000100130040-5 Attachment 1 RESPONSE TO QUESTIONS BY OL/ADP&EB ON FOREIGN-MANUFACTURED ADPE POLICY* .1 & 2 - Security determinations always require the exercise of judgment.- ODP would expect that when required a panel of OL, OS and ODP'personnel would make?the determination on a case-by-case basis. We would also -agree to a more detailed definition and guidelines if thWere j-udged practical (by Place of manufacture of critical components; -place of final assembly, etc.). We recognize that the problem ? is complicated. But, if we routinely make personnel security judgments, judgments such as we are suggesting should be Possible and, .in fact, are frequently made even now. For example, OL has recently acted, in conjunction with ODP a/hd based on existing OS policy, to preclude ODP :/ ASusiness with a formerly U. S .we- 25X1 !under foreign ownership It .No. They will tl5e given the opp8rtunity to present the facts Of their specific situation and to present a rebuttal to the initial Agency position. The final -Agency determination will not be subject to 26(1 challenge. 4. Existing security procedures prevent us from allowing non-U. S. citizens .access to our ADPE, such as for specialized maintenance, or support, (All regular maintenance personnel must be U. S. citizens and preferably Agency cleared. The maintenance firm must also ..be U. S7-. owned. These- are lOngstanding OL and 'OS polic,ies.). With equipment predominantly from U. S,- owned vendors and of U. S. manufacture, access to technical staff,. (engineering, manufJ,,cturing, etc.) who are Q. S. citizens is generally not a problem. This would not be 1,c,- .ith equi Tent of foreign -25X1. manufacture. *Responses Pr,!ferenee. 25X1 are keyed to questions, by number, in Attachent 1 of Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 N?17-?.7,. ? ? Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: alA-RDP91-00280R000100130040-5 Factory modification of ADPE is..always potentially- a threat.. We rely-, .for lack of more sophisticated controls, on the intearity. of U. S.-owned firms and their personnel.. We would be far more vulnerable in this ..regard with equipment substantially of foreign 25X1 manufacture. . 5. We would stron support a. similar Agency-wide-, 25X1 policy. 6. We do not know the policies,of other agencies in the regard. We, however, do not consider other agencies, policies particularly relevant. .CIA security policy is separate and distinct from the policies of other . 25X1 agencies. We have on numerous occasions consulted with manufacturing and engineering personnel when particularly difficult problems have been encountered and local maintenance personnel. could not provide the? required support. We have obviously not used foreign manufacturing or engineering personnel in this regard. The purpose of .this Policy is to avoid being ? put in the position where we have no choice. To our /knowledge we currently use no ADPE that would fall 25X1-. ./ under this policy.. We have no docuented instances,.of factory-tampering ? with ODP ADPE. The intelligence target is of high value and the technology, available. Prudent security- ( ?management requires us to take action to minimize the 25X1 possible threat. No equipment in our current inventory would, in our judgment,. be excluded by the criteria of this program policy. Thus, for example,- our existing sources would remain available to us at least in the near future. 25X1 Domestically manufactured, not foreign designed? equipment from a U.- S.-owned firm .does not fall under this policy or present an unusual- security problem. 25X1 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 . . ? MEMORANDUM FOR: FRO:4: FAIRJECT: 25X1 R: 3RENCE: ? ? ? C)9 JUN iS1 Deputy Director of. Security Physical, Technical aridArea ,Security Information Systems Security Group, OS ???:?.7 ? ? -7STAT .Proposed ODP Policy Excluding ADPE of Foreign Manufacture ? dated 4 May 1981 same , ? :-..-Memorandum dated 21 April 1981 from -C/MS/ODP to C/PD/OL (ODP 81-437) 1: This Office fully supports the policy outlined in paragraph 2 of reference (b). This policy incidentally was first surfaced in 'our joint OS/ODP Computer Security Working Group and, in fact, prior to final publication by the Office of Data Processing (0D2), Managemant Staff (MS) was coordinated with the, Office of Security (OS), Information Systems Security Group 25X1sG)-... 25X1 ? ? ? 2-:...11ith-respect to the two basic -concerns raised by ODP; - ? ' ? '7 - - ? ? - - -__ ? a. There is-a-distinct threat'ito ADPE both .at the manufacturing point. and/or at the servicing end via a device used for: the purpose already stated in reference (b). We believe, "however, that there would be better ways for a hostile or (friendly) government to obtain information but that threat nevertheless exists. b. Regarding service reresentatives - any foreign national representative of these manufacturers would not be permitted entry to complex for obvious security reasons. .3. In answer to specific questions listed in attachment (1) rezerence (a), we have the following comments correspon:ain7, to pararao-as in attachment): 25X1 a. We view these rJaremeters as the entire system to ? inclune- irvaividual com2onents of a colt10uter,- meory 110 - well as,communication equipment. Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 7- Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 . . . 0 . ? .; - ? - - b.. - We would 'prefer that these be made at time of 'procurement as part- of*-the procurement process. Inquiries should be made as -to 'foreign affiliation and if possible - ?place of manufacture of computer units under procurement consideration. -- There should .be no exceptions unless there are overriding 'circumstances not now envisioned and then only with written 'concurrence by the Director of Security. and the Director of Data . Prtocessing. . .? ? c.. No.: We believe that this is an 'internal rvg. ency policy :matter _necessitated by the .DCI s legal responsibility r to protect- Sources-and Methods. DDO -.data which is Processed .on our -co=uters -1.-yOuld -.certainly. be considered in this ?- not: specifically analyze implanted devices or for Technical. Security Division/Office of Security people, '..-:however,vidoTmake-;:a periodic_ "audio sweep" of outlying Agency building's which. conceivably would .pick up emanating signals. Regarding _Visiting service representatives: service technicians who regularly maintain our computer eguime_nt -must be. cleared and badged (vNE: badge includes polygraph - ..intervieW). Service personnel on the Agency account, who regularly service our ,eouipment but who .do not qualify for a badge ( less than 100 visits per rear) 'are also , generally appropriately cleared. In the .event there are . no badged or cleated service. personnel available, uncleared ....-.representatives will be asked to perform maintenance - ---functions:u.hder escortby .a "knowledgeable" individual.' Of .- course this' procedure-is difficult- to enforce in- the daily ? sub j ect area. do .., - equipment. for ? new-- computer-; modifications . work environment ? .:.e. Yes. We-are currently reviewing Agency and Community policy in the information security area in order to update existing-regulations/directives and will consider this cuestion as part of that review. Additionally, we feel that it should also apply-to the intelliaence Community STAT ( e -9., to member Agencies processing under DOLT) 1/16) f. To our 'knowledge there is currently no icy -Community-wide specifically addressing this ratter. very, recently, as you know, there was a spec i ie "buy- _A7r,-E.-ican" clause in the GSA procurement 6 irect Lves w-clir2h no., has been voided by 1-,xecutive Order. Further, historically the United States comput,r .manufacturers have not had any competition from .foreign companies. However, with recent technical strides in computer manuEr-tul7i 'PrOble r3f usinc;' faco Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 . _ 25X1 h. We are not as concerned about United States computer ? manufacturers using transnational corporations for parts, _.....etc. ,....as-we?are of foreign manufacturers producing this _computer &quip:I-lent in their own country under their. "total" -1-controL.-:'In short, we have to live -with the "facts of fife" 0E-American business.. i.;any questions 'would first have to be ?-answered such . --asdegree of foreign control; the -distribution process for --c?? this.equipment,.tvoes of contracts (overt/covert) under. 25X1 .-consideration. ?4.. Obviously ?lanation. 25X1 25X1-.1..be .the Point of contact . _ . ? - these questions need further discussion (secure extensi Wi th in ' ISSG on this issue. and ?1 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 25X1 STAT- STAT Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 /CE) Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 20 July 1981 STAT STAT STAT QTAT ',TAT STAT WA! STAT STAT STAT 25X1 25X1 STAT STAT MEMORANDUM FOR THE RECORD SUBJECT: Foreign Manufactured ADP Hardware 1. On 13 July 1981, the undersigned repiesented OL/SS ata meeting held in the ODP Management Staff area, Room 2-D-03 Head- quarters Building. In attendance were Actin Chief ODP Management Staff and Chief, ODP Policy and Plans Group Chief, Informations Systems Security Group, OS; Assistant General Counsel, Procurement Law Division, Chief, ADPU Branch of OL/PD: Contracting ?GC; Officer, ADPU Branch of OL/PD and ODP Security Officer. 2. The meeting was called by to discuss concerns with ODP' .s proposed policy tor excludang the procurement of foreign manufactured ADP hardware. This policy is set forth in the 21 April 1981. memorandum (Tab A) from ODP to response (Tab B) raised several issues which were responded to ny ODP Management Staff (Tab C) and OS/ISSG (Tab D) T1-1-hrIckground of ODs policy formulation was explained by The Direc- tor of ODP, Mr. Bruce Johnson, is responsible for the ODP Management Staff production of a policy paper. He was aware of the impending procurement of several Central Processing Units (CPU's) and queried his staff in regard to Agency policies for the procurement of foreign manufactured ADP equipment, and CPU's in particular. He was advised that the most pertinent regulation that had a bearinc7 on his concerns was located in This extract was presented as a view graph at the meeting. At some point in.the ODP's search for a specific policy, Mr. JOhnson had occasion to 'discuss ADP equip- ment of foreign manufacture with. the -(then) DDA, Mr. Hugel. Mr. Hugel indicated his support for a policy that would preclude purchasing foreign manufactured ADP equipment in even more stringent terms than those envisioned by Mr. Johnson. Until this point, ? Mr.: Johnson had proposed excluding the procurement of "major systems" only. Mr. Hugel suggested that the prohibition be extended to all ADP hardware. The end result of Mr. JohnSon's deliberations was the 21 April 1981 policy memo which was written at his direction by the ODP Management Staff. 3. early remarks directed the course of the meet- ing. He indicated that an "ODP Policy Statement" governing the procurement of foreign manufactured ADP equipment was r1-)ably an incorrect format to achieve the desired results, suggested, and the attendees agreed, that a Headquarters regu aLion per aining ? to this subject should eventually be published and that a notice Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 cip) SUBJECT:. Foreign Manufactured ADP HardWare Or other appropriate instrument signed.by the Director Of Logistics serve as an interim measure. Agreement on the plitlication of a_D/L notice was the only truly-firm course of action decided upon airing tlie---rsolve.d---that the Director of ODP will, send a -re-qUe-g-t--176?Ihe Director of Logistics for .the publication of a D/L notice. Included in the request will be an ODP policy statement, highlighting the issues that they feel should be addressed in the . notice. The request will contain a concurrence line for the Director .of Security's signature and will be coordinated with ISSG and OL/SS. ODP views the-D/L notice as the means to insure that contracting officers consider the origin of ADP equipment in their evaluations .of responses to ADP-RFP's. .4. The issue of the nature of the threat posed by the purchase STAT of foreign ADP equipment was raised by .He suggested that it would be appropriate :to justify the publication of a D/L notice to the 'Director of Logistics. The request might include case histories or technical evidence to support a ban on the procurement of foreign ADP equipment. Although the existence of evidence of a threat was. ? ? alluded to by. some of the attendees, no specific cases were mentioned. STAT The groietp deferred to who indicated that the critical consideration is that all ADP equipment has the potential to be net- worked within the Agency. :There is no guarantee that- a stand alone piece of ADP equipment, ostensibly purchased for unclassified use, will not be networked into a highly classified system at some future date. It was decided that a lengthy justification would not be in- cluded in the D/OBP's request to the D/L, in that the threat is self-evident. S. A discussion was held concerning the variables in ownership or place of manufacture that would disqualify an ADP vendor from STAT consideration for procurement. - presented a chart (Tat F) that reflects ODP's concerns in this area.: There was_general agree- ment among the attendees that theeprocurementeof a complete ADP system manUfactU-red-oVer-Se-is is completely unacceptable, Beyond this, vari- atiOns in:the-hardware-assembly were discussed (parts:manufactured overseas, but assembled in the U.S.; inert parts manufactured overseas, but installed in U.S. systems, etc.) that pointed out the need for flexibility in the application of any policy to ban procurement of foreign ADP hardware. There was no attempt to formulate specific evaluation-standards during the .meeting 6. There was tentative consensus that future RFP's for ADP _ _ _ _ _. _ -ocurerent should include a clause spellin,c, outire Agency's prohi- --;, ultaon OR tne procurement of foreign nanutactured ADP equipment. Ihe _ _ ____?____ - Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 SUBJECT: Foreign Manufactured -ADP Hardware clause would be based on the policy _no-tice that will be sought from the Director of Logistics. -A questionnaire designed to disclose the ? origin- of manufacture of the system or components being offered would also be included in the RFP. The questionnaire would be used in evaluating the vendor's response. For any evaluation to be mean- ingful and consistent. baselon:e pass/fail standards will have to be STAT created. acknowledged that the creation of such . standards would require extensive ISSG participation, if indeed the ? ? task was not exclusively ISSG's. 7. It 1s apparent that implementatiOns of a policy to ban _foreign ADP equipment will require much_ more consideration, especially . in the area of. formulating meaningful evaluation criteria. For. now, as noted above, the only action that will' be sought by ODP is a policy direCtive over the signature of the Director of Logistics. STAT AttaChment Security Staff, OL 3 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 STAT Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 R Next 2 Page(s) In Document Denied Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 STAT Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 '21; '"/ Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 MEMORANDUM FOR: See Distribution STAT,R0I ODP-81-963 27 July 1981 Security Officer, ODP SUBJECT Automatic Data Processing Equipment of Foreign Manufacture - Draft Memorandum ? Attached is a draft of. a memorandum from the Director of Data Processing to the Director of Logistics via. the Director of' Security. Please review the draft to ensure that you are in ? -agreement with its contents. Please submit your concurrence or comments by 3 August 1981. STAT DI STRIBUTION- STAT STAT 25X1 - OS/ISSG- OL/ADP & EB. OL/SS - c/o OL/SS Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 25X1 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 rsr-N .7-1 A I ODP-81-95.1 24 July 1981 U . MEMORANDUM FOR: Director of Logistics VIA- Director of Security -FROM Bruce T.Johnson Director of Data Processing SUBJECT Automatic Data Processing Equipment of Foreign Mandfacture 1. Automatic data processing equipment (ADPE) manufactured in a foreign country is becoming more and more common in the American marketplace and, hence, senior OD? managers are becoming increasingly concerned, for security reasons, about the possible introduction of foreign manufaCtured ADPE into Central Intelligence Agency facilities. Two primary reasons for these concerns are physical security considerations and the potential requirement for visits to Central Intelligence Agency facilities (2(' 771 Declassified in Part - Sanitized Copy Approved for Release 2013/09/1'1 : CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 by representatives of foreign manufacturers such as design or systems engineers. New equipment will use technology that will make detection of surveillance devices very difficult and thus increases the possibility of;a successful .penetration of our ??? security safeguards. When difficult, complex engineering -problems-:are-encountered with ADPE manufactured in the U. S., it usually is pos.s'ible and sometimes necessary to bring specialize engineering personnel-to Headquarters to resolve the problems. This clearly would not be. possible with a foreign manufacturer having a foreign nation'al staff. Our s'ecurity conCerns, therefore ?include: Alteration of equipment for surveillance or disruptive purposes during manufacture. Embargo of spaces, upgrades, enclineerir:g changes, or follow-on technology. Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 O Alteration of eauipment fnr lanrin Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 purposes during service (including modification of TEMPEST equipment). o Difficulty in access to engineering/manufacturing personnel. o Possibility of having to utilize foreign national engineering/manufacturing specialists for non-routine 25X1 maintenance of hardware/software. ? IA 6? g>S1 2. I wish to make it clear from the outset that we )0 %? /04 recognize the complexity of this problem. Current Agency 9 V ocj!,procurement and security policy does not permit contracting with P?ii$"' "corporations under foreign ownership, contract or influence." \ Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 I ii Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Our. intent here isLs extend this protection Lo that it covers the location and ownership of the manufacturer even when the equipment is obtained from a separate and distinct U. S.-owned vendor and the routine maintenance performed by a U. S.-owned 'maintenance. organization. We view this situation as 'a gap in our current security and procure-ment policy and believe for the reasons stated above this gap should be closed. Our concern here is driven by our knowledge of the current ADPE market where, in fact, foreign-manufactured IBM-compatible mainframes are available from U. .-owned sales and service corpoi-ations. therefore with the concurrence of the Director of Security -a-c-4-6 .(.). l? .-, I ( -P) N..N youncu_rre.nce would like to establish a procurement policy ?,?j?,, . \ .(.k1 ?;,---? ? which, for security reasons, does not permit the acquisition of V% c r, :.-, , ADPE substantially of foreign manufacture for use in CIA data ,,1* ? _ (fiYic r.:J, . ip--I., . . processing activities. Until we have more experience with this A 1 - proposed policy our working definition of ADPE substantially of 's N)?. foreign manufacture will be that critical subsystems or final assembly is performed by a foreign manufacturer. We further Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Lo.reign manu rcii.Turer in relation to gecraphy or ownership ? (i.e., ADPE manufactured in-the U. S. by a foreign-owned firm would also be excluded). /STAT 3. Representatives of the offices of Logistics, Security, General Counsel and Data Processing discussed this matter on 13 ,July 1981,*. They .proposed, and I Support the proposal, that C4,4A 14a- policy prohibiting the procurement of ADPE substantially of foreign manufacturer be established for use in CIA data processin6 activities. If you are.in agreement and the Director. .?/ of Security concurs., I suggest that a Headquarters Regulation be published establishing this policy. In the interim this policy could he implemented in a Procurement Notice. . Our view is that the issue of foreign yte4 ? manufacture will A, be evaluated along with other security factors in the overall contractor evaluation. process.. A panel of Logistics, Security and Data Processing. personnel can be convened, if required, to 7-per-fOrm the comprehensive security evaluation. . Requests for Proposal would bring this matter to the attention of the potential contractors and contain a eSTAT Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 STAT ? . ? Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 questionnaire simila, to the DD Form 4415, Cei---ificate pertaining' STAT to Foreign Interests (attached). A similar form will be developed in ODP and coordinated with your office and the offices of General Counsel and Security. 6. As you well know the Agency is increasingly relying on automatic data processing. equipment for the manipulation ?and storage of classified information. This, in turn, increases our vulnerability ,to security penetrations that exploit weaknesses in our ADPE equipment or procedures. We believe this policy is one more seep in improving our ADP security posture and reducing our risk of loss or compromise of classified information. Attachment: CONCUR: Wu' Director of. Security. STAT CD?/NS/ Bruce T, Johnson STAT (243u1y81)(red 41 disk) STAT Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 U Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 25X1 25X1 G NI 4 25X1 25X1 25X1 29 July .1981 MEMORANDUM FOR: Director of fogistics FROM: . SUBJECT: REFERENCE: Jim: Associate General Counsel Foreign Ownership of Contracto Manufactured Products and. Multi Adse Memo fm SO/ODP, dtd 27 July 1981, Subj: Automatic Data Processing Equipment of Foreign Manufacture - Draft Memorandum (ODP-81-963) 1..Attached is a copy of my comments regarding referent. The draft is more evidence of the problem the Agency is confronted with. I hope, however, it is not a ruse just to permit sole source acquisitions from a few chosen. contractors. 2. In any event, ont./'acts Staff, spoken to me regarding his immediate problems with Have you decided definitely that its ()Kay to go forward with the completion of the two OTS contracts presently underway? I told .that was my understanding, but I Would double check. Also, is he to attend With the officers from OTS, has Att: ? As stated ? ? 1 I STAT STAT STAT STAT STAT Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 STAT LUN 1-101:1\1 1 IAL Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 OGC 4)06425 25X1 25X1 MEMORANDUM FOR: FROM: SUBJECT: REFERENCE: Security Officer, 29 July 1981 Office of Data Processing STAT Counsel Equipment of Foreign Associate General Automatic aAta Processing. Manufacture - Draft Multi Adse memo fm dtd 27 July 1981; Memorandum STAT SO/ODP, same subject (ODP81-963) 1. Attached are our comments concerning referent memorandum. ? We would point out specifically page 4 of the draft. that the language should be revised to reflect that the Director of Logistics', in accordance with his area of responsibility, is being asked to/ establish the particular procurement policy of no foreign ADP, rather than merely co se Suggested wording to this 25X1 effect 'has been provided. /2. If you have any questions, please feel free to call par, 25X1 at extension Att.: As stated cc: D/L, Watt C/ADP&EB/PD/OL, Watt 25X1 N Fl D N I.. STAT Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5 ? SEE ANNOTATIONS IN COLUMNS OF TAB 6 Vr.e. Declassified in Part - Sanitized Copy Approved for Release 2013/09/11: CIA-RDP91-00280R000100130040-5