TOPSHOT-US-INTELLIGENCE-MILITARY-DOCUMENTS-LEAK-MEDIA

This photo illustration created on April 13, 2023, shows the suspect, national guardsman Jack Teixeira, reflected in an image of the Pentagon in Washington, DC. (Photo by Stefani REYNOLDS / AFP) (Photo by STEFANI REYNOLDS/AFP via Getty Images)

WASHINGTON — After a 45-day review of its security procedures and policies following the leak of hundreds of classified documents, the Pentagon says it can’t point to a single point of failure, but its “ambiguous” policies may have created “inconsistencies” that are partly to blame.

“So there wasn’t a single point of failure,” a senior defense official said in a call with reporters today. “I think here the way to think about it is there are contributing factors to any security incident and so this was an opportunity, whilst the other work goes on with the Air Force and the law enforcement investigation, to make sure that we looked at this as quickly as possible to make sure that we made the improvements that we could quickly.

“I think what we see here is we have a growing ecosystem of classified facilities and a body of personnel who are cleared,” the official continued, speaking on the condition of anonymity. “I think within that we have opportunities to clarify policy. We have opportunities to make sure that we are ensuring that the local-level managers have the best picture and that we are training our workforce in an understandable way for the information that they are working with.”

The review was launched in April after a 21-year-old member of the Massachusetts Air National Guard was hit with two federal charges alleging that he shared classified information about the Russia-Ukraine war on the social media platform Discord. Immediately after the leak, Defense Secretary Lloyd Austin designated the undersecretary of defense for intelligence and security (USD(I&S)) in coordination with the DoD chief information officer (CIO) and the director of administration and management to review DoD’s “security programs, policies and procedures.”

According to a DoD fact sheet, the review focused on four areas: personnel security, information safeguarding and accountability, physical security, and education and training. DoD components were sent a 50-question survey to “self assess” their organizations over those four areas. 

Several long-term and immediate recommendations were made following the review. One of the near-term actions DoD will take is to, apparently again, review its existing policies, the official said. 

“I think what… the review team found was ambiguity in the policies that create inconsistencies as you get further and further out into the department,” the official said.

“I think there are areas where we can be clearer about what is required, and particularly between… the different gradations of classified information,” the official said. “So making sure that the requirements, if there are differences, they’re meaningful and they’re understandable and if they’re not, being more standard about what’s required to protect classified information versus top secret, SCI [sensitive compartmented information], secret, etcetera, etcetera.”

Other recommendations include establishing a “Joint Management Office for Insider Threat and Cyber Capabilities to oversee User Activity Monitoring and improve threat monitoring across all DoD networks” within 90 days. 

“It’s applicable to both our insider threat hubs, but also to this… kind of need to know access piece,” the official said. “And so what we have proposed doing is working with our CIO colleagues to make sure that we’re jointly managing that program so that as we make user activity monitoring decisions, they are serving the department’s full range of interests.”

The USD(I&S) and DoD CIO are also tasked with implementing a “phased approach to increase accountability, manage access, and increase security to classified data by August 28, 2023” and issue guidance “to immediately enhance accountability and control of TOP SECRET information, including a requirement to appoint Top Secret Control Officers,” among other actions.

DoD components will also have to issue plans of action and milestones to ensure “all DoD personnel are included and accounted for in designated security information technology systems by August 21, 2023.”

“DoD Component Heads will ensure that a Plan of Action and Milestones for all DoD personnel are assigned to a Security Management Office (SMO) by August 31, 2023,” according to the fact sheet. “Components will identify challenges to assigning or transferring their personnel to the appropriate SMO, including data tracking in Advana or other system of record, and report their progress in addressing these challenges through the Defense Security Enterprise (DSE) Executive Committee (EXCOM).”