Good News - Mostly......

We interrupt our regular programming to bring you a piece of very good news. And some less good news.

The good news is that, after literally years of promising to update the Department of State's contact-reporting policy, the Bureau of Diplomatic Security has actually put forward for clearance a DS-approved contact-reporting policy that should now be reviewed and cleared by other bureaus and could be turned into regulations perhaps as early as July. This will update the 12 FAM portion of the Department's CR policy, and either lead to the elimination or the rapid revision of the 4 FAM portion.

That is an enormous step towards helping employees understand what DS requires them to do, and in theory, should reduce the number of employees who lose their clearances because they inadvertently err in interpreting the vague and outdated policy currently on the books.

Certainly, the proposed new rules will eliminate any ambiguity about what DS wants, and what the consequences will be for not giving DS what it wants. And that, in and of itself, is something we and others have been seeking for a long time.

The rules also correct some deficiencies in procedure which have been highlighted in cases of interest to CFSO. It is clear that DS has considered its own past failures, as well as those of employees, in addressing the issue.

Overall, it is a very positive step, and the DS offices involved deserve real kudos for this significant move forward.

But the news is not all good.

We used the words "in theory" above because, while the new rules eliminate much ambiguity, we suspect that if they are published as drafted, they will lead to an increase rather than a decrease in the number of undeserved clearance suspensions.

Unless employees are already holding SCI clearances (which most State employees don't have or need) they will find the new rules dramatically more stringent than the current (outdated) ones. That is not unexpected. There are more real threats now than there were a dozen years ago.

What bothers us are the misleading rationale and philosophy behind the new policy, the ways the new policy will be administered, and the burdens that will be placed on employees, RSOs and post resources in order to satisfy these very stringent new rules.

Like so many things that are done these days, the new rules appear to be a triumph of short-term political gamesmanship over the long term needs and realities of the service. This is particularly evident in the philosophy expressed in the opening paragraph, which distorts the intent of Presidential Decision Directive (PDD/NSC-12)and implies a Presidential directive (which does not exist) to standardize reporting requirements across agencies.

We hope that those whose task it will now be to review and clear this draft will consider the following points as they consider whether to approve the draft as it is, or to suggest changes.

Yes, the White House has asked agencies to standardize the procedures by which security standards are adjudicated, and there has been a general interest in the Congress, on both sides of the aisle, to do this for some time.

In fact, we have questioned, and continue to question, the Department's continued refusal to follow the lead of DOD and OPM in the manner in which it adjudicates security clearances and conducts the appeal process.

But standardizing the procedures by which security clearance standards are adjudicated does not mean that agencies must or even should standardize their contact-reporting policies. Those policies do and should differ dramatically between agencies based on the differing missions those agencies perform and the differing realities under which their employees live and work.

PDD/NSC 12 of 5 Aug 93 concerns the need to report foreign contacts when illegal or unauthorized access is sought to classified or otherwise sensitive information or when the employee is concerned that he/she may be the target of actual or attempted exploitation by a foreign entity. It does not require that employees report all contacts with certain nationalities; it has been interpreted by other agencies less stringently than by the DS proposed draft; and it most certainly does not mandate, or even address in any way, the idea put forth in the draft that programs must be similar between agencies.

It's always disturbing when the first paragraph of a new set of rules does not accurately portray the wording or intent of the documents referenced in that paragraph.

It is inappropriate to impose on State Department employees at embassies overseas the same reporting standards that are required of servicemen at an overseas Airforce base or other military installation. The environment and the mission are different.

Moreover, there are serious risk-management issues implied by the considerable new burdens the draft policy would place on employees, RSOs and post management.

Compliance with the rules would, for example, require employees to familiarize themselves not only with the threat level in their country of assignment (as they should already be doing) but also in any country they may wish to visit in a completely private capacity as a tourist, or that might be the country of origin of a third-party national they might choose to converse with more than once.

Very few FSOs are currently familiar with the ever-changing list of country threat levels and many cannot name every group on the list of FTOs, even in their country of assignment. To be fair, DS has made the list available on a classified website. But there will still be employees unable to access it when needed.

Given current DS practices and zeal (which is disproportionate to the low historic susceptibility of FSOs to subversion) we are very concerned that the new regulations will increase the likelihood that DS will hold employees responsible for adhering to rules that require them to know things many are not in a position to know, or for being on the receiving end of events beyond their control.

Are we going to see FSOs lose their clearances because they simply failed to report an electronic greeting card sent by a person whose nationality is unknown to them? Or because an FSN colleague at a post to which they were formerly assigned wrote to them to share some personal news?

Are the new rules going to open the way for requiring employees to open their hotmail accounts on demand or present their cellular phones to RSOs for scrutiny?

Most importantly, we are concerned that DS will continue to hold employees responsible for failures by DS personnel to satisfy the DS (RSO) requirements of the policy. We have seen many cases in the past where an employee has been held responsible because an RSO failed to do something (either write something down, or forward something to Washington, or perform a briefing, that was never performed).

In every case of dispute so far, even where some evidence exists that an RSO was responsible for a failure, DS has blamed the employee and held the RSO's version of events to be accurate. Several employees have lost clearances as the result of exactly such circumstances.

It is unusual for the FAM to discuss disciplinary or other consequences of failure to follow a given set of rules. In the context in question, however, it is probably not a bad thing. Clearly stating the consequence of failure to comply contributes favorably to the clarity we have been seeking.

But if the accountability of the employee is going to be thoroughly stated, then the accountability of other parties in the process should be addressed as well. More is involved than fundamental fairness. If the team is not functioning as it should, it is important to recognize where the breakdown is occurring.

If you are going to talk about teamwork and cooperation between employees and security professionals, why not make the process easier, and hold all members of the team to the same standard of accountability?

The proposed new rules impose important new requirements on RSOs, PSOs and in some cases DCMs. What will happen if an "employee's" failure to comply with the regulations is due to failure by another party to deliver the appropriate briefings or deliver appropriate documentation? How will disputes on this issue be resolved?

Given that failure to comply with requirements as written is likely to lead to clearance suspensions and expensive and disruptive investigations, and given a procedure that clearly involves more than one party, the rules should address with greater specificity the accountability required of the RSOs, PSOs and others involved, how compliance will be verified, and how disputes will be handled.

For that matter, why not just eliminate the middlemen altogether, and make the forms involved e-mailable, with automatic distribution to the offices involved and an automatic receipt notification proving that the employee met his or her obligation? Briefings as well could be delivered electronically, much as the Department handles ethics briefings, computer-security briefings and many FSI exams.

After all the publicity the Department gave its deployment of E-QIP and an electronic report management system, why not continue the trend and make contact-reporting easier for employees, rather than more complicated?

DS has every right to specify the information it feels it needs to make legitimate security decisions. On the other hand, the procedures for implementation should not be so stringent that they set up the average employee to fail, nor written to be easily used unfairly against an employee should DS choose to abuse the security clearance process for any of the many reasons it currently does so.

The proposed new rules are very clear about what is expected of the employee, and what is expected of the other actors in the process. They should be equally clear about the consequences of inaction by all of the players involved.