SAP Basics Flashcards
Definition of SAP
A program established for a specific class of classified information that imposes safeguarding and access requirements exceeding those normally required for information at the same classification level.
When is a SAP established?
When the program is required by statute
OR
Upon finding of exceptional vulnerability of, or threat to, specific information
AND
When the normal criteria for determining access to information classified at the same level is insufficient
What are the levels of classification for SAPs?
Top Secret
Secret
Confidential
In addition to classification level, what else is required for SAP classification?
- Assigned nickname and/or codeword
- Identification of any special handling procedures
Define a SAP in the simplest terms
A classified program with enhanced safeguarding and access requirements
When were SAPs publicly acknowledged?
1980s
Why were SAPs originally established?
- To protect DoD acquisition programs
- To hide sensitive operations
What were SAPs originally called?
Black Programs
SAP changes in the 1990s
- Black Program replaced with Special Access Program (SAP)
- SAP security procedures were modified to include intelligence programs and operations and support programs (not just acquisition programs)
What is a well known Black Program?
- Skunk Works (code name for Lockheed Martin’s Advanced Development Programs)
- Responsible for the design of many famous and technologically advanced aircrafts, including the F-117A Nighthawk stealth fighter
What is the reason for greater oversight of SAPs?
An operation went ary and investigation prooved illegal use of funds, court martial and imprisonment of personnel and lack of oversight.
What is Operation Yellow Fruit?
- Army operation dealing with Iran Contra
- In 1983, an Army civilian stumbled onto billing irregularities at a U.S. intelligence front company that was handling secret supplies for Central America.
- Discovery led to the uncovering of the Yellow Fruit operation and the mismanagement of $300 million in funds over a 5 yr period
- Investigation proved illegal use of funds and lack of SAP oversight
- Personnel involved were court martialed and imprisoned
- Attracted the interest of Army’s Joint Chief of Staff and Congress
- Resulted in greater oversight of SAPs
Common SAP Misconceptions
- SAPs are used as a means to hide money spent on certain programs.
- SAPs are not a place to hide money; they are used to ensure the security and accountability of a specific project is maintained to the highest level. - SAPs are used to avoid taxpayer scrutiny.
- That is also not true. In fact, taxpayer understanding and awareness is often a key to an acknowledged program’s success. - SAPs are also believed to lack Congressional oversight.
- Following Yellow Fruit, Congressional oversight increased significantly and now requires reports on every DoD SAP be submitted to Congress annually.
Reasons for enhanced protections via SAP
Classification as a SAP is dictated by a program’s vulnerability to exploitation and the risk of compromise.
- Protect technology breakthroughs and ensure the U.S. maintains its leading technological edge.
- Ensure once we discover and exploit an adversary’s vulnerabilities, the knowledge of the exploitation remains secure and the adversary does not develop a countermeasure.
- Ensure sensitive operational plans are completed without disclosure. Of equal importance
- Protect intelligence information, which is often the key to a successful mission. Reducing the amount of intelligence gathered on U.S. forces significantly enhances our success on the battlefield.
F-117A Information
- Designed and built to go undetected by radar, the F-117A stealth fighter dramatically changed U.S. strategic advantage.
- During Operation Desert Storm, the F117A made up only two percent of the sorties, yet accounted for forty percent of the bomb damage.
- The importance and power of what can be accomplished through the use of SAPs should not be understated.
Importance of SAP Security - Example 1
In 1987, the USSR began deployment of the MiG-29 to its allies. It bore a striking resemblance to the U.S. F-15.
We have several examples of the Russians emulating U.S. military jets.
Importance of SAP Security - Example 2
In the late 1970s and early 1980s, the U.S. spent well over a million dollars developing the technology to allow aircraft to transport the space shuttle. A few years later, the Russians “borrowed” our technology, requiring far less research and development dollars.
Importance of SAP Security - Example 3
- In 2001, former FBI agent Robert Hanssen was arrested for selling American secrets to Russia. During his liaison with the DoD, Mr. Hanssen had access to SAPs.
- Due to the accountability mechanisms built into the SAP environment, it could easily be determined when and to what programs Mr. Hanssen had access.
- Such measures are essential to knowing the people involved in your programs and help facilitate damage assessment when necessary.
SAP Personnel Overview
- Number of personnel who have access to a SAP is kept to an absolute minimum.
- If an individual will not materially and directly contribute to a SAP, that person is not authorized access.
- Access to SAPs is not granted on a convenience basis.
- Records of individuals who have or have had access to a SAP are maintained. This record-keeping capability far exceeds what is required for collateral programs.
- An individual’s need-to-know is a key piece of maintaining the security of SAPs.
Consequences of Lack of Enforcement:
Need to Know
Brian Patrick Regan, a retired U.S. Air Force Sergeant, asked questions about information he did not need to know. He ended up selling detailed, comprehensive classified documents and photos containing U.S. reconnaissance mission information to China, Iraq, and Libya. This act caused a grave risk of death to U.S. Air Force reconnaissance pilots
Need-to-Know Principle
It is not enough just to have the appropriate clearance and formal approval to access a SAP. In addition, a person must have a need- to-know that pertains to the specific information
Need-to-Know Definition
Determination made by an authorized holder of classified information that a prospective recipient requires access in order to perform or assist in a lawful and authorized governmental function.
Who is an authorized holder of classified information?
- You!
- Anyone with access to classified material
Duties of an Authorized Holder of Classified Information
- Ensure that person has the appropriate clearance for the information.
- You are obligated to ask for sufficient information so you can make an informed decision whether or not to share your classified information with the requestor.
- Do not assume when someone asks you for information that he or she has a legitimate need-to-know
Verify that individual…
- Needs the information specifically to do their work
- Has the appropriate clearance
- Was given permission to access the information from someone in a position of authority
*Withhold your information until you can establish the need-to-know is legitimate!