SAP Basics

Question 1

Definition of SAP

Answer 1

A program established for a specific class of classified information that imposes safeguarding and access requirements exceeding those normally required for information at the same classification level.

Question 2

When is a SAP established?

Answer 2

When the program is required by statute
OR
Upon finding of exceptional vulnerability of, or threat to, specific information

AND
When the normal criteria for determining access to information classified at the same level is insufficient

Question 3

What are the levels of classification for SAPs?

Answer 3

Top Secret

Secret

Confidential

Question 4

In addition to classification level, what else is required for SAP classification?

Answer 4

• Assigned nickname and/or codeword

- Identification of any special handling procedures

Question 5

Define a SAP in the simplest terms

Answer 5

A classified program with enhanced safeguarding and access requirements

Question 6

When were SAPs publicly acknowledged?

Answer 6

1980s

Question 7

Why were SAPs originally established?

Answer 7

• To protect DoD acquisition programs

- To hide sensitive operations

Question 8

What were SAPs originally called?

Answer 8

Black Programs

Question 9

SAP changes in the 1990s

Answer 9

• Black Program replaced with Special Access Program (SAP)
• SAP security procedures were modified to include intelligence programs and operations and support programs (not just acquisition programs)

Question 10

What is a well known Black Program?

Answer 10

• Skunk Works (code name for Lockheed Martin’s Advanced Development Programs)
• Responsible for the design of many famous and technologically advanced aircrafts, including the F-117A Nighthawk stealth fighter

Question 11

What is the reason for greater oversight of SAPs?

Answer 11

An operation went ary and investigation prooved illegal use of funds, court martial and imprisonment of personnel and lack of oversight.

Question 12

What is Operation Yellow Fruit?

Answer 12

• Army operation dealing with Iran Contra
• In 1983, an Army civilian stumbled onto billing irregularities at a U.S. intelligence front company that was handling secret supplies for Central America.
• Discovery led to the uncovering of the Yellow Fruit operation and the mismanagement of $300 million in funds over a 5 yr period
• Investigation proved illegal use of funds and lack of SAP oversight
• Personnel involved were court martialed and imprisoned
• Attracted the interest of Army’s Joint Chief of Staff and Congress
• Resulted in greater oversight of SAPs

Question 13

Common SAP Misconceptions

Answer 13

1. SAPs are used as a means to hide money spent on certain programs.
   - SAPs are not a place to hide money; they are used to ensure the security and accountability of a specific project is maintained to the highest level.
2. SAPs are used to avoid taxpayer scrutiny.
   - That is also not true. In fact, taxpayer understanding and awareness is often a key to an acknowledged program’s success.
3. SAPs are also believed to lack Congressional oversight.
   - Following Yellow Fruit, Congressional oversight increased significantly and now requires reports on every DoD SAP be submitted to Congress annually.

Question 14

Reasons for enhanced protections via SAP

Answer 14

Classification as a SAP is dictated by a program’s vulnerability to exploitation and the risk of compromise.

• Protect technology breakthroughs and ensure the U.S. maintains its leading technological edge.
• Ensure once we discover and exploit an adversary’s vulnerabilities, the knowledge of the exploitation remains secure and the adversary does not develop a countermeasure.
• Ensure sensitive operational plans are completed without disclosure. Of equal importance
• Protect intelligence information, which is often the key to a successful mission. Reducing the amount of intelligence gathered on U.S. forces significantly enhances our success on the battlefield.

Question 15

F-117A Information

Answer 15

• Designed and built to go undetected by radar, the F-117A stealth fighter dramatically changed U.S. strategic advantage.
• During Operation Desert Storm, the F117A made up only two percent of the sorties, yet accounted for forty percent of the bomb damage.
• The importance and power of what can be accomplished through the use of SAPs should not be understated.

Question 16

Importance of SAP Security - Example 1

Answer 16

In 1987, the USSR began deployment of the MiG-29 to its allies. It bore a striking resemblance to the U.S. F-15.

We have several examples of the Russians emulating U.S. military jets.

Question 17

Importance of SAP Security - Example 2

Answer 17

In the late 1970s and early 1980s, the U.S. spent well over a million dollars developing the technology to allow aircraft to transport the space shuttle. A few years later, the Russians “borrowed” our technology, requiring far less research and development dollars.

Question 18

Importance of SAP Security - Example 3

Answer 18

• In 2001, former FBI agent Robert Hanssen was arrested for selling American secrets to Russia. During his liaison with the DoD, Mr. Hanssen had access to SAPs.
• Due to the accountability mechanisms built into the SAP environment, it could easily be determined when and to what programs Mr. Hanssen had access.
• Such measures are essential to knowing the people involved in your programs and help facilitate damage assessment when necessary.

Question 19

SAP Personnel Overview

Answer 19

• Number of personnel who have access to a SAP is kept to an absolute minimum.
• If an individual will not materially and directly contribute to a SAP, that person is not authorized access.
• Access to SAPs is not granted on a convenience basis.
• Records of individuals who have or have had access to a SAP are maintained. This record-keeping capability far exceeds what is required for collateral programs.
• An individual’s need-to-know is a key piece of maintaining the security of SAPs.

Question 20

Consequences of Lack of Enforcement:

Need to Know

Answer 20

Brian Patrick Regan, a retired U.S. Air Force Sergeant, asked questions about information he did not need to know. He ended up selling detailed, comprehensive classified documents and photos containing U.S. reconnaissance mission information to China, Iraq, and Libya. This act caused a grave risk of death to U.S. Air Force reconnaissance pilots

Question 21

Need-to-Know Principle

Answer 21

It is not enough just to have the appropriate clearance and formal approval to access a SAP. In addition, a person must have a need- to-know that pertains to the specific information

Question 22

Need-to-Know Definition

Answer 22

Determination made by an authorized holder of classified information that a prospective recipient requires access in order to perform or assist in a lawful and authorized governmental function.

Question 23

Who is an authorized holder of classified information?

Answer 23

• You!

- Anyone with access to classified material

Question 24

Duties of an Authorized Holder of Classified Information

Answer 24

• Ensure that person has the appropriate clearance for the information.
• You are obligated to ask for sufficient information so you can make an informed decision whether or not to share your classified information with the requestor.
• Do not assume when someone asks you for information that he or she has a legitimate need-to-know

Verify that individual…

• Needs the information specifically to do their work
• Has the appropriate clearance
• Was given permission to access the information from someone in a position of authority

*Withhold your information until you can establish the need-to-know is legitimate!

Question 25

Ted tells you he is working as a database administrator on a project similar to yours. Ted is curious to see if your project uses some of the same data as his, and he asks to see your database, which is classified. Does Ted have a valid need-to-know?

Answer 25

No. Ted does not have a valid need-to-know that would justify his seeing your classified materials. Even though he is working on a similar project, he has no need to work with your information as part of his job, and no one has authorized him to see it. Sharing it with him could compromise the information. You don’t know what he will do with it.

Question 26

Ann’s supervisor tells you that Ann has been assigned to your project as a technical writer and will need access to all your project materials. Ann later asks to see your project plan, which is classified. Does Ann have a valid need-to-know?

Answer 26

Yes. Ann does have a valid security clearance and need-to-know, because she has been authorized by her supervisor to work on your project and to have access to all of your project materials, whether classified or not. Because her supervisor has told you directly about this authorization, there is no reason to suspect that Ann will compromise the information.

Question 27

Which of the following do SAPs aim to achieve

Answer 27

“Protect technological breakthroughs - yes
 Cover exploitation of adversary vulnerabilities - yes
 Protect sensitive operational plans - yes
 Reduce intelligence on U.S. force capabilities -yes”

Question 28

SAP Expectations

Answer 28

• Oversight will be much greater than the collateral programs you’ve worked on in the past.
• Must work using enhanced security processes and procedures.  
• Personnel access to your program will be kept to an absolute minimum.

Question 29

Acknowledged SAP

Answer 29

• Existence may be openly recognized.
• Purpose may be identified.
• Details, technologies, materials, and techniques of are classified as dictated by their vulnerability to exploitation and the risk of compromise.
• Funding is generally unclassified.
• There is no such thing as an unclassified SAP. An acknowledged SAP is not unclassified!!!

Question 30

Unacknowledged SAP

Answer 30

• Existence is protected.
• Purpose is protected.
• Details, technologies, materials, and techniques of are classified as dictated by their vulnerability to exploitation and the risk of compromise.
• Funding is often classified, unacknowledged, or not directly linked to the program.

Question 31

Waived SAP

Answer 31

• Unacknowledged SAPs for which the Secretary of Defense has waived applicable reporting requirements under Section 119, Title 10 U.S. Code.
• More restrictive reporting requirements.
• More restrictive access controls.

Question 32

Purpose of SAP Type/Protection Level

Answer 32

Communicates how the SAP is acknowledged and protected.

Question 33

Acquisition SAP

Answer 33

• Established to protect sensitive research, development, testing and evaluation, modification, and procurement activities.
• Involves buying or building something, such as a weapons system or aircraft.
• Majority of all DoD SAPs are acquisition SAPs.

Question 34

Intelligence SAP

Answer 34

• Established to protect the planning and execution of especially sensitive intelligence or CI operations or collection activities.
• Generally associated with the intelligence community.

Question 35

Operations and Support SAPs

Answer 35

• Established to protect the planning for execution of and support to especially sensitive military operations.
• Involves the use of soldiers, sailors, airmen, and marines.
• May protect organizations, property, operations, concepts, plans or activities.

Question 36

How to refer to SAPs?

Answer 36

Using both the protection level and category

Examples:
Acknowledged acquisition SAPs
Unacknowledged intelligence SAPs
Unacknowledged waived operations and support SAP

Or any other combination.

Question 37

Government Program Manager (GPM)

Answer 37

• Senior government program official

- Responsible for all aspects of the SAP

Question 38

Contractor Program Manager (CPM)

Answer 38

• Industry equivalent of the Government Program Manager (GPM).
• Responsible for the program’s overall management within the contractor facility.
• Responsible for executing all contractual obligations.

Question 39

Program Security Officer (PSO)

Answer 39

• Government security professional.
• Responsible for all aspects of security.
• Appointed in writing by the SAP Central Office (SAPCO).
• Exercises all authorities for security policies and requirements on behalf of the SAPCO or service component designee.
• Each SAP has only one PSO.

Question 40

Government SAP Security Officer (GSSO)

Answer 40

• Service component appoints the GSSO
• Provides SAP security administration and management at government program facilities.
• Provides SAP security administration and management based on guidance provided by the PSO
• A SAP that is large and complex enough may have multiple Government SAP Security Officers (GSSOs) subordinate to the PSO.

Question 41

GSSO Duties and Responsibilities

Answer 41

• Coordinate with the PSO and GPM to create a secure environment to develop and execute a SAP at each organization or location where SAP information is stored, accessed, or SAP-accessed personnel are assigned.
• Responsible for security management, to include SETA, and operations within their assigned activity, organization, or office.
• Adhere to applicable laws as well as national, DoD, and other security SAP policies and requirements.
• Coordinate SAP security matters with the PSO and GPM.
• Establish, conduct, and document initial, event-driven, and annual refresher training for all assigned SAP-accessed individuals.
• Conduct an annual self-inspection, document the self-inspection, and submit to the PSO a corrective action plan that identifies actions to establish compliance.

Question 42

Contractor Program Security Officer (CPSO)

Answer 42

• Industry equivalent of a Government SAP Security Officer (GSSO)
• Provides SAP security administration and management for industry
• Provides SAP security administration and management as directed by the PSO.
• A SAP that is large and complex enough may have multiple Contractor Program Security Officers (CPSOs).

Question 43

CPSO Duties and Responsibilities

Answer 43

• Coordinate with the PSO and CPM to create a secure environment to develop and execute a SAP at each organization or location where SAP information is stored, accessed, or SAP-accessed personnel are assigned
• Responsible for security management, to include SETA, and operations within their assigned activity, organization, or office.
• Adhere to applicable laws as well as national, DoD, and other security SAP policies and requirements
• Coordinate SAP security matters with the PSO and CPM
• Establish, conduct, and document initial, event-driven, and annual refresher training for all assigned SAP-accessed individuals
• Conduct an annual self-inspection, document the self-inspection, and submit to the PSO a corrective action plan that identifies actions to establish compliance

Question 44

What is a Black Program?

Answer 44

• Original name for Special Access Programs
• Generally restricted to protecting DoD acquisition programs.

“Black” because they were close-hold, people were unaware of their existence, and were conducted in tight-knit organizations

Question 45

What is meant by “collateral”?

Answer 45

“Collateral” refers to the classification levels of Top Secret, Secret and Confidential with no SAP or SCI caveats attached to the level.

Question 46

What are the SAP Type/Protection Levels?

Answer 46

• Acknowledged and Unacknowledged.

- Waived is a subset of Unacknowledged.

Question 47

What are the categories of SAP?

Answer 47

Acquisition

Intelligence

Operations and Support