SAP Basics Flashcards
Definition of SAP
A program established for a specific class of classified information that imposes safeguarding and access requirements exceeding those normally required for information at the same classification level.
When is a SAP established?
When the program is required by statute
OR
Upon finding of exceptional vulnerability of, or threat to, specific information
AND
When the normal criteria for determining access to information classified at the same level is insufficient
What are the levels of classification for SAPs?
Top Secret
Secret
Confidential
In addition to classification level, what else is required for SAP classification?
- Assigned nickname and/or codeword
- Identification of any special handling procedures
Define a SAP in the simplest terms
A classified program with enhanced safeguarding and access requirements
When were SAPs publicly acknowledged?
1980s
Why were SAPs originally established?
- To protect DoD acquisition programs
- To hide sensitive operations
What were SAPs originally called?
Black Programs
SAP changes in the 1990s
- Black Program replaced with Special Access Program (SAP)
- SAP security procedures were modified to include intelligence programs and operations and support programs (not just acquisition programs)
What is a well known Black Program?
- Skunk Works (code name for Lockheed Martin’s Advanced Development Programs)
- Responsible for the design of many famous and technologically advanced aircrafts, including the F-117A Nighthawk stealth fighter
What is the reason for greater oversight of SAPs?
An operation went ary and investigation prooved illegal use of funds, court martial and imprisonment of personnel and lack of oversight.
What is Operation Yellow Fruit?
- Army operation dealing with Iran Contra
- In 1983, an Army civilian stumbled onto billing irregularities at a U.S. intelligence front company that was handling secret supplies for Central America.
- Discovery led to the uncovering of the Yellow Fruit operation and the mismanagement of $300 million in funds over a 5 yr period
- Investigation proved illegal use of funds and lack of SAP oversight
- Personnel involved were court martialed and imprisoned
- Attracted the interest of Army’s Joint Chief of Staff and Congress
- Resulted in greater oversight of SAPs
Common SAP Misconceptions
- SAPs are used as a means to hide money spent on certain programs.
- SAPs are not a place to hide money; they are used to ensure the security and accountability of a specific project is maintained to the highest level. - SAPs are used to avoid taxpayer scrutiny.
- That is also not true. In fact, taxpayer understanding and awareness is often a key to an acknowledged program’s success. - SAPs are also believed to lack Congressional oversight.
- Following Yellow Fruit, Congressional oversight increased significantly and now requires reports on every DoD SAP be submitted to Congress annually.
Reasons for enhanced protections via SAP
Classification as a SAP is dictated by a program’s vulnerability to exploitation and the risk of compromise.
- Protect technology breakthroughs and ensure the U.S. maintains its leading technological edge.
- Ensure once we discover and exploit an adversary’s vulnerabilities, the knowledge of the exploitation remains secure and the adversary does not develop a countermeasure.
- Ensure sensitive operational plans are completed without disclosure. Of equal importance
- Protect intelligence information, which is often the key to a successful mission. Reducing the amount of intelligence gathered on U.S. forces significantly enhances our success on the battlefield.
F-117A Information
- Designed and built to go undetected by radar, the F-117A stealth fighter dramatically changed U.S. strategic advantage.
- During Operation Desert Storm, the F117A made up only two percent of the sorties, yet accounted for forty percent of the bomb damage.
- The importance and power of what can be accomplished through the use of SAPs should not be understated.
Importance of SAP Security - Example 1
In 1987, the USSR began deployment of the MiG-29 to its allies. It bore a striking resemblance to the U.S. F-15.
We have several examples of the Russians emulating U.S. military jets.
Importance of SAP Security - Example 2
In the late 1970s and early 1980s, the U.S. spent well over a million dollars developing the technology to allow aircraft to transport the space shuttle. A few years later, the Russians “borrowed” our technology, requiring far less research and development dollars.
Importance of SAP Security - Example 3
- In 2001, former FBI agent Robert Hanssen was arrested for selling American secrets to Russia. During his liaison with the DoD, Mr. Hanssen had access to SAPs.
- Due to the accountability mechanisms built into the SAP environment, it could easily be determined when and to what programs Mr. Hanssen had access.
- Such measures are essential to knowing the people involved in your programs and help facilitate damage assessment when necessary.
SAP Personnel Overview
- Number of personnel who have access to a SAP is kept to an absolute minimum.
- If an individual will not materially and directly contribute to a SAP, that person is not authorized access.
- Access to SAPs is not granted on a convenience basis.
- Records of individuals who have or have had access to a SAP are maintained. This record-keeping capability far exceeds what is required for collateral programs.
- An individual’s need-to-know is a key piece of maintaining the security of SAPs.
Consequences of Lack of Enforcement:
Need to Know
Brian Patrick Regan, a retired U.S. Air Force Sergeant, asked questions about information he did not need to know. He ended up selling detailed, comprehensive classified documents and photos containing U.S. reconnaissance mission information to China, Iraq, and Libya. This act caused a grave risk of death to U.S. Air Force reconnaissance pilots
Need-to-Know Principle
It is not enough just to have the appropriate clearance and formal approval to access a SAP. In addition, a person must have a need- to-know that pertains to the specific information
Need-to-Know Definition
Determination made by an authorized holder of classified information that a prospective recipient requires access in order to perform or assist in a lawful and authorized governmental function.
Who is an authorized holder of classified information?
- You!
- Anyone with access to classified material
Duties of an Authorized Holder of Classified Information
- Ensure that person has the appropriate clearance for the information.
- You are obligated to ask for sufficient information so you can make an informed decision whether or not to share your classified information with the requestor.
- Do not assume when someone asks you for information that he or she has a legitimate need-to-know
Verify that individual…
- Needs the information specifically to do their work
- Has the appropriate clearance
- Was given permission to access the information from someone in a position of authority
*Withhold your information until you can establish the need-to-know is legitimate!
Ted tells you he is working as a database administrator on a project similar to yours. Ted is curious to see if your project uses some of the same data as his, and he asks to see your database, which is classified. Does Ted have a valid need-to-know?
No. Ted does not have a valid need-to-know that would justify his seeing your classified materials. Even though he is working on a similar project, he has no need to work with your information as part of his job, and no one has authorized him to see it. Sharing it with him could compromise the information. You don’t know what he will do with it.
Ann’s supervisor tells you that Ann has been assigned to your project as a technical writer and will need access to all your project materials. Ann later asks to see your project plan, which is classified. Does Ann have a valid need-to-know?
Yes. Ann does have a valid security clearance and need-to-know, because she has been authorized by her supervisor to work on your project and to have access to all of your project materials, whether classified or not. Because her supervisor has told you directly about this authorization, there is no reason to suspect that Ann will compromise the information.
Which of the following do SAPs aim to achieve
“Protect technological breakthroughs - yes
Cover exploitation of adversary vulnerabilities - yes
Protect sensitive operational plans - yes
Reduce intelligence on U.S. force capabilities -yes”
SAP Expectations
- Oversight will be much greater than the collateral programs you’ve worked on in the past.
- Must work using enhanced security processes and procedures.
- Personnel access to your program will be kept to an absolute minimum.
Acknowledged SAP
- Existence may be openly recognized.
- Purpose may be identified.
- Details, technologies, materials, and techniques of are classified as dictated by their vulnerability to exploitation and the risk of compromise.
- Funding is generally unclassified.
- There is no such thing as an unclassified SAP. An acknowledged SAP is not unclassified!!!
Unacknowledged SAP
- Existence is protected.
- Purpose is protected.
- Details, technologies, materials, and techniques of are classified as dictated by their vulnerability to exploitation and the risk of compromise.
- Funding is often classified, unacknowledged, or not directly linked to the program.
Waived SAP
- Unacknowledged SAPs for which the Secretary of Defense has waived applicable reporting requirements under Section 119, Title 10 U.S. Code.
- More restrictive reporting requirements.
- More restrictive access controls.
Purpose of SAP Type/Protection Level
Communicates how the SAP is acknowledged and protected.
Acquisition SAP
- Established to protect sensitive research, development, testing and evaluation, modification, and procurement activities.
- Involves buying or building something, such as a weapons system or aircraft.
- Majority of all DoD SAPs are acquisition SAPs.
Intelligence SAP
- Established to protect the planning and execution of especially sensitive intelligence or CI operations or collection activities.
- Generally associated with the intelligence community.
Operations and Support SAPs
- Established to protect the planning for execution of and support to especially sensitive military operations.
- Involves the use of soldiers, sailors, airmen, and marines.
- May protect organizations, property, operations, concepts, plans or activities.
How to refer to SAPs?
Using both the protection level and category
Examples:
Acknowledged acquisition SAPs
Unacknowledged intelligence SAPs
Unacknowledged waived operations and support SAP
Or any other combination.
Government Program Manager (GPM)
- Senior government program official
- Responsible for all aspects of the SAP
Contractor Program Manager (CPM)
- Industry equivalent of the Government Program Manager (GPM).
- Responsible for the program’s overall management within the contractor facility.
- Responsible for executing all contractual obligations.
Program Security Officer (PSO)
- Government security professional.
- Responsible for all aspects of security.
- Appointed in writing by the SAP Central Office (SAPCO).
- Exercises all authorities for security policies and requirements on behalf of the SAPCO or service component designee.
- Each SAP has only one PSO.
Government SAP Security Officer (GSSO)
- Service component appoints the GSSO
- Provides SAP security administration and management at government program facilities.
- Provides SAP security administration and management based on guidance provided by the PSO
- A SAP that is large and complex enough may have multiple Government SAP Security Officers (GSSOs) subordinate to the PSO.
GSSO Duties and Responsibilities
- Coordinate with the PSO and GPM to create a secure environment to develop and execute a SAP at each organization or location where SAP information is stored, accessed, or SAP-accessed personnel are assigned.
- Responsible for security management, to include SETA, and operations within their assigned activity, organization, or office.
- Adhere to applicable laws as well as national, DoD, and other security SAP policies and requirements.
- Coordinate SAP security matters with the PSO and GPM.
- Establish, conduct, and document initial, event-driven, and annual refresher training for all assigned SAP-accessed individuals.
- Conduct an annual self-inspection, document the self-inspection, and submit to the PSO a corrective action plan that identifies actions to establish compliance.
Contractor Program Security Officer (CPSO)
- Industry equivalent of a Government SAP Security Officer (GSSO)
- Provides SAP security administration and management for industry
- Provides SAP security administration and management as directed by the PSO.
- A SAP that is large and complex enough may have multiple Contractor Program Security Officers (CPSOs).
CPSO Duties and Responsibilities
- Coordinate with the PSO and CPM to create a secure environment to develop and execute a SAP at each organization or location where SAP information is stored, accessed, or SAP-accessed personnel are assigned
- Responsible for security management, to include SETA, and operations within their assigned activity, organization, or office.
- Adhere to applicable laws as well as national, DoD, and other security SAP policies and requirements
- Coordinate SAP security matters with the PSO and CPM
- Establish, conduct, and document initial, event-driven, and annual refresher training for all assigned SAP-accessed individuals
- Conduct an annual self-inspection, document the self-inspection, and submit to the PSO a corrective action plan that identifies actions to establish compliance
What is a Black Program?
- Original name for Special Access Programs
- Generally restricted to protecting DoD acquisition programs.
“Black” because they were close-hold, people were unaware of their existence, and were conducted in tight-knit organizations
What is meant by “collateral”?
“Collateral” refers to the classification levels of Top Secret, Secret and Confidential with no SAP or SCI caveats attached to the level.
What are the SAP Type/Protection Levels?
- Acknowledged and Unacknowledged.
- Waived is a subset of Unacknowledged.
What are the categories of SAP?
Acquisition
Intelligence
Operations and Support
