The following document is from the PRIVACY Forum Archive at Vortex Technology, Woodland Hills, California, U.S.A. For direct web access to the PRIVACY Forum and PRIVACY Forum Radio, including detailed information, archives, keyword searching, and related facilities, please visit the PRIVACY Forum via the web URL: http://www.vortex.com ----------------------------------------------------------------------- National Aeronautics and Space Administration MANAGEMENT REVIEW OF THE AMES RESEARCH CENTER August 1992 This report is UNCLASSIFIED and does not contain privacy information. FOREWORD The end of the cold war has resulted in a fundamental change in the character of global competition from military to economic. Espionage, as we traditionally view it, has changed as well. While our defense secrets continue to be of interest to several nations, numerous nations are now conducting industrial and economic espionage operations against the United States. High technology activities in the aerospace and electronics sectors are often targeted. The multinational scope of these business sectors coupled, with their mobile, multinational workforces, make them especially enticing targets to nations desiring access to cutting edge high technology. NASA, as a leader in the development of key aerospace and electronics technologies, is at least as vulnerable to economic espionage as industry. This, coupled with the change to global economic competition, necessitates a reexamination of the traditional NASA desire to share technology internationally. The Administrator's recently stated goal to support the U.S. bottom line as the highest priority of NASA is a positive step in this direction. This management review found deficiencies in the culture and environment at the Ames Research Center that could lead to a significant loss of commercially valuable/sensitive technologies. It recommends corrective actions and also identifies steps which could further improve NASA's ability to protect commercially valuable/sensitive technology for first use by U.S. industry. I. EXECUTIVE SUMMARY In July, 1992, the NASA Administrator chartered a Management Review Team (MRT) to conduct a comprehensive review of management policies and practices related to the protection and handling of classified and sensitive technological information at the NASA/Ames Research Center (ARC) located in Mountainview, California. The resultant review took place during the period July 31 to August 12, 1992. The MRT was established after a classified briefing was presented to NASA Headquarters management by ARC management. The briefing identified potential national security problems. The NASA Administrator determined that the situation at ARC was potentially so serious that it warranted a special, one time review to determine whether the issues and problems existed and, if so, what type of corrective action should be taken. The Federal Bureau of Investigation (FBI) was consulted on the national security and foreign counterintelligence aspects of the problems identified. A management review plan was developed to address the following issues: - What is the risk of a hostile intelligence operation at Ames? NASA? - The possible mismanagement of the protection of national security information and sensitive NASA and industry technology at Ames. - Whether appropriate NASA management and contract administration policies and practices existed and were in use at Ames. - The possible damage to NASA credibility with NASA customers, namely the U. S. taxpayer, U. S. industry, and U. S. colleges and universities. - The resolution of conflict between NASA's desire to share technological information internationally, and the Administrator's goal to support America's economic interests. The results of the MRT lead to the following conclusions concerning the above issues. ARC is considered "high risk" for hostile intelligence operations. ARC exacerbated a marginally effective security posture by not focusing appropriate management attention on the handling of sensitive technology. Structural and functional weaknesses existed in the way the Ames security office worked in relation to other center operations. In addition to security concerns, processes and practices in the areas of personnel, legal, procurement, and data and technology protection are contributing to the potential risk rather than serving as controls over the risk. The ARC culture and environment were found to be the underlying cause of NASA's vulnerability; the culture is strongly biased toward maintaining an academic reputation rather than meeting U. S. industry and national needs. Generally accepted management controls, as well as security, legal, personnel, and procurement policies, are often viewed as impediments and are sometimes sidetracked or avoided. Lax procedures and attitudes were identified that set the stage for widespread dissemination of commercially valuable technology being developed by ARC personnel. ARC's credibility with U. S. aerospace industry has been damaged as a result of these problems. Some of NASA's customers and partners are reluctant to share important data with NASA for fear it will be disseminated with little or no regard for its sensitivity. In order to regain credibility, specific processes for the identification and handling of sensitive and commercially valuable technologies at ARC must be developed and fully implemented by ARC employees. To resolve the conflict between NASA's desire to share technology internationally and the need to place U. S. interests first, an environment and culture must be developed at ARC, and elsewhere at NASA, which focuses NASA's attention on the needs and expectations of U. S. industry and the taxpayer. Basic science efforts actively involve and will continue to involve the international community, but applied technology, developed at U. S. taxpayer expense, must be protected for U. S. industry use in accordance with applicable laws and regulations. NASA must work internally, and externally with appropriate members of the Administration and Congress, to address the problems and develop long-term solutions. The MRT also found a number of specific discrepancies in the areas of procurement, misuse of government equipment, and apparent violations of the law and/or NASA policy. The MRT referred this information, as appropriate, to the NASA Office of Inspector General (OIG) and the FBI, who has jurisdiction over foreign counterintelligence issues resulting from this review. Cases were opened up by the OIG and FBI. It is anticipated that the OIG effort will be completed in December 1992. The MRT developed findings and recommendations, including: developing specific processes for identifying and handling sensitive and commercially valuable technologies at ARC, establishing an agency- wide process and database for acquiring and sharing crucial security risk information, reducing security clearances to a minimum, disciplining individuals involved in irregularities, improving the overall posture of computer security, and providing improved management development programs. II. MEMBERSHIP The Management Review Team (MRT) membership included: Thomas C. Betterton (Leader) Cecil C. Rosen, III (Aeronautics) Vince Rausch (NASP) Matt Donlon (Security) Pam von Soosten (Legal) Carl Eichenlaub (Procurement) John Pennington (Human Resources) III. SCOPE AND CONDUCT Scope The review was planned during mid-July 1992, at NASA Headquarters. The first phase, a security review of six selected building at ARC and the initiation of procurement, human resources and legal activities, was conducted over the weekend of July 31, 1992, through August 2, 1992. The second phase was initiated on Monday, August 3, 1992. It consisted of several parallel activities including: * Management Team discussions with key ARC management personnel; * Individual evaluations, interviews and data gathering in the procurement, human resources, security, and legal areas; * Interviews to address issues discovered during Phase I and other interviews where appropriate; * Interviews of selected individuals with emphasis on those holding security clearances to explore practices and gather information; and * Interviews with representatives of three firms which provide technical support services at ARC. The second phase concluded on Wednesday, August 12, 1992. The remainder of the month was devoted to the development of the team's report, the provision of relevant information to the appropriate organizations for further action as necessary, follow-up data gathering and actions, and addressing unanticipated issues arising from the review itself. Conduct _Planning_ During mid-July 1992, the MRT planned the review. NASA top management was regularly informed of the status of MRT planning and of all issues. On July 27, 1992, NASA management reviewed the MRT planning. Employee rights vis-a-vis the security review and interviews were thoroughly covered, as was the potential reaction of employees. The plan and approach were endorsed with minor changes. On July 28, 1992, the NASA Associate Administrator for Public Affairs was notified about the review. He suggested that initial public affairs would best be handled on site by the ARC public affairs focal point, and that he would discuss follow on public affairs aspects with the ARC focal point upon initiation of the review. On July 29, 1992, the proposed plan was briefed to the Chief of Staff, ARC Center Director, Inspector General, General Counsel, Associate Administrator for OAST, and a representative of the FBI. The Chief of Staff approved the plan with a few changes. The MRT traveled to the ARC local area on July 30, 1992. _Execution_ - Entry Meeting at ARC The MRT conducted an entry meeting with the ARC Director and selected members of his staff at 3:30 pm on July 31, 1992. The Center Director designated the Chief of the Acquisition Division as the MRT liaison. Follow-up meetings for 4:30 pm were scheduled by the Center Director with representatives from Procurement, Personnel, Legal and Public Affairs. The MRT discussed areas of interest and outlined specific needs in the following key areas: * Procurement * Human Resources * Legal * Security The MRT requested the Center Director send a memorandum explaining the review to employees. Instead, a brief announcement was signed by the ARC Director and left on affected employees' desks during the weekend review. The announcement included a phone number at which employees could contact the MRT. - Phase I Review (7/31/92-8/2/92) The Phase I review was initiated Friday evening on July 31, 1992. Physical building lock-up and computer isolation of six ARC buildings were performed. The six buildings were selected based on the number of individuals holding security clearances and on an assessment of the importance of work being performed. Personnel (no more than six total) still in the buildings were asked to leave. Two-person teams, all of which included at least one NASA employee (assisted by security experts), conducted all lock-up, computer isolation and subsequent searches with one person performing an activity and the other witnessing. On the morning of August 1, the MRT legal representative again briefed team members on the extent of their authority to conduct searches. The announcement signed by the Center Director was to be posted on doors and left in employee offices concerning the conduct of the inspection. On August 1, the team requested the Center's assistance in reconnecting personal computers in offices in which searches were complete, in order to minimize the disruption Monday morning. A preliminary screening of information and findings was performed at the end of the day on both August 1st and 2nd. The MRT used this data to plan Phase II activities. Physical and computer restoration began at 1:00 pm on Sunday, August 2, 1992, and was completed at 11:45 pm. It should be noted that while there were a few problems with computer connections, every effort was made by the MRT to minimize any adverse impact on the ARC workforce, including conducting this portion of the review over the weekend. The MRT received several phone calls about incorrect computer connections. The MRT provided callers with instructions on how to correct the computer connections. During the late afternoon and evening of Sunday, August 2, 1992, the MRT reviewed and assessed the data that had been gathered. It was determined that of the several hundred personnel occupying the six buildings involved in the review, there was sufficient reason to warrant the denial of access of ten individuals to their workspace/offices and computers while additional information was being gathered or questions resolved. Notices were placed at each of the affected individual's offices/workspaces to report to the ARC MRT liaison for further instructions upon arrival at work on Monday, August 3, 1992. It should be noted that there were additional individuals about whom the team had concerns. However, the team determined that it was not necessary in these cases to restrict the individual's access to his/her office/workspace and computer while additional information was being gathered or questions resolved. - Phase II (8/3/92-8/12/92) Phase II was initiated on Monday, August 3, 1992. Several parallel activities had been planned to facilitate the review: * Management team information-gathering discussions with key ARC management personnel. * Individual interviews, evaluations and data-gathering in the procurement, human resources, security, and legal areas. * The formation of teams to interview the individuals identified during Phase I and other individuals as required. * The formation of teams to interview selected individuals with emphasis on those holding security clearances to explore practices and gather information. On Monday, August 3, 1992, the ARC liaison and MRT legal and human resources representatives met with the ten individuals who were denied access to their offices/workspaces and computers. The group met with each person individually. The ARC liaison, as the representative for the Center Director, informed each civil servant that a Management Review Team was conducting a review of a number of issues at the Center, and that the review was not complete in their area. Accordingly, it was explained that civil servants were placed on administrative leave. It was made clear that this was not a disciplinary action, and that the employee was not being suspended. The five employees of universities or private companies were told that they were not to work in their office. If the individual had questions, the group provided whatever information was available. The individuals were also asked to provide a list of all passwords and accounts by which they had access to NASA computers. They were told that the team would be contacting them to either inform them that they could return to work or to set up a time for an interview. Anyone who wished to was permitted to retrieve personal items from their office. The Management Team conducted information-gathering discussions with key ARC management personnel between August 3 and August 10. Each discussion lasted approximately one hour. Twelve ARC management personnel were contacted. Management Team discussions centered around the processes and practices related to the protection of commercially valuable/sensitive technological information. Typical questions and discussions included: * Organizational description (type of work, size of staff, mix of civil service and non-civil service personnel, customers); * Amount and kind of classified work and competitively valuable Research & Technology (and processes and approaches used to handle); * Customer interfaces and involvement in planning and handling data; * Access of foreign entities to commercially valuable technologies and data; * Process for transfer of computer codes to non-government organizations; * Current promotion process and career path rewards international recognition verses the protection of commercially valuable/sensitive technology; * Accountability/responsibility for determining what is commercially valuable/sensitive information and controlling it; * Work environment at ARC and managerial qualifications; and * Basic science versus technology. On August 3, 1992, the interview teams developed a schedule for interviews of nine individuals who had been denied access to their office/workspace and other individuals as appropriate. (The team determined that one company employee did not have to be interviewed.) Interviews of the nine individuals were planned to be conducted on Tuesday, August 4 and Wednesday, August 5. The schedule for the nine individuals was passed to the ARC liaison who notified the individuals concerned. Subsequent adjustments to the schedule were necessary because interviews took longer than anticipated for two people and additional individuals to be interviewed were added. By August 10, 1992, all the individuals who had originally been denied access to their offices/workspaces had returned to work. The first individual returned to work on the afternoon of August 4 after the apparent discrepancy was quickly resolved during the interview. In addition, between August 3 and August 6, teams of two people (at least one of which was a NASA employee) conducted 62 informal, short interviews with individuals holding security clearances who occupied the six buildings involved in the security review. The teams asked how often individuals handled classified information, participated in classified programs or tests, and were trained on security procedures. The MRT security representative reviewed overall practices and procedures in the handling of classified information, proprietary data, and commercially valuable/sensitive technologies within selected ARC organizations. This review consisted of facility inspections, a classified holdings audit and personnel interviews. The Human Resources assessment focused on ARC employment practices associated with staffing professional positions, ARC policy and procedures for determining position sensitivity, and ARC policy and procedures for dealing with employee suitability (suitability for government employment) issues. In addition to the review of selected personnel files, suitability files, and merit staffing records, the MRT human resources representative conducted five interviews related to the human resources assessment. During Phases I and II, 14 government employees were interviewed by the MRT procurement representative. The MRT legal representative spoke with four ARC employees about legal involvement in decision making and the consortium agreement (discussed in the "Findings" and "Recommendations" sections.) Each evening, the team members reported significant findings, and discussed what actions should be taken the following day. Daily meetings were held with the ARC Director and/or liaison through August 7 and on August 10 to ensure they were fully appraised of MRT status and actions. On Tuesday, August 4, 1992, the MRT was alerted to the perception by the ARC Asian-American community that it had been targeted by the MRT. The MRT conducted several discussions with members of the ARC Asian-American community to understand the situation, to show MRT concern, to calm concerns, and to assure them that the MRT was not unfairly focusing on the Asian-American community. _Reporting_ NASA Headquarters was briefed daily on MRT status and actions. Between July 31 and August 11, several members of Congress and their staffs were notified about the MRT activities at ARC. IV. FINDINGS 1. The MRT identified cases of computer code and export control data being given to unauthorized recipients. The overall security posture of ARC, as reflected in the protection of national security information, is marginally effective. There are a number of structural and functional weaknesses which lead to an assessment of high security risk potential. * Security organization's role at ARC is very limited and functions are not an integral part of the Center's operations. - Security does not actively participate throughout the personnel and position sensitivity decision-making process. - Computer security handled in a separate organization. * Risk of some form of espionage activity at ARC is high. - Broad spectrum of technologies under development. - High number of on-site non-government personnel. - Significant lack of management attention and control. * Loose personnel practices and suitability standards increase risk. - Current practices to augment the government work force pose a significant risk to proper protection of commercially valuable/sensitive information. - Civil servants were allowed to remain in the same job capacity after they were found to have disqualifying background information and denied a national security clearance. - In one case, an individual who had been denied a security clearance supervised employees with national security clearances performing classified work. * Risk of disclosure of technology, subject to export controls, without export licenses. * Large number of security clearances held by employees and supported by management due to the possibility for future need. - Center could operate with significantly reduced number of security clearances with little or no impact on current roles and mission. * Lax procedures for handling classified materials. * Some of these findings were previously identified in a NASA IG Report dated 1988 on Security Operations at ARC. 2. General policies exit for handling commercially valuable/sensitive technologies, but there is limited management attention or interest with regard to effective and consistent implementation. * No routine implementation of processes for identification and handling. * No involvement of customers in identification of, in developing handling plans for, or in evaluating transition effectiveness of commercially valuable/sensitive technologies. * No apparent ownership in many elements of the management chain. * Internal processes for initiation, approval and transfer of technical papers and computer programs are in place. - Not well understood; execution practices vary widely. - Common practice to bypass rules. - No training or education programs for workforce. * Several technical people stated that they view the U.S. aerospace industry as their competitor, not their customer. - "Need to protect our ideas and information so that industry outsiders will not steal them and get credit for them." 3. The management and environment at Ames Research Center (ARC) are strongly biased toward maintaining a reputation in the academic and scientific research community. There is a noticeable lack of sensitivity for policies and practices more responsive to the protection of U.S. technologies. * Current management resistant to change. - Long tradition of success and accomplishment at ARC argues for status quo. - Major recent changes in global environment mandate changes to processes for handling commercially valuable/sensitive technology. - ARC must be responsive to changes in nation's needs. * Team orientation and goals are not apparent at any level within the Center. - No evidence of incentives or meaningful rewards for teamwork. - Individual versus team focus. * Lack of appreciation for the importance of non-technical Center functions. - Security, procurement, legal, and personnel functions are not well integrated into overall processes and products. * Cooperation between and among organizations is the exception rather than the norm; cooperation with other Centers is not encouraged. * Promotion criteria incentivize international scientific reputation over national interests and domestic customers. - Changes would be required to incentivize different goals and behaviors for technical and managerial personnel and to emphasize U.S. Interests and customer value/payoff. 4. Generally accepted management controls, as well as security, personnel, legal, and procurement policies are often viewed as impediments to the proper conduct of scientific research. * Inadequate internal oversight or self-checking processes for identifying and assessing risks, security concerns or technology transfer issues. - Foreign correspondence is heavy and often sidetracks official channels and rules. - Computer correspondence is unchecked and unbounded. - NASA NMI (1371.3b) on foreign access to NASA facilities and information does not include contractors, grantees, NRC associates, etc. * Reluctance to handle issues at the appropriate management level. - Resistance to appropriate policy and guidance. - Failure to accept responsibility. * Major Center leadership void and communication breakdown during management review. - No perceptible communication when it most mattered. -- Several key Code R managers went on travel. -- No organizational meetings until 8/6-7 (RT & RF). -- No communique from Center Director until 8/10. - While management says employees have "major problems and concerns", there is no visible Center management action. - Major push required from MRT to get ARC Center management action on communication with employees, the delay in action resulted in much damage. - After completion of the review, some senior ARC managers encourage continued controversy. * Promotion policies and practices are viewed as a major problem. - Primary focus on international recognition and publication to obtain highest GS/GM levels. - Promotions to highest GS/GM levels are accomplished "outside the system." -- Direct request to Center Director. - Promotion to managerial levels is based on technical accomplishments, not on supervisory, managerial or leadership skills or potential. 5. A number of ARC civil servants and employees of firms receiving cooperative agreements appear to have violated the law and/or NASA policies on a broad range of subjects. * Supervisors engaged in financial investments with subordinates for whom they approve performance appraisals and promotions. * Employee makes extensive use of government computers for mutual personal investments for himself and supervisor. * Extensive use of government computers for non-official activities. * A number of civil servants were routinely providing computer access to unauthorized individuals. * Significant amounts of lost or missing equipment reported with no corrective action taken. * Falsification of employment information and security clearance requests. - ARC management has repeatedly determined individuals to be suitable for continued employment notwithstanding knowledge of falsified information. No action taken to either discipline individuals or process their termination's as civil servants. * Civil servants knowingly ignored Center Director's order not to correspond with or contact a named individual. * Civil servant assisted private sector company in preparing proposal for submission for NASA funding. * Civil servants directing firms receiving cooperative agreements to employ specific individuals at stated salaries by certain dates. * Civil servant directed president of firm to prepare modifications to his own cooperative agreement. * Center used cooperative agreements (issued by Procurement Office) or Joint Research Interchanges (issued by External Affairs) rather than contracts or personnel actions to obtain services. 6. There is significant misuse of ARC's computational capability. Present computer network technology essentially precludes detection of unauthorized access from remote locations once the official account has been compromised. * Widespread access to major computer systems by unauthorized individuals through password sharing including routine foreign access. * Significant use of government computers and equipment for personal activities and interests. * Programs in place to monitor unauthorized use are ineffective. * Numerical Aerodynamic Simulation (NAS) program represents excellent capability guided by appropriate management philosophy. - Questionable or inappropriate access often sponsored by ARC research organizations. 7. The procedures for making and documenting position sensitivity determinations are in place, but are not well understood and implemented by management and support staff. The processes for adverse suitability determinations are ad hoc and informal. Line personnel and support staff are not trained sufficiently. * Position sensitivity designation changed for purpose of hiring or if individual unable to obtain clearance. * Condition of employment agreement circumvented. * Substantial time lapse (greater than one year) between appointment and receipt of negative suitability information from OPM. * Failure to take strong disciplinary action against employees for falsifying employment applications. - Frustration with Merit System Protection Board stated as reason. 8. There are a large variety of non-competitive special feeder programs, hiring mechanisms and appointing authorities in place at ARC. These have been used to create a sizable research support staff on-site at ARC which has resulted in a high incidence of on-site mixing of civil service and non-civil service workers. * Over 50 existing programs and mechanisms for bringing non- civil servants on board (contractors, grantees, university faculty, students, and employees working under cooperative agreements). * Varying procedures, eligibility requirements, and performance standards, lead to an unmanageable situation. * No clear distinction in work assignment or supervisory channels. * Two organizations involved; multiple methods. - Office of External Affairs University Consortium and Joint Research Interchanges. -- Awarded by Public Affairs and administered by San Jose State University. -- Involve "collaboration" between ARC scientist and University scientist in preparation of proposal and conduct of research. -- Subject to the terms of the Space Act (not the Federal Acquisition Regulation or the NASA Grant Handbook). - Office of Procurement Contracts -- To be announced competitively in accordance with Federal Acquisition Regulation. Grants -- Awarded to universities and other non-profit organizations in response to unsolicited proposals for research. Must comply with NASA Grant Handbook. Cooperative Agreements -- Similar to grants except there will be "substantial involvement" between recipient and the government. * ARC Code R Awards from FY89 to Present: UNIVERSITY CONSORTIUM INTERCHANGES -- 113 CONTRACTS -- 88 COOPERATIVE AGREEMENTS -- 51 GRANTS -- 36 9. NASA employee involvement in the negotiation of overhead rates with profit and non-profit organizations is very limited. 10. There are a number of procurement irregularities which represent serious problems. * Misuse of funds, improper payments, and possible case of fraud in overhead charges to NASA by several firms working under contracts and cooperative agreements. * Potential inclusion of classified material in unclassified proposals and reports. * Inadequate protection of government property. * Suspected operation of their own businesses, using Ames provided offices, by employees working under cooperative agreements. * Suspected operation of a company as a front or pass-through operation. * Cases of NASA employees directing firms to hire certain employees. V. RECOMMENDATIONS 1. Develop and implement specific processes for the identification and handling of commercially valuable/sensitive technologies at ARC. * Goals and essential criteria of processes should include: - World class in developing _and_ handling technology; - Ownership and accountability at every management level; - Broader internal and external communication (why and how); - Customer involvement in identifying commercially valuable/sensitive technologies, developing handling plans and transitioning technology to the user; and - Education, training and involvement required to ensure that people understand processes. * NASA HQ and Centers review existing policy framework and modify as necessary (1/15/93). * NASA HQ and Research Centers jointly develop implementation plans and processes (3/15/93). * NASA HQ delegate responsibility and authority for approval of certain items to the Centers. - Report distribution, papers for international forums, foreign travel and foreign visitors. - Accountability to and review by Headquarters. * NASA HQ and Centers establish a process action team to review the effectiveness of the Computer Software and Management Information Center (COSMIC) process and recommend changes. * NASA HQ seek Administration support for legislative relief for responding to FOIA requests for commercially valuable/sensitive technology. 2. Code J, in coordination with the Centers, establish an agency- wide process and database for acquiring and sharing crucial security risk information. 3. Establish a management environment and culture at ARC that fully supports evolving Agency policies and emphasis. * Increase Center management emphasis on the overall NASA and ARC team. - Human resources, procurement, security, legal and technical. - Effective integration and utilization of all elements. - Increased emphasis on and rewards for team accomplishments. * Design and implement a proactive oversight process to identify emerging issues for Center management action. * Strengthen personal communications between top management and the Center workforce. - Specifically, hopes, goals, values and expectations. * NASA HQ and the Centers jointly revise promotion criteria for technical and managerial ranks to reflect changing global environment. - New incentives (U.S. Interests and customer payoff & value) - Managerial skills and customer understanding & experience required for consideration in managerial ranks. 4. Significantly reduce the number of security clearances at ARC. Maintain only the minimum number required to meet commitments. 5. Initiate appropriate management or disciplinary action in those cases that were identified during the review. * Legal irregularities referred to NASA OIG for further investigation/action. 6. Initiate management action to investigate and correct the procurement irregularities that were identified during the review. * Details on all procurement related irregularities have been referred to the NASA OIG. 7. Headquarters and the Centers form a process action team to examine the alternatives for the organization of security responsibilities and structure (to include computer and communication security) and elevation to a level that allows effective input and influence on appropriate management decisions. 8. NASA Headquarters and ARC establish a process action team to develop and implement a plan to improve the overall posture of computer security given the unique capability and connectivity at ARC. User education and periodic audits of compliance should be integral elements. The plan should be reviewed by an external NASA team. 9. Develop and implement an Agency-wide management development program which emphasizes "customer experiences." * Essential elements would include: - Prestigious program with high demand; - Aspiring managers spend one year in customer organizations in flight centers, industry, DoD or other; - Required for certain level of management; and, - Opportunity for developing cultural diversity. * Headquarters and Center employee development organizations develop a proposal for review with NASA senior management (Headquarters and Centers) by 1/31/93. * NASA top management (Headquarters and Centers) develop new measures to incentivize greater mobility in the executive ranks. - People with new and different ideas. - Emphasis on leadership and management, not only on technical credentials. 10. Train ARC personnel on determination of position sensitivity. Document and enforce policies and procedures for suitability determinations. Identify alternate processes to provide timely personnel suitability information on an agency-wide basis. 11. Review all personnel feeder programs and hiring mechanisms at ARC, with the objective of significant consolidation and/or elimination of programs. * Transfer Consortium Agreement to Procurement and consider discontinuing by: - Allowing active Joint Research Interchange (JRI's) to expire. - Not entering into any new JRI's. - Terminating Consortium Agreement. -- Six month notice to all participating universities. -- Responsible for costs incurred to date. -- If funds are not available, no notice required. - Using other authority for work with academic community. -- Intergovernmental Personnel Act -- Proper grants and cooperative agreements -- Proper research contacts * Review cooperative agreements for personal services. 12. Conduct a NASA-wide assessment of overhead rates which were negotiated by NASA personnel with profit and non-profit organizations to evaluate and determine NASA vulnerabilities to overcharging. 13. Reinforce the communications between the Office of Inspector General and the Center Director (or appropriate management) to facilitate early identification and resolution of areas of vulnerability determined during ongoing audits and investigations.