Justice Bans Foreign Nationals From Its Info Tech Work

The Justice Department has banned contractors from using foreign nationals on projects involving the department's information technology systems unless the workers are granted waivers by the agency.In an order dated July 12, the department said: "Foreign nationals shall not be authorized access to assist in the development, operation, management or maintenance of department IT systems," unless the department's chief information officer grants a waiver.Justice Department officials said any foreign nationals now working on projects are not grandfathered in, so companies doing work with Justice will need waivers. Further, the Justice officials said, any non-U.S. citizens working on projects should stop until their waivers are granted. These waivers are separate from security clearances the workers may have undergone in order to work on their projects.Identifying those who need waivers rests with the agencies for whom the IT projects are being done, the officials said, speaking on background. The purpose of the waiver requirement is to strengthen the Justice Department's information security policies and procedures, they said. The Information Technology Association of America sent a letter Aug. 16 to the Justice requesting a meeting to discuss the new requirement. "Even with the waiver provision, we are concerned that the current order could exclude thousands of talented, experienced workers from work on federal contracts; disrupt procurements now in the pipeline; create a new layer of administrative process with attendant costs and schedule delays; and be conducted in an uneven manner, unsettling fair and open competition in the federal marketplace," Harris Miller, association president, said in the letter.Insider hacking is a problem for all organizations, but "ITAA is unaware of any credible studies correlating such behavior with immigration status or national origin," Miller said.The policy move by Justice concerns ITAA, because other government agencies taking steps to improve their information security policies and procedures might consider it an appropriate precedent, said ITAA spokesman Robert Cohen.The IT security policy was revised in 1993, and Justice has been under the gun to update it for some time, officials said.The revised policy also takes into account recent laws that affect the IT industry, they said, such as the Clinger-Cohen Act, which requires that agency heads establish a process to select, manage and control their IT investments; and the Government Information Security Reform Act, which requires agencies to assess the security risks their systems face.Justice officials said they did not know how many individuals, if any, would be affected by the change in policy.Representatives of several companies working on Justice Department projects said they hadn't been informed of the new policy. But they said their contracts call for such high levels of security clearance that U.S. citizenship is a requirement."It sounds to me there are very few positions you can get without a security clearance," said John McNeilly, spokesman for PEC Solutions Inc. of Fairfax, Va. The company has undertaken work for several agencies within the Justice Department.Wayne Jackson of AT&T Corp. said that GRC International Inc., a wholly owned subsidiary of the New York company, has done work for Justice before. Officials there are aware of the policy, he said, but it has not affected their projects, which have required U.S. citizens. "But it could slow things down in the future," he said.Ray Bjorklund, vice president of consulting services with Federal Sources Inc., a market research and consulting firm in McLean, Va., said he was surprised at the scope of the new policy."While it's easy to understand why the department would be interested in protecting its systems in the interests of national security and law enforcement and so on ... putting these kinds of constraints on contractors seems to be inconsistent with the free-market attitude we otherwise see in this administration," he said. Bjorklund said he also wondered if the policy might, in part, be a response to export control laws. Foreign nationals who work on Justice IT contracts gain knowledge that could be valuable to countries who are not friends of the United States, he said; a policy such as this keeps them from developing the know-how to begin with.There is debate over whether this is a new policy or clarification of existing policy. Richard Rector, a partner with the Washington law firm Piper Marbury Rudnick & Wolfe LLP, said the language in this order is new, and that the order it supersedes contained no reference to the status of foreign nationals.Linda Burek, deputy assistant attorney general for information resources management in the Justice Management Division, the group that issued the order, said the department's security officer released a memo in September 1998 that required security program managers to consider "the unique security concerns ... present when hiring contract employees who are not U.S. citizens."That memo stated that when a "sufficient background investigation could not be conducted" for a non-U.S. citizen, written authorization had to be obtained from the deputy assistant attorney general.