Summary: Pursuant to a congressional request, GAO reviewed the Department of Defense's (DOD) and military services' adherence to national TEMPEST policy. TEMPEST refers to technical investigations and studies of compromising emanations from electronic data processing equipment. National security policy requires federal agencies to protect classified information from such emanations.
GAO found that:
(1) TEMPEST countermeasures are very costly to implement;
(2) while total DOD TEMPEST-related costs are unknown, they are estimated at hundreds of millions of dollars annually;
(3) DOD has not issued an implementing regulation in connection with the national TEMPEST policy directive;
(4) DOD has issued conflicting TEMPEST policy memoranda and, as a result, the services are interpreting and implementing TEMPEST policy in different ways;
(5) the services sometimes acquire TEMPEST countermeasures without determining whether they are needed;
(6) the services and defense contractors are sometimes processing classified information without performing TEMPEST evaluations;
(7) the services do not always conduct follow-up evaluations at contractor facilities to ensure that TEMPEST countermeasures are being implemented as needed; and
(8) the Defense Investigative Service, which performs many TEMPEST evaluations for other DOD components, believes that its personnel are not adequately trained to perform TEMPEST evaluations or compliance inspections.