initial security briefing - industrial security … · initial security briefing last updated april...

INITIAL SECURITY BRIEFING

Last Updated April 2016

Purpose

Personnel Security

Physical Security

Information Security

The Threat

Cybersecurity

Public Release of Information

Operations Security

Policies

TOPICS

To understand National and DoD security policies to counter threats. Safeguarding classified information is a serious matter … and we are all responsible to protect it.

This briefing will help you to identify threats to classified and unclassified government assets including, but not limited to:

• Insider Threats• Criminal and Terrorist

Activities• Foreign Intelligence

Entities• Foreign Governments

PURPOSE

We are bound by Executive Order 12829, National Industrial Security Program (NISP) which establishes rules and regulations to properly protect and control all classified material in our possession or under our immediate control.

We have been granted a Facility Clearance (FCL) by the Defense Industrial Security Clearance Office – a division of the Defense Security Service. This process requires the company to agree to standards outlined in a DD441 which is issued when a company becomes cleared.

Not only does the company need to be cleared, employees and consultants requiring access to classified information in order to perform work on classified contracts need to be granted “eligibility” by DSS and “access” by the company based on the issued contract & the “Need to Know”.

Government Contractors – Facility Clearances

PERSONNEL SECURITY

PERSONNEL SECURITY | SECURITY CLEARANCE

Contract DD254, position sensitivity and/or duties determine level of clearance and access. Clearance levels are:

• Top Secret, Secret, or ConfidentialAdditional access may be needed for IT Levels, NATO, COMSEC, etc. and are defined in the contract and/or DD254.

Position Legal Status Access Levels Allowed

Requires access to classified information

US Citizen Secret, Top Secret, SCI

Requires access to Controlled Unclassified Information (CUI)

US CitizenLawful Permanent Resident Aliens

CUI – no government IT systems or technical data access

Requires access to CUI/Government IT Systems/ITAR Technical Data

US Citizen CUI/Government IT Systems/ITAR Technical Data

General Positions – no access to classified information

Anyone authorized to work in the US

Low sensitivity information

PERSONNEL SECURITY | ACCESS REQUIREMENTS

CLEARANCE ELIGIBILITY

SF 312

NEED TO KNOW

ACCESS

PERSONNEL SECURITY | BACKGROUND INVESTIGATION

Department of Defense Central Adjudication Facility (DoD CAF) grants a security clearance based upon the personal information provided on your application (eQIP) and appropriate back ground investigation.• Completed SF86 forms are reviewed to determine suitability for granting a

security clearance and are subject to continuous evaluation submitted by company FSO’s• Tier 5 – Top Secret, SCI• Tier 3 – Secret, Confidential

• Completed SF85 forms are reviewed to determine Public Trust suitability and are submitted by government agencies:• Tier 1 – NACI with favorable results• Tier 2 or 4 – MBI/BI : NACI with favorable results and credit check

PERSONNEL SECURITY | BACKGROUND INVESTIGATION

Once cleared, you are required to sign a non‐disclosure contract (SF312) with the US Government.

A SPECIAL TRUST IS PLACED IN YOU

LIFELONG AGREEMENT

YOU MUST PROTECT FROM UNAUTHORIZED DISCLOSURE

SERIOUS CONSEQUENCES FOR NON‐COMPLIANCE

PERSONNEL SECURITY | BRIEFING REQUIREMENTS

• Coordination of access briefings and trainings will be

completed with your PM and/or security team:

Only those applicable to your position will be required

• Indoctrination/Orientation

• NATO

• COMSEC

• SAP

• SCI

• Any contract specific trainings or briefings

PERSONNEL SECURITY | REPORTING REQUIREMENTS

• Changes to:• Name• Marital Status• Citizenship

• Adverse information• Based on facts NOT rumors • Self or co‐worker

Includes but not limited to:‐ Criminal activities‐ Alcohol or drug related incidents‐ Financial difficulties

Potential Espionage Indicators Exhibited by Others


• Unexplained affluence• Keeping unusual work hours• Divided loyalty or allegiance

to the U.S.• Willfully disregarding

security procedures• Unreported foreign contact

and travel • Pattern of lying• Attempts to enlist others in

illegal or questionable activity

• Verbal or physical threats• Inquiring about

operations/projects where no legitimate need to know exists

• Unauthorized removal of classified information

• Fraud/Waste/Abuse of government credit cards


• Loss, compromise, or suspected compromise of classified information• Includes tampering of or unlocked & unguarded security

containers• Secure information immediately• Report immediately to security or supervisor

• Lost or stolen badges


• Foreign contacts• Continuous contact with foreign nationals

Includes, but is not limited to:‐ Cohabitation‐ Marriage

• Suspicious contacts with or by foreign nationals• Member of immediate family or spouse’s immediate

family is a citizen of a foreign country• Member of immediate family or spouse’s immediate

family has taken residence outside the United States

• Foreign Travel• You are required to report all foreign travel for business

and personal trips. Coordinate with your security team for briefings and reporting forms.

• Foreign Interest, employment or service• Foreign government, national, organization or entity, or a

representative of any foreign interest (paid or unpaid. Any business enterprise organized under laws of another country. Any form of business that is foreign owned or controlled. Contact from a non‐US Citizen or national.


PHYSICAL SECURITY

PHYSICAL SECURITY

Includes, but is not limited to:

• Perimeter Fences

• Antiterrorism

• Employee and visitor access

controls

• Badging

• Intrusion Detection Systems

• Guards/patrols

• Prohibited items

• Entry/exit inspections

• Escorting

• Local procedures varied by

contract/site requirements

INFORMATION SECURITY

INFORMATION SECURITY | CLASSIFICATION LEVELS

TOP SECRET Exceptionally Grave Damage to the National Security

SECRET Serious Damage to the National Security

CONFIDENTIAL Damage to the National Security

There are other categories of information which, while not classified, also deserve mention: For Official Use Only (FOUO) is unclassified government information

which is exempt from general public disclosure and must not be given general circulation.

Company private or proprietary information is business information not to be divulged to individuals outside the company.

Recently DoD has placed great emphasis on protecting Controlled Unclassified Technical Information. The treatment of this type of information will be addressed in follow on slides

INFORMATION SECURITY | CLASSIFICATION LEVELS

Controlled unclassified technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. The term does not include information that is lawfully publicly available without restrictions. There are no exceptions for commercial items. Examples of technical information include research and engineering data, engineering drawings, and

associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog‐item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

Contractors are required to safeguard unclassified controlled technical information and to report the compromise of such information to the DoD within 72 hours of discovery.

Contractors subject to the clause are required to implement data security controls identified in National Institute of Standards and Security (NIST) publication SP 800‐53

Contractors are responsible for assuring that their subcontractors that are provided with controlled technical information also comply with the data security standards. The new contract clause is a mandatory “flow‐down” clause to subcontractors. This includes so‐called “cloud” data storage providers.


• Classified information basics:It is your personal responsibility to know that the person you are dealing with is both properly cleared and has a need to know. You must never reveal or discuss classifiedinformation with anyone that is not properly cleared and has a need to know.Classified information:• Must never be left attended• Must never be discussed in public areas• Must be under the control of an authorized person• Stored in an approved storage container• Never be processed on your computer unless approved

by the US Government


• Based on the contract that you work on you may have classified and controlled unclassified information (CUI) that must have protection from unauthorized disclosure, including, but not limited to:• Marking• Handling• Transmission• Storage• Destruction

• Machinery

• Documents

• Emails

• Models

• Faxes

• Photographs

• Reproductions

• Storage media

• Working papers

• Sketches

• Maps

INFORMATION SECURITY | TYPES OF MATERIAL

Includes, but is not limited to:

INFORMATION SECURITY | MARKING

Appropriately marked to alert recipients of the information’s classification

TOP SECRET (TS)

SECRET (S)

CONFIDENTIAL (C)THIS IS A COVER SHEETTHIS IS A COVER SHEET

FOR CLASSIFIED INFORMATIONFOR CLASSIFIED INFORMATION

ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTTIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALSECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.

HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.

CONFIDENTIALCONFIDENTIAL


SECRETSECRET

SECRETSECRET

THIS IS A COVER SHEETTHIS IS A COVER SHEET






TOP SECRETTOP SECRET














SECRETSECRET

SECRETSECRET





SECRETSECRET

SECRETSECRET



















SECRETSECRET

SECRETSECRET





















SECRETSECRET

SECRETSECRET





SECRETSECRET

SECRETSECRET














How Is Information Classified?

• Original Classification• Only specific positions within the U.S. Government can

originally classify information

• Derivative Classification• All cleared and trained DoD and contractor personnel can

be derivative classifiers


What Information Can Be Classified?Only Information that falls under one or more categories of section 1.4 of Executive Order 13526 may be eligible to be classified:a) military plans, weapons

systems, or operationsb) foreign government

informationc) intelligence activities (including

covert action), intelligence sources, methods, or cryptology

d) foreign relations or foreign activities of the United States, including confidential sources

e) scientific, technological, or economic matters relating to the national security

f) United States Government programs for safeguarding nuclear materials or facilities

g) vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security

h) the development, production, or use of weapons of mass destruction


Information cannot be classified to:

• Conceal violations of law, inefficiency, or administrative error

• Prevent embarrassment to a person, organization, or agency

• Restrain competition

• Prevent or delay the release of information that does not require protection in the interest of the national security

• Classify basic scientific research information not clearly related to national security


Classification Challenges

• You have a responsibility to report information that you believe is improperly or unnecessarily classified.

• Contact your security official for additional guidance for submitting a classification challenge.


Safeguarding Classified Information

• Must be under the positive control by an authorized person or stored in a locked security container, vault, secure room, or secure area

• Must respect and understand the markings and the downgrade/declassification instructions on classified material

• Must receive appropriate training prior to performing derivative classification duties and refresher training every two years thereafter

• Discuss or send via secure communications

• Process on approved equipment

• Destroy by approved methods

• Discuss in an area authorized for classified discussion


Controlled Unclassified Information (CUI)

• CUI is unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, and Government‐wide policy.

• Departments and agencies within the U.S. Government assign different CUI designations.

• CUI designations include, but are not limited to:• For Official Use Only (FOUO)• Law Enforcement Sensitive (LES)• Sensitive But Unclassified (SBU)


Sanctions

• You may be subject to criminal, civil or administrative sanctions if you knowingly, willfully, or negligently:• Disclose classified information to unauthorized persons• Classify or continue the classification of information in

violation of DoD regulations• Create or continue a Special Access Program (SAP) contrary

to the requirements of DoD regulations• Disclose controlled unclassified information (CUI) to

unauthorized persons• Violate any other provision of applicable DoD regulations


Disciplinary Graduated Scale Actions for Security Violations

• Progressive Disciplinary actions may include, but are not limited to:• First instance: Verbal Counseling• Second instance: Written Warning and Performance Improvement Plan • Third instance: Final Written Warning– For Major Violations• Same as minor violations and may include suspension/termination of

employment• Loss of security clearance• Arrest• Imprisonment and/or fines

Based on the violation, disciplinary action may not include all steps listed and may necessitate immediate dismissal.

For additional information refer to the Employee Handbook; Policy 211 Employment – Performance Improvement/Conduct; and Policy 212 Employment – Termination of Employment.

THE THREAT

THE THREAT

America's role as the dominant political, economic, and military force in the world makes it the Number 1 target for foreign espionage. It’s not just intelligence sources that are targeting us. Other sources of the threat to classified and other protected information include:

Foreign or multinational corporations. Foreign government‐sponsored educational and scientific institutions. Freelance agents (some of whom are unemployed former intelligence officers). Computer hackers. Terrorist organizations. Revolutionary groups. Extremist ethnic or religious organizations. Drug syndicates. Organized crime.

ECONOMIC & INDUSTRIAL ESPIONAGE

What Are They After?The increasing value of technology and trade secrets in the global and domestic marketplaces, and the temporary nature of many high‐tech employments, have increased both the opportunities and the incentives for economic espionage.

The rapid expansion in foreign trade, travel, and personal relationships of all kinds, now makes it easier than ever for insiders to establish contact with potential buyers of classified and other protected information.

The development of automated networks and the ease with which large quantities of data can be downloaded from those networks and stored and transmitted to others increases exponentially the amount of damage that can be done by a single insider who betrays his or her trust.

Foreign governments’ continued ability to acquire state‐of‐the‐art U.S. technology at little or no expense has undermined U.S. national security by enabling foreign firms to push aside U.S. businesses in the marketplace and by eroding the U.S. military lead.

WHAT ARE WE DEFENDING?

Information concerning military capabilities, locations, equipment; and technology is protected for a reason. Unauthorized release of this information, whether classified or sensitive can have a detrimental effect on the Warfighters’ survivability.

ANTITERRORISM ACTIONS

• Antiterrorism includes defensive measures used to reduce the vulnerability of individuals and property to terrorist acts, including limited response and containment by local military and civilian forces.

• Additionally, antiterrorism includes actions taken to prevent or mitigate hostile actions against personnel (including family members), information, equipment, facilities, activities, and operations.

CYBERSECURITY

CYBERSECURITY

• Cybersecurity prevents damage to, protects, and restores information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation.

• Information systems include, but are not limited to:• Computers• Electronic communications systems/services• Personal Digital Assistant (PDA) (i.e. BlackBerry)• Cell phones

• Your responsibilities include:• Comply with password policy directives and protect

passwords from unauthorized disclosure• Complete training through your contract site.

PUBLIC RELEASE OF INFORMATION

PUBLIC RELEASE OF INFORMATION

• Release of government information must be approved by the Public Affairs Office (PAO)

• Do not discuss classified or sensitive information with the media; refer inquiries to your local PAO

OPERATIONS SECURITY

OPERATIONS SECURITY ‐ OPSEC

• Operations Security (OPSEC) is a systematic process that is used to mitigate vulnerabilities and protect sensitive, critical, or classified information. It is just as applicable to an administrative or R&D facility as a military operation. The five components are:

• Identify Critical Information• Analyze Threats • Analyze Vulnerabilities • Assess the Risks• Apply Countermeasures

IDENTIFY CRITICAL INFORMATION

Critical information is the core secrets of an activity, capability, or intention that if known to the adversary, could weaken the operation. Usually this information involves only a few key items that stolen could impact the way we conduct business. It is information required to be successful in our jobs and is collected in a variety of ways including monitoring conversations; financial or purchasing documents; job announcements; travel documents; blueprints and drawings; and even personal information online or items found in the trash.

Some examples of critical information are: Employees’ Safety (9/11) Fleet of ships and aircraft (USS Cole) Facilities Design (Oklahoma City) Security Vulnerabilities (Anthrax mailings) Satellite Data (Weather, Environmental Data) Law Enforcement Activities (Fisheries) Management Decisions (All levels)

ANALYZE THREATS

Adversaries have changed over the years but the intent is the same. They are former allies; terrorists, some of whom receive high level training including principles of espionage and counterintelligence; as well as those who are political and economic competition.

How do they do it? Signals Intelligence (SIGINT) – transmitted information Imagery Intelligence (IMINT) – photographic imagery Human Intelligence (HUMINT) – traditional spies Open Source Intelligence (OSINT) – public sources & social

media

ANALYZE VULNERABILITIES

Vulnerabilities are defined as the characteristics of a system which can cause it to suffer degradation as a result of having been subjected to some level of a hostile threat. We must look at ourselves as the adversary would. This perspective allows us to determine what are true, rather than hypothetical vulnerabilities.

ANALYZE RISKS

Vulnerabilities and specific threats must be matched or ranked by risk.

Where the vulnerability is great and the threat is evident, the risk of exploitation should be expected. A high priority for protection should be assigned and corrective action taken.

Where the vulnerability is slight and the adversary has a marginal collection capability, the priority should be lowered.

APPLY COUNTERMEASURES

Countermeasures need to be developed that eliminate the vulnerabilities, threats, or utility of the information to the adversaries. The possible countermeasures should include alternatives that may vary in effectiveness, feasibility and cost.

These may include anything that is likely to work in a particular situation. The decision of whether to implement must be based on cost/benefit analysis and an evaluation of the overall program objectives.

POLICIES

POLICIES

Reference Security Policies and Regulations (not all inclusive):

• Executive Order 13526 ‐ Classified National Security Information

• Executive Order 12968 ‐ Access to Classified Information • DoDD 5205.02E, DoD OPSEC Program• DoDI 2000.12, DoD Antiterrorism (AT) Program• DoDI 8500.01, Cybersecurity• DoDM 5200.01, Vol. 1‐4, DoD Information Security

Program• DoD 5200.2‐R, DoD Personnel Security Program• DoD 5200.08‐R, DoD Physical Security Program• Homeland Security Presidential Directive (HSPD)‐12,

Policy for a Common Identification Standard for Federal Employees and Contractors

REPORT IT! Hotline Numbers

Defense Department 1‐800‐424‐9098, (703) 693‐5080 Defense Intelligence Agency (703) 907‐1307 National Security Agency (301) 688‐6911 Department of Army 1‐800‐CALLSPY (1‐800‐225‐5779) Naval Criminal investigative Service 1‐800‐543‐NAVY (1‐800‐543‐6289) Air Force Office of Special Investigations (202)767‐5199 Central Intelligence Agency Office of the Inspector General (703) 874‐2600 Department of Energy (202) 586‐1247 US Nuclear Regulatory Commission Office of the Inspector General 1‐800‐233‐3497 US Customs Service 1‐800‐BE‐ALERT (1‐800‐232‐5378) Department of Commerce/Office of Export Enforcement (202) 482‐1208 or 1‐800‐424‐2980 (to

report suspicious targeting of US export‐controlled commodities) Department of State Bureau of Diplomatic Security (202) 663‐0739 When traveling overseas, suspect incidents should be reported to the Regional Security Officer

(RSO) or Post Security Officer (PSO) at the nearest U.S. diplomatic facility