Saturday, May 31, 2008

They're searching our computers at the borders!!

Does that headline get your attention? Computer World has published an article in its online magazine about random computer searches conducted at our borders. Lawyers have argued that this violates people's rights, and circuit courts have held that border agencies do have the right to search the laptops of any travelers crossing the border. Does this really raise an alarm within the security community, or is the article based on fears of privacy invasion?

I'll leave the last part of the question for the courts, and gladly use the article as a good training resource for security managers and executives. The first implication is that this activity should not be surprising. Any time employees travel abroad, they SHOULD expect to be separated from their computers at the host country's customs. They should also expect to have the hard drive duplicated, files read, and so on. These are the contingencies for which astute security specialists plan.

As with all bad news (hopefully this is not news to you), the best place to begin change is by facing the facts. Other people want your information. Now that that's out, security professionals have the task of making the information very difficult to get. However, we spend too many resources on actions that don't address the real threat. For example, physical security efforts may focus on fortifying businesses with barriers, alarms, access control, cameras, and so on. One would think that the threat is foreign agents breaking into physical locations to steal secrets and technology. Good luck finding a news source reporting that kind of crime. Risk assessments indicate that technology is leaked far more often through careless or malicious employee behavior.

Develop a culture within your company to effect the right behavior, or at least to prevent unauthorized disclosure of economic, classified or sensitive information. Destroy waste properly, lock all desk and cabinet drawers after work, and use access control to keep employees, vendors and janitors out of areas they are not authorized to enter.

Now, back to the borders. Employees having computers searched by U.S. Customs means one thing: they are returning from overseas travel. The biggest question should be what was taken overseas and who else had access to it. The least of the problems is the news that U.S. government agencies are examining the computers.

So, what can we do? Prior to employee travel anywhere, offload company information from the machine, or prepare special travel computers carrying only the information needed to conduct the business at hand (and make sure that information is authorized for export by license or agreement with the State Department or Commerce Department, to prevent an export violation).
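One practical way to enforce the "only what they need" travel laptop, and to learn whether anything on it was added, removed or altered while it was out of your hands (for instance during a customs inspection), is to record a baseline manifest of the approved files before departure and audit the machine against it on return. The following Python is an added example, not code from the original post: the directory names, file contents and the `baseline.json` location are constructed for the demonstration. A hash manifest shows modification and addition; it cannot show that files were copied or read, so it complements carrying minimal data rather than replacing it.

```python
"""Travel-laptop content baseline (added example, hypothetical paths).

Before departure: build a manifest of the approved files and keep it OFF the
device (e.g. with the FSO). Before departure and after return: audit the tree
against that manifest to find files added, missing, or changed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    # The baseline must live somewhere the traveler does not carry; a record
    # stored on the same laptop can be altered along with the files it covers.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def audit(root: Path, manifest: dict) -> dict:
    """Diff the current tree against the baseline: added, missing, modified."""
    current = build_manifest(root)
    known, seen = set(manifest), set(current)
    return {
        "added": sorted(seen - known),
        "missing": sorted(known - seen),
        "modified": sorted(k for k in known & seen if current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed scenario: approved tree, then changes made while out of custody."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "travel_laptop"  # hypothetical device root
        (root / "briefing").mkdir(parents=True)
        (root / "briefing" / "agenda.txt").write_text("day 1: site visit\n")
        (root / "briefing" / "pricing.csv").write_text("item,price\nwidget,10\n")

        baseline = root.parent / "baseline.json"  # off-device in practice
        save_manifest(build_manifest(root), baseline)

        # Simulate what the post-travel audit must catch.
        (root / "briefing" / "pricing.csv").write_text("item,price\nwidget,11\n")
        (root / "unexpected.bin").write_bytes(b"\x00" * 16)
        (root / "briefing" / "agenda.txt").unlink()

        return audit(root, load_manifest(baseline))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it before departure against the prepared machine and any hit under `added` is data that should not be leaving the building; run it on return and any hit at all means the machine should be treated as untrusted and rebuilt rather than reconnected to the corporate network.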

Hopefully this article has addressed how to focus security resources. Know the facts, gather information and address the real threats. Constructing a fortress won't protect your information if it's being thrown out with the garbage. Computer World has made a good report; however, the security manager should recognize that the only reason U.S. Customs can search a laptop at all is that the traveler is either leaving or entering the U.S. If this event is causing concern, then we must have been asleep during the advent of international business travel.

Monday, May 26, 2008

Pentagon or FSO...Who is ultimately responsible?

Leaks in a high-tech fighter? It makes for a great headline, and one that grabs the attention of any professional safeguarding sensitive and classified information. This article appeared in many newspapers across the country but originated with the Washington Post.

The article makes many pointed remarks toward government agencies, including the Department of Defense, for not providing proper oversight. Reading the article, I realize that there is just not enough information to conclude who dropped the ball at the government level. Many of you in the field probably recognize the obvious questions that need to be answered before we can assign blame to the Defense Security Service or the various agencies.

However, one thing is clear: even with all of the policies in place, something broke down. Many government regulations give specific instructions for safeguarding classified material. The International Traffic in Arms Regulations (ITAR) instruct how to properly release technical data to foreign persons. The National Industrial Security Program Operating Manual (NISPOM) gives explicit instruction on how to properly disseminate classified material between agencies and governments. If anyone were to ask whether policies to protect sensitive and classified information were in place, there would be a resounding yes, and plenty of them. The article even points out that "government and its contractors appropriately controlled the export of classified technology to foreign companies".

The above statement can only speak to what was observed and documented. What about what was discussed privately, in closed meetings, passed along in conversation or through a note, or otherwise turned over through unauthorized methods by ill-advised technicians? Here is where the security manager (the Facility Security Officer (FSO) or other industrial security specialist as identified by the NISPOM) is responsible. Nothing should take place on any classified effort without someone assuming complete accountability and control. Industrial security does a great job of fortifying infrastructure, making policy for copying and disseminating classified material, and training on who the bad guys are.

However, there is a major weakness. We are so busy training to look for spies that we lose sight of irresponsible employees. So here's where YOU, the security manager, come in. The industrial security specialist needs to ensure that the technicians, engineers, program managers and others know as much about the security of technical data as the specialist does. Security must not rest on a single point of failure. It must be woven into all aspects of the enterprise, from purchasing to program management to point of sale.

Our government owns classified information and makes it available to trusted contractors to use while working on contracts. The industrial security specialist or FSO of the contracting company maintains accountability and control of all classified information in the contractor's possession. Everyone possessing classified information has to realize and understand that they are responsible for protecting it and for giving it only to authorized persons. Who is an authorized person? It's up to the possessor to verify.

Security managers do a great job fortifying places of business with alarms, access control and many other technical and physical devices to stop unauthorized persons from breaking into a building or sensitive area without being detected. However, without a real assessment, throwing state-of-the-art electronics and heavy construction at the problem produces security that merely copies what everyone else is doing and is not effective. There has to be a complete assessment of REAL threats and vulnerabilities, including unauthorized and accidental disclosure of the protected product. Security is severely lacking when no thought has been given to preventing unauthorized disclosure during legitimate business transactions. Security managers: know your product, understand your business, commit to the customer's security requirements, follow all government regulations and ensure all company employees do the same.

Saturday, May 3, 2008

Managing Classified Contracts

Since allowing industry to use classified information in the performance of contracts, the Department of Defense has regulated a contractor's ability to work with classified material. It has published a policy appropriately titled the National Industrial Security Program Operating Manual. This page-turner is sponsored by Presidential Executive Order (EO) 12829 for the protection of information classified under EO 12958. Having pored over both publications and their updates, I can confidently assure you that they take this business very seriously.

When a contract calls for performance on a classified effort, the provisions of the applicable DD Form 254 (Contract Security Classification Specification) and Security Classification Guide (SCG) govern. Together the two documents spell out what specific work a contractor can and cannot perform and what exactly is classified. Both should not only be available prior to execution but also read and understood by all performing employees.

Classified information is marked with a classification designation and must be afforded protection at the appropriate level. For example, unauthorized disclosure of Confidential information could reasonably be expected to cause damage; of Secret information, serious damage; and of Top Secret information, exceptionally grave damage to national security. Prior to discussing or providing classified data, employees are required to ascertain the receiving party's clearance level and need-to-know. They must also advise the receiving party of the classification level of the information provided.

Protective measures exist to help protect our nation's classified information. This requires complete cooperation and coordination between the Facility Security Officer (FSO), contracts, program managers, the customer and the other entities involved in this type of work. If working on a classified effort, the customer should provide the above-mentioned documents specific to the contract or delivery order. Both publications identify the work to be performed and describe the classification level of materials, documents, tasks and details as required. It is also the FSO's job to work out the details of proper storage, handling and maintenance of classified material, documents and items.

For more information on security, contracts, and a company's role in classified efforts, read the NISPOM and consult your Defense Security Service representative. You can also visit for information on security certifications.

Executive Order

Why should government employees and military personnel earn a security certification? There are several reasons to achieve certification. One is that it allows security managers to take advantage of opportunities offered in the recent Presidential Executive Order, National Security Professional Development. The Executive Order states: "In order to enhance the national security of the United States... it is the policy of the United States to promote the education, training, and experience of current and future professionals in national security positions (security professionals)..."

The National Strategy identified in the Executive Order provides a plan to give security professionals access to education and training that increases their professional experience, skill level and ability to protect our nation's secrets.

The Industrial Security Professional (ISP) Certification is sponsored by NCMS, the Society of Industrial Security Professionals, a professional organization specializing in protecting classified information. The ISP holder demonstrates a high level of knowledge in this area. The certification is based on the National Industrial Security Program Operating Manual (NISPOM) but also covers electives such as COMSEC, OPSEC and other topics.

The NISPOM may not be familiar to you, but the security functions identified within it are. The NISPOM is the government contractor's guidance from DoD on how to receive, process and distribute classified information. It covers how to mark, document, store, disseminate and destroy classified material, as well as how to set up classified computing. If you have worked with contractors or plan to work with contractors, you should be familiar with the NISPOM. Chances are that you already know the processes from your military and government experience.

A certified professional communicates to supervisors, the promotion board and others that they are committed to the business, the industry and the protection of national interests. The certification equips the security manager with the knowledge and skills to perform critical tasks and to relate well to their civilian counterparts' requirements. Most of all, it gives the bearer confidence in their ability to apply their knowledge. As this certification program evolves, more and more employers will require it.

The ISP Certification Exam is an open-book online test consisting of 110 multiple-choice questions and takes up to 120 minutes. A clock keeps track of the time and the test times out automatically. You can download the NISPOM to your desktop and search it while answering the test questions.

The following websites offer the NISPOM, test-taking tips, study materials and conference calls: Offers a study manual, online NISPOM and practice tests. Great information on how to sign up for the test.

What can you do to increase your experience and skills? Professional certification is a great move for security managers. Whether or not you make the military a career, you will find this certification a career enhancer. With the advent of the new Executive Order, certifications may become requirements in the civilian sector and perhaps even in government security positions. Also consider joining a professional security organization. There are national and international chapters of ASIS International (formerly the American Society for Industrial Security) and NCMS. Visit their websites for more information.

Exports Compliance

Recently Latifi, an executive and owner of Axion Corp, was vindicated of export violation charges filed by the U.S. Government. Though not as sinister and espionage-riddled as other recent news events, the case demonstrates the grave attention the State Department gives to contractor activities. Not only must DoD contractor companies mind the store concerning classified projects, but they must be prepared to live above reproach while dealing with foreign entities. In this case the leader of Axion had no malicious intent, but though acquitted, he lost his clients and his company.

A little education for those who desire to pursue contracts with foreign persons: the U.S. Government encourages companies to pursue business with foreign enterprises. However, there are rules in effect that govern such exporting.
Exporting is defined as the business of:
• Sending or taking hardware out of the U.S. or transferring to a foreign person in the U.S.
• Disclosing (oral, email, written, video, or other visual disclosure) or transferring technical data to a foreign person whether in the U.S. or abroad
• Providing a service to, or for the benefit of a foreign person, whether in the U.S. or abroad
This just reminds us to be cognizant of what kind of information we disclose to foreign persons. Whether we are in the U.S. or visiting overseas, we can only discuss what is authorized by our licenses.
Keep in mind that exports can and do occur not only during shipments but also when hosting foreign visitors, during meetings, trade shows, plant tours, chat-room discussions, published articles and many other means. You can even export technical data left exposed on your desk or otherwise revealed when a foreign visitor tours the facilities.

The enterprise must do everything within its power (and then some) to ensure no technical data or service is given without proper approval. This means performing due diligence before a foreign visitor steps onto the plant, before sending business development staff to trade shows, and before hiring non-U.S.-person janitorial crews to clean the premises.

How Security Classification is Assigned

Original Classification Authority-

For over 18 years John A. Walker, Jr. sold secrets during and after his career in the Navy. Though entrusted with a security clearance and a "need-to-know", he did not demonstrate the trustworthiness his thorough background investigation had deemed him worthy of. When the opportunity revealed itself, he took advantage of his position and responsibilities to smuggle classified information to his Soviet handlers.

During the investigation following his arrest, authorities discovered a complex spy ring consisting of family members and other recruited operatives. Walker had earned the trust and cooperation of his family to commit one of the most notorious of all espionage cases. As a result of his crimes he received two life terms plus 10 years, his son received 25 years, and the damage to U.S. national security was tremendous. According to the NY Times, "It has been estimated by some intelligence experts that Mr. Walker provided enough code-data information to alter significantly the balance of power between Russia and the United States".

This is not meant to be a study into the minds of our traitors and foreign espionage operatives. Though that is important, what is more vital is understanding the responsibilities that those with access to classified information have in protecting our Nation's secrets. This protection includes proper accountability and documentation that should be adequate to prevent espionage and unauthorized disclosure in their early stages.

More enlightening in the case of Walker and others who have been involved in espionage are the ignored indicators of such activity. Studying the after-action reviews, reports and publicly accessible information on these cases reveals that others could have stopped the spying at the beginning. The safeguarding procedures, security awareness training and documentation required in the National Industrial Security Program (NISP) should be applied to protect assets and to recognize and prevent future instances of costly espionage.

The NISP is designed to protect classified government information. At first glance the information in this article may seem to address items outside the scope of the security manager's day-to-day focus; that assumption would be wrong. A high-level view of the National Industrial Security Program equips the reader with the fundamental knowledge necessary to better understand and protect our nation's secrets.

On January 6, 1993 (published in the Federal Register on Friday, January 8, 1993), the President of the United States signed Executive Order (EO) 12829, establishing the National Industrial Security Program. The program is commonly referred to as the NISP, an acronym with which those working with classified contracts should become familiar. The NISP gives guidance, training and directives so that industrial security professionals can better protect classified materials. It also designates agencies that have oversight of contractors performing on classified contracts.

According to the EO, the program's purpose is to safeguard classified information that has been or may be released to "current, prospective, or former contractors, licensees, or grantees of United States agencies". It is also designed to provide for the protection of classified material as outlined in EO 12356 and the Atomic Energy Act of 1954, as amended.

EO 12829 assigns implementation and monitoring of the NISP to the Director of the Information Security Oversight Office (ISOO); the classification order it references, EO 12356, was eventually superseded by EO 12958. The ISOO has many responsibilities, including working with other agencies to develop directives for implementation; reviewing and modifying agency regulations, rules or guidelines affecting those directives; overseeing compliance with the directives; inspecting and conducting on-site reviews of users that have access to or store classified information; reporting violations to the head of the agency or the designated senior official; addressing issues and complaints concerning the NISP; and reporting annually to the President through the National Security Council.

The NISP also establishes the National Industrial Security Program Policy Advisory Committee (NISPPAC). The NISPPAC is designed to represent the departments and agencies affected by the NISP and is chaired by the Director of ISOO. Together they work to advise departments and the President on matters concerning the NISP, recommend changes to the policies in the EO, and discuss policy issues in dispute.
Government members of the NISPPAC serve as an additional duty; industry members serve on a voluntary basis. However, the EO provides for non-governmental members to collect reimbursement for travel and per diem. The Administrator of General Services supports the committee with resources, including facilities and staff.

The President also requires that the Secretary of Defense consult with the affected agencies and work with the Secretary of Energy, the Nuclear Regulatory Commission and the Director of Central Intelligence to issue and maintain the National Industrial Security Program Operating Manual (NISPOM).

The agencies have specific guidelines and sections in the NISPOM. For example, the Secretary of Energy and the Nuclear Regulatory Commission take the lead in detailing requirements for protecting classified information identified in the Atomic Energy Act of 1954. The Director of Central Intelligence provides a section on intelligence sources and methods, including Sensitive Compartmented Information (SCI). In this coordination each agency maintains its own authority. We will see more specific examples as we discuss this in future chapters.

The NISPOM provides restrictions, rules, guidelines and procedures for preventing unauthorized disclosure of classified material; it is the primary regulatory reference for performing industrial security. The NISPOM applies to authorized users of classified information and equips those working on classified contracts with critical instruction on how to implement the NISP in their organizations. It is up to the contractor and the oversight agency to work together to interpret the guidelines accurately against the specific classified contract requirements. It is this interpretation that the oversight agency will apply while conducting its annual security reviews.

The Secretary of Defense and the other identified agencies apply the concept of Risk Management while implementing the NISPOM. There are three factors necessary in determining risk. The first is the damage to national security that could be reasonably expected to result from unauthorized disclosure of classified material. We will discuss later the levels of classification and other identifiers that are used to designate and recognize the severity of damage. At this point it’s important to know that the NISPOM provides explicit guidance to user agencies on how to identify and protect classified items at all levels.

The second factor is the existing or anticipated threat of disclosure of the information. The third factor is the short- and long-term cost of the requirements, restrictions and other safeguards. The second and third factors aren't spelled out in the NISPOM, but they are recognized as legitimate concerns that keep the NISP from becoming a burden on industry. Astute industrial security managers develop a risk management analysis to better interpret the risk and discover the potential impact. They also develop solutions to reduce the risk and the predicted damage. The bottom line is to reduce the probability of unauthorized disclosure of classified information.

The Secretary of Defense has operational oversight of those who access classified material: that office inspects, monitors and determines who has access. The Director of Central Intelligence serves the same purpose for matters of intelligence, as do the Secretary of Energy and the Nuclear Regulatory Commission for their areas. The Director of Central Intelligence, the Secretary of Energy and the Nuclear Regulatory Commission can enter into written agreements authorizing the Secretary of Defense to inspect or monitor their programs or facilities. Otherwise those programs are carved out and are not inspected or monitored by the Secretary of Defense.

The Secretary of Defense has oversight over the National Industrial Security Program. DoD chairs an executive committee composed of the Director of Central Intelligence, the Secretary of Energy and the Nuclear Regulatory Commission.
As the executive agent, the Secretary of Defense can work with the other agencies to standardize procedures that promote and implement the NISP. Without this standardization, implementing the program would prove difficult and an undue burden on those who work within the NISP. The Executive Order directs the Secretary of Defense and the agencies involved to document and account for all costs associated with the program. These costs are reported through the Director of the Information Security Oversight Office to the President.

Security Education

Security education is vital to a security manager's growth. With the motto "Solutions Begin Here", ASIS has produced a first-class security training event in Las Vegas. As security professionals, it's important to get all the education necessary to perform as top players in our profession. Because of your responsibilities in physical security, IT or loss prevention, excellent training is vital.
There were over 24,000 people and 4,000 vendors present. The convention offered several hundred classes throughout the week. Even in the midst of traditional security training I was pleased to see instruction on safeguarding classified information. I also appreciated seeing the Defense Security Service (DSS) conducting seminars. Additional classes, including an introduction to DoD security and the fundamentals of classification, proved that even mainstream public companies are becoming aware of the growing trend in this arena.
Though there were opportunities to train in any of hundreds of classes, the overarching topics covered three primary areas: disaster preparation, converging IT with physical security, and risk management. Many of our Facility Security Officers (FSOs) and industrial security specialists hold many other titles in addition to security. While attending classes I was reminded of the need for all industrial security professionals to learn all areas of security in addition to guarding classified materials.
We were treated to several great speakers who helped us stay focused on our awesome responsibilities and on how to carry them out with limited time and resources. Former Secretary of State Dr. Henry Kissinger thanked the security industry as "those who protect our structures and people". Leadership guru Tom Peters and Christopher Gardner of The Pursuit of Happyness led us on topics from current world affairs to taking charge of our future. Tom Peters provided a statement that I'll use to wrap up this article: "You are not security, you are risk managers. The company employees are security and you manage the risk."