Monday, May 26, 2008

Pentagon or FSO...Who is ultimately responsible?

Leaks in high-tech fighter? Makes for a great headline, and one that grabs the attention of any professional safeguarding sensitive and classified information. This article appeared in many newspapers across the country but originated with the Washington Post.

The article makes many pointed remarks toward government agencies, including the Department of Defense, for not providing the proper oversight. Reading the article, I realize that there is just not enough information to draw a conclusion about who dropped the ball at the government level. Many of you in the field probably recognize some of the obvious questions that need to be answered before we can assign blame to Defense Security Services or the various agencies.

However, one thing is clear: even with all of the policies in place, something broke down. Many government regulations give specific instructions for safeguarding classified material. The International Traffic in Arms Regulations (ITAR) instruct how to properly release technical information to foreign persons. The National Industrial Security Program Operating Manual (NISPOM) gives explicit instruction on how to properly disseminate classified material between agencies and governments. If anyone were to ask whether or not policies to protect sensitive and classified information were in place, there would be a resounding yes, and plenty of them. The article even points out that the “government and its contractors appropriately controlled the export of classified technology to foreign companies”.

The above statement can only support what was observed and documented. However, what about what was discussed privately, in closed meetings, passed along in conversation or through a note, or otherwise turned over through unauthorized methods by ill-advised technicians? Here’s where the security manager (the Facility Security Officer (FSO) or other industrial security specialist as identified by the NISPOM) is responsible. Nothing should take place on any classified effort without someone assuming complete accountability and control. Industrial security does a great job at fortifying infrastructure, making policy for copying and disseminating classified material, and training on who the bad guys are.

However, there is a major weakness. We are so busy training to look for spies that we lose sight of irresponsible employees. So, here's where YOU, the security manager, come in. The industrial security specialist needs to ensure the technicians, engineers, program managers, etc. know as much about the security of technical data as they do. Security must not be a single point of failure. The structure must be woven into all aspects of the enterprise, from purchasing to program management to point of sale.

Our government owns classified information and makes it available to trusted contractors to use while working on contracts. The industrial security specialist or FSO of the contracting company maintains accountability and control of all classified information in the contractor’s possession. Everyone possessing classified information has to realize and understand that they are responsible for protecting it and for giving it only to authorized persons. Who is the authorized person? It’s up to the possessor to verify.

Security managers do a great job fortifying places of business with alarms, access control and many other technical and physical devices to stop unauthorized persons from breaking into a building or sensitive area without being detected. However, without a real assessment, throwing state-of-the-art electronics and heavy construction at a facility creates security that amounts to doing what everyone else is doing, and it is not effective. There has to be a complete assessment of REAL threats and vulnerabilities, including unauthorized and accidental disclosure of the protected product. Security is severely lacking when no thought has been given to preventing unauthorized disclosure during legitimate business transactions. Security managers: know your product, understand your business, commit to the customer’s security requirements, follow all government regulations, and ensure all company employees do the same.
