Tuesday, December 30, 2008

How can a new administration impact national security?

How do presidential elections impact the Department of Defense contractor community’s ability to compete for contracts? “In recent history two sequential presidents have provided separate executive orders directing how to protect classified information,” says security consultant and author Jeffrey W. Bennett. Presidents Clinton and Bush have issued policies directing what qualifies to receive a CONFIDENTIAL, SECRET or TOP SECRET classification.
Democratic presidents often reflect a policy of openness. Some policy changes President Clinton implemented tightened the reins on what could be classified and for how long. “President Clinton’s policy made it tougher to classify information and contributed to the declassification of thousands of documents,” says Bennett.
Republican presidents tend to ease classification standards. However, President Bush kept largely the same structure as President Clinton’s Executive Order 12958; he later implemented Executive Order 13292. “The changes President Bush implemented included providing more flexibility in the classification process. He also added defense measures against transnational terrorism,” says Bennett.
Both recent elections changed the way government agencies and DoD contractors conduct business. President Clinton’s Executive Order set a specific duration for the classification of information. “Classified information outside of the established time frame had to either go through a process to retain the classification or be re-marked. If the information did not qualify for extended classification, then a classification change had to be annotated at a lower level or the information declassified altogether,” says Bennett. President Bush made changes that required re-designation of classification markings and extended the duration of classification when necessary.
Those are only a few examples of the changes affecting the DoD contractor industry. A reduction in classified holdings was one benefit of the changes both administrations made. “Depending on the government report, between 10 percent and 90 percent of documents are over-classified. Tougher classification standards are good provided that national security is still protected,” adds Bennett. From a financial point of view, a reduction in classified holdings lowers overhead costs, since fewer security containers and vaults are needed.
What changes can we expect from President-elect Obama? “The industry shouldn’t expect drastic changes. Though there may be an effort toward openness, our nation’s leaders understand the importance of protecting national security. Providing classification for the right reasons protects our country and reduces the amount of classified information needing specialized storage.” The trend will require materials and manpower to make the changes in markings and reduce the classified holdings.

Monday, December 29, 2008

Not another required training event

You’ve no doubt read the NISPOM and other federally regulated security requirements addressing training. These regulations list the topics to be covered (as a minimum) and how often training is to be given. Some of you may have worked in organizations where the security manager followed the guidance to the letter…and that’s it. So, once a year, cleared employees amble into the briefing room to attend “required training”.
“Why do I have to attend another security training event?” they ask.
“Because regulations state…,” you begin to respond.
STOP! Don’t complete the answer until you read the rest of this. Take a deep breath and save your credibility.
One of the primary reasons security training fails is our inability to demonstrate how the training affects the bottom line. Sure, we know the regulations and the impact of not conducting training. However, our primary training objective is to increase security awareness and include employees in the security program. Contrary to most training programs, the focus should not be on passing the annual DSS review.
The successful security manager understands the importance of running a program in which all employees take part in protecting the company, its employees and national security. Implementing a security program to protect classified information need not be the responsibility of a lone ranger, as is often the situation. Developing key relationships through training and interaction facilitates extending security’s influence. Under a successful program, contracts, HR, engineering, program management and other departments function as eyes, ears and muscle. They are security’s force multipliers, stretching the effectiveness of the security department.
Security managers are expected to conduct annual training and file reports as required by the NISPOM for industry, or by the applicable security regulations for other contractors and federal agencies. Instead of conducting training just to meet compliance, the training process can be an effective relationship-building opportunity: an opportunity to protect classified material; to detect attempts at espionage and other security violations; and to report incidents, violations and status changes affecting personnel and facility clearances. In a good synergistic relationship the training manager will not face the question, “Why do I have to attend another training event?” Instead employees may ask, “What’s on the agenda?” as they look forward to contributing to the security program.

Monday, December 8, 2008

Secure IT

Information systems allow businesses to increase work productivity at blinding speeds. Documents, images and media can be duplicated, printed, emailed and faxed much more quickly than technology allowed just a few years ago. These lightning-fast capabilities enable enterprises to perform on contracts more efficiently and in less time. However, because of the fast distribution and processing speeds, measures must be in place to prevent unauthorized disclosure, spillage and compromise of classified information. Once a spillage occurs, the errant person cannot take the action back. Information systems identified to process classified information are marked according to the highest classification of the information they process.
As with protecting physical classified property, information systems and their products must also be safeguarded at the appropriate level. Computers used for uploading, storing, processing, disseminating, printing and other functions are protected at the level of the information being worked. These protection levels include creating an environment where users of the IS understand the policies and the threat, and operate in such a way that security plays a primary role in the development, procurement, operation, processing and storage of classified information.
As with the entire spectrum of a security program, the safeguarding of information systems reflects compliance with agency regulations as well as the results of thorough risk management. The security manager’s responsibility is not to look at the effectiveness of protection measures as they relate only to the computer or system, but as they affect the entire organization’s mission and perhaps even our national security. The FSO or security manager invites and involves senior organization officers to take part in the risk management to ensure the vision incorporates the protection of classified information. This allows industrial security specialists and others in a security discipline to provide proactive security measures rather than play catch-up with expenses and security policy.
Key control custodians maintain accountability of combinations, locks and keys used in the storage of classified material. In the same way, an administrator controls authentication and identification and ensures measures are in place for proper access to the classified information stored or processed on the IS. The authentication, user identification and logon information act as “keys” controlling when the classified information is available on the system. Without strict control, there is no way to prevent unauthorized persons from getting to the data stored in computers or components.
To protect the data, all information regarding authentication is restricted to only those with the proper clearance and need to know. Each user has the ability to access only the data authorized. The segregation of access and need to know per user can be effected either on individual systems or components dedicated to only one access requirement, or on one entire system or component capable of allowing many user-level accesses. The custodian, ISSM or ISSO can protect the authentication data by making it unreadable or by applying file access controls. This follows the same theory as controlling access to security combinations and storing them in a security container affording the proper level of protection.
Just as combinations and keys are rotated and changed during certain events, user identification, removal and revalidation procedures are also in place. These similar measures are used to ensure the proper users have access, and that those who have moved, lost their clearance or need to know, changed jobs or otherwise no longer require access are no longer given the capability to access the IS. This control is put in place by removing the user identification. Additionally, each user identification is revalidated at least yearly for those who still require access. Authenticators such as keys, passwords, smartcards, etc., as discussed earlier, are to be protected at the highest level of classified information accessed. Users are not authorized to share, loan out or otherwise give them to others. They are personal, and access to individual logons is audited.
Passwords are to be protected at the level of classification of the data stored or processed by the IS. If, as in our earlier example, XYZ Contractor’s IS is configured to process data classified at the SECRET level, then the password is classified SECRET. It cannot be stored in a phone, personal data assistant, or otherwise written down unless stored in a security container. Passwords are at least eight characters long and are generated by an approved method. This approval is based on the length of the password and the structure and size of the password space, as described in the SSP designed by the ISSM. Passwords are changed annually. Passwords already installed in software and operating systems are always replaced prior to giving users access to the IS.
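As an added example that is not part of the original post, the following Python script applies the account controls described in the two paragraphs above (yearly revalidation of user IDs, removal of IDs that no longer require access, an eight-character minimum and annual change for passwords, and replacement of vendor-default passwords) to a constructed account roster; the roster fields, user names and dates are assumptions made for the example.

```python
from datetime import date, timedelta

# Thresholds taken from the post: passwords at least eight characters and
# changed annually; each user identification revalidated at least yearly.
MIN_PASSWORD_LENGTH = 8
MAX_AGE = timedelta(days=365)

# Constructed review date and roster (not real accounts). Each entry holds
# what the ISSM/ISSO would track for one user ID on the classified IS.
REVIEW_DATE = date(2008, 12, 8)
SAMPLE_ROSTER = [
    {"user": "alice", "requires_access": True, "last_revalidated": date(2008, 6, 1),
     "password_len": 12, "password_set": date(2008, 6, 1), "vendor_default": False},
    {"user": "bob", "requires_access": False, "last_revalidated": date(2008, 1, 15),
     "password_len": 10, "password_set": date(2008, 1, 15), "vendor_default": False},
    {"user": "carol", "requires_access": True, "last_revalidated": date(2007, 9, 1),
     "password_len": 6, "password_set": date(2007, 9, 1), "vendor_default": False},
    {"user": "admin", "requires_access": True, "last_revalidated": date(2008, 11, 1),
     "password_len": 8, "password_set": date(2008, 11, 1), "vendor_default": True},
]


def review_accounts(roster, today):
    """Return the actions the post describes: remove IDs that no longer need
    access, revalidate stale IDs, and reset passwords that are too short,
    older than a year, or still set to a vendor default."""
    findings = {"remove": [], "revalidate": [], "reset_password": []}
    for acct in roster:
        user = acct["user"]
        if not acct["requires_access"]:
            # Moved, changed jobs, or lost clearance/need to know: remove the ID.
            findings["remove"].append(user)
            continue
        if today - acct["last_revalidated"] > MAX_AGE:
            findings["revalidate"].append(user)
        if (acct["vendor_default"]
                or acct["password_len"] < MIN_PASSWORD_LENGTH
                or today - acct["password_set"] > MAX_AGE):
            findings["reset_password"].append(user)
    return findings


if __name__ == "__main__":
    for action, users in review_accounts(SAMPLE_ROSTER, REVIEW_DATE).items():
        print(f"{action}: {', '.join(users) or 'none'}")
```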
Physical access to the IS is controlled to prevent unauthorized personnel from obtaining or otherwise compromising classified material. This also applies to the maintenance of the IS. Information systems often require repair, upgrades and other maintenance that is not normally performed by the ISSM or ISSO. When necessary and available, maintenance should be performed by cleared personnel with need to know, or at least with an ability to control the need to know. This is the least risky of all options, as a technically knowledgeable employee can escort and monitor the repairs and ensure security processes are in place.
However, in many cases maintenance personnel do not have security clearances, or if they do, they are not cleared to the level of the IS. They are not employees of the company and do not have the need to know. These maintenance professionals must be U.S. citizens and require constant escort. The escort or another employee will conduct all login and logoff procedures and have a keystroke monitoring system in place. All classified data and media should be cleared and removed to deny access to the unauthorized repair persons. These controls prevent uncleared persons from gaining access to passwords, authenticators and classified data. They are only allowed to work on the system after system access is granted. The process is similar to opening a combination and removing the contents of a security container prior to authorizing a locksmith to make repairs.