Wednesday, January 28, 2009

The Classified Visit

Let’s test your knowledge of international operations. The following situation is fiction, but is based on issues facing businesses everyday. This situation is tricky enough with unclassified contracts, but the addition of possible classified work may complicate the issue. Try to answer the following question:
As the security manager of a classified facility, you have many responsibilities including approving classified visits. Not a problems since most visit requests are handled through agency approved data bases such as JPAS. Besides, you have a very large staff and the process is pretty much routine until….
A program manager enters your office and informs you that her foreign customer wants to send an employee to work onsite on a classified program for six months. The program manager wants you to give her a visit request form that the foreign company can use to submit a visit request. You think about this for a moment and realize that though the situation is unusual, it should be a workable solution. Do you provide the visit request form? Why or why not?
In the course of business, it is not unusual for a foreign entity to request a visit to a U.S. company. Foreign business employees may desire to visit a U.S. contractor in furtherance of a contract. When the business is related to a classified contract, involves classified information or relates to a government to government agreed upon plant visit, the foreign entity requests the visit through their embassy. The only way these types of visits are authorized is through government to government channels. Unclassified visits are sent through commercial channels and are conducted through licenses with the Department of State or the Department of Commerce.
Visit requests submitted by a foreign entity pass through their government channels to the U.S. government for approval. The U.S. government agency having jurisdiction over the classified contract submits the request to the U.S. contractor for their approval. The request also includes guidance and limitations of the information and items the foreign national will be allowed to access. The contractor reviews the limitations and determines whether or not they concur with the request. The contractor has the final say of whether or not the foreign national will access their facility.
Security managers, exports compliance officers, technology control officers, etc will face more challenges as our market becomes global. The next topic we will discuss is once a visit is authorized. What does a contractor need to do in preparation for the visit? How does one prepare employees and the visiting foreign person from exporting unauthorized technical data.

Tuesday, January 20, 2009

Assessing the security climate

I’ve recently fielded questions to some cleared employees. The intent was to generate discussion and get an assessment of how well they understood the National Industrial Security Program. I’ve received a variety of answers. The responses were intelligent, well thought out, but inaccurate. They demonstrated a lack of understanding based on popular culture and word of mouth.

Keep in mind that out of all possible respondents less than a handful replied to each question. Additionally, the survey was in no way scientific. It was just a simple fielding of questions and not intended to be a representation of the industry in general. However, they do provide a sound training solution. How can one use such data to train the force? Well, thanks for asking.

First of all, followers of this blog and the subsequent newsletter can use the same questions while conducting walk around security or otherwise conducting a security survey. Field these questions to your teams. If they respond correctly give loud and public praise. If they answer incorrectly you have just created a training opportunity. Proceed with diplomacy. Use the data you collect as a foundation to design future training. These responses go a long way in identifying weaknesses in the overall understanding of the National Industrial Security Program. These weaknesses could prove a vulnerability to your security program if not addressed properly.

Another application is to use the answers I provide here to bring about discussion or add to your security education agenda. Again, no scientific study here. However, certain broad assumptions can be made about general knowledge of the National Industrial Security Program.

Now, the questions and answers:

1. Will your security clearances or the way we protect classified material be impacted by the new administration?

a. "The President can de-classify any classified information."
b. "There should be some sort of "transition" in place for business that overlaps 4-year Admin tenures."
c. "I don't foresee any significant changes."

The reality: In recent history two sequential presidents have provided separate executive orders directing how to protect classified information. Presidents Clinton and Bush have issued policies directing what qualifies to receive a CONFIDENTIAL, SECRET or TOP SECRET classification.

Contractors and government agencies protect classified information based on the guidance from the executive orders. When changes occur, they affect storage capacity, employee manpower and resources toward re-marking or improving security. These resources are funded through overhead and impact profits. Organizations can project requirements and put a proactive plan in place to make necessary transitions easier.

2. Is a defense contractor allowed to advertise their facility security clearance level?
"It depends on what level you're advertising. YOu should be able to advertise clerance levels."
The reality:
According to the National Industrial Security Program Operating Manual (NISPOM , the contractor can not use their security clearance level to advertise for business.

NISPOM 2-100. General. An FCL is an administrative determination that a company is eligible for access to classified information or award of a classified contract.

c. A contractor shall not use its FCL for advertising or promotional purposes

As the lead security education provider, the Facility Security Officer has to break through perceptions. Those cleared employees should grasp a good understanding of their responsibilities to protect classified information. The FSO’s can ask simple questions to gage the effectiveness of the training and discover areas in which to conduct training.