Information for the CIO, CSO, FSO, ISSO and other security professionals. Understanding NISPOM and ITAR compliance is tough. Of the more than 12,000 cleared defense contractors, a majority don't have a security staff. We hope to help fill the gap. From security clearances to performing on classified contracts, you can find help here.
Applicants for security clearance must demonstrate that they can protect sensitive information. Under Guideline K, “deliberate or negligent failure to comply with rules and regulations for protecting classified or other sensitive information raises doubt about an individual’s trustworthiness, judgment, reliability, or willingness and ability to safeguard such information, and is a serious security concern.” Any history of allowing unauthorized access, forgetting to enforce security rules, or loaning out passwords will definitely raise red flags and call trustworthiness into question. Review the following cases and see if you can identify the Guideline K issues.
YOU’RE JUST SAYING THAT TO GET ME
A clearance holder brought a camera into a restricted area against security rules. Additionally, he committed many other security violations, including discussing sensitive information with unauthorized non-U.S. persons in an unauthorized area, leaving foreign nationals unattended with a classified workstation, and failing to properly store classified hard drives. He was formally disciplined and removed from his place of employment due to continuous disregard of security procedures.
These are not only security violations; because foreign nationals and non-U.S. persons were involved, the individual, his company, and fellow employees are also at risk of export licensing and International Traffic in Arms Regulations (ITAR) violations.
During the hearing, he failed to produce any mitigating circumstances, provide explanation, or offer character witness statements. He did state, however, that the charges were lies spread by persons who did not like him and were “out to get [him].”
COMSEC AND HIGHER THAN COLLATERAL
Some classified information requires additional protection because of the very nature of its existence; Communications Security (COMSEC) information is one example. Those with access to COMSEC are required to attend additional training and sign documents prior to possession of COMSEC material.
While accessing COMSEC information, an individual failed to follow security requirements on many occasions. These violations include failing to close and lock a COMSEC security container or secure a COMSEC vault door, leaving classified information in an unsecured area, and a few other incidents that put COMSEC at risk.
The applicant did provide mitigations, including character witnesses, work accomplishments, and evidence that she is a stellar performer. However, the mitigations did not address the security violation concerns. Though the incidents happened in the past, the judge still had questions and doubts about her ability to protect classified information and denied the clearance.
DON’T LEND OUT USERNAME OR PASSWORD; SERIOUSLY DON’T
JPAS is the system Facility Security Officers (FSO) use to maintain facility and personnel clearances and contains sensitive information. DSS requires JPAS users to hold a security clearance and trains them to never share their usernames and passwords.
In this case, while the individual had received training from the Defense Security Service, he knowingly provided his JPAS username and password and granted unauthorized access to sensitive information. He provided his username and password to an uncleared employee for almost two years, allowing him to delegate FSO and JPAS responsibilities. Because of the potential risk to sensitive and classified information and the frequency and length of time the violations occurred, the violations were not mitigated and the judge denied the applicant’s security clearance.
I ONLY SPIED BECAUSE I WAS CHEATING
A married applicant gained access to his girlfriend’s e-mail without permission or authorization. This included a classified e-mail account containing information for which he had no need to know. This violates Guideline K as “inappropriate efforts to obtain or view classified or other protected information outside one’s need-to-know”. Additionally, as a privileged information system user, he took advantage of his position to gain information for his own personal use and did not meet the requirement to be accountable for his actions on an information system.
The applicant did, however, provide mitigation, including admitting to his wife that he had had an affair, reconciling with his wife, and demonstrating a passage of time since the events occurred (four years). Additional mitigations included attendance at many security trainings and a demonstrated excellent attitude toward security rules. The judge ruled that the security incidents are “unlikely to recur and does not cast doubt on the individual’s reliability, trustworthiness, or good judgment,” and that “the individual responded favorably to counseling or remedial security training and now demonstrates a positive attitude toward the discharge of security responsibilities.” The seriousness of the applicant’s conduct was outweighed by the presence of rehabilitation and the amount of time elapsed since its occurrence.
The ability to demonstrate trustworthiness and a willingness to protect classified and protected information is often judged on history. Any red flags or shortfalls in obeying the rules and regulations set for protecting sensitive data must be mitigated. In the above cases only one was mitigated and the clearance granted. That decision was based on the work the applicant put into rehabilitating himself and demonstrating that his violations were in the past, and that his future included a focused security attitude.