Classified information can arrive to a cleared contractor in many different ways. Whether delivered via courier, mail carrier, overnight carrier, classified electronic means, and etc. the FSO should have a process in place to control and protect classified information from reception to dissemination or destruction. The FSO should establish procedures for the proper reception of classified material. The receiver of classified material plays a critical role in both safeguarding classified material as well as identifies security violations that the sender may have committed.
FSOs can control the introduction and dissemination of classified information with a centralized document control system. The NISPOM requires that a cleared contractor have an information management system in place to control classified information. This can be accomplished with a centralized system to facilitate the proper introduction and control of classified information entering the facility. This system requires visitors, couriers, mail carriers, overnight delivery companies, and other means of classified transmissions to perform under the FSO’s established procedures. Without such controls, classified information is vulnerable to unauthorized disclosure, loss, or compromise.
The centralized reception and dissemination provides the FSO with a tool for the positive control of classified information. In certain circumstances, cleared facilities may have multiple delivery docks and mailing addresses. Classified information should only be addressed and delivered to the established classified mailing address. A good practice is to have the classified address and centralized processing location co-located Simply put, uncontrolled introduction of classified information can lead to accountability problems, potential security violations and compromises of classified material. Addressing this at annual security awareness training is a good way to ensure cleared employees understand.
Outer Layer-The first step to receiving classified information is to examine the outer layer for evidence of tampering or compromise of classified material. The inspector should look for evidence of tearing, ripping, re-wrapping or some other means of unauthorized access to the material.
Next, review the shipping label for full approved classified mailing address, return address and which does not identify any recipient by name. Discrepancies should be addressed with the sender. Additionally, there should be no classification markings on the outer layer of the item. Inner Layer -The inner layer is inspected the same way as the outer layer for evidence of tampering or unauthorized disclosure. However, the inside wrapping contains the full address of the recipient as well as classification markings on the top, bottom, front and back. TOP SECRET and SECRET material should have a packing list or receipt of contents either on the outside or inside of the container. If no receipt is included, contact the sender. According to the NISPOM, CONFIDENTIAL information does not need a receipt included with the shipment. If a receipt is included, the signer should sign it and return it to the sender.
Compares the receipt against the label to ensure the item has been identified correctly. The receipt should contain information to direct the contents to the appropriate recipient. The properly filled out receipt identifies the sender, the addressee and correctly identifies the contents by an unclassified title and appropriate quantity. Since the receipt may be filed for administrative and compliance purposes, ensure it contains no classified information. If the receipt contains a classified title, contact the sender to see if it can be issued an unclassified title, reinvent an appropriate title, or prepare to store the receipt long term in an a GSA approved container because it is a classified item.
Once the material is received and the delivery inspected against the receipt, the FSO can input the information into a information management system. This database can be something as simple as logging the information into a notebook or through technology such as proprietary software sold on the market. Some companies and federal agencies have developed internal forms and examples are available on the internet. Once complete, put the classified information in the security container or other approved classified storage.
Thursday, December 17, 2009
How to Wrap Classified Packages
How to Wrap Classified Packages
By: Jeffrey W. Bennett, ISP
The National Industrial Security Program charges cleared contractors with protecting classified information. This protection extends through all phases of contracts and throughout the duration of the classification. Protection also includes the reception, storage, dissemination, and destruction of the information.
Dissemination is a critical part of protecting classified information as the classified information leaves the control of the cleared organization. Whether couriered, mailed, or otherwise delivered, it is removed from a cleared facility and must be prepared in a way to protect the information from unauthorized disclosure.
Prior to sending out classified information the FSO should ensure that it is double wrapped with opaque paper to preclude casual observation of the classification markings and contents. The inner wrapper is marked with the proper classification, provided an address with sender and addressee indicated, and properly sealed on all seams. Additionally, a receipt should be included with the inner wrapping to indicate the contents, sender, and addressee. No classified information should appear on the receipt. Though the NISPOM directs SECRET and above deliveries to include a receipt, it is a good practice to also send a receipt with CONFIDENTIAL information. Receipts should be signed by the addressee once they inspect the delivery. The outer wrapper should not include a classification and should be addressed to the security department or FSO and the classified mailing address.
Always store and protect classified information properly. The information provided below can prove helpful as a checklist for transmitting classified information:
INNER WRAPPING:
Stamp opaque envelop with highest classification and other required restrictive markings.
Label with recipient company name and address, ATTN: Recipient’s name or office, section, mail stop, etc.
Seal all seams with opaque tamper-proof tape
Include two copies of receipt inside or attached to inner opaque envelop
OUTER WRAPPING:
Label opaque envelop with classified mailing address ATTN: FSO
Seal with opaque tamper-proof tape covering all seams.
Classification or other restrictive markings are not annotated on outer envelope.
By: Jeffrey W. Bennett, ISP
The National Industrial Security Program charges cleared contractors with protecting classified information. This protection extends through all phases of contracts and throughout the duration of the classification. Protection also includes the reception, storage, dissemination, and destruction of the information.
Dissemination is a critical part of protecting classified information as the classified information leaves the control of the cleared organization. Whether couriered, mailed, or otherwise delivered, it is removed from a cleared facility and must be prepared in a way to protect the information from unauthorized disclosure.
Prior to sending out classified information the FSO should ensure that it is double wrapped with opaque paper to preclude casual observation of the classification markings and contents. The inner wrapper is marked with the proper classification, provided an address with sender and addressee indicated, and properly sealed on all seams. Additionally, a receipt should be included with the inner wrapping to indicate the contents, sender, and addressee. No classified information should appear on the receipt. Though the NISPOM directs SECRET and above deliveries to include a receipt, it is a good practice to also send a receipt with CONFIDENTIAL information. Receipts should be signed by the addressee once they inspect the delivery. The outer wrapper should not include a classification and should be addressed to the security department or FSO and the classified mailing address.
Always store and protect classified information properly. The information provided below can prove helpful as a checklist for transmitting classified information:
INNER WRAPPING:
Stamp opaque envelop with highest classification and other required restrictive markings.
Label with recipient company name and address, ATTN: Recipient’s name or office, section, mail stop, etc.
Seal all seams with opaque tamper-proof tape
Include two copies of receipt inside or attached to inner opaque envelop
OUTER WRAPPING:
Label opaque envelop with classified mailing address ATTN: FSO
Seal with opaque tamper-proof tape covering all seams.
Classification or other restrictive markings are not annotated on outer envelope.
Friday, November 13, 2009
Changes to the National Industrial Security Program Impact Defense Contractors
Just five short years ago several changes came out almost simultaneously. The changes challenged the thinking of many security specialists because the ideas were so new. The proactive employees put plans into place that made the changes easier to implement within their organizations. The others found themselves implementing the changes at the last minute.
I cannot imagine working without the Joint Personnel Adjudication System (JPAS). However, when it first came out the protest was pretty loud. One of the many objections identified using JPAS to submit visit authorization requests instead faxing personal identifiable information to a hosting cleared facility. I heard one FSO comment that “need to know” could not be properly controlled by such an impersonal system. Though unfounded, such objections still needed to be met. T o prepare industry for the new process, Defense Security Services and professional organizations such as NCMS (Society of Industrial Security Professionals) began preparing ways to educate Facility Security Officers and other JPAS users. Now, JPAS is required throughout the Department of Defense.
Remember the thick personnel files? FSOs maintained huge volumes of cleared employee information. SF86 applications, medical and information release forms, SF 312 forms and more were packed into manila folders and stuffed into bulging lateral cabinets. I remember hearing of one security professional stating that they had requested a new lateral filing cabinet. Their supervisor balked at such an expense and the employee argued the need for it. Fortunately another employee who kept up with changes in the NISP reminded the two of a then recent change; the FSO could no longer maintain SF 86 information once a security clearance determination had been made. As a result, the cleared employee files withered to a few pieces of paper and some of the lateral cabinets were emptied.
The point here is that new changes are bound to come because of amendments to Presidential Executive Orders or policy updates. FSOs and security specialists should begin a plan immediately to implement the new requirements. While incorporating the changes into the security program, prepare another report of the impact to your organization. Will the new requirements increase costs of doing business or are there significant cost reductions? Document the findings and keep management informed. Finally, prepare to hi-light significant changes for presentation during annual security awareness training.
I cannot imagine working without the Joint Personnel Adjudication System (JPAS). However, when it first came out the protest was pretty loud. One of the many objections identified using JPAS to submit visit authorization requests instead faxing personal identifiable information to a hosting cleared facility. I heard one FSO comment that “need to know” could not be properly controlled by such an impersonal system. Though unfounded, such objections still needed to be met. T o prepare industry for the new process, Defense Security Services and professional organizations such as NCMS (Society of Industrial Security Professionals) began preparing ways to educate Facility Security Officers and other JPAS users. Now, JPAS is required throughout the Department of Defense.
Remember the thick personnel files? FSOs maintained huge volumes of cleared employee information. SF86 applications, medical and information release forms, SF 312 forms and more were packed into manila folders and stuffed into bulging lateral cabinets. I remember hearing of one security professional stating that they had requested a new lateral filing cabinet. Their supervisor balked at such an expense and the employee argued the need for it. Fortunately another employee who kept up with changes in the NISP reminded the two of a then recent change; the FSO could no longer maintain SF 86 information once a security clearance determination had been made. As a result, the cleared employee files withered to a few pieces of paper and some of the lateral cabinets were emptied.
The point here is that new changes are bound to come because of amendments to Presidential Executive Orders or policy updates. FSOs and security specialists should begin a plan immediately to implement the new requirements. While incorporating the changes into the security program, prepare another report of the impact to your organization. Will the new requirements increase costs of doing business or are there significant cost reductions? Document the findings and keep management informed. Finally, prepare to hi-light significant changes for presentation during annual security awareness training.
Thursday, November 12, 2009
Need to Know-the Rest of the Story or Establishing Need to Know within the National Industrial Security Program
According to E.O. 12869, no one can have access to classified information unless they have been determined eligible for a security clearance and have “need to know”. Access is a determination made by an expert based on the results of a proper investigation. This eligibility is easy to determine after the U.S. Government provides the notification of a granted security clearance or upon validation of an approved cognizant security agency database. When an employee is granted a CONFIDENTIAL, SECRET or TOP SECRET clearance they are eligible for access to classified information at the level of clearance and below.
However, the rest of the story concerns “need-to-know”. Need to know is a determination made by the possessor of classified information. This cleared employee not only has to determine that recipients of the information have the proper clearance, but that the cleared person is authorized to perform classified work based on a true government requirement. Just as security clearances should be kept to the minimum amount necessary to perform the classified work, access to that classified information must be kept to only those with a valid need to perform on the government work.
A Facility Security Officer conducted a preliminary inquiry to determine whether or not a security incident led to the loss, compromise or suspected compromise of classified information. She had received a phone call from an employee stating that a co-worker had left classified information out on his desk. Investigation revealed that a worker had left for lunch and asked a co-worker to “keep an eye on” her classified information. Not too much time later, the second employee was summoned to his bosses office to answer some questions. He left in a hurry, forgetting about the classified information on the desk.
At first glance, the unattended classified information is the most obvious security incident. However, once the inquiry concluded another incident came to light. The co-workers shared he same office, but did not work on the same contract. The first co-worker entrusted the safeguarding of classified information to an employee cleared at the proper level, but who did not have the “need to know”.
However, the rest of the story concerns “need-to-know”. Need to know is a determination made by the possessor of classified information. This cleared employee not only has to determine that recipients of the information have the proper clearance, but that the cleared person is authorized to perform classified work based on a true government requirement. Just as security clearances should be kept to the minimum amount necessary to perform the classified work, access to that classified information must be kept to only those with a valid need to perform on the government work.
A Facility Security Officer conducted a preliminary inquiry to determine whether or not a security incident led to the loss, compromise or suspected compromise of classified information. She had received a phone call from an employee stating that a co-worker had left classified information out on his desk. Investigation revealed that a worker had left for lunch and asked a co-worker to “keep an eye on” her classified information. Not too much time later, the second employee was summoned to his bosses office to answer some questions. He left in a hurry, forgetting about the classified information on the desk.
At first glance, the unattended classified information is the most obvious security incident. However, once the inquiry concluded another incident came to light. The co-workers shared he same office, but did not work on the same contract. The first co-worker entrusted the safeguarding of classified information to an employee cleared at the proper level, but who did not have the “need to know”.
Identification and the Defense Contractor’s Rolodex
Identification is a critical part of our business. Those who possess classified information cannot just disclose it to anyone who asks; verification is necessary to ensure that those who are authorized to receive such information are who they say they are. Sometimes identification is made visually through recognition of a friend, colleague or co-worker. More often than not the visual recognition is backed up with technology. Many contractor and government organizations and agencies have internal identification systems using software and hardware designed to recognize biological and electronic information. There are many configurations of card reading technology. Some use picture badges unique to organizations coupled with small chips providing a code for entry into access controlled areas.
At any given time you can identify such employees by the card dangling at the end of a lanyard. Perhaps even some are laden with multiple cards pushing the lanyard’s published tensile strength to the limit. A card is used to enter the employer’s facility and the remaining cards are for entry to contract related organizations; each agency issuing its own recognition requirements.
A few months back I was flying away on business. I like to arrive early enough to get through security and usually have a form of government issued identification and my boarding pass ready to go. When I get to the TSA checkpoint, I display the required credentials and am given access. I recently saw a fellow traveler approach the TSA checkpoint just as I was about to do. However, instead of passing smoothly through the process, he became show stopper. The flow had been interrupted considerably.
The traveler made it to the checkpoint, but he was not prepared to present his access credentials. Well, he presented information, but it was the wrong kind. When he approached the TSA official, he began to work through what I call “the contractor rolodex”. He had worn his lanyard with about 10 access cards around his neck through the entire security line and began showing each card one by one. The patient TSA officer rejected each card until the traveler successfully produced the government issued one. This could have been a driver’s license or a common access card for all I know, but it was the right one.
Aside from the comic relief the incident provided, there is somewhat of a traveler and employee security issue to deal with. Employees are trained to put away our organization’s access card when not in the facility, though some apparently do not quite understand the “secrecy”. At the very least risk, the access card may identify the wearer as a government official or a defense contractor employee, depending on where they live. It also may provide the employee’s specific place of work and in some instances their clearance level. Worst case scenario, the card could be stolen and allow unauthorized access to a facility. Perhaps, a subject can be targeted for exploitation based on identification of line of work and employer.
Identification is a major part of doing business. Access and need to know can be verified with proper recognition provided by information printed or embedded in access card technology. Security professionals should provide education and training that help employees understand the importance of protecting their identification and how they are associated with sensitive information or business.
At any given time you can identify such employees by the card dangling at the end of a lanyard. Perhaps even some are laden with multiple cards pushing the lanyard’s published tensile strength to the limit. A card is used to enter the employer’s facility and the remaining cards are for entry to contract related organizations; each agency issuing its own recognition requirements.
A few months back I was flying away on business. I like to arrive early enough to get through security and usually have a form of government issued identification and my boarding pass ready to go. When I get to the TSA checkpoint, I display the required credentials and am given access. I recently saw a fellow traveler approach the TSA checkpoint just as I was about to do. However, instead of passing smoothly through the process, he became show stopper. The flow had been interrupted considerably.
The traveler made it to the checkpoint, but he was not prepared to present his access credentials. Well, he presented information, but it was the wrong kind. When he approached the TSA official, he began to work through what I call “the contractor rolodex”. He had worn his lanyard with about 10 access cards around his neck through the entire security line and began showing each card one by one. The patient TSA officer rejected each card until the traveler successfully produced the government issued one. This could have been a driver’s license or a common access card for all I know, but it was the right one.
Aside from the comic relief the incident provided, there is somewhat of a traveler and employee security issue to deal with. Employees are trained to put away our organization’s access card when not in the facility, though some apparently do not quite understand the “secrecy”. At the very least risk, the access card may identify the wearer as a government official or a defense contractor employee, depending on where they live. It also may provide the employee’s specific place of work and in some instances their clearance level. Worst case scenario, the card could be stolen and allow unauthorized access to a facility. Perhaps, a subject can be targeted for exploitation based on identification of line of work and employer.
Identification is a major part of doing business. Access and need to know can be verified with proper recognition provided by information printed or embedded in access card technology. Security professionals should provide education and training that help employees understand the importance of protecting their identification and how they are associated with sensitive information or business.
Friday, September 18, 2009
How Facility Security Officers and other Security Professionals Contribute to their Communities
One thing that I like about security professional organizations like American Society of Industrial Security Professionals International (ASIS) is their emphasis on giving to the community. The group sponsors scholarships, provides security services and training opportunities designed to help non-profit or not for profit organizations. Churches, charities, and students benefit from the generosity of local and national security professionals. In my own community I began to look at examples of how security professionals could contribute in a meaningful way.
The best examples I can give are what we have done in my neighborhood. For one organization in particular, I arranged for an FBI agent to present a small presentation on cyber security. The audience consisted of interested parties representing the community and various demographics. We had teachers, children, baseball teams and senior citizens all together for breakfast and training on a fine Saturday morning. The presenter gave valuable information derived from real data. The audience was appreciative and provided positive comments. This, of course was a few years ago. We are thinking of presenting it again since social networks like Face book, LinkedIn, and MySpace are so prevalent.
Just recently I invited a fellow security professional to present “Active Shooter” training for my church. I’ve known the presenter for the past few years as a result of NCMS (Society of Industrial Security Professionals) and ASIS. We’ve both spoken in the professional organizations’ seminars and luncheons. We’ve set up booths next to each other during conventions. One day while he thumbed through my latest book I had on display, he told me of his side business. I asked him his expertise and he said that he consults churches and non-profit organizations on security.
Coincidently, in a church meeting the next month our leadership raised concerns of recent violence in religious institutions during the past year. I thought of my friend and offered a solution. After a few months of planning, we hired him as a consultant. One Monday night, with over 50 people present, we learned how to possibly prevent or reduce the impact of an active shooter incident. Interestingly, we have police officers and federal agents at our church and many were in attendance. However, just because one is in law enforcement, does not necessarily mean they are an expert in a certain discipline. What we learned was how to plug law enforcement into the scenario and rehearse responses. The best part was that even though my buddy presented the training, my church leadership began to view my skills and training as a security professional in a new light.
So, how can you contribute to your community? The first step is to look at needs and trends. Look at the crime rate, high risk neighbors, gang affiliations, unique issues and national trends. You might consider identity protection, family security, loss prevention, anti-terrorism or cyber security training. Your security, operations security and risk management training offer very valuable opportunities to train volunteer based organizations with tiny budgets. Each community’s needs are different; however you may just have the necessary skills or connection to fill in vital gaps.
The best examples I can give are what we have done in my neighborhood. For one organization in particular, I arranged for an FBI agent to present a small presentation on cyber security. The audience consisted of interested parties representing the community and various demographics. We had teachers, children, baseball teams and senior citizens all together for breakfast and training on a fine Saturday morning. The presenter gave valuable information derived from real data. The audience was appreciative and provided positive comments. This, of course was a few years ago. We are thinking of presenting it again since social networks like Face book, LinkedIn, and MySpace are so prevalent.
Just recently I invited a fellow security professional to present “Active Shooter” training for my church. I’ve known the presenter for the past few years as a result of NCMS (Society of Industrial Security Professionals) and ASIS. We’ve both spoken in the professional organizations’ seminars and luncheons. We’ve set up booths next to each other during conventions. One day while he thumbed through my latest book I had on display, he told me of his side business. I asked him his expertise and he said that he consults churches and non-profit organizations on security.
Coincidently, in a church meeting the next month our leadership raised concerns of recent violence in religious institutions during the past year. I thought of my friend and offered a solution. After a few months of planning, we hired him as a consultant. One Monday night, with over 50 people present, we learned how to possibly prevent or reduce the impact of an active shooter incident. Interestingly, we have police officers and federal agents at our church and many were in attendance. However, just because one is in law enforcement, does not necessarily mean they are an expert in a certain discipline. What we learned was how to plug law enforcement into the scenario and rehearse responses. The best part was that even though my buddy presented the training, my church leadership began to view my skills and training as a security professional in a new light.
So, how can you contribute to your community? The first step is to look at needs and trends. Look at the crime rate, high risk neighbors, gang affiliations, unique issues and national trends. You might consider identity protection, family security, loss prevention, anti-terrorism or cyber security training. Your security, operations security and risk management training offer very valuable opportunities to train volunteer based organizations with tiny budgets. Each community’s needs are different; however you may just have the necessary skills or connection to fill in vital gaps.
Thursday, September 17, 2009
Why FSOs and Defense Contractors Protect Classified Information
FSOs implement and direct security programs to protect classified information. As an FSO or a supporting security professional in this role, have you ever wondered how the classified information you protect gets its designation? We can find the answer in Presidential Executive Order 13292 . You may have heard and read reports of how over-classification results in unnecessary costs. You might also understand from similar reports of how under-classification can lead to compromise of sensitive information. To better prevent unauthorized disclosure and ensure that classification is assigned to only that information needing protection, the President has issued special guidelines. In cases where items may be assigned an original classification, four conditions must be met:
According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met:
(1) an original classification authority is classifying the information; Specifically, only the President and in certain circumstances the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government Officials can serve as OCA’s. Agency heads are responsible for ensuring that only the minimum amount of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.
The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.
The original classification authorities attend training as identified in the executive order and other directives. The education is similar to annual security awareness training the FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination in addition to learning how to determine the classification level.
(2) the information is owned by, produced by or for, or is under the control of the United States Government; An original classification authority may not determine a classification on anything that is not owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production, protection measures in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.
(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and Classification levels are assigned to classified materials and information only if they fall into one of eight categories designated in the EO.
a. Military plans, weapons systems or operations
b. Foreign government information
c. Intelligence activities, sources or methods or cryptology
d. Foreign relations or activities of the United States including confidential sources
e. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
f. U.S. programs for safeguarding nuclear materials or facilities
g. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
h. Weapons of mass destruction
(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.
The impact of disclosure is categorized from reasonably causing “damage” for CONFIDENTIAL information through “serious damage” for SECRET information to “seriously grave damage” for TOP SECRET information. The EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level and also to prevent the original classification authority from assigning a classification level needlessly.
According to E.O. 13292, Sec. 1.1. Classification Standards. (a) Information may be originally classified if all of the following conditions are met:
(1) an original classification authority is classifying the information; Specifically, only the President and in certain circumstances the Vice President, agency heads designated by the President in the Federal Register, and appointed U.S. Government Officials can serve as OCA’s. Agency heads are responsible for ensuring that only the minimum amount of subordinate officials are delegated original classification authority. It is these Government checks and balances that ensure responsibility and accountability.
The President, Vice President, agency heads, and officials designated by the President can delegate TOP SECRET original classification authority. SECRET and CONFIDENTIAL original classification authority also may be given to senior agency officials who are designated by agency heads in writing. The authority may not be automatically re-delegated.
The original classification authorities attend training as identified in the executive order and other directives. The education is similar to annual security awareness training the FSOs are required to offer employees with security clearances. For example, they learn how to protect classified information, how to mark it, and how to handle dissemination in addition to learning how to determine the classification level.
(2) the information is owned by, produced by or for, or is under the control of the United States Government; An original classification authority may not determine a classification on anything that is not owned, produced or controlled by the U.S. Government. For example, the Government contracts a company to make a product important to national security. As part of the contract, the government will require that the company construct and assemble items that must be safeguarded at the SECRET level of classification. They will work with the contractor and provide direction and means for production, protection measures in addition to the stipulations of the contract. The company is then contracted to make defense articles or provide services that the Government owns.
(3) the information falls within one or more of the categories of information listed in section 1.4 of this order; and Classification levels are assigned to classified materials and information only if they fall into one of eight categories designated in the EO.
a. Military plans, weapons systems or operations
b. Foreign government information
c. Intelligence activities, sources or methods or cryptology
d. Foreign relations or activities of the United States including confidential sources
e. Scientific, technological, or economic matters relating to national security, including defense against transnational terrorism
f. U.S. programs for safeguarding nuclear materials or facilities
g. Vulnerabilities of systems, installations, infrastructures, projects, plans or protection services related to national security including terrorism
h. Weapons of mass destruction
(4) the original classification authority determines that the unauthorized disclosure of the information reasonably could be expected to result in damage national security, which includes defense against transnational terrorism, and the original classification authority is able to identify or describe the damage. This is the fourth and final requirement that must be met before an original classification authority can assign a classification level. Classification levels are designed to implement the proper level of protection. It is part of the risk management component of security. The consequence of loss of the information is part of the categorization process.
The impact of disclosure is categorized from reasonably causing “damage” for CONFIDENTIAL information through “serious damage” for SECRET information to “seriously grave damage” for TOP SECRET information. The EO 13292 states that the impact of loss or compromise of the information must be at one of the three defined levels in order to be assigned a classification. The other part is that the classifier should be able to describe or identify the damage. This measure again informs the user that the information is to be safeguarded at a necessary level and also to prevent the original classification authority from assigning a classification level needlessly.
Subscribe to:
Posts (Atom)
Posts
