Saturday, April 2, 2022

Protecting CUI on work Computers




It is common practice to allow employees to use enterprise computers outside of the enterprise, and it has become more common as employees increasingly work from home. Though common, the practice is not always a best practice. Any time an employee leaves work with a company computer, the expectation should be that all information on it is vulnerable. Malware, ransomware, supply chain attacks, hacking and other threats are prevalent. In many cases this can be controlled by applying NIST standards and strong cybersecurity measures. This article focuses on limiting the use of loaned laptops, not on technical cybersecurity application.

The organization should conduct a thorough, use-based risk assessment before assigning company computers for at-home use. This risk assessment should limit the information provided to specific purposes. For example, if a user works on a specific project, the laptop might contain only the information needed for that project. A laptop removed for home use should not contain all available information unless that information is absolutely necessary. Even where the organization imposes strong policy and cybersecurity requirements, the CUI on the computer remains vulnerable to whether or not the employee follows the guidance.

A specific example of a common, but not best, practice is providing a laptop to an employee for college use. In this case, the employee would take the provided laptop to college, home, and many places along the way. They may connect to Wi-Fi and choose not to use a VPN, which leaves any information stored on the laptop vulnerable to exploitation. The organization should also expect any number of hacking, theft, or destructive attacks. This is a high risk activity if the laptop contains CUI, but a low risk if the laptop does not contain any such information.

The point is to control the data, not the laptop. If laptops are assigned for non-business (but approved) use, they should be provided with only the information absolutely needed and with the right protections. Work with CUI should be limited to the CUI necessary to accomplish the task, with the controls required to protect CUI in place. If a laptop is assigned for non-CUI tasks, such as college or professional development, no CUI should be on it.

Laptop issuing risk management should identify the contingencies that astute technology control officers, export compliance officers and security specialists plan for. Sensitive and protected technology should not be stored on computers and related media without proper permissions.

Consider following export controls and applying these best practices to the risk assessment. Export violations can occur within U.S. borders.

Foreign governments want U.S. technology and aggressively seek it, so defense contractors should make the information very difficult to get. Cyber hacking and supply chain attacks are increasing, calling for stronger controls. Relying on technical controls alone is not enough, and it often commits too many resources to actions that do not address the real threat. For example, physical security efforts may focus on fortifying laptops with barriers, alarms, access control, etc. These are important, but the employee may expose the information the first time they use public Wi-Fi without first connecting to the VPN. Risk assessments include technical controls AND limiting the data to be used on the laptop. CUI is leaked through careless or malicious employee behavior, or through actions taken due to poorly understood responsibilities and weak security discipline.

Export compliance officers and Facility Security Officers should develop a culture within their organizations that prevents unauthorized disclosure of economic, classified or sensitive information. Such practices include destroying sensitive waste properly, locking all desk and cabinet drawers after work, and using access control to keep employees, vendors and non-U.S. persons out of areas they are not authorized to enter.

Prior to removing any devices with CUI, employees should understand the risks. A defensive security briefing is given to cleared employees who travel overseas and may be vulnerable to foreign entity recruiting methods. This or similar training could be tailored and given to all employees who remove information from the enterprise.

If technical data and laptop computers will be removed from the organization, CUI, other sensitive information, and export controlled information not covered by a license or TAA should be limited, on a need-to-know basis, to what is required to perform the necessary work.

If you need assistance with FSO or security training please contact me or visit my consulting site www.jeffreywbennett.com. Additionally, we have NISPOM fundamentals training perfect for studying and applying to your CDC facility. https://bennettinstitute.com/course/nispomfundamentals/

Join our reader list for more articles.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books, including “Insider's Guide to Security Clearances”, “How to Get U.S. Government Contracts and Classified Work” and “ISP(R) and ISOC Master Exam Prep”, and the training courses “NISPOM Fundamentals/FSO Training” and “Cleared Employee Training”. Jeff is available to consult.

Security Training Topics For Cleared Defense Contractors


New cleared contractors should understand that the CDSE provides initial training and special briefings to their appointed Facility Security Officer (FSO). This training is invaluable as the new FSO will have a chance to learn about their responsibilities. Sometimes the new FSO will be learning for the first time exactly what is expected of them. After training, the FSO is then authorized to present the training to the organization’s cleared employees.

According to NISPOM, the FSO is also required to attend the DSS mandated FSO Program Management Course within one year of appointment. This means that cleared contractors should be prepared to send a designated FSO to the DSS Academy for the training, or to take the training online. Either way, the FSO must be certified.

CDSE provides new courses designed for FSOs of possessing and non-possessing facilities. FSOs should coordinate with their representative to determine the training that’s right for their situation. The training is designed to prepare the FSO to implement and direct a NISPOM based security program in their cleared contractor facility including, but not limited to the following topics:

Protecting classified material – The proper receipt, accountability, storage, dissemination and destruction of classified material.

Required training – This instruction helps the FSO establish an ongoing training program designed to create an environment of security conscious cleared employees.

Personnel security clearances – The FSO gains an understanding of the personnel security clearance request procedure, briefing techniques and maintenance of personnel clearances.

Facility clearance – The FSO learns how FCLs are established and which records and activities are required to maintain the FCL.

Foreign Ownership Control and Influence (FOCI) – Organizations analyze foreign investments, sales and ownership on a regular basis using the Certificate Pertaining to Foreign Interests (SF 328). FSOs learn to interact with management and provide guidance and direction in preventing a foreign entity from unauthorized access to or controlling work involving classified and export controlled information.

Export compliance and international operations – FSOs receive instruction on how to prevent unauthorized disclosure of critical technology, classified and export controlled information.

Restricted areas – The restricted area is established to control temporary access to classified material.

Closed areas – Space is approved to store and work with classified material. This involves approved construction and limited access controls to prevent unauthorized disclosure during and after work hours.

Contract security classification specification (DD Form 254) – The cleared contractor is allowed access to classified contracts based on the DD Form 254. The FSO learns how the DD Form 254 is constructed and how to provide input to better meet security requirements.

Security classification guides (SCG) – As the DD Form 254 provides authorization to execute a classified contract, the SCG provides the “how to” instruction.

Security administration and record keeping – This teaches the maintenance of facility and personnel security clearance information as well as all other accountability. The FSO is expected to provide information on personnel clearances, original documentation of the facility clearance, and to demonstrate classified information accountability during the DSS annual security inspection.

Subcontracting – When approved to subcontract classified work, the prime contractor will provide a DD Form 254 to the subcontractor.

The academy issues a certificate, which should be filed for presentation during security audits. FSO training should not end with this course. Career enhancing training is available through various security and management courses. More in-depth online and resident training is available in each of the topics mentioned above. Other agencies may offer further training and certification in special access programs, COMSEC, and intelligence protection. Other training is available in colleges, professional organizations, vendor websites, through books like this one, and within the security community.

 

You can find study recommendations, practice questions and NISPOM links at https://www.redbikepublishing.com/ispcertification/ and https://bennettinstitute.com/course/ispisoctipis/



Security Clearance and Foreign Employment

 


I’ve recently received many emails from people who are curious about security clearances and working for foreign owned companies. Though the volume of those questions has increased, the topic is no longer as surprising as it might have been many years ago.

 

Many years ago, we might automatically assume that working for a foreign owned company would be indicative of highly questionable practices, but maybe not any longer. 

Things have changed. More foreign owned companies are opening doors in the U.S., and Internet opportunities open doors to employment. Working for foreign companies provides new opportunities regardless of borders: investment, teleworking, and creative content services that allow artists to bid on customer jobs have all made this more of a possibility.

But the questions have been pretty vague and hard to answer. 

  • Am I allowed to work for a foreign company if I have a security clearance?
  • Will I be able to get a security clearance if I work for a foreign company?

 

The questions are vague because there are so many scenarios that the questions can reflect. Some scenarios include:

  • You are currently employed by a cleared defense contractor and have a security clearance and want to quit and work for a foreign owned company, and would one day like to return to working with a clearance. This scenario is very risky as you could lose out on future employment, but can be mitigated.
  • You do not have a security clearance, but may one day like to work on classified contracts in some capacity. However you want to apply to work for a foreign owned company. This scenario is less risky because you have nothing to lose other than the possibility of getting a clearance “one day”.

 

There are many other possible scenarios and reasons, all of them different, and my answer would be, “It depends on the scenario”. Additionally, it may depend on the security clearance level, such as SECRET, TOP SECRET SCI, etc.

The bottom line is, can you be entrusted with national secrets given employment with a foreign owned company? Having a security clearance is a very important responsibility. The security clearance holder is responsible for protecting classified information and supporting the security program that protects that classified data.

This opportunity is based on the adjudication process. Security clearance award is provided after the adjudication of the investigation results. Allegiance to the United States and Foreign Influence are two very important considerations that would have to be addressed prior to awarding the security clearance.

There are many ways to adjudicate risks under Allegiance to the United States, Foreign Influence and other adjudicative criteria. There are no automatic answers to these questions since it depends on the situation. Get all the facts prior to taking on such a job, determine your risk level, and develop a strategy to mitigate the risk to your security clearance. 

If you have questions about this or other security clearance topics, visit my consulting site https://www.jeffreywbennett.com or email me at editor@redbikepublishing.com


Three Ways FSOs can Impact the Cleared Defense Contractor

 


The Facility Security Officer’s (FSO) program succeeds by developing relationships with employees, managers and executives that facilitate execution of company policies, necessary security awareness training, employees’ willing self-reporting of security infractions or changes of status, and proactive action toward expired, existing and future classified contracts. Any of the above success measures is difficult to obtain in a changing employee and contract environment, but is simplified through employee and executive buy-in.

How to do this:

The following three points pave the way for a successful security program.

1. Gain executive, manager and work force buy-in. This can be accomplished by first demonstrating a sound understanding of company mission, classified contract requirements and providing sound security policy. Cross cultural buy-in is critical for integrating the security plan into all business units and company operations.

2. Become the “go to” person for all new security challenges. The FSO doesn’t need to be involved in every decision made by cleared employees. However, if a decision involves a procedural change or a degradation in security, contacting the FSO should be an automatic response. Become recognized not only as an expert in NISPOM compliance, but as a part of the team. This will help ensure that all units within the enterprise notify the FSO of any change in the disposition of classified material storage. This integrated system will trigger the contracts, program management, business development and other units to coordinate with the FSO and keep the FSO informed of expired, current, and future contract opportunities and responsibilities.

3. Create a budget based on mission and NISPOM compliance. An obviously important task is to direct the security program to protect classified information. But this is not to be assumed at all costs. Even NISPOM identifies the need to apply economically feasible solutions. The FSO’s task should be to have an award winning program while supporting the company’s primary mission: to make money. The FSO owes allegiance to protecting the nation’s secrets, but will not be able to do so if the company’s profits go straight into the security budget. Do this by becoming a good steward of company resources and developing policy that corresponds with the mission.

More tips can be found in the book “How to Get U.S. Government Contracts and Classified Work”.


Impactful ways to augment security awareness training

 


 

When the Defense Counterintelligence and Security Agency (DCSA) conducts reviews of cleared defense contractor facilities, it goes with a purpose. Its first priority may be to conduct a risk assessment of the classified information in the contractor’s possession. However, DCSA also looks at above-and-beyond metrics that demonstrate commitment to national security, and these attributes are often recorded and rewarded. Here are some ideas Facility Security Officers can employ to demonstrate above-and-beyond NISPOM application:

  • Security fairs – Security fairs are great ways to demonstrate the added value security provides to the cleared defense contractor. The FSO can set up designated booths that provide security solutions and awareness. Examples include:
      • Document wrapping booth – Demonstrate how to properly mark and wrap classified packages. You can take the opportunity to brief courier and other classified transport procedures.
      • Fingerprint booth – As FSO I ordered children’s fingerprint cards. When we had a company picnic, I invited all the parents to come by to get their children fingerprinted. I then turned the completed cards back over to the parents for safe keeping. This provided a service to the company and helped establish personal and working relationships.
      • Document destruction – You can extend shredding and destruction services to employees. Invite them to bring in personal information such as financial records and shred it on site. If you have a vendor that provides the service for you, they may offer to do so in support of the security fair. While there, you can relay the importance of protecting and properly destroying classified, export controlled and privacy information.
  • Interactive designated security focused weeks – You can implement great security training by having theme weeks. For example, you can designate one week for information security, one week for personnel security, one week for general security, etc. During the focus weeks, you can provide educational emails, letters, posters or announcements with the relevant security reminders or training.
  • Security lunch events – I worked with a company that initiated a “lunch with the FSO”. The FSO reserved a conference room, carved out time in his schedule, and invited subject matter security experts to sit on a board. Every employee was extended an invitation to attend the monthly events. The FSO opened the meeting with any updates or reminders of security policy and invited the attendees to ask questions of the subject matter experts.
  • Hosting guest speakers on security related topics – There are great resources that the FSO can call on to provide guest speakers. Fellow members of professional organizations may be happy to help. You can enlist fellow professionals to talk about International Traffic in Arms Regulations (ITAR) compliance or how to escort foreign visitors, or any other subject matter expert on any topic appropriate for your company. You can contact a vendor to talk about their security related products, or bring in a paid speaker or consultant. Also, don’t forget counterintelligence agencies, DSS or the FBI’s domain coordinators, who may be available for such occasions. You might even consider inviting an Industrial Security Professional (ISP) or Industrial Security Oversight Certified (ISOC) guest speaker to discuss the value of hiring employees board certified to protect classified information.
  • Webinars – More and more training is being conducted online. Professional organizations have such material available to paid members, DSS has a catalog of tons of training, and there is lots of free training available online. There are also great vendors who provide training software and hosting for company developed online training. Additionally, many vendors offer already developed online NISPOM training perfect for sending to your employees.

Be sure to visit Red Bike Publishing for books and training.

If you have questions, visit Jeff’s website: jeffreywbennett.com
