Thursday, June 26, 2008

A New Level of Classification?

A buzz has been sweeping the security community since May as folks are notified of the new CUI program. The President has published a Memorandum with the subject "Designation and sharing of Controlled Unclassified Information". This memorandum implements a program designed to encourage the speedy sharing of information with those authorized and to better protect the information, privacy and legal rights of Americans. The Controlled Unclassified Information program is designed to promote proper safeguarding and dissemination of unclassified information.
Many readers may be familiar with the program CUI has replaced. Sensitive But Unclassified (SBU) information had enjoyed protection to a certain level but was not conducive to the necessary information sharing. Controlled Unclassified Information (CUI) provides procedures for a more appropriate Information Sharing Environment.
Controlled Unclassified Information is a designation of unclassified information that does not meet the requirements of Executive Order 12958, as amended (Classified National Security Information). However, protection is necessary for national security or the interests of entities outside the Federal Government. The unclassified information also falls under law or policy advocating protection from unauthorized disclosure, proper safeguarding and limited dissemination. Though not a classification, the controls in place may prove to require significant administrative action.
These controls include assigning two levels of protection procedures identified as standard or enhanced. The standard is marked “Controlled” and the enhanced is marked “Controlled Enhanced”. Likewise, there are two dissemination controls identified with “Standard Dissemination” and “Specified Dissemination”. These controls are combined into one of three possibilities indicating how the unclassified information is to be protected and disseminated:
• Controlled with Standard Dissemination
• Controlled with Specified Dissemination
• Controlled Enhanced with Specified Dissemination
The responsibilities under this memo continue to look like requirements as identified in Classified National Security Information. All information must:
• be protected from unauthorized disclosure
• be properly marked
• be marked so that the markings distinguish CUI text from non-CUI text
• be marked in all media of dissemination, including verbal
Designation of CUI can only be based on mission requirements, business prudence, legal privilege, protection of personal or commercial rights, safety or security. Finally, information cannot be labeled CUI for the purposes of concealing violation of law, inefficiency, or administrative error. The designation cannot be used to prevent embarrassment to the Federal Government or an official, organization or agency; to improperly or unlawfully interfere with competition in the private sector; or to prevent or delay the release of information that does not require such protection.
What does this mean for affected businesses and government agencies? Be prepared to implement the program to allow for proper storage and dissemination. This requires the ability to properly mark the material or provide proper warning before discussing the information. Things to think about include: training employees, developing mail, fax, email and reception procedures, and ordering marking supplies. Also, keep information technology and other business units in the loop of communication. They will need to provide the right support at the right time.
Post 9/11 America is experiencing many new changes as directed from the executive government level. These changes include new ethics, security, safety, and business practices. Those who work with the Federal Government on contract should be prepared to meet the challenges quickly.

Wednesday, June 25, 2008

The Contract Security Classification Specification


As we have addressed over the course of this blog space, industrial security specialists and FSOs play a vital role in protecting our Nation’s secrets. Aside from guidance in the NISPOM, there is another critical piece of information necessary to practicing good classification management: enter the DD Form 254.
The Contract Security Classification Specification (DD Form 254) is a basic agreement between the Contractor/Subcontractor and the User Agency. It conveys the security classification specifications and guidelines for classification, regrading, and downgrading of documents used in the performance of a classified contract.
This agreement authorizes access to classified information in performance of a contract. The DD Form 254 will be provided to both the supplier and cognizant security offices when work is subcontracted to a supplier/vendor requiring access to or generation of classified material.
So why is this important to you? First of all, it provides authorization for a contractor company to hold and/or perform on classified contracts. The DD 254 justifies the need to access classified information and how and where the contractor is expected to perform. This justification also addresses the level of clearance at which the facility and employees should be approved.
It also provides the following information:
• The classification level at which the work will be performed.
• Any caveat access or any special briefing needed.
• Whether we can receive or generate classified information at our facility.
• Whether or not AIS processing is allowed.
• Exchange classified information and/or visit another facility.
• Classify/declassify information and what Security Classification Guides will be used.
• Disposition of classified material involved with the contract.
• Whether or not subcontracting is authorized.
• Any other requirements as set forth by the User Agency.
The DD Form 254 is and should be important to you as the security manager. This tool cuts through the fog of classification management and if addressed correctly, provides a detailed expectancy. This will allow you to better control and account for the materials supporting the work. The DD Form 254 serves as a basis for constructing a detailed and efficient security awareness program.
Be familiar with the contract(s) you are working on. Know the contract numbers as well as what is allowed since each contract is unique. Be able to provide contract or subcontract numbers to security for logging in documents, processing clearances, and preparing visit requests. Better yet, use this tool to become an expert on protecting what your company has been awarded.
The FSO is most effective when involved prior to the contract award. During the premeetings, the FSO can coordinate with other business units and the customer to contribute and request critical information involved in the performance of the contract. The earlier the involvement, the more detailed and less confusing the requirements of the contract.

Friday, June 20, 2008

Elicitation, One Fine Example

The Washington Post ran an article called "Man, 84, Is Charged With Spying for Israel in 1980s." Ben-Ami Kadish had worked for the Army as an engineer. For some years in the 1980s until 1985, he passed documents to his contact, named as Yosef Yagur. Yosef was an experienced agent who had also handled Pollard, another spy convicted and sentenced to life in prison.

Elicitation is a recruiting method that uses subtlety to gain information. It is not an overt or threatening type of interrogation, but one of building relationships and creating consent for further communication and, finally, dedication or commitment to providing information. In the case of Kadish, his handler paved the way by asking Kadish to provide documents to help Israel maintain her security.

Kadish never accepted payment other than small gifts. Theirs was a relationship of socializing. According to the article, Kadish removed documents from his office and provided them to his handler.

You may recall a more recent article where we discussed assessing and addressing real threats to national security. Government agencies and DoD contractors spend incredible amounts of money building fortified structures to keep people out. However, the main threats of secrets leaving the buildings remain.

Industrial Security Professionals can make a difference by providing proper security training and putting controls in place to prevent the removal of classified material. For example, Kadish may or may not have attended training on how to recognize recruiting methods. He may have been an engineer who had a soft spot for Israel. An effective training program would have helped him recognize a recruitment effort and given him options for how to handle it. Many training programs skip over this very important concept.

For example, the training I had received in the 80s warned us of recruiting efforts, putting emphasis on blackmail and more aggressive means of foreign recruitment. However, not much was said about relationship building or how to recognize subtle attempts to gain information. Please do not misunderstand; I am not giving Kadish a break here. He violated national security and should be punished. I am, however, advocating having a security awareness program that addresses real and not perceived threats.

As far as controls, have them in place. Education will create a positive and hopefully voluntarily compliant security culture, but administrative, physical and technical controls need to be in place. For example, Kadish and others engaged in espionage left controlled environments with classified material. How can that go unnoticed? Proper controls to prevent such action include but are not limited to:
• Lock printers and copying devices until approved reproduction occurs. Open printers and copy machines can be used without control and accountability. Assign access codes and monitor the meter.
• Use two person rule for classified processing at all levels.
• Conduct a regular inventory. NISPOM requires annual inventory in all cases, but a risk assessment may indicate need for monthly or quarterly. Inventories will tell exactly what is missing and can provide timely investigation data.
• Account and receipt all classified material at all levels. Review access logs to make sure material has been returned at the end of the day.


Spectacular security depends on training and controls that match the legitimate threat. A fortified building is good, but when was the last time the news reported someone blasting a safe to get to classified materials? The education and controls program should reflect your analysis of the threat.

Thursday, June 12, 2008

Reinvigorating the Network

Even after reading Dig Your Well Before You’re Thirsty by Harvey Mackay and Brag!: The Art of Tooting Your Own Horn Without Blowing It! by Peggy Klaus, nothing less than experience can prepare the professional for the necessity of good old-fashioned networking. This is especially true if security is a new career field, or you are continuing your career in a new company or location.

A career in security is rewarding and challenging. The work is important and people genuinely appreciate our service. The security profession requires a high degree of interaction as our paths cross in training or through contractual execution. However, we are somewhat guarded discussing our business with new or otherwise unknown persons. Security professionals require time to develop trusting working relationships. It’s the nature of the business. Try conducting business over the phone with someone you don’t know. Chances are you had to be cautious and it took a few more interactions before names were finally recognized and working relationships formed.

So, how do we accelerate this networking curve? That’s right, through fostering relationships on the job and in professional organizations such as NCMS or ASIS. Security professionals have a lot of experience that is definitely worth sharing. You may also consider joining committees, volunteering in the community, or sharing your expertise in a few key areas. There are skills that you have and others who are willing to learn.

Some of us are the only ones in the security department. Others are part of a huge security organization. In either case, chances are that you rely on teamwork within your industry, the community and the government. To help become more influential in the good fight of “selling security”, it is necessary to involve all the players. Those in the security industry should network with each other, business leaders, police, firefighters, public safety, local and national government agencies and any other members of the community. The best way to protect our industry and our national resources is to use our force multipliers.

It doesn't take much to network; just willingness to both help and to learn. What you contribute is invaluable and you are never too old to learn from others.

Hire and build the perfect security team

In the best-case scenario, your company is growing and you find yourself reassessing your security team needs. In the worst case, you find yourself severely lacking the personnel required to effectively perform security functions. In either case, it is up to you to hire the perfect employee.

Find the perfect employee? Though a daunting task, it is important that you hire and build a team of excellent security managers. Never, ever settle for a warm body just to get the job done. Many of you know from experience the issues that hiring the wrong candidate brings about.

There are a few good observations about potential candidates that can further them into the hiring process. These include: What does the company value and what do you value as a security manager? We will also cover where to find potential candidates, the interview process and building the team.

First and foremost, all qualified applicants must reflect the company culture. What kind of employee does the company value? You must know this before you begin the search process. If your company values initiative, make sure your prescreen selects thinkers who can execute security functions with limited supervision.

Know yourself and what you value. Obviously your values support the company culture, but here is where you use your “gut” to identify successful people. The successful person must also be mindful of the Government regulations required for the job. For example, if you need to hire someone to manage classified material, they should have an excellent knowledge of the National Industrial Security Program Operating Manual. Your job is to filter technically proficient applicants with initiative to learn and execute security procedures. Then, recommend them for the interview.

How do you find these successful people? First you identify the need and post it with the company. Review your job announcement and make sure it specifically identifies the need and requirements. If not, spend some time editing it. This will prevent wasted time reviewing unqualified resumes.

Word of mouth and networking is another great resource. You never know who might be looking for a career boosting job or different work experiences. Also, consider temporary agencies. They are a resource full of qualified potential applicants.

The next step is the interview. Alright, here is where you need to be the most prepared. Rehearse, rehearse, rehearse! Here is your first impression of the applicant and vice-versa. It is important to find out everything about this applicant considering company culture and qualifications.


Tell the applicant about the job description and the company. Use this time to evaluate their posture, bearing and interest. Then use open-ended questions to assess their capabilities. For company culture consider: Describe a time you made a decision; or, what security initiatives have you implemented and how were they received by management? For industrial security qualifications ask: How do you wrap classified material? Describe how you open a safe. What steps do you follow to send a visit request? Be as specific as possible. Remember, you want to identify someone who supports company culture and is capable of either learning or performing the job.
Finally, once you have made a decision to hire, assimilate this person onto the team. On day one, spend a few hours with your new hire to review company values, introduce them to the team, and further outline the job requirements. Be quick to welcome this person and involve the rest of the team. Later, help foster relationships between coworkers. The best way is to have them train and cross train. This builds cohesion and breaks down pre-existing barriers. Your team will communicate better and appreciate your decision to hire this applicant.

With practice and the right skills your journey to hiring the perfect candidate and building a great team will be rewarding. Know your company, your requirements, identify qualifications, rehearse and conduct the interview, then build your team.

Jeff Bennett is the founder of ISPCert.com and currently serves as the Vice Chair of a local chapter of NCMS (Society of Industrial Security Professionals). He has written a study manual for the NCMS' Industrial Security Professional Certification. For more information on Jeff's articles and ISP Certification, please visit www.ispcert.com. If you desire to schedule a speaking engagement, please contact Jeff at www.ispcert.com

Travel should include a "plan b"

An article in the Post Tribune, "Diverted United passengers stuck at Gary airport six hours," demonstrates the uncertainty of weather, airline schedules and logistics for passengers travelling within the United States. This is not the first report of unscheduled layovers or flight delays and some reports indicate that passengers could face many more. With this in mind, security managers and company employees who travel should be aware of the implications and have backup plans.

These backup plans are especially vital when traveling with sensitive and classified materials. When employees travel with classified material, they have a responsibility to account for it 100% of the time. This is difficult under trying circumstances filled with stress and disappointments. Passengers can experience long lines through TSA checkpoints, cramped cabins and times when maintaining visibility over carry-on items is extremely difficult.

When at all possible, classified items should be stored in an approved location. The traveler makes every attempt to make it to the indicated destination in the appointed time. If not, plans should include making arrangements ahead of time with a government entity. Good travel plans include contacting approved locations for storage arrangements in case of delays or missed flights. The Facility Security Officer or other security entity can contact their cognizant security agency to find approved locations or help coordinate temporary storage should travel plans suddenly change.

Contingency plans are an extremely vital part of transporting classified material. The FSO plays a vital role in helping the company courier make the necessary plans to deliver the information to the destination at the appointed time. Work out the plans with the courier, rehearse those plans, and coordinate for alternate storage locations with the cognizant agency.

Monday, June 2, 2008

Are you ready for the challenge?

According to the headline from Defense News, "U.S. Defense Tech Security Called 'Swiss Cheese'," the defense industry is in for increased challenges with international operations. Obviously this should alert FSOs and security specialists to a whole new world of subcontracting or outsourcing defense work to foreign countries. This story has been going on for a while now as major news sources report the “benefits” of a weaker U.S. dollar. These benefits include the ability of foreign countries to do business with U.S. industry.

Foreign countries now have more money to pay for our products and services. This is very attractive and appealing to U.S. companies needing the cash. This can be good news if the business is conducted properly. Well prepared industrial security professionals know how to address these challenges and lead their companies to compliance success.

What can security do? First of all, stay abreast of company activities and develop relationships with contracts, purchasing, business development, and program managers. Part of the relationship is ensuring that they know the compliance issues raised with conducting business with foreign countries. Foreign Ownership Control and Influence as well as International Security Operations are detailed in the National Industrial Security Program Operating Manual (NISPOM). Exporting technology is addressed in the International Traffic in Arms Regulations (ITAR).

Learn to speak the language of business and discuss the security and compliance issues in the language of the business unit. Selling security through fear or spouting regulations is not the most successful policy. Business leaders at all levels want to be successful and know that they have to follow government regulations. You can develop tremendous credibility guiding them through the many requirements.

Finally, security practitioners conduct continuous risk assessments. Industrial, corporate and other types of espionage are a real threat. Train employees to be responsible with proprietary and national secrets. Make the training contract specific to prevent any unauthorized disclosure of those secrets. Also, develop technology control plans to prevent accidental export violations and practice, test and re-assess continuously.

It is up to industrial security professionals to ensure that DoD contractors do not contribute to the Swiss Cheese description. Know what the business trends are, learn how to work them into the requirements of NISP, and work closely with your oversight agency or Defense Security Services representative.