The Opportunity
If employed by a defense contractor, chances are that you perform work on goods and services for research and development of a weapon system or other new capabilities. That being the case, the DEFAULT focus as a Facility Security Officer (FSO) or security specialist is on technical data.
The problem is: while there is abundant guidance on protection of classified information (proscriptive regulation, aka NISPOM), bridging the GAP between classified and sensitive, and protecting unclassified information, is of utmost concern. Here is where FSOs can really provide value to the enterprise.
The Problem
Take a look at this paraphrase from Allen Dulles' book The Craft of Intelligence:
In the 1950s the US Congress was concerned that there was just too much technical information available on government programs. From that concern, they commissioned researchers to assemble as much information from the public domain about a particular program as they could. The group scoured libraries, newsstands, TV, radio and other media common to the decade and provided a report. As a result, the government determined the information to be classified, safeguarded the information and disbanded the group. The lesson: intimate program details were not properly identified, marked and protected.
The best result is we learned a valuable lesson and no longer have to worry about sensitive information appearing in the public domain, NOT. Here is a modern-day example:
Recently the State Department reacted to an ITAR violation where Georgia Tech Research Institute (GTRI) made ITAR-protected training available on their website.
In this case, the US Government had identified the information as ITAR controlled, but GTRI mistakenly made it available to both US and foreign nationals. See story here:
In the first example, sensitive information was not properly identified and therefore could not be handled appropriately. As a result, compiled information became classified. The second example demonstrates what can happen when information is properly identified and marked, but handling is not fully understood.
There are many other accounts of technology that is passed through theft, public release, presentations, white papers, patents, etc. How do we solve such problems?
Incorporate an enterprise-wide, comprehensive system of identifying sensitive information by owner and technology, then limiting distribution. For example, where NISPOM gives guidance on how to protect information already identified as classified, proprietary information, ITAR-controlled technology, intellectual data and others aren't always given the same level of scrutiny.
Protecting company sensitive information
This may need to be performed at the contractor level. Once sensitive items are identified, intimate program details should be cataloged and documented. Those who work with and handle the technical information can then fully understand who owns it, how to get access to it and how to properly limit distribution.
Be sure to include technical information owned by customers and vendors.
Employees should understand how to properly handle sensitive information of outside organizations. If it's not clear, ask.
Finally, any technical information that is legitimately distributed should be distributed only with a joint understanding of how to use and further distribute the technical data.
Jeffrey W. Bennett, SFPC, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.