Friday, February 22, 2013

Using Traditional Security Tools in Unique Ways-Moving from Security to Risk Management


When Facility Security Officers and security specialists build security programs, we tend to use tools to remind employees of their responsibilities. We use security training to get the information out, enforce clean desk policies and post reminders of classified information in progress. Each tool notifies the holder of classified information that they are in possession of classified information, that they must protect it, and that they must properly dispose of it when they are done. The same tools can also be used to protect proprietary data, intellectual property and personnel information.

But sometimes even good tools become mundane and no longer give the impact they once did. Sometimes tools are misused and never give the impact they were originally designed to give.

Let's look at a few tools from a risk management perspective with some "out of the box" suggestions. What unique ways can you employ traditional security methods?

Security training-Cleared employees who have performed on classified contracts for any length of time are experts in the programs and technologies they work on. They probably know the classification guide backwards and forwards and understand how to protect the information. Newly cleared employees may not understand it so well. It's important for the FSO to understand these differences and train accordingly.
Out of the box: Develop training to meet your employee needs based on your analysis of capabilities. One way to do this is to survey employee experience level. You might get supervisors and HR professionals involved.

Enforce clean desk policy-Even experts can become complacent and perhaps forgetful. Develop a policy that classified information is used only in a designated area. This designated area could be an approved room or even the employee's office. Cleared employees should understand that only materials assigned to the contract should be out, so that there is no confusion over clearance or need to know. At the end of the day, the program information gets locked up properly.
Out of the box: If classified information is centralized, use a sign-out process to track the removal of classified information. If a cleared employee accesses a classified document, that transaction can be annotated. The custodian also ensures the classified information is turned in prior to end of day, lunch or other occasions. If there is no centralized storage or no custodian, the document can still be annotated with a signature that links the document to the SF 702 entry (if a container is opened, it is probably to take out or replace a document).

Post reminders of classified information in progress-A desk tent or door handle reminder helps. If a rushed employee has to take lunch, meet a spouse or attend a last-second meeting, they will be met with a "Classified Work in Progress" notification and will secure the material properly. Also, if the phone rings, they'll remember to respond with "phone is up".
Out of the box: If classified information is centralized, the custodian can issue the desk tents or door hangers. When there is no centralized area or custodian, the cleared employee would pick up a conveniently located reminder (near security container).


You might already employ imaginative and unique ways. Tools not only provide training and reminders; they can also be set up to provide metrics for program improvement.
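As an added illustration (not from the original post), here is one way the sign-out process and the custodian's end-of-day check described above could be recorded so that the same records also yield the program metrics mentioned here. Document numbers, employee names and the container label are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class CustodyLog:
    """Sign-out log for classified documents held in a central container.
    Each entry records which container was opened, so a log line can be
    reconciled against the matching SF 702 open/close entry."""
    records: list = field(default_factory=list)

    def sign_out(self, doc_id, employee, container, when):
        if doc_id in self.outstanding():
            raise ValueError(f"{doc_id} is already signed out")
        self.records.append({"doc": doc_id, "who": employee, "container": container,
                             "out": when, "in": None})

    def sign_in(self, doc_id, when):
        # Close the open entry for this document; False if nothing is open for it.
        for r in self.records:
            if r["doc"] == doc_id and r["in"] is None:
                r["in"] = when
                return True
        return False

    def outstanding(self):
        # Documents still out: the custodian checks this before lunch and end of day.
        return [r["doc"] for r in self.records if r["in"] is None]

    def metrics(self):
        # Program metrics derived from the same records the custodian already keeps.
        closed = [r for r in self.records if r["in"] is not None]
        hours = [(r["in"] - r["out"]).total_seconds() / 3600 for r in closed]
        by_employee = {}
        for r in self.records:
            by_employee[r["who"]] = by_employee.get(r["who"], 0) + 1
        return {"transactions": len(self.records),
                "open_at_check": len(self.outstanding()),
                "avg_hours_out": round(sum(hours) / len(hours), 2) if hours else 0.0,
                "by_employee": by_employee}


def end_of_day_sample():
    # Constructed sample day: IDs, names and the container label are made up.
    log = CustodyLog()
    log.sign_out("DOC-0001", "A. Smith", "CONTAINER-1", datetime(2013, 2, 22, 8, 0))
    log.sign_out("DOC-0002", "B. Jones", "CONTAINER-1", datetime(2013, 2, 22, 9, 30))
    log.sign_out("DOC-0003", "A. Smith", "CONTAINER-1", datetime(2013, 2, 22, 13, 0))
    log.sign_in("DOC-0001", datetime(2013, 2, 22, 12, 0))
    log.sign_in("DOC-0002", datetime(2013, 2, 22, 16, 30))
    return log.outstanding(), log.metrics()  # DOC-0003 was never turned in
```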

We'll have more examples in future posts and articles. However, for more information on security management and NISPOM see our book DoD Security Clearance and Contracts Guidebook.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Wednesday, February 13, 2013

Understanding Export Compliance by Technology, Not Intended Purpose


Several years ago I became aware of a situation where a defense contractor’s export compliance officer was approached by a business development manager about an opportunity. The business manager stated that the company was pursuing a contract with a foreign country to sell them an export regulated material. Though the material was clearly designed for military use, the business manager rationalized that the application was for civil and not military use. She rationalized that since the transaction would not be for defense application, the company should not need to seek an export license.

Though there is guidance for what and how to export, many export issues are unique and may not be fully understood until the export compliance officer asks the right questions and gets the full story. What matters is not the intent of the transaction, but the technology, product or item being transferred.

Recently a company was fined for violating an export law by shipping a controlled chemical. In another case, a company was charged with providing technical drawings to a foreign country. A few years ago a US citizen brought his laptop containing export controlled information to a foreign country. Though he had no intention of sharing the information, he still had no license to export it.

While he was on travel, Chinese officials accessed his computer and downloaded technical information. The employee faced charges even though he did not willingly provide the data. He had brought the computer and technical information to China without approval.

Lack of understanding in the above cases did not provide a good defense. The lesson is that though the US Government values international business, US companies must understand export laws and operate within them.

In the above cases, the individuals involved could have prevented violations had they understood how to identify technical data under export controls. Such information is available in the International Traffic in Arms Regulations (ITAR). The ITAR contains the United States Munitions List (USML). The USML is a listing and explanation of export controlled defense items and services.
Also, those involved in the above offenses may not have understood the definition of export. A familiar export example is providing a product or service to a foreign entity for a fee. In that case the exporter usually understands that a license and other permissions are necessary.

However, the definition of export is more expansive. As in the example of the employee inadvertently providing information while on travel, exports do not have to involve a formal sale. Exports can be performed by shipping items, by oral and written communications, by messenger service, etc. Export also includes bringing a technical item or service to another country and providing information on paper, through multimedia presentations or in an interview. Something as mundane as a non-US person viewing controlled information on an unattended computer screen constitutes an export. In all situations, US persons should protect and control defense products and services according to the ITAR.

The ITAR states, “Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register...”. This wording does not leave much room for any other interpretation. All US persons or organizations involved with making Defense articles or providing defense services must register with the State Department’s Directorate of Defense Trade Controls (DDTC).

Additionally, the Defense Federal Acquisition Regulation (DFAR) states, "It is the contractor's responsibility to comply with all applicable laws and regulations regarding export-controlled items." It is in the company's best interest to understand export laws and how they apply to the organization's mission. The responsibility to identify export controlled information and provide proper protection falls exclusively on the organization. The company should exercise due diligence and know when and how to seek export approval.

Some defense contractors may not immediately understand these responsibilities. The primary resource for guidance concerning the export of defense goods and services is the ITAR. The ITAR walks a defense contractor through their responsibilities including:

  • Which defense contractors should register with the DDTC?
  • Which defense commodities require export licenses?
  • Which defense services require export licenses?
  • What are corporate and government export responsibilities?
  • What constitutes an export?
  • How does one apply for a license or technical assistance agreement?

Remember the earlier example of my business manager? Fortunately I was able to reference the controlled item in the ITAR while consulting our business development manager. I was able to demonstrate that the item had a dual use application. One use was civil and the other was military. In such situations, the State Department has jurisdiction. We were able to request and receive proper authorization to export the item.

Each export situation is unique. Always refer to the source (ITAR) and consider employing knowledgeable export compliance officers, attorneys or consultants experienced in the export of defense articles and services.



Tuesday, February 12, 2013

Aggressive Anti-Insider Threat Programs for The Rest of Us


Engage your company with the aggressive insider threat countermeasures that the government and contractors apply to ensure a good security program. One of the best applications is the continuous evaluation program used by cleared contractors and their cleared employees.

Though applied to those with government security clearances, it can be adapted to benefit other enterprises as well. Of course you will have to consider legal guidance and the protection of personal information.

Here's how it works in the defense contractor community. An employer determines an employee requires a security clearance based on a defense contract requirement. Once the contractor submits a security clearance request, the employee is subject to a rigorous background investigation and adjudication process. If results are favorable, the employee is granted a security clearance.

So, why not continue this process throughout the cleared employee's employment?

Responsibilities don’t stop with granted access. These now cleared employees are given a periodic review every 5 to 15 years depending on clearance level. During the periodic review, the investigation and adjudication process is repeated.

Throughout their employment, cleared employees are required to report any information that could lead to a determination that a cleared employee has become a security risk. This is called adverse information reporting. Cleared employees are required to report adverse information on themselves and on other cleared employees. Failure to report could be discovered during the periodic review.

Why the drastic measures?

You might recall news articles about captured spies. Many were enterprise employees who provided unauthorized information to unauthorized persons. Experience demonstrates that these employees had displayed signs and habits related to their intent. Extra time at the copy machines, unauthorized collection of data on storage devices, taking work home, emailing sensitive information, etc. provided indicators of mal-intent. These days, it should be well understood in the National Industrial Security Program (NISP) community that employees help monitor insider threat.

The NISP has tied such reporting to job performance and future employment (think report or perish). To be successful, FSOs provide NISPOM based programs staffed with well trained, knowledgeable and dedicated employees. This plan will help curb insider threat.

Continuous evaluation involves identifying reportable information. So, why not apply a degree of continuous evaluation to address any behaviors that would identify employee security risks or insider threats? If your company performs sensitive work, you are already aware of risks to product, proprietary information, trade secrets, personal information, etc.
So, why go through the excruciating work of identifying classified, sensitive, proprietary, intellectual or other information, only to be unable to control what employees do with it?

How does reporting help?

Reportable information involves a long list of events that may be far too involved to memorize. That's where your NISPOM training comes in. It's not as important to be able to recite the reportable incidents as it is to understand why they are reported. In other words, the impact of adverse information matters more than the laundry list of reportable items.

The best approach is to explain the impact that spies have had. Many cleared employees had observed reportable behavior and failed to report it. The cost of not reporting has been lives, programs and damage to national security.

What’s the best method for instituting a reporting program?

Break down the long list of events into bite-size portions or categories and define the impact to the enterprise and to national security of failing to report the adverse information.

You will not see an exhaustive list of the reportable information in this article. However, I can relay to you that continuous evaluation involves identifying reportable information. Though you might not have employees with security clearances, you've hopefully instituted background checks. These checks typically look into:

  • Credit
  • Education
  • Past jobs
  • References
  • Criminal records


Many sources are used to get a clear 360 degree understanding of the person the company is hiring. So, why not apply a degree of continuous observation to address any behaviors that would identify a risky employee? If your company performs sensitive work, you are already aware of risks to product, proprietary information, trade secrets, personal information, etc. The following is a list of events you might adopt into your continuous observation criteria:

  • Corporate espionage
  • Theft
  • Sabotage
  • Sexual harassment
  • Drug and alcohol abuse
  • Employee relations


Some reporting requires a great deal of personal integrity, because the subjects are co-workers or friends, or because the reportable issues are personal ones that nonetheless justify a security report.

The point is that the greatest risk to proprietary information and product comes from within the organization. Yes, trusted and vetted employees pose a significant risk. The cloak and dagger image of spies is just a small portion of it.
Since this is the greatest threat, why not take time to develop a program to ensure employees continue to demonstrate the ethical and legal behavior that earned them their employment in the first place? Identify what needs to be protected, enforce clearance and need to know, and foster a healthy reporting environment. If not, an employee could volunteer, be pressured or be coerced to steal data or items.

For more information on the NISPOM and related security matters, see DoD Clearances and Contracts Guidebook. Many of the lessons can be applied at non-DoD enterprises.
