Monday, November 23, 2015

Unclassified Controlled Technical Information



What to protect; decisions, decisions. It seems that there are acronyms developed with the ingenuity and fluidity of American innovation. The same innovation that enhances our military capability also comes with a set of warnings and new titles and acronyms that demand increased attention. While new acronyms and technology protections are identified, reliance continues on fundamental protection measures that rarely change.

More and more evident is the growing volume of U.S. defense information categories that demand protection and are not necessarily classified. If not identified and protected, unclassified U.S. defense information could be accessed by unauthorized persons.

Unclassified defense information comes in many forms and acronyms includes military critical technology, proprietary information, intellectual property, company secrets, Export Administration Regulation (EAR), International Traffic in Arms Regulation (ITAR) controlled technology, controlled unclassified information (CUI) and the most recent unclassified controlled technical information (UCTI).

Some U.S. defense information categories and definitions include:

  • Espionage
    • Gathering, transmitting or losing defense information 
    • Gathering or delivering defense information to aid foreign government 
    • Photographing and sketching defense installations 
    • Use of aircraft for photographing defense installations 
    • Publication and sale of photographs of defense installations 
    • Disclosure of classified information 
    • Economic Espionage Sec. 1831 of Economic Espionage Act of 1996
      • Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly--
        • steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
        • without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;
        • receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, Obtained, or converted without authorization;
      • Trade Secret Theft Sec. 1832 of Economic Espionage Act of 1996
        • Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly
          • steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
          • without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
          • receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization
      • ITAR Violations
        • Export means: 
          • Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or 
          •  Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or 
          • Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or 
          •  Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or 
          •  Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad. 

      The lesson is that significant effort and thought should go into protecting sensitive unclassified U.S. defense information. Developing a security program to protect sensitive unclassified information may require more innovation than that of understanding how to protect classified information. Classified information handling instruction provides much stronger wording. For example, recipients of TOP SECRET, SECRET, and CONFIDENTIAL information are directed to protect this information with GSA approved security containers, security in depth, intrusion detection devices and much more depending on the classification level. In fact, there are entire manuals written depending on agency and their contractors. For the Department of Defense the National Industrial Security Program Operating Manual (NISPOM) provides a few hundred pages on how to protect classified information.

      However, for unclassified U.S. defense information the defensive measures depend primarily on the analysis and innovation of those holding it. True, the ITAR, EAR and some DoD publications speak to protection of sensitive unclassified information, but the guidance is high level and subjective. For example, the NISPOM limits access to classified information to security clearance and need to know and a time proven classification system. It also requires specifications for locks and security containers that protect classified information. On the other hand, sensitive unclassified information does not address background investigation or requirements for industry other than to prevent access by non-U.S. persons. Also, unclassified hard copy requires securing in a locked desk or drawer and shredding or ripping into pieces. These might be adequate in general terms but are subjective to the quality of desk and size of the shredded pieces as well as any credible threat.

      At this point it is good to consider the guidance as a minimum and plug in a risk analysis of the defense information within organization as the added ingredient. Once established, the FSO should develop a security awareness training program to assist with enforcing the message.

      Unclassified U.S. defense information should be protected with a well-designed security system. Though not classified, this information could impact national security if access by unauthorized persons. Therefore, it should be identified by title and location and limited not only to U.S. persons but also by need to know of the information.



      Stay plugged in for future articles and information on building that security program to protect sensitive unclassified U.S. defense information. Sign up for our newsletter to keep up to date.


      Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

      Monday, November 9, 2015

      Approval of Open Storage-The Self Inspection Handbook for NISP Contractors

      HTTP://www.redbikepublishing.com
      In this installation of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we’ll review the  National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-306b. Here is the question:                                          
               
      5-306b       Has DSS approval been granted for the open shelf or bin storage commonly known as “open storage” of documents in Closed Areas?

      Though we have covered the storage of classified information in earlier articles, this writing will address storage of classified information specific to these closed areas. See if you can find the differences.

      According to NISPOM paragraph 5-306b, open shelf or bin storage (hereinafter or “open storage” of SECRET and CONFIDENTIAL documents in closed areas requires Cognizant Security Agency (CSA) approval. Prior to approval, DSS will consider open storage of material and information system (IS) media based on the cleared contractor meeting the following:
      • Limited storage space required for storing classified information (product is too large to fit in a GAS approved security container); or, the performance of classified work (operational environment) requires open storage.
      • Access to the open storage area is limited to those with adequate security clearance and need to know of all information in the open.
      • The entrance doors to the area are equipped with GSA-approved electromechanical combination locks that meet Federal Specification FF-L-2740.
      •  For SECRET material, the area is protected by an approved intrusion detection system with a 30-minute response time, as well as security-in-depth (SID) as determined by DSS. For open storage areas lacking sufficient SID, a 5-minute response time is required.
      • For CONFIDENTIAL material, no supplemental protection or SID is required.
      •  The open storage area is within a facility, or specific portion of a facility, determined by DSS to have security-in-depth based on the following criteria:
      •  The contractor has documented the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, or specified portion of the facility in which open storage is approved. During self-inspections, the contractor must review the effectiveness of these controls and report any changes affecting those controls to DSS.
      • At a minimum, the contractor has considered the following elements in their security-indepth assessment:
      • Perimeter controls
        • Badge systems when the size of the population of the facility render personal recognition impracticable
        • Controlled access to sections of the facility in which classified work is performed
        • Access control devices when circumstances warrant

      The difference between storage of classified information in a GSA approved storage contain and open storage could be addressed by considering the outer perimeter of the closed area as a “GSA approved container” requiring additional supplemental controls. Where the storage SECRET is adequate in a GSA approved security container (unless a risk assessment requires supplemental security), open bin storage of the same level of classification requires proper construction of the closed area plus the additional alarms and monitoring to provide the secure barrier.

      For example, XYZ Contractor may store SECRET and CONFIDENTIAL information for one contract in 5 drawer GSA approved security container. All documents, hard drives, and other classified media fit nicely and are checked out and turned in as appropriate.

      However, on another contract the classified material is large and bulky and will not fit in a GSA approved container.  The closed area is inside of an access controlled facility and constructed as outlined in the NISPOM. Additionally, access is limited to those with the appropriate security clearance and Need to Know of all classified information. At night the room is safeguarded with the intrusion detection and security in depth.

      RESOURCE:  ISL 2012-04 Open Shelf or Bin Storage under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html



      VALIDATION:

      Pose all closed area requests, justifications, and inspections where they can be easily and readily accessed for audit, inspection or review.

      Post all closed area approvals where they can be easily and readily accessed for audit, inspection, or review.

      Provide demonstration and documentation of specific layered and complementary security controls where open storage is approved. Consider the following:

      • Perimeter controls

      • Badge systems when the size of the population of the facility render personal recognition impracticable
      • Controlled access to sections of the facility in which classified work is performed
      • Access control devices when circumstances warrant
      Demonstrate and document the self-inspection review of the security controls and their effectiveness

      Document any report any changes affecting those controls to DSS for review, inspection, or audit.