Friday, May 17, 2019

Risk Management without Threat Reports



The insider threat is, by its very nature, a difficult threat to face. As professionals operating in a National Industrial Security Program Operating Manual (NISPOM) environment, we acknowledge the existence of these trusted but potentially deviant employees without really addressing the issue. Of course we conduct the required insider threat program training, document it, and report the existence of our insider threat programs as required. In other words, it is easy to recognize that the potential for an insider threat exists. We can even assign an impact level should an insider go to the dark side, but few can go beyond recognition to implementing preventative measures.

What if you can’t identify a threat, do you still have a risk?
Insider threat programs and training requirements spend much effort on convincing us that the insider threat is "real" and that, if activated, it can cause a level of "damage" to national security that depends on the level of classified information exploited. However, the mitigations are not well discussed. Many are looking for some level of threat assessment before they assign a risk rating. It's the old formula so often used: Likelihood (or Feasibility) x Impact (or Severity) = Risk (L x I = R, or F x S = R). The likelihood or feasibility part of the formula is typically derived from an identified threat. The danger lies in not having a smoking gun or a specifically identified threat, which is usually the case. For example, if we have no indication that employee X is going rogue, no threat report and no adverse information on the employee, then we have no countermeasures to implement. In this case, well-meaning security managers may not see the need to apply countermeasures.

This is what the continuous evaluation process should expose. However, the logic would have you remove the threat that the evaluation process revealed. The truth may very well be that if you had a credible threat report on a cleared employee, the mitigation would be to fire them or separate them from the classified work. Thus you get rid of the risk and no longer have a threat.

Let’s propose another way to perform risk management.

What if there was no smoking gun? What if you had no threat report? What’s the next step?
One solution is to assume a threat. Consider Manning and Snowden. Both are poster children for the insider threat: trusted cleared employees, one military and one contractor. Both performed their missions successfully and were probably rewarded for great work. However, they exfiltrated classified information without anyone's knowledge until the damage was done. By then it was too late.

Many who perform risk assessments fully capture the impact an insider can have on the mission of the organization as well as on national security. Without an actual threat report from a credible source, they are still able to consider that a threat may exist from the inside and assign a risk level. We can see this application of a notional threat often in the loss prevention disciplines of major corporations, banks, casinos, and stores. Even though most employees are honest and hardworking, some may be rogue.

These risk managers are not tasked with identifying which employees will go bad; they are only tasked with making it harder for rogue employees to steal. They employ mitigations such as audits, security cameras, anomaly searches and high-tech solutions to catch thieves in the act.

How can this be applied by Security Managers?
Security managers can make it more difficult for an insider to sabotage a program or steal classified information using the following steps:
  •       Determine what high value items exist: classified information, personally identifiable information, technical data, proprietary data, etc.
  •       Determine where high value items exist: security container(s), location in the building, computers, warehouse, etc.
  •       Identify who has access to the high value items, by name and location.
  •       Use technology or locking devices to prevent access by unauthorized persons: GSA security containers, high security locks, password protection, segregated networks, segregated computers and hard drives.
  •       Control access to printers, faxes and computers. System administrators, ISSMs, ISSOs and others can use technology to limit downloads, print jobs, copying, etc. Technology can monitor and approve who conducts these tasks, the time of day, and the amount of data transferred.
  •       Require permission to access high value items: an employee's use of information technology should be treated as a privilege that is approved, monitored and audited by an authority, with violations reported.
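The last three steps above (a named access list, limits on who may print, copy or download, and monitoring of time of day and data volume) can be checked against an audit trail. The following is an added example, not code from the original post or from Red Bike Publishing: it reviews constructed sample audit records for a hypothetical classified file share and flags three conditions that a security manager assuming a notional insider threat would want to see: a user not on the authorized list, activity outside approved hours, and a user whose cumulative transfers in a day cross a volume ceiling. The user names, device names, hours and byte limit are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit records (not real data):
# <timestamp> <user> <action> <bytes> <device>
SAMPLE_LOG = """\
2019-05-13T09:12:04 alice PRINT 2100000 PRN-CLS-01
2019-05-13T10:40:51 bob COPY 850000000 USB-PORT-07
2019-05-13T11:05:17 carol DOWNLOAD 120000 SHARE-CLS
2019-05-13T22:47:33 alice DOWNLOAD 4000000 SHARE-CLS
2019-05-14T14:02:09 dave PRINT 300000 PRN-CLS-01
2019-05-14T15:30:00 alice DOWNLOAD 600000000 SHARE-CLS
2019-05-14T16:10:00 alice DOWNLOAD 500000000 SHARE-CLS
"""

# Policy assumptions for the example (hypothetical values).
AUTHORIZED = {"alice", "bob", "carol"}   # named access list for the high value items
WORK_HOURS = (time(7, 0), time(18, 0))   # approved window for print/copy/download
DAILY_BYTE_LIMIT = 1_000_000_000         # per-user, per-day transfer ceiling


def parse_log(text):
    """Turn the whitespace-separated audit lines into event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes, device = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "bytes": int(nbytes),
            "device": device,
        })
    return events


def review_events(events, authorized=AUTHORIZED, work_hours=WORK_HOURS,
                  limit=DAILY_BYTE_LIMIT):
    """Return a list of findings; each is a dict with kind, user, when and detail."""
    findings = []
    per_day = defaultdict(int)  # (user, date) -> bytes transferred so far that day
    for ev in events:
        when = ev["ts"].isoformat()
        # 1. Access by someone not on the named access list.
        if ev["user"] not in authorized:
            findings.append({"kind": "unauthorized_user", "user": ev["user"],
                             "when": when,
                             "detail": f"{ev['action']} on {ev['device']}"})
        # 2. Activity outside the approved time-of-day window.
        t = ev["ts"].time()
        if not (work_hours[0] <= t < work_hours[1]):
            findings.append({"kind": "after_hours", "user": ev["user"],
                             "when": when,
                             "detail": f"{ev['action']} at {t.isoformat()}"})
        # 3. Cumulative daily volume crossing the ceiling; flagged once, at the crossing.
        key = (ev["user"], ev["ts"].date())
        before = per_day[key]
        per_day[key] += ev["bytes"]
        if before <= limit < per_day[key]:
            findings.append({"kind": "volume_exceeded", "user": ev["user"],
                             "when": when,
                             "detail": f"{per_day[key]} bytes on {key[1]} exceeds {limit}"})
    return findings


if __name__ == "__main__":
    for f in review_events(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:18} {f['user']:6} {f['when']}  {f['detail']}")
```

Run against the sample records, the review yields three findings: alice's 22:47 download (after hours), dave's print job (not on the access list), and alice's second large download on May 14, which pushes her daily total past the 1 GB ceiling. None of these requires a threat report on any individual; the thresholds themselves encode the assumption that an insider may exist.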


The traditional risk model includes identifying a threat. Many who use the traditional risk model find themselves inadequately protecting high value information because there has been no history of adverse activity and they have not identified adverse activity from trusted employees. However, a good risk assessment assumes that a threat exists and works to ensure authorized employees operate only as permitted.

If you would like more information on insider threat training, just visit http://www.redbikepublishing.com/insiderthreat/

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Security Responsibilities, Extra Duties and CDCs

Periodically, Defense Security Services conducts reviews of the Cleared Defense Contractors (CDC) under their purview to ensure classified information is protected according to NISPOM and contractual requirements. Inherently, there are tasks that the CDC must complete to demonstrate compliance, and these tasks are outside the scope of what the contractor usually charges their customer. If the CDC does not account for the costs of maintaining classified information, those costs come out of hide. In many cases, small CDCs of just a few employees work full time on classified contracts and then spend extra hours demonstrating compliance, extending beyond the 8 hour day.

Documenting evidence of compliance is a challenge that many Cleared Defense Contractors (CDC) face. Compliance is checked through reviews and audits conducted by customers to ensure contractual and government requirements are met. The best practice for CDCs includes conducting self-inspections and documenting events to demonstrate how the CDC incorporates the inspectable items into daily practice and weaves them into the corporate culture.

Depending on the CDC's size and scope of work, the administrative and compliance challenges grow with the size of the staff. The fewer the supporting staff, the larger the workload for each employee. For example, in a CDC with 1000 or more employees, the security staff may include a Facility Security Officer with a dedicated staff of 4 or more employees running a security program designed to protect classified information. This staff addresses personnel and facility security issues including classified contracts and subcontracts, security awareness training, maintenance of security clearances and investigations, annual self-inspections, etc. The dedicated overhead staff can focus on Defense Security Services (DSS) reviews and customer security requirements.

For smaller CDCs, this work may be spread among employees who perform security functions in addition to other duties. It is not unusual in these cases to see a CEO or other senior executive function as the FSO, or an engineer working on classified contracts also charging overhead to conduct FSO duties. Smaller CDCs are still required to perform the functions of an FSO regardless of the size of the organization. Even if they have a full time job running the company or designing the latest high tech weapon, they still need to carve out valuable time to address personnel and facility security issues and meet customer and DSS requirements.

One excellent way to meet these administrative requirements is to have employees log on to the DSS CDSE website, take classes and print off the certificates of completion. This requires the employees to create an account and register for the classes. Another method is for the CDC to create its own training, present it to the employees, and keep a sign-in sheet to show that they attended the required training.

Some events that are required to occur prior to each DSS inspection include:
·         Performing a self-inspection. DSS has a self-inspection guide book that CDCs can download and use.
·         Conducting required training. DSS offers courses employees can take on the following topics (these training topics are also available to download and present from Red Bike Publishing):
o   SF312 briefing for cleared employees. Newly cleared employees must be briefed on how to protect classified information.

While larger CDCs have a dedicated staff of security professionals to address security and compliance, smaller CDCs don't have that luxury. More time and effort is required to research, implement and then document compliance. There are some things small CDCs can do to better manage the requirements, and we hope these newsletters and articles help. If you know of someone who can benefit from these articles and newsletters, please share.


Wednesday, May 8, 2019

How FSOs can Influence SCGs and DD Forms 254

I recently interviewed Joe and Terri Farkas, the owners of The Management Analysis Network. Both have built a thriving business based on their expertise in risk management, program protection, and security.

Security Classification Guides (SCG) and DD Forms 254 exist to provide classification guidance and to set expectations for how the Cleared Defense Contractor (CDC) is expected to perform on classified work. The MAN recommends that the CDC and FSO become involved in classification guidance activities such as helping build SCGs and setting expectations for the DD Form 254. Some practical ways to participate include asking classification questions, challenging classification guidance as appropriate, and taking other measures to ensure information is classified appropriately, both to protect it and to ensure resources are not wasted through over-classification.

FSOs can sit in on classification discussions and provide guidance on what should and should not be classified, including the levels at which it should be classified. For example, they can provide stick and rudder guidance to ensure information is not classified to hide embarrassing activity or cover up a crime.

Those participating in classification guidance should first determine what to protect and how to protect it. Then they should consider where the classified information exists while assuming that there is a genuine threat, especially the insider threat. Assume also that practical vulnerabilities exist that make the classified information available to be exploited.

Once the classified information is identified and the threats and vulnerabilities are determined, the working group should consider the impact of unauthorized disclosure as a level of "damage" to national security. Traditionally, an Original Classification Authority determines classification levels based on the perceived "damage" to national security. However, the level of damage is often a gut check and should be based on something more precise.

So, how should one ascertain impact?

When making a classification decision, participants should not do so based solely on "damage", "serious damage", or "exceptionally grave damage". They should have a methodology to quantify the impact. It helps to develop a way to measure real damage, such as loss of operational ability or something specific to the operational environment. Not just "damage", so that people have a good understanding of the impact, but the amount of loss an unauthorized disclosure could cost.

The class guide process can apply to company processes.

FSOs can assist with creating an enterprise or program specific matrix or other tool to determine what unclassified, proprietary, personally identifiable, ITAR, EAR, or USML information exists and how to protect it, using a similar process.

They should ask the question, "Which items on the list reflect what we do?" The answer could be radar, rockets, armor, and the list goes on. The next step would be to capture the sensitive information associated with each.

FSOs can assist with determining the cleared defense contractor facility's storage capability. For example, there may be good arguments for a company to pursue either Possessing or Non-Possessing status; it is a deliberate decision.

A risk assessment should identify the type of classified work necessary and where it should be performed. Building and storage should be considered. Is classified information more at risk at the contractor or the customer site? Can work be performed at a government or prime contractor location instead of at the subcontractor?

At The MAN, the FSO determined, as part of the risk assessment, that they could better perform classified work at their customer's location instead of becoming a possessing facility. They were able to demonstrate to their customer that the classified information is more secure at the customer location and less burdensome for the CDC.

The CDC can be more in control of their security and classification destiny. 

FSOs should recognize that their risk based decisions give them negotiating power with the customer on DD Form 254 requirements; they do what they do best with what they have. There is no need to be intimidated; you can negotiate how best to meet your company's needs.

Many small CDCs have employees wearing multiple hats, such as a CEO serving as FSO. Both roles have many tasks that must be balanced. In a two person company such as The MAN, both employees must access STEPP, take CDSE training, and document the results with certificates. They print off CDSE training certificates and keep them on file as evidence of the required training.

Another idea is for FSOs to write their own training or use training available from Red Bike Publishing that FSOs can download and present: Annual Security Awareness, Insider Threat, Derivative Classification and other training.

For simplicity and efficiency, each has JPAS access to manage the other's clearance. When DSS conducts reviews, Joe and Terri have files on all training and security clearance documentation ready and available for security vulnerability assessments. Additionally, they conduct their own self-inspections using the DSS self-inspection guides, and they have an insider threat program and training in place.

Here are a few bullet comments Joe and Terri offer as advice:

·         Ask questions
·         Negotiate DD Form 254 requirements
·         Conduct and document self-inspections
·         Conduct and document security awareness training
·         Log into all the security systems (JPAS) before you get locked out
·         Have all inspectable items available and ready to present
