Posts

Showing posts from May, 2019

Risk Management without Threat Reports

The insider threat is, by its very nature, a difficult threat to face. As professionals operating in a National Industrial Security Program Operating Manual (NISPOM) environment, we acknowledge these deviant but trusted employees without really addressing the issue. Of course we conduct the required insider threat program training, document it, and report the existence of our insider threat programs as required. In other words, it is easy to recognize that the potential for an insider threat exists. We can even assign an impact level should an insider go to the dark side, but few can go beyond recognition to implementing preventative measures. If you cannot identify a threat, do you still have a risk? Insider threat programs and training requirements spend much effort on convincing us that the insider threat is “real” and that, if activated, an insider can cause a level of “damage” to national security, depending on the level of classified information exploited....

Security Responsibilities, Extra Duties and CDCs

Periodically, the Defense Security Service (DSS) reviews the Cleared Defense Contractors (CDC) under its purview to ensure classified information is protected according to NISPOM and contractual requirements. Inherently, there are tasks the CDC must complete to demonstrate compliance with those requirements, and these tasks fall outside the scope of what the contractor usually charges its customer. If the CDC does not account for the costs of maintaining classified information, those costs come out of hide. In many cases, small CDCs of just a few employees work full time on classified contracts and then spend extra hours demonstrating compliance, extending well beyond the 8 hour day. Documenting evidence of compliance is a challenge that many CDCs face. Compliance is checked through reviews and audits conducted by customers to ensure contractual and government requirements are met. Best practice for CDCs includes conducting self-inspections and documenting events to ...

How FSOs can Influence SCGs and DD Forms 254

I recently interviewed Joe and Terri Farkas, the owners of The Management Analysis Network (MAN). Both have built a thriving business based on their expertise in risk management, program protection, and security. Security Classification Guides (SCG) and DD Forms 254 exist to provide classification guidance and to set the expectation of how the Cleared Defense Contractor (CDC) is to perform on classified work. The MAN recommends that the CDC and its Facility Security Officer (FSO) become involved in classification guidance activities such as helping build SCGs and setting expectations for the DD Form 254. Some practical ways to participate include asking classification questions, challenging classification guidance as appropriate, and taking other measures to ensure classified information is classified at the proper level, both to protect it and to ensure resources are not wasted through over-classification. FSOs can sit in on classification discussions and provide guidance on what should and should not be classified to in...