I recently interviewed Joe and Terri Farkas, the owners of The Management Analysis Network. Both have built a thriving business based on their expertise in risk management, program protection, and security.
Security Classification Guides (SCG) and DD Forms 254 are there to provide classification guidance and an expectation of how the Cleared Defense Contractor (CDC) is expected to perform on classified work. The MAN, recommends that the CDC and FSO become involved in classification guidance activities such as helping build SCGs and set expectations for the DD Form 254. Some practical ways to participate include asking classification questions, challenging classification guidance as appropriate, and other measures to ensure classified information is classified appropriately to protect it as well as ensure resources are not wasted through over-classification efforts.
FSOs can sit in on classification discussions and provide guidance on what should and should not be classified to include at what levels the classification should be. For example, they can provide stick and rudder guidance to ensure information is not classified to hide embarrassing activity or cover up a crime.
Those participating in classification guidance should first determine what to protect and how to protect it. Then they should consider where the classified information exists while assuming that there is a genuine threat; especially those that exist as insider threat. Assume also that the practical vulnerabilities exist that make the classified information available to be exploited.
Once the classified informaton is identified and threats and vulnerabilities are determined, the working group should consider impact to unauthorized disclosure as level of "damage" to national security. Traditionally, an Original Classification Authority will determine classification levels based on the perceived "damage" to national security. However, the level of damage is a gut check and should be based on something more precise.
So, how should one ascertain impact?
When making a classification decision, participants should not do so based solely on damage, serious damage, or extremely grave damage. They should have a methodology to quantify the impact. It helps to develop a way to measure real damage, such as loss of operational ability or something specific to the operational environment. Not just "damage" so folks will have a good understanding of the impact, bu the amount of loss unauthorized disclosure could cost.
The class guide process can apply to company processes.
FSOs can assist with creating an enterprise or program specific matrix or other tool to determine what unclassified, proprietary, personal identifiable, ITAR, EAR, or USML, information exists and how to protect it using a similar process.
They should ask the question, "which items on the list reflect what we do? The answer could be RADAR, Rockets, armor, and the list goes on. The next step would be to capture sensitive information.
FSOs can assist with the determining the cleared defense contractor facility storage capability. For example, there may be good arguments for a company to pursue either status as a Possessing or Non-Possessing company; it's a deliberate decision.
A risk assessment should identify the type of classified work necessary and where it should be performed. Building and storage should be considered. Is classified information more at risk at the contractor or customer site. Can work be performed in a government or prime contractor location instead of at the sub contractor?
At The MAN, the FSO determined that they could better perform classified work at their customer location instead of becoming a possessing facility; part of risk assessment. They were able to demonstrate with their customer that the classified information is more secure at the customer location and less impacting on the CDC.
The CDC can be more in control of their security and classification destiny.
FSOs should recognize their risk based decisions for negotiation power with customer on the DD Form 254 requirements; doing what they do best with what they have. No need in being intimidated, you can negotiate how best to meet your company needs.
Many small CDCs have employees with multiple hats such as CEO serving as FSO. Both have many tasks that must be balanced. In a two person company such as The MAN, both employees must access STEP and take CDSE training and document the results with certificates. They print of CDSE training certificates and document their required.
Another idea is for FSOs to write their own training or use training available from Red Bike Publishing that FSOs can download and present; Annual Security Awareness, Insider Threat, Derivative Classified and other training.
For simplicity and better efficiency each has JPAS access to manage each other's clearances. When DSS conducts reviews, Joe and Terri maintain files on all training, and security clearance documentation ready and available for security vulnerability assessments or DSS reviews. Additionally, they conduct their own self-inspections using the DSS self-inspection guides. Have insider threat program and training in place.
Here are a few bullet comments Joe and Terri offer as advice:
Ask questions
Negotiate 254 requirements
Conduct and document self inspection
Conduct and document security awareness training
Log into all the security systems (jpas) before you get locked out
Have all inspect-able items available and ready to present.
Hear the podcast:
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing .
He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures.
He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".
No comments:
Post a Comment