The Defense Counterintelligence and Security Agency (DCSA) is responsible for evaluating vulnerabilities of classified information at a Cleared Defense Contractor (CDC) facility. This includes not only the policy to review a contractor's capability to protect classified information, but now also the handling and protection of items identified as well as controlled unclassified information (CUI).
If it appears that acronyms are being developed to cover concerns at an alarming rate, you are correct. The vulnerabilities of technology that enhances our military capability also come with a set of warnings and new titles and acronyms that demand increased attention. We have critical program information, critical components, critical technologies, controlled unclassified information, etc., each one with similar yet different definitions and requirements. While we may have new names and acronyms, the fundamentals of protection remain.
As detailed above, it is evident that technology poured into products enhancing any capabilities must be protected from ending up in the public domain. Identifying sensitivities and required protections will make the difference in what will be added to a flyer, sales pamphlet or website.
Information, raw data, files, etc. exist in many forms, and this information has acronyms covering military critical technology, proprietary information, intellectual property, company secrets, Export Administration Regulation (EAR) and International Traffic in Arms Regulation (ITAR) controlled technology, controlled unclassified information (CUI) and, most recently, unclassified technical information (UCTI).
A CDC has more to worry about than just classified information. Where they have the security classification guide to provide explicit instruction on how to protect classified information, there is no such guide covering the other categories. However, the CDC should go through an exercise to determine sensitive or critical unclassified information, as it is also useful during the vulnerability assessment from DCSA and the Cybersecurity Maturity Model Certification (CMMC) that evaluates how the contractor protects information residing on the networks.
This information should be identified by format and location as it resides in the organization or in transit. This simply means identifying the information developed as a result of performing work on a defense contract (reports, designs, blueprints, etc.), where these products reside (cabinet, room, computer, network) and their format (paper, software, system, cyber). At the very minimum, this information should be identified and a plan put in place to protect it from casual observation and from ending up on a screen at a seminar or on the public homepage.
Countermeasures should include security training, policies, and procedures that consider the following scenarios. We have defined these threats in earlier articles, but find they are useful for clarity and instruction in this situation:
Espionage
The unauthorized collecting, transmitting or stealing of information for the purpose of aiding other governments, businesses or entities.
This espionage can include actions found in Economic Espionage, Sec. 1831 of the Economic Espionage Act of 1996:
Whoever, intending or knowing that the offense will benefit any foreign government, foreign instrumentality, or foreign agent, knowingly--
(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains a trade secret;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys a trade secret;
(3) receives, buys, or possesses a trade secret, knowing the same to have been stolen or appropriated, obtained, or converted without authorization;
Trade Secret Theft, Sec. 1832 of the Economic Espionage Act of 1996
(a) Whoever, with intent to convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly--
(1) steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information;
(2) without authorization copies, duplicates, sketches, draws, photographs, downloads, uploads, alters, destroys, photocopies, replicates, transmits, delivers, sends, mails, communicates, or conveys such information;
(3) receives, buys, or possesses such information, knowing the same to have been stolen or appropriated, obtained, or converted without authorization
ITAR Violations
(a) Export means:
(1) Sending or taking a defense article out of the United States in any manner, except by mere travel outside of the United States by a person whose personal knowledge includes technical data; or
(2) Transferring registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the United States or abroad; or
(3) Disclosing (including oral or visual disclosure) or transferring in the United States any defense article to an embassy, any agency or subdivision of a foreign government (e.g., diplomatic missions); or
(4) Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad; or
(5) Performing a defense service on behalf of, or for the benefit of, a foreign person, whether in the United States or abroad.
The lesson is that significant effort and thought should go into protecting the information that could otherwise be vulnerable. Just identifying the information reduces the risk of uncertainty; developing countermeasures to protect it further quantifies and reduces significant risk. Developing a security program to protect sensitive unclassified information may require more innovation than understanding how to protect classified information.
For unclassified U.S. defense information, the defensive measures depend primarily on incorporating the experience of those who practice the innovation and including them in the risk reduction process.
Ray "DICE Man" Semko developed a process called Defensive Information Countering Everything. This is his anchor point for helping others implement the risk reduction cycle. Perhaps you can develop your own as you implement security at your facilities. Remember the risk reduction cycle; it applies to almost everything:
1. Identify assets
2. Determine impact if exploited
3. Assess risk
4. Implement countermeasures
5. Assess countermeasure effectiveness
6. Do it all over again.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".