
Saturday, April 2, 2022

Security Clearance and Foreign Employment

 


I’ve recently received many emails from people who are curious about security clearances and working for foreign owned companies. Though the volume of those questions has increased, I guess the topic is no longer as surprising in content as it could have been many years ago.

Many years ago, we might automatically assume that working for a foreign owned company would be indicative of highly questionable practices, but maybe not any longer.

Things have changed. More foreign owned companies are opening doors in the U.S. Internet opportunities open doors to employment. New opportunities that reach across borders, such as investment, teleworking, and creative content services that allow artists to bid on customer jobs, have made working for foreign companies more of a possibility.

But the questions have been pretty vague and hard to answer. 

  • Am I allowed to work for a foreign company if I have a security clearance?
  • Will I be able to get a security clearance if I work for a foreign company?

 

The questions are vague because there are so many scenarios that the questions can reflect. Some scenarios include:

  • You are currently employed by a cleared defense contractor and have a security clearance and want to quit and work for a foreign owned company, and would one day like to return to working with a clearance. This scenario is very risky as you could lose out on future employment, but can be mitigated.
  • You do not have a security clearance, but may one day like to work on classified contracts in some capacity. However you want to apply to work for a foreign owned company. This scenario is less risky because you have nothing to lose other than the possibility of getting a clearance “one day”.

 

There are many other scenarios and reasons that could be described, and all are different, so my answer would be, “It depends on the scenario”. Additionally, it may depend on the security clearance level such as SECRET, TOP SECRET SCI, etc.

The bottom line is, can you be entrusted with national secrets because of employment with a foreign owned company? Having a security clearance is a very important responsibility. The security clearance holder is responsible for protecting classified information and supporting the security program to protect that classified data.

This opportunity is based on the adjudication process. Security clearance award is provided after the adjudication of the investigation results. Allegiance to the United States and Foreign Influence are two very important considerations that would have to be addressed prior to awarding the security clearance.

There are many ways to adjudicate risks under Allegiance to the United States, Foreign Influence and other adjudicative criteria. There are no automatic answers to these questions since it depends on the situation. Get all the facts prior to taking on such a job, determine your risk level, and develop a strategy to mitigate the risk to your security clearance. 

If you have questions about this or other security clearance topics, visit my consulting site https://www.jeffreywbennett.com or email me at editor@redbikepublishing.com

Join our reader list for more articles.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "How to Get U.S. Government Contracts and Classified Work", and "ISP(R) and ISOC Master Exam Prep", and training: "NISPOM Fundamentals/FSO Training" and "Cleared Employee Training". Jeff is available to consult.

Wednesday, April 21, 2021

Controlled Unclassified Information


A buzz is sweeping the security community since the industry has been notified of the recent updates to DoD's CUI program based on the presidential memorandum with the subject, Designation and sharing of Controlled Unclassified Information (CUI). This memorandum implements a program designed to encourage the speedy sharing of information to those authorized and to better protect the information, privacy and legal rights of Americans. The CUI program is designed to promote proper safeguarding and dissemination of unclassified information.  

Many readers may be familiar with the program CUI has replaced. Sensitive But Unclassified (SBU) information had enjoyed protection to a certain level but was not conducive to the necessary information sharing. Controlled Unclassified Information (CUI) directives provide procedures for a more appropriate Information Sharing Environment.

CUI is a designation of unclassified information that does not meet the requirements of Executive Order 12958, as amended (Classified National Security Information). However, the protection is necessary for national security or the interests of entities outside the Federal Government. The unclassified information also falls under the law or policy advocating protection from unauthorized disclosure, proper safeguarding and limiting dissemination. Though not a classification, the controls in place may prove to require significant administrative action.

Designation of CUI can only be based on mission requirements, business prudence, legal privilege, protection of personal or commercial rights, safety or security. Finally, as with classified information, sensitive information cannot be labeled CUI for the purposes of concealing violation of law, inefficiency, or administrative error. The designation cannot be used to prevent embarrassment to the Federal Government or an official, organization or agency, to improperly or unlawfully interfere with competition in the private sector, or to prevent or delay the release of information that does not require such protection.

What does this mean for affected businesses and government agencies? Be prepared to implement the program to allow for proper storage and dissemination, and provide required CUI training. This requires the ability to properly mark the material or provide proper warning before discussing the information. Things to think about include: training employees, developing mail, fax, email and reception procedures, and ordering marking supplies. Also, keep information technology and other business units in the loop of communication. They will need to provide the right support at the right time.


Saturday, October 10, 2020

Managing Export Violations




Let’s test your knowledge of international operations. The following situation is pure fiction, but is based on issues facing businesses every day. This situation is tricky enough with unclassified contracts, but the addition of possible classified work may complicate the issue. Try to answer the following question:

As the security manager of a classified facility, you have many responsibilities including approving classified visits. Not a problem, since most visit requests are handled through agency-approved databases. Besides, you have a very large staff and the process is pretty much routine until….

A program manager enters your office and informs you that her foreign customer wants to send an employee to work onsite on a classified program for six months. The program manager wants you to give her a visit request form that the foreign company can use to submit a visit request. You think about this for a moment and realize that though the situation is unusual, it should be a workable solution. Do you provide the visit request form? Why or why not?

In the course of business, it is not unusual for a foreign entity to request a visit to a U.S. company. Foreign business employees may desire to visit a U.S. contractor in furtherance of a contract. When the business is related to a classified contract, involves classified information or relates to a government to government agreed upon plant visit, the foreign entity requests the visit through their embassy. The only way these types of visits are authorized is through government to government channels. Unclassified visits are sent through commercial channels and are conducted through licenses with the Department of State or the Department of Commerce.

Visit requests submitted by a foreign entity pass through their government channels to the U.S. government for approval. The U.S. government agency having jurisdiction over the classified contract submits the request to the U.S. contractor for their approval. The request also includes guidance and limitations of the information and items the foreign national will be allowed to access. The contractor reviews the limitations and determines whether or not they concur with the request. The contractor has the final say of whether or not the foreign national will access their facility.

Security managers, export compliance officers, technology control officers, etc. will face more challenges as our market becomes global. In future topics we will discuss two questions: once a visit is authorized, what does a contractor need to do in preparation for the visit? How does one prepare employees and the visiting foreign person to avoid exporting unauthorized technical data?


Check out our book series: Security Clearance and Defense Contractors





Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Export Compliance and Leadership


A few years ago I facilitated a short but very rewarding eight hour seminar on the International Traffic In Arms Regulation (ITAR) Overview. I am grateful to the staff at the University of Alabama in Huntsville and the North Alabama Trade Association for both sponsoring the event and allowing me to present. I found the course rewarding as I presented to a mixed audience of 30 professionals ranging from shipping and receiving specialists to executive vice presidents. The mix also consisted of professionals with various degrees of know-how, as consultants, attorneys, technology control officers and those brand new to the field shared experiences and learned from one another. As a compliance officer in various disciplines, I have had the privilege of leading security and compliance teams and seminars on multiple topics.

Though this was my first of hopefully many export regulations seminars, I noticed a similar need in the compliance field. Regardless of the discipline, compliance works best when driven from the top down. No matter the program a compliance officer intends to build or support, influence is key when developing it, whether security, privacy protection, safety, export, etc. Experience and technical savvy are great to have; however, minus influence, the person is just an administrator playing catch-up in a crucial game.

Like other compliance disciplines, export compliance first and foremost helps companies and individuals successfully earn profits while playing by the rules. Our government encourages international business. The opportunities for lucrative business and growing employee experience pools make international trade an attractive endeavor. The benefits are huge as long as enterprises know the rules and are able to implement them into every program. The reality is that a license will most likely be granted when given the time and consideration required. Unfortunately, the routes people take to avoid licenses probably take more energy, and export violations cause significant damage to our defense and economy.

Influence comes in where the whole team understands the mission and each business unit and employee role. The compliance officer trains the company and keeps the empowered official abreast of licensing and technical assistance issues. They also establish trigger mechanisms to ensure international travel, business, or employment opportunities come to their attention early in any endeavor involving technology transfer.


Wednesday, October 23, 2019

Using anecdotes to convey your security message.


The skill of storytelling is one of the most successful methods of conveying a message. Public speakers, teachers, and mentors draw on personal experience to relate to their audiences. Performed with skill and confidence, a story can enhance training by making tasks teachable and relatable to the audience. However, when the message is misrepresented or poorly delivered with bad storytelling, the messenger becomes the focus as they lose credibility and the good message is obscured.
Storytelling for the purposes of this article does not necessarily mean creating a work of fiction or spinning a tale. The term storytelling is used as an example to assist with creating a logical flow of tasks conducted to complete a function. For example, a bad storyteller may say, “protect classified information or else you could be fired or worse.” A good storyteller will convey the task of introducing, using, storing, and destroying classified information throughout its lifecycle in a logical sequence. They could do so with such relevance that it is easily applied within the company culture.
The Story Setting
A speaker who speaks with or trains an audience of peers, or of people having similar skill sets, gains almost instant credibility. The same profession, the same topic, and the same faces most often make it unnecessary to cultivate a relationship from scratch. Everyone already has something in common as they share like interests. This setting can occur in a professional organization or club where everyone has a similar skill set or hobby.
On the other hand, a speaker who discusses topics with an audience of various expertise may have a harder time relating to their audience. For example, a college night school teacher may have an audience of skilled laborers of various disciplines and the only thing they have in common is the textbook. In these instances, the speaker relies on their expertise in the subject matter and anecdotes to make the subject material relevant or teachable. It would be ridiculous for this speaker to try to engage in a topic they know nothing about. They will simply lose credibility the first time they misuse an anecdote.
Applying Story Telling to NISPOM 
Beyond supporting a common corporate culture, a Facility Security Officer (FSO) could have difficulty conveying a message of protection to those who use classified information for a more specific purpose if they do not discover common ground. While the FSO is an expert at NISPOM, the engineer or practitioner is an expert at how the classified information is used. So what can an FSO do to create common ground and use that common ground to develop training anecdotes?
I’ll use a personal story. A few years ago I was invited to speak at an NCMS local chapter event. I wanted to discuss program protection, but went in heavy on explaining National Industrial Security Program Operating Manual (NISPOM) requirements. The briefing charts I developed just dripped with NISPOM requirements and I used the requirements to demonstrate the application and need for program protection planning. I thought I had a good presentation, but wanted to verify with a colleague.
His assessment was the truth, but not what I wanted to hear. He explained that my message was wrong and I risked losing my audience. What I had inadvertently done was assert myself as a NISPOM expert when in reality I should be showcasing my program protection experience. He rightly pointed out that the room would be full of NISPOM experts that could argue any NISPOM topic interpretation to the detriment of my presentation. He further explained that the NISPOM could be our common ground, but the majority of the presentation should reflect my program protection expertise and get buy-in on NISPOM interpretation. Thankfully I listened, resulting in a successful presentation and great question and answer sessions.
Establishing Credibility
FSOs are the experts at NISPOM and how to apply the classification management guidance at the cleared contractor facility. Cleared contractor facilities are required to designate a capable person to conduct the duties of the FSO. This can be interpreted as the requirement to pick an existing employee to perform the additional duties as an FSO. It can also be interpreted as the requirement to hire an additional person to conduct full time duties as an FSO.
Appropriate message
The primary purpose of the FSO should be to establish their credibility in applying NISPOM guidance to the defense contractor facility. In some situations where the FSO is a designated task bestowed upon an existing executive, engineer, or other professional, the FSO may be an expert in the development of a weapon system. They are an expert in the weapon system and may be able to beautifully weave security anecdotes into the fabric of weapon system development. In this situation, it would be a mistake not to showcase the expertise as a system engineer to relay the importance of applying security tasks to protecting classified information on the specific system. Every attempt should be made to discuss intimate details of performance, cost, and schedule and convey the security message while doing so. Being an expert in security and weapon system development and telling the story accurately using technical language and engineer speak will help fellow weapon system designers better apply security to protect classified and export controlled information.
On the other hand, a non-technical FSO attempting to lecture the engineer on specific details of the unfamiliar task of developing software would not be wise. Any attempt to do so could result in loss of credibility as terms might become misused or tasks communicated in a way to insult the professional. In this case the non-technical FSO could conduct security training and security tasks with the frame of reference that they are the experts at NISPOM guidance and the engineers are the weapon system and development experts. Together as a team they can develop an effective security program to protect classified information. 
In the second scenario the FSO can establish credibility as a security expert and create captivating stories using the common ground of working in a cleared defense contractor facility and the facility’s core culture. Where the audience is made up of scientists and engineers, there is no need for an FSO to attempt to discuss areas they are not an expert in. This could unfortunately provide an opportunity for the audience to argue the FSO’s level of understanding of the weapon system outside of the scope of the security discussion.  

The art of storytelling should be used in communicating the security message to help make it easily digestible to cleared employees. Storytelling is simply finding and using common ground to establish training or develop a culture in a relatable and logical flow. This is a great skill to practice and develop to help implement security programs to protect classified information.


Thursday, September 5, 2019

Four Tools Every Cleared Defense Contractor Needs



Cleared defense contractors (CDCs) provide the technology and know-how that delivers products and services to our defense industry. CDCs can be prime contractors or subcontractors and are contracted to support government organizations. The designation of CDC indicates that the organization is a government contractor with a facility clearance and is made up of employees with personnel security clearances. With classified contracts, the CDCs are required to protect their government customer’s classified information while performing on classified contracts.

The CDCs are part of the National Industrial Security Program (NISP). The National Industrial Security Program Operating Manual (NISPOM) provides guidance on how to perform on classified contracts. The guidance includes topics such as employee responsibilities, required training, continuous evaluation, maintaining security clearance, and much more. The Defense Counterintelligence and Security Agency (DCSA), formerly known as DSS, provides most DoD agency oversight and compliance reviews. They perform vulnerability assessments and determine how well a CDC protects classified information according to the NISPOM.

Cleared Defense Contractors have a big job: not only performing on classified contracts and protecting classified information, but also documenting or validating compliance. The following tools should be in the CDC’s toolbox and can be employed to help them remain in compliance and demonstrate their level of compliance.

1. National Industrial Security Program Operating Manual (NISPOM)

The National Industrial Security Program Operating Manual (NISPOM) is the Department of Defense’s instruction to contractors on how to protect classified information. This printing of the NISPOM includes the latest from the Defense Security Service to include an Index and Industrial Security Letters. The NISPOM addresses a cleared contractor’s responsibilities including: Security Clearances, Required Training and Briefings, Classification and Markings, Safeguarding Classified Information, Visits and Meetings, Subcontracting, Information System Security, Special Requirements, International Security Requirements and much more.

2. International Traffic in Arms Regulation (ITAR)

“Any person who engages in the United States in the business of either manufacturing or exporting defense articles or furnishing defense services is required to register…” - ITAR

“It is the contractor’s responsibility to comply with all applicable laws and regulations regarding export-controlled items.” - DDTC

Companies that provide defense goods and services should understand how to protect US technology; the ITAR provides the answers. The International Traffic in Arms Regulation (ITAR) is the defense product and service provider’s guide book for knowing when and how to obtain an export license. This book provides answers to:

  • Which defense contractors should register with the DDTC?
  • Which defense commodities require export licenses?
  • Which defense services require export licenses?
  • What are corporate and government export responsibilities?
  • What constitutes an export?
  • How does one apply for a license or technical assistance agreement?

3. Self Inspection Handbook For NISP Contractors

The National Industrial Security Program Operating Manual (NISPOM) requires all participants in the National Industrial Security Program (NISP) to conduct their own security reviews (self-inspections). This Self-Inspection Handbook is designed as a job aid to assist you in complying with this requirement. It is not intended to be used as a checklist only. Rather it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company. You will also find they have included various techniques that will help enhance the overall quality of your self-inspection. To be most effective it is suggested that you look at your self-inspection as a three-step process: 1) pre-inspection, 2) self-inspection, 3) post-inspection.

4. Training for Cleared Employees

a. Initial Security Awareness Training and Security Awareness Refresher Training

The main presentation is great for initial training or for refresher annual security awareness training required of all cleared employees.

NISPOM requires the following training topics during initial training and refresher training:

  • Threat Awareness Security Briefing Including Insider Threat
  • Counterintelligence Awareness Briefing
  • Overview Of The Security Classification System
  • Employee Reporting Obligations And Requirements, Including Insider Threat
  • Cybersecurity awareness training for all authorized IS users
NISPOM Training contains requirements for the Annual Security Awareness and Initial Security Training.

b. Derivative Classifier Training

The NISPOM outlines requirements for derivative classification training to include… the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years. Those without this training are not authorized to perform the tasks.
Contractor personnel make derivative classification decisions when they incorporate, paraphrase, restate, or generate in new form, information that is already classified; then mark the newly developed material consistently with the classification markings that apply to the source information.

c. Insider Threat Training

This training program includes the NISPOM identified Insider Threat Training requirements. Download and present the training to meet the training requirements. The NISPOM has identified the following requirements to establish an Insider Threat Program:
  • Designate an Insider Threat senior official
  • Establish an Insider Threat Program / Self-certify the Implementation Plan in writing to DSS.
  • Establish an Insider Threat Program group
  • Provide Insider Threat training
  • Monitor classified network activity
  • Gather, integrate, and report relevant and credible information; detect insiders posing risk to classified information; and mitigate insider threat risk
  • Conduct self-inspections of Insider Threat Program.

d. SF 312 Briefing

This training is for newly cleared employees and should be given prior to Initial Security Briefings.

Newly cleared employees must sign an SF-312, Non Disclosure Agreement. Instead of just having them sign the box, why not give them the appropriate SF-312 Briefing describing what exactly is on the form and why they are signing it?

As mentioned earlier, CDCs not only have to perform on classified contracts according to contractual requirements, but they are evaluated on how well they are protecting classified information. The tools mentioned above are designed to assist the CDCs in meeting requirements. Red Bike Publishing is pleased to be a partner in the NISP and provides tools to assist CDCs in their efforts. More information can be found at www.redbikepublishing.com


Monday, September 2, 2019

Gather, integrate, and report insider threat information



This article addresses the NISPOM based Insider Threat Program (ITP) compliance requirements and is inspired by questions from the Self Inspection Handbook for NISP Contractors. The article uses the handbook’s format to walk through the self-inspection criteria. We begin with the topic question, then the NISPOM reference, an explanation of requirements, and finally how to inspect compliance.

Topic Question(s):
Does your program include a capability to gather, integrate, and report relevant and credible information, which falls into one of the 13 adjudicative guidelines indicative of a potential or actual insider threat?

 EVIDENCE: Explain process to gather and integrate data and provide procedures

VALIDATION:
NISPOM Reference(s):

1-202a
a. The contractor will establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat, consistent with E.O. 13587 (reference (ac)) and the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (reference (ad)), as required by the appropriate CSA.

One might ask what is reportable as far as insider threat indicators are concerned. Aside from actually catching a culprit red-handed sabotaging company resources or stealing government secrets, the employee is asked to report suspicious but credible observations. The Facility Security Officer (FSO) of the cleared defense contractor organization should develop a methodology for reporting insider threat behavior and training on how to recognize the behavior and then report it.

To do so, there is an existing methodology that leverages a current requirement. The “go to” resource for a standardized process or policy on relevant and credible information is the 13 Adjudicative Guidelines. Any one of these guidelines can serve as an indicator of authorized employees with malicious intent.

A review of the available 13 Adjudicative Guidelines can provide data points for a risk manager to build upon. The guideline topics and a simple description of each topic are provided so that behaviors can be identified and, if credible, reported to the Insider Threat Program Senior Official.

Employees can be trained to observe certain behaviors and recognize them as triggers for whether or not to report. When an employee observes credible high risk behavior they should understand to whom and how to report it.

Here are the 13 Adjudicative Guidelines that should be employed to recognize reportable behavior.

Guideline A: Allegiance to the U.S.
A cleared employee should demonstrate unquestionable allegiance to the United States. Any behavior or other indications of involvement in, training to commit, support of, or advocacy of any activity that demonstrates loyalty to other countries should be reported. Examples of behavior could include questionable internet searches, club memberships, or charitable donations to organizations with allegiance to other countries that would bring demise on the United States.

Guideline B: Foreign Influence
Foreign contacts and interests may be a security concern if a cleared employee demonstrates divided loyalties or foreign financial interests. The concern is they may be influenced to help a foreign person, group, organization, or government in a way that is not in the U.S. interests. The cleared employee could also be vulnerable to pressure or coercion by any foreign interest.

Guideline C: Foreign Preference
Here the cleared employee could be demonstrating behavior that could serve the interests of a foreign person, group, organization, or government that is in conflict with the national security interest.

Guideline D: Sexual Behavior
A cleared employee could be engaged in sexual behavior that involves a criminal offense. Or the behavior could indicate a personality or emotional disorder, reflect a lack of judgment or discretion, or subject the individual to undue influence or coercion, exploitation, or duress. If in violation of Guideline D, the behavior could raise questions about an individual's reliability, trustworthiness and ability to protect classified information.

Guideline E: Personal Conduct
This is a catch-all guideline. It covers any personal conduct by cleared employees, or concealment of information about their conduct, that creates a vulnerability to exploitation, manipulation, or duress.

Guideline F: Financial Considerations
A cleared employee who is financially overextended could be at risk of having to engage in questionable behavior to improve their situation. This behavior could reflect the other Guidelines.

Guideline G: Alcohol Consumption
This is one of the more obvious guidelines and easier to recognize in most situations. Examples include alcohol-related incidents at work, such as reporting for work or duty in an intoxicated or impaired condition or drinking on the job.

Guideline H: Drug Involvement
The use of illegal drugs or misuse of prescription drugs can raise questions about an individual’s reliability and trustworthiness, both because drug use may impair judgment and because it raises questions about an individual’s willingness to comply with laws, rules, and regulations.

Guideline I: Psychological Conditions
Certain emotional, mental, and personality conditions can impair judgment, reliability, or trustworthiness.

Guideline J: Criminal Conduct
Criminal activity creates doubt about a person’s judgment, reliability, and trustworthiness and calls into question a person’s ability or willingness to comply with laws, rules, and regulations.

Guideline K: Handling Protected Information
This can be accidental, repetitive, as well as malicious. Any situation where a cleared employee mishandles classified information should be addressed per the investigative findings. Forgetful employees can be trained, but problem employees demonstrating repetitive offenses may lose their clearances. Insider threats with malicious intent could be reported to law enforcement.

This behavior can be demonstrated through a long list of NISPOM or ITAR violations such as loading, drafting, editing, modifying, storing, transmitting, or otherwise handling classified reports, data, or other information.

Guideline L: Outside Activities
This guideline concerns any foreign, domestic, or international organization or person engaged in analysis, discussion, or publication of material on intelligence, defense, foreign affairs, or protected technology. It is closely related to Guidelines A and B as well as others, depending on motivation.

Guideline M: Use of Information Technology
Cleared employees should handle classified information appropriately, and Guideline K addresses activity that violates NISPOM guidance. Here, the concern is use of any classified or unclassified information technology system to gain unauthorized access to information or a system. This includes hacking into servers, emails, networks or computers.

The next step is to develop a method of investigating and reporting the behavior. One scenario is that an employee reports suspicious activity to the FSO per earlier NISPOM guidance. The FSO could receive the report and begin an inquiry based on NISPOM requirements. However, with recent NISPOM updates the FSO can now engage the Insider Threat Team as part of that inquiry. Credible violations of the Guidelines can at the very least result in addressing the protection of classified information or be raised to another level of addressing potential insider threat issues.

Ideas to demonstrate compliance:

  • Develop a reporting process for receiving credible reports of suspicious behavior
  • Document reports and investigations
  • Document results of investigations
  • Create and deliver training to employees
  • Document training



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".