Annual Industrial Security and Export Compliance Briefing 2014
This briefing is unclassified
Presented by: Jamie Fisher, FSO

Contact information
FSO contact: Jamie Fisher, jfisher@innssi.com, 937-630-3012 x100
DSS Rep: Richard Leger, Special Agent, Industrial Security Representative, Defense Security Service, 513-243-9336
Export Controlled contacts:
Steve Palluconi, spalluconi@innssi.com, 937-630-3012 x104
Grant McMillan, gmcmillan@innssi.com, 937-630-3012 x106

Purpose:
• This training is an annual requirement for any ISSI employee holding a clearance to enhance their security knowledge and raise awareness level
• To remind you of your responsibility and obligations while working with classified information

Remote Training Instructions: How to Receive Credit
Read through all course modules. E-mail SEC100 Completion Record to SecurityEd@sandia.gov or fax to (505) 844-7802 for credit.

Completion Time
Course completion time is estimated to be between 30-40 minutes. However, course completion times vary greatly, depending upon familiarity with the content, reading speed, number of interruptions, and number of optional links accessed. Employees may charge up to 30 minutes to 0701-000 for their time to complete this training.

Topics
Welcome to your annual training! The topics you will review are:
• Industrial Security Program Overview
• Know your work
• Know your surroundings
• Security Classification System
• Threat Awareness
• Safeguarding Classified
• Classified Visits
• Foreign Travel
• Reportable Information
• Adverse Information
• Security Violations
• Discipline Policy
• Export Compliance

Overview of the National Security Program
As a Government Contractor, we are bound by Executive Order 12829, National Industrial Security Program. The NISP establishes rules and regulations to properly protect and control all classified material in our possession or under our immediate control.
Our information is threatened by cyber hackers, foreign adversaries, malicious insiders, or inadvertent release. Some of the work that is done at ISSI is information that others want—whether classified or not. Security requirements are about ensuring that information and materials are kept from those who don’t have a need to know and the proper clearance.

The Company Facility Clearance
A Facility Clearance (FCL) is a determination that a company is eligible for access to classified information or award of a classified contract. The process involves an evaluation of the corporate organization; key leadership; outside corporate relationships; foreign influence, etc. The FCL means that the company may have access to contract specific classified information based on a government need and at a government approved location. ISSI is currently cleared at a top secret facility.
Current contracts that ISSI has with classifications (DD254) are:
FA8650-13-D-2343: Top Secret (Hoke’s group)
FA8650-13-D-2337: Secret (Hsu’s group)
FA8650-14-D-2317 TO 0001: Secret (Hsu’s group)
Subcontract with GDIT: 2601: Secret (Lynn’s group)

DD Form 254
DD Form 254 outlines the security specifications for each classified contract issued to a prime contractor from the government. This form is also flowed down to any and all subcontractors that require access to and/or storage of classified information. Below is a copy of the DD 254 that is issued.
[Image: DD Form 254 (DEC 1999), Department of Defense Contract Security Classification Specification, for contract FA8650-13-D-2343]

Security Procedures and Duties Applicable to Employee Job
A person who has become a cleared and briefed employee has certain responsibilities. These responsibilities include, but are not limited to:
• Completion of initial and annual refresher briefings
• Be knowledgeable of Reporting Requirements as well as classified Security Violations or Infraction policies and procedures
• Periodic Reinvestigation, in accordance with level requirements (conducted every 5 years for Top Secret, 10 for Secret and 15 for Confidential)
• Adhere to Classified Safeguarding Guidelines and Restriction

Safeguarding Classified
You are the first line of defense in protecting our nation’s information.
An easy way to do this is by applying the core principles of Operations Security, or OPSEC:
• Think: Recognize and acknowledge that you are at risk
• Assess: Evaluate your routines and environment. Where are you vulnerable?
• Protect: Make security part of everything that you do. Protect information.
Never hesitate to call your FSO, Jamie Fisher, 937-630-3012 x100 or DSS rep Richard Legere 513-243-9336 with questions on any security related issues.

Security Classification System
Classified information is official government information that has been determined to require protection in the interest of national security. All classified information is under sole ownership of the US Government, and employees possess no right, interest, title, or claim to such information.
– Confidential: Information which, in the event of unauthorized disclosure, could reasonably be expected to cause identifiable damage to national security
– Secret: Information which, in the event of unauthorized disclosure, could reasonably be expected to cause serious damage to the national security
– Top Secret: Information which, in the event of unauthorized disclosure, could reasonably be expected to cause exceptionally grave damage to the national security

Access Requirements
• Security clearance does not give you approved access to all classified information.
It gives you access only to:
– Information at the same or lower level of classification as the level of clearance granted; and
– Information that you have a need-to-know in order to perform your work
• Failure in implementing the need-to-know principle can cause serious damage to our organization
• Need-To-Know imposes a responsibility on you and all authorized holders of protected information
• You are expected to refrain from discussing protected information in hallways, cafeterias, elevators, any place where the discussion may be overheard by persons who do not have a need-to-know
• Report any violations to your security office

What causes mistakes?
• Being in a hurry: Rushing causes us to lose focus. Slow down to stay safe and secure.
• Not taking the risk seriously: If you don’t believe there’s a threat, you won’t implement protections.
• Disruption in routine: Establishing routines helps us, whether it’s storing our personal electronic devices in the morning or locking our computers when we leave our offices. It is when we do something out of the ordinary that we make mistakes, such as rushing to an appointment and leaving classified unattended. Stop and take a few moments to make sure that everything is securely put away.
• Being interrupted/distracted: A coworker walking in to discuss an urgent issue or receiving an emergency call from home can cause us to forget what we were doing. Be mindful of when your actions may disrupt others and cause them to make an error.

Did you know?
New Mexico is a hot spot for spies.
Counterintelligence expert and Acting NNSA Director Bruce Held says, “For many international intelligence operatives, the state’s name is nearly synonymous with espionage.”

Know your work
When you start new work or criteria for current work has changed, be sure to know the following:
• What is sensitive or classified in your area
• What may be subject to export controls
• Who has a need-to-know for my program’s information
If in doubt on current work or new work, ask questions. It’s better to be safe than sorry.
Some common indicators that could lead an adversary down a pathway to more information:
• Increased program activity that can be seen by the public (announcement of new contracts, sales/shipments of commercial items)
• Information in presentations, articles, research papers, and journals.
• Remember that all information intended for release outside of ISSI must go through Review and Approval, even open source or unclassified.

Key Points
• If you have any doubt, check with your supervisor before releasing any classified information
• Possessing a badge that indicates clearance does not automatically grant individuals a Need-To-Know
• Determine the degree of Need-To-Know before sharing program or project information
• Need-To-Know principle applies to computers as well.

Classified Visits
How to access classified information “elsewhere”
• A VAR (visit access request) must be submitted in JPAS (Joint Personnel Adjudication System)
• Visit requests, both inbound and outbound, shall be forwarded to Security no later than 5 business days before the visit.
– Name of visitor(s)
– Destination’s SMO Code (A must for the JPAS VAR)
– Dates of the visit (Start and end)
– Point of Contact name and phone number (can’t be the security office)
– Purpose of the visit (meeting, conference, etc.)
• International visitors shall allow at least 30 days notice for classified visits abroad

Foreign Travel
Overseas travel increases the risk of being targeted by foreign intelligence activities. You can be the target of a foreign intelligence or security service at any time and place; however, the possibility is greater when you travel overseas.

Examples of spying tools include:
• Wired hotel rooms
• Intercept of fax and email transmissions
• Recording of telephone calls/conversations
• Unauthorized access and downloading, theft of hardware and software
• Break-ins and/or searches of hotel rooms, briefcases, luggage, etc.
• Bugged airline cabins
• Substitution of flight attendants by spies/information collectors

A favorite tactic for industrial spies is to attend trade show/conference type events. This environment allows them to ask a lot of questions, including questions that might seem more suspect in a different type of environment. One estimate reflected that one in fifty people attending such events were there specifically to gather intelligence.

The overseas traveler and the information in their possession are most vulnerable when on the move. Stealing laptops is a common tactic. These portable devices may contain access capabilities that serve as doorways to additional information and systems. To avoid this type of situation:
• Refrain from bringing portable electronics
• Use removable hard drives
• Data on portable electronic devices should contain only what is needed for the purpose of your travel

Remember that it is always cheaper for any country to elicit, improperly obtain or buy a new technology than it is for them to pay for the research and development of that technology themselves. There are more funds expended on R&D by the US Government and Industry than any other country in the world. This makes us a prime target.
Think Defensively
• Being mindful and thinking defensively will make it difficult for someone to obtain technical and/or classified information from you. As an ISSI employee, you are considered to be a source of information by those people involved in both classic and industrial or economic espionage.
• Your increased awareness is essential when meeting with foreign nationals domestically and abroad or while vacationing outside the US. For current requirements and warnings for international travelers, visit http://travel.state.gov
• When you travel, refrain from discussing business in public places. Report to Security any suspicious contacts from individuals that you do not know.

Key Points
Remember it is against the law to:
– Disclose classified information to unauthorized persons.
– Fail to report a known or suspected compromise of classified information

Reportable Information
Cleared employees shall contact Security if any of the following apply:
• Name change
• Change in marital status
• Change in family status which results in having a foreign national as a relative
• Reoccurring contacts with Foreign Nationals, or relationships with foreign businesses
• Requests from anyone for unauthorized access to classified or export-controlled technical information

Adverse Information
Adverse information is any information that adversely reflects on the integrity or character of a cleared employee. Such information would suggest that his or her ability to safeguard classified information may be impaired, or that his or her access to classified information clearly may not be in the interest of national security. It is the responsibility of all employees to report to Security any adverse information concerning another cleared employee.
Examples of Adverse Information:
• Criminal activity
• Use of illicit drugs or misuse of controlled substances
• Any pattern of security violations or disregard for security regulations
• Excessive indebtedness/recurring financial difficulties
• Knowledge or suspicion of anyone providing or requesting sensitive, classified, export-controlled, or proprietary information to an unauthorized person or entity.
• Obtaining a foreign passport or a business partnership with a foreign national.

Security Violations
• Minor violation: an unintentional or negligent failure to comply with security requirements which does not result in compromise, or suspected compromise, of classified information
• Major violation: a willful disregard of security requirements or a failure to comply with security procedures, regardless of intent, which results in compromise or suspected compromise of classified information

Discipline Policy
– Violation was not deliberate: the employee will receive a verbal discussion and be retrained on security
– Violation was not deliberate but a pattern of negligence is noticed: written reprimand and may receive uncompensated furlough
– Violation involved gross negligence: employee will receive a written reprimand and may receive uncompensated furlough and possible termination
– Violation involved deliberate negligence: employment will be terminated

Export Compliance – A Growing Requirement for ISSI
• Foreign sales is the fastest growing component of ISSI’s commercial product success.
• In 2012, commercial sales were responsible for 10% of ISSI revenue and 49% of profit.
• Although encouraged by State and Federal agencies, exporting involves potential threats to national security, foreign policy, and non-proliferation.
• Compliance with U.S. export regulation is carefully monitored by multiple organizations within the Dept. of State, Dept. of Commerce, Dept. of Treasury and the Census Bureau.
• ISSI is developing an Export Compliance Management System to ensure our compliance with the myriad regulations.
• One requirement is that all ISSI employees have recurring training and basic familiarity with this program.

What ISSI Base Employees Need to Know
• The U.S. Government takes export laws very seriously.
• Penalties for non-compliance are steep and can be ruinous to a small business.
• Penalties can be levied on ISSI and/or on individual employees who were responsible for the violation.
• Non-compliance by ISSI’s Commercial Products Group could directly impact our ability to engage in government contracting.
• Non-compliance by ISSI Base employees could result in ISSI debarment from exporting.
• Base employees can violate U.S. export laws even though you have no relationship to foreign sales.

A Broad Range of Items are Subject to Export Controls…
Exports can be…
• Physical – taking / sending / giving a part / data to a foreign country or person.
• Verbal – telling a foreign person information about a controlled part / data.
• Visual – a foreign person seeing controlled information, even if they see it on your laptop in a public place.

Potential Export Violation Scenarios
• Example 1:
– One of the AFRL/RQ test facilities is being upgraded and you need to obtain components for that upgrade.
– To speed up the process of getting quotes, you contact potential U.S. suppliers, who request more information in order to customize the components to your requirements.
– You provide them with facility drawings or specifications, with no statement about export restrictions…after all it is not a classified facility.
– One U.S. company forwards this information to their manufacturer/supplier in China, who you are not even aware of.
– Since U.S. military test equipment is typically covered by ITAR restrictions, but you did not alert the U.S. supplier, you potentially violated U.S. export laws.
• What you should have done:
– Before providing unclassified technical data on base equipment to a potential supplier, contact Tracy Frecker. She will work with Steve Palluconi (Export Empowered Official) to determine the applicable export restrictions and screen the potential suppliers.

Potential Export Violation Scenarios (cont’d)
• Example 2:
– You are participating in a technical conference in the U.S. or overseas.
– A foreign national approaches you who is interested in ISSI instrumentation for aerodynamic measurements in wind tunnels.
– Although you are not involved with commercial sales, you have general information on our products and want to help ISSI build new business.
– You proceed to share this information with the foreign national.
– The foreign national is from a country that requires a license before we can market or sell to them.
– You have potentially violated U.S. export laws.
• What you should have done:
– Thank the foreign national for their interest in ISSI instrumentation and refer them to a member of the Commercial Products Group, such as Steve Palluconi or Grant McMillan (Export Compliance Officer).

Certification
I have received, reviewed and understand the contents of this industrial security and export compliance briefing. Any questions that I raised were addressed by ISSI’s FSO and EO.
Print Name:
Signature:
Date: