Saturday, December 29, 2012

Protecting Proprietary Data and Intellectual Property-FSO Task


The Opportunity
If you are employed by a defense contractor, chances are that you perform work on goods and services for the research and development of a weapon system or other new capability. That being the case, the DEFAULT focus of a Facility Security Officer (FSO) or security specialist is on technical data.
The problem is that while there is abundant guidance on the protection of classified information (the prescriptive regulation known as the NISPOM), bridging the gap between classified and sensitive information, that is, protecting sensitive unclassified information, is of utmost concern. This is where FSOs can really provide value to the enterprise.

The Problem
Take a look at this paraphrase from Allen Dulles' book The Craft of Intelligence:

In the 1950s the US Congress was concerned that there was just too much technical information available on government programs. From that concern, they commissioned researchers to assemble as much information as they could from the public domain about a particular program. The group scoured libraries, newsstands, TV, radio and other media common to the decade and provided a report. As a result, the government determined the information to be classified, safeguarded the information and disbanded the group. The lesson: intimate program details were not properly identified, marked and protected.

The best result would be that we learned a valuable lesson and no longer have to worry about sensitive information appearing in the public domain. Not so. Here is a modern-day example:

Recently the State Department reacted to an ITAR violation in which the Georgia Tech Research Institute made ITAR-protected training available on its website.

In this case, the US Government had identified the information as ITAR controlled, but GTRI mistakenly made it available to both US and foreign nationals.

In the first example, sensitive information was not properly identified and therefore could not be handled appropriately. As a result, the compiled information became classified. The second example demonstrates what can happen when information is properly identified and marked, but the handling requirements are not fully understood.

There are many other accounts of technology being passed on through theft, public release, presentations, white papers, patents and so on. How do we solve such problems?

Incorporate an enterprise-wide, comprehensive system that identifies sensitive information by owner and technology, then limits its distribution. The NISPOM gives guidance on how to protect information already identified as classified; proprietary information, ITAR-controlled technology, intellectual property and other sensitive data are not always given the same level of scrutiny.

Protecting company sensitive information
This may need to be performed at the contractor level. Once sensitive items are identified, intimate program details should be cataloged and documented so that those who work with and handle the technical information fully understand who owns it, how to get access to it and how to properly limit its distribution.

Be sure to include technical information owned by customers and vendors. Employees should understand how to properly handle the sensitive information of outside organizations. If it's not clear, ask.

Finally, any technical information that is legitimately distributed should only be released with a joint understanding of how the technical data may be used and further distributed.


Jeffrey W. Bennett, SFPC, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual" and "NISPOM/FSO Training". See Red Bike Publishing for print copies of Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR and The NISPOM.

Tuesday, December 18, 2012

Prescribed Regulations and a Sensible Security Assessment, Cleared Contractor Protection Measures


Cleared contractor facility security officers (FSO) and security specialists have a unique challenge. They protect classified information and have lots of guidance on how to do so. However, they also have to figure out how to best protect sensitive information within a competitive budget. Some of the forces acting on the budget include NISPOM, ITAR and other regulatory requirements, as well as actions required by a thorough risk assessment.

The NISPOM is a prescriptive policy, meaning that FSOs and security specialists have a list of "to do" countermeasures to protect Government-identified classified contract information. For example, a SECRET document should be stored in a GSA-approved security container.

Other solutions that appear to be prescribed are actually just standard practices. Some industry standards include access control, alarms and CCTV. One might think they were required, given their general acceptance and wide use. For example, the NISPOM states that SECRET material should be stored in a GSA-approved container. However, some might find it shocking that alarms are NOT required. It is important to make the distinction: non-prescribed countermeasures do protect classified information, but the trade-off is high cost and a focus on the wrong protection measures.

Security is meant to provide the right amount of countermeasures in the right place. Blanket countermeasures are costly and burdensome, and thereby abuse the intent of the NISPOM.

Assigning security measures without a real risk or security assessment seemingly provides protection and makes us feel better. Such actions result in the construction or modification of cleared facilities into reinforced security fortresses built to withstand repeated break-in attempts. However, the threat of these break-ins has not been established.

It makes sense to provide overwhelming physical security if the security assessment requires it. However, there may be more pressing issues and real threats to address that compete for the same budget. Following the prescriptive measures of the NISPOM may be the minimum, and engaging tougher physical security measures may be the wrong course of action.

Suppose your risk assessment determines that the greatest threat to sensitive information is forgetful and irresponsible employees. Adding badge readers and alarms to negate a nonexistent threat of theft doesn't address the insider issue.

However, an aggressive procedure, policy and training program focused on the real threat (bad habits) does help. For example, the real threat may be a lack of understanding of how to protect intellectual property. How do cleared employees work with, discuss or demonstrate their technology through reports, trade shows, patents or press releases without inadvertently transferring technical information? An intellectual property identification, security training and compliance program would do more to protect the information than guns and guards.





Wednesday, December 5, 2012

World Class FSO


Olympic competition is just another step in the journey of a world class athlete. The competitors didn't just wake up and perform spectacular feats; they incorporate winning performance into their daily rituals. They won a seat on the team because of conditioning, determination and dedication. If an athlete breaks records or fails to qualify, the success or failure isn't the one-time performance. They didn't just wake up as champions; they prepared.

Leaders are successful for the same reason. Consider the following questions about leaders: What makes them successful? Why are ideas they present more contagious than mine? How are they able to influence major decision makers?

Successful Facility Security Officers (FSO) and other security executives are no different. Just as a world class athlete performs to win, the FSO demonstrates world class security programs designed to protect classified information. These champions impact organizational policy, generate buy-in at all levels and successfully integrate security programs into the organization's DNA. They are also able to command higher compensation, more impactful positions and greater stature within the company.

These winners exhibit the following four characteristics of world class FSOs:

1. Tie-in security functions with the goals and mission statement

Successful leaders don't limit themselves to busy work or focus on individual tasks. For example, they focus their priorities on supporting the company's mission instead of touting success by the number of JPAS transactions or combination changes.

They demonstrate effectiveness by linking security and professional goals with the senior officer’s priorities. For example, suppose the defense contractor’s mission statement is “Provide the warfighter with superior night fighting capability”. The FSO would implement a security program to prevent unauthorized disclosure of classified and unclassified program information. But they don’t stop there. They ensure that everyone understands how the security program is vital to “providing the warfighter with superior night fighting capability”.

The message to the top might go like this:

“Before we proceed with this business development plan, we should review the press release for program information and anything not authorized for public release. Failure to do so may compromise our efforts to provide the warfighter…”

“Let’s consider the ITAR implications for your speech to the World Wide Night Fighter Research Symposium. Since there will be non-US persons attending, we should…”

“I’ve reviewed the government’s requirements. Are you aware that winning this contract will require us to enhance our security posture? Let me brief you on what you might expect per the NISPOM:”

2. Demonstrate the security program's value to the ability to perform on classified contracts

The first step is to understand the acquisition process and the requirements found in the statement of work, the contract and the Contract Security Classification Specification (DD Form 254). The proactive FSO gets involved early in contract negotiations and contributes to the customer's requirements. Without the proper understanding, the FSO will not be able to properly advise and guide business development or program actions.

Protecting the nation's secrets is not just a job for the security department; it should be integrated into the cleared contractor's culture. When cleared employees understand their roles in protecting the facility security clearance, the entire organization wins. To do this, the FSO has to demonstrate the value of his function in protecting classified contracts. It's not enough for the FSO and staff to protect classified information; the entire enterprise must own the process.

3. Ensure the FSO reports to the senior executive.

If that's not possible, then at least report to the same level of management as contracts, human resources and other overhead managers. Successful leaders are not buried under many layers of management and bureaucracy; they report directly to the senior officer. When they speak, people listen. Business development, engineering, research and development, program management, contracts and others seek out their guidance.

4. Develop policies that are supported and enforced from the top down.

Policies only work when they are owned and supported at the highest levels. Take, for example, in-processing by human resources, helpdesk requests by the IT department or accident reporting by safety. Those policies are some of the most effective and successful because they have been vetted and accepted by the entire organization. Along with the policies are well-published procedures identifying what the requirements are and how to meet them.

Success in any organization is not an overnight accomplishment. Just as the athlete trains to become the world's best, FSOs should put in the focused work to become champions in their industry. The key is creating security goals and demonstrating how they support the organization's mission. Create buy-in for those goals and communicate them regularly. Once senior leaders understand the security mission, they can make it part of the corporate makeup, which makes it easier to execute.

For more information, why not check out DoD Security Clearances and Contracts Guidebook.


