ABOUT THIS BRIEFING
Your security clearance involves many responsibilities. This includes
the requirement to be aware of basic guidelines concerning classification
of information, marking of materials and security of information in
your possession.
This briefing gives you the basics about these subjects and is being
provided to you as a reference. By reading the information in the briefing,
understanding it, and returning an electronic acknowledgment (see end
of this briefing for instructions), you will meet Department of Defense
(DoD) requirements for periodic security refresher training.
WHAT IS THE ANNUAL SECURITY REFRESHER BRIEFING?
The Foundation has agreed to conform to all security regulations and
requirements of various Federal sponsors. Individuals who possess security
clearances must receive annual refresher briefings. These briefings
reinforce and update awareness of DoD safeguards and security policies
and remind individuals of their security responsibilities.
Your Responsibility
We encourage you to carefully review the material provided in this briefing to renew
your understanding of the security policies that you are required to
follow in the performance of your duties involving access to classified
information.
Due Date
Please return your required briefing acknowledgement (see last page) by the time
stated in the email notifying you of this requirement.
CONTENTS
Introduction (Articles denoted by an * are considered mandatory reading
for this briefing)
1. *The Threat
2. *The Threat from Foreign Intelligence Services
3. The Threat from hackers and disgruntled insiders
4. *The Threat from individuals engaged in industrial espionage
5. Why is there a Security Clearance Backlog?
6. What is the "Smith Amendment" and what impact will it have
on our hiring practices?
7. The Security Classification System
8. Executive Order 12958
9. Properly marking classified documents
10. Derivatively-classified documents
11. *Employee reporting obligations
12. *Is my voluntary participation in an alcohol or drug abuse rehabilitation
program considered to be adverse information and reportable?
13. Duties of the Escort
14. Handcarrying classified materials
15. *Using computers to process classified information
16. *Protection of laptops
17. *Summary/Wrap-up/Documentation
*Acknowledgement to FSO of completion of the annual security refresher
briefing
INTRODUCTION
The National Industrial Security Program Operating Manual (NISPOM)
dated January 1995 prescribes requirements, restrictions, and other
safeguards that are necessary to prevent unauthorized disclosure of
classified information.
Paragraph 3-107 of the NISPOM states, "The contractor shall provide
all cleared employees with some form of security education and training
at least annually. The refresher training shall reinforce the information
provided during the initial security briefing and shall keep cleared
employees informed of appropriate changes in security regulations. Contractors
shall maintain records about the program offered and employee participation
in them".
This year we are providing the required refresher briefing in electronic
form. We hope that you will find the briefing enlightening and thought-provoking.
This is a "Collateral" (not SCI, or SAP) briefing. Individuals
holding SCI or SAP require a more detailed and technical classified
refresher briefing. For any person having difficulty accessing the internet,
this briefing is also available in hardcopy at your request. Additional
security briefing materials and security forms are available on the
Internet.
If you have any questions about any of the subjects discussed in the
briefing, please contact the Facility Security Officer, Dawn Laws,
or the Associate Facility Security Officer, Bob Wolfe.
*1. The Threat. The Threat today comes in a number of different
forms and threatens different parts of our corporate mission. There
is the traditional Threat from Foreign Intelligence Services (FIS) who
are pursuing our classified and proprietary information. We also have
the Threat from hackers and their malicious code and disgruntled insiders
who perhaps desire to damage or compromise our information systems.
*2. The Threat from Foreign Intelligence Services. The technologies
generating the most foreign interest in 1999 included information systems,
sensors and lasers, electronics, aeronautics systems, and armaments
and energetic materials. The majority of countries targeting our Institution
have limited military capabilities and are seeking technological advancement.
In 1997 this list numbered 37 countries; in 1998 the list had grown to
47; and in 1999 there were 56 countries associated with suspicious collection
activities targeted at cleared contractors. Many of the Foreign Intelligence
Services are now being primarily tasked to collect information that
will allow their country to better compete on the world economic stage.
This often means they are after both classified and unclassified information.
The most frequently reported Method of Operation is the request for
scientific and technical information. This often comes in the form of
an email message. The requestor may indicate they are from a foreign
university or research institute or a graduate student who needs assistance
with their thesis. He/she may indicate they have noted from our web
page that we have competencies in a certain area and they desire additional
information related to a business opportunity for us, or they are asking
for sensitive or export-controlled information or copies of technical
articles that appeared in trade journals and periodicals.
*3. The Threat from hackers and disgruntled insiders. As you
all are aware, we are also concerned about the threat from individuals
who would do undesirable things to the information residing on our information
systems. It seems every week there is a new virus or Trojan horse coming
into our lives via the Internet. You can do your part by:
--ensuring your computer has current anti-virus signatures loaded on
it
--paying attention to the periodic warnings about malicious code provided
by the computer center folks
--understanding that there are virus "hoaxes" out there and
do not "pass them to everyone on your distribution list" (pass
them instead to the computer center folks or your security officer)
--creating strong passwords
--not disclosing remote login numbers and procedures to personnel who
do not have a need to know
--granting access privileges only to those personnel who have a need
to know
--remembering that you leave tracks when you surf the web, converse
in chat rooms, or post to user groups.
*4. The Threat from individuals engaged in industrial espionage.
Even though we are a research and educational institution, we still
must be mindful about protecting any sensitive business information
that we may possess - ours or that of others in our keeping. When you
pass information over the Internet, it is susceptible to interception
by someone other than the intended recipient. Sensitive proprietary information
stored on a laptop could be worth 100 times what the laptop itself is
worth if stolen. If you generate sensitive company information (e.g.,
proposals, salary information, labor rates, network configurations,
countermeasures to intruders, private personnel information, strategic
plans, etc.), please think about physical protection for the information,
how you are marking it to indicate it is sensitive and needs special
protection, and access controls you are placing on the information.
5. Why is there a Security Clearance Backlog? This is a question
that is asked every year. The Defense Security Service is still behind
on processing clearances. Although the DSS software is now capable of
moving 2500 cases per day through their system, this is now causing
a large backlog at the adjudicator's desk (the person who looks at the
investigation report and decides if the person will get a clearance).
In September 1999, DSS contracted with two private sector entities to
augment DSS investigative capabilities. This year, DSS has contracted
investigations out to three other vendors. The DSS has done a number
of things to improve the issuance time for a final clearance but we
still have at least a year to go before they will be back to the pace
they were on before they implemented the Case Control Management System
(CCMS). The CCMS, since its implementation on October 29, 1998, has
experienced significant operational problems with numerous software
fixes.
6. What is the "Smith Amendment" and what impact will it
have on our hiring practices? The Senator Bob Smith (from New Hampshire)
Amendment to the FY2001 DoD Appropriations bill sets new limitations
on personnel who are eligible for a security clearance. It says that
the following people are ineligible for a security clearance.
--Someone who has been convicted in any court of the U.S. of a crime
and sentenced to imprisonment for a term exceeding one year
--An unlawful user of, or someone who is addicted to, a controlled substance
--Someone who is mentally incompetent, or who has been determined by
a mental health professional to be mentally incompetent
--Someone who has been discharged or dismissed from the Armed Forces
under dishonorable conditions
Since these are absolute disqualifying conditions, questions concerning
these conditions might be asked of a candidate for certain positions
requiring DoD clearances prior to employment or appointment.
7. The Security Classification System. Security classification
by a nation's government is based on the government's responsibility
for the survival of the nation and its people. In the United States,
information is classified either by Presidential authority, currently
Executive Order 12958, or by statute, the Atomic Energy Act of 1954,
as amended (Atomic Energy Act). The first Executive Order dealing with
classification was EO 8381 issued on March 22, 1940 by President Franklin
Roosevelt. In this EO, there were three levels of classification - Secret,
Confidential, and Restricted. On February 1, 1950, President Truman
issued the second EO (10104) dealing with protecting classified information.
This EO added a fourth level - Top Secret. On September 24, 1951, he
issued his second EO (10290) that simply dropped any citation of a specific
statutory authority.
In November 1953, President Eisenhower replaced EO 10290 with EO 10501.
It eliminated the "Restricted" level. The British and other
allies have kept their "Restricted" classification level.
This EO was the ruling authority for 20 years until President Nixon's
EO 11652 issued on March 8, 1972. This Executive order was a result
of an interagency committee study initially headed by William H. Rehnquist
- the current Chief Justice of the U.S. Supreme Court. Executive Order
12065 replaced EO 11652 on December 1, 1978. For the first time, this
EO talked about "Derivative Classification". The next Executive
Order was 12356 issued by President Reagan on April 6, 1982. On April
17, 1995, President Clinton issued the current EO 12958. This EO required
that Executive Branch Agencies review their classified holdings and
declassify as many as possible to support the Administration's "Openness
in Government" initiative.
8. Executive Order 12958. EO 12958 took effect in FY 1996. Since
that time, Executive Branch Agencies have declassified 720 million pages
of classified information. The government declassified 127 million pages
in FY 1999 alone. The number of "original classification authorities"
decreased by 57, to 3,846. Steve Garfinkle, Director of the Information
Security Oversight Office (ISOO) believes this is about as low as the
Government can go. The CIA accounted for 44 percent of all classification
decisions last year; DoD, 27 percent; NRO, 24 percent; Justice, 2 percent;
State, 2 percent; and all others, 1 percent.
What can one do to help with this problem? Do not overclassify and place
classified portions of documents in appendices whenever possible. The
Executive Order tells us, "If there is significant doubt about
the need to classify information, it shall not be classified".
Too often, we take the easy road and just classify everything that is
generated. Take the time to think about your classification decisions
and ask the security staff to assist you in properly marking a classified
document.
DCID 1/7 directs us to "prepare reports and products at the lowest
classification level commensurate with expected damage that could be
caused by unauthorized disclosure. When necessary, the material should
be prepared in other formats (e.g., tear-line form, attachments) to
permit broader dissemination or release of information." They practice
what they preach in that the body of DCID 1/7 is unclassified but it has
a Confidential supplement.
*9. MARKING: Marking documents is a precise process. Any document containing classified
information, even working papers and briefing notes, must be accurately
and appropriately marked. For more on marking classified materials,
refer to DoD 5200.1-PH.
Letters of Transmittal
When attached to classified matter, the first page of transmittal documents
must be conspicuously marked with the highest classification level of
any information transmitted by it; and must also contain the appropriate
instructions indicating its level of classification when separated from
the classified attachments.
Marking Information Other than Documents
For marking special types of material, such as computer hardware and
software, objects, charts, maps, drawings, photographs, film, and recordings,
please contact your program manager or contracting officer representative
(COR).
Your responsibility
If you believe that information in your possession is inappropriately
classified (or unclassified), you are expected to bring your concerns
to the attention of the FSO.
There are many circumstances for marking contents, such as multiple
sources for classification, reports, binders, and unclassified pages within
a classified document. This is why it is essential to contact the program
manager or COR for current rules.
10. Derivatively-classified documents. Industry creates only
derivatively-classified documents. A derivatively-classified document
must have at least two lines - the "Derived From" line and
the "Declassify On" line but you may include the "Reason"
line also.
The purpose of the "Derived From" line is to link the derivative
classification applied to the material and the source document or classification
guide under which it was classified.
In some cases, you may have extracted information to go in your report
from more than one source document or you may have used more than one
Security Classification Guide (SCG) for security guidance. In this case,
you would put "Multiple Sources" in the "Derived From"
line and maintain a record that supports the classification for the
duration of the contract. This record may be a bibliography in the document
itself or a listing maintained with the record copy of the document.
The "Declassify On" line will reflect an event or a date that
is no more than 10 years from origin of the document. For example, "Declassify
On: Cessation of Desert Storm Operations". But, we know some information
is so sensitive that it must remain classified for longer than 10 years.
EO 12958 recognizes this and says, "An original classification
authority may extend the duration of classification or reclassify specific
information for successive periods not to exceed 10 years at a time
if such action is consistent with the standards and procedures established
under this order". This is when the "Exemption Categories
1-8" are used. When an X1-8 follows the "Declassify On"
line, it means that document will probably remain classified for at
least 20 years.
11. Employee Reporting obligations. Cleared individuals have
a responsibility to report any suspicious contacts to the FSO. This
includes:
--efforts by any individual, regardless of nationality, to obtain illegal
or unauthorized access to classified information or an attempt to compromise
you in any way
--All contacts with known or suspected intelligence officers from any
country
--Any contact which suggests you may be the target of an attempted exploitation
by the intelligence services of another country
In addition to reporting suspicious contacts, you are also required
to report:
--A change in your name
--A marriage or divorce
--A change in your citizenship
--Entry into a business relationship with a foreign national,
a foreign company, or a foreign country or one of its Agencies
If you enter into a business relationship with a foreign national, a
foreign company, or a foreign country or one of its Agencies, then you
have become a "Representative of a Foreign Interest" or RFI.
You must report this to the Facility Security Officer. For instance,
if you pump gas for British Petroleum on the weekend - you are an RFI
and this must be reported. Does this mean you will lose your security
clearance? Not necessarily and in the above case, probably not - each
case is examined independently.
*12. Is my voluntary participation in an alcohol or drug abuse rehabilitation
program considered to be adverse information and reportable?
--Self-enrollment in a rehabilitation program is not necessarily reportable.
However, alcohol and drug abuse, or observation of behavior which is
indicative of alcohol or drug abuse is reportable.
--Mandatory enrollment in the Foundation Employment Assistance Program
is reportable.
--Refusal to accept rehabilitation assistance when offered is reportable.
--Incomplete or unsuccessful participation in a rehabilitation program
is reportable.
--Keep in mind that an adverse information report is not the sole basis
for suspension or revocation of a clearance.
13. Security Escorts. Sometimes it is necessary to bring an uncleared
person into a secure area. Although not probable, the uncleared person
could be a threat to sensitive and/or classified information and is
required to be escorted. If you are the escort, what are your responsibilities?
--Make sure the occupants of the area to be entered understand that
you are about to bring an uncleared person into their area
--Notify the occupants BEFORE you bring the person in so the area can
be sanitized, things can be put away, doors can be closed, etc. to preclude
the person obtaining visual access to classified information or overhearing
a classified conversation
--Accompany the person everywhere he/she needs to go
--Ensure the visitor removes no classified information or materials
from the area
--Make sure the visitor does not tamper with any security equipment
unless they are there for that purpose
--Ensure the visitor does not access any Information System (IS)
unless it has been coordinated with the Security Staff and/or the computer
support staff
--Do not answer any curious questions about what is going on in the
spaces
--Ensure that upon leaving, the visitor is not lagging behind you and
that you have close control over their movement
--Ensure the occupants know when you have escorted the uncleared person
out of the spaces
--Report any anomalies to the security staff
*14. Handcarrying classified materials. Sometimes mailing or
faxing a document is not sufficient to meet time or other constraints
and you are designated (must be in writing) as a courier to handcarry
the classified document to its destination. The following are some basic
rules to remember if you are a courier:
--If you have an early morning flight, you cannot take the materials
home with you the night before
--The materials must be double-wrapped with the recipient's name on
the inside wrapper
--You must obtain a receipt for the package when you turn it over to
the recipient
--If you must stay overnight at your destination, you must store the
materials at a cleared contractor facility or at a government facility
- you cannot keep it in your hotel room
--Your trip itinerary should be directly to the storage facility - do
not go out to dinner or stop by the hotel first.
--If you return with your package, ensure you take it directly back
to the specified facility for storage - do not keep it at your home
overnight
--If you left the package at your destination, give the receipt to the
security staff upon your return
*15. Using computers to process classified information. This
is our biggest security challenge. As information technology has changed,
the Government has tried to keep up as evidenced by the new Chapter
eight (AIS) to the NISPOM. The first thing you need to understand is
the three attributes of information: Confidentiality, Integrity, and
Availability.
Confidentiality - this is something we are used to - safeguarding the
information - ensuring that only individuals with a "need-to-know"
get to see the information in question. The "Level of Concern"
for Confidentiality is characterized as either High, Medium, or Basic.
If you are processing any kind of Intelligence information, then your
Level of Concern for Confidentiality is always "High".
Integrity - this is protection against unauthorized modification or
destruction of information. It is easy to see that the Level of Concern
for the Integrity of threat data files is high since an F-15, F/A-18,
or F-16 pilot dies when his radar warning receiver or Jammer does not
work properly due to the integrity of the threat data being modified.
On the other hand, the concern for Integrity may be Basic or Medium
for other classified information we are processing.
Availability - this is the timely, reliable access to data and information
services for the authorized user. Availability pertains to both the
information itself and the information systems or networks. If we are
providing real-time support to tactical programs, our Level of Concern
for Availability may be High. If we are simply accomplishing research
for which there is a great tolerance for delay, our Level of Concern
may be Basic.
*16. Protection of laptops. Since we are purchasing and using
more and more laptop computers, we must remember that with the mobility
of the machines comes a threat. Please protect your laptop when you
are on the road. Unscrupulous individuals are not only interested in
your hardware but also the information you store on that laptop. The
article below emphasizes why any sensitive information on your laptop
should be encrypted or stored on removable media.
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54791,00.html
*17. Summary/Wrap-up/Documentation. This completes your annual
security refresher briefing for TBD. We discussed that the Threat is
very much alive and is especially threatening to our information systems.
We know from this briefing that the policies for protection of classified
information originate from Executive Orders. We learned there is a new
NISPOM Chapter 8 that dictates the implementation of a number of technical
countermeasures depending on the "Protection Level" of the
system or network. We were reminded of the threat to the information
we store on our laptops. We reviewed the rules for handcarrying documents
and escorting an uncleared visitor. We were told about our reporting
responsibilities as cleared personnel.
ACKNOWLEDGEMENT
Please email Dawn Hamilton to acknowledge that you have read this version
of the Old Dominion University Research Foundation Security Refresher Briefing.
Include the following statement in the body of your message:
I acknowledge that I have received and read the Old Dominion University
Research Foundation Security Refresher Briefing in compliance with U.S.
Department of Defense security training requirements.
It is important to include your name after the above statement.
I will be contacting you if your email statement is not received by
the time stated in the email notifying you of this requirement.