initial security briefing - allqsecure.com · initial security briefing last updated april 2016....
TRANSCRIPT
Purpose
Personnel Security
Physical Security
Information Security
The Threat
Cybersecurity
Public Release of Information
Operations Security
Policies
TOPICS
To understand National and DoD security policies to counter threats. Safeguarding classified information is a serious matter … and we are all responsible to protect it.
This briefing will help you to identify threats to classified and unclassified government assets including, but not limited to:
• Insider Threats• Criminal and Terrorist
Activities• Foreign Intelligence
Entities• Foreign Governments
PURPOSE
We are bound by Executive Order 12829, National Industrial Security Program (NISP) which establishes rules and regulations to properly protect and control all classified material in our possession or under our immediate control.
We have been granted a Facility Clearance (FCL) by the Defense Industrial Security Clearance Office – a division of the Defense Security Service. This process requires the company to agree to standards outlined in a DD441 which is issued when a company becomes cleared.
Not only does the company need to be cleared, employees and consultants requiring access to classified information in order to perform work on classified contracts need to be granted “eligibility” by DSS and “access” by the company based on the issued contract & the “Need to Know”.
Government Contractors – Facility Clearances
PERSONNEL SECURITY | SECURITY CLEARANCE
Contract DD254, position sensitivity and/or duties determine level of clearance and access.
Clearance levels are:
• Top Secret, Secret, or Confidential
Additional access may be needed for IT Levels, NATO, COMSEC, etc. and are defined in the contract and/or DD254.
Position Legal Status Access Levels Allowed
Requires access to classified information
US Citizen Secret, Top Secret, SCI
Requires access to Controlled Unclassified Information (CUI)
US CitizenLawful Permanent Resident Aliens
CUI – no government IT systems or technical data access
Requires access to CUI/Government IT Systems/ITAR Technical Data
US Citizen CUI/Government IT Systems/ITAR Technical Data
General Positions – no access to classified information
Anyone authorized to work in the US
Low sensitivity information
PERSONNEL SECURITY | BACKGROUND INVESTIGATION
Department of Defense Central Adjudication Facility (DoD CAF) grants a security clearance based upon the personal information provided on your application (eQIP) and appropriate back ground investigation.
• Completed SF86 forms are reviewed to determine suitability for granting a security clearance and are subject to continuous evaluation submitted by company FSO’s
• Tier 5 – Top Secret, SCI
• Tier 3 – Secret, Confidential
• Completed SF85 forms are reviewed to determine Public Trust suitability and are submitted by government agencies:
• Tier 1 – NACI with favorable results
• Tier 2 or 4 – MBI/BI : NACI with favorable results and credit check
PERSONNEL SECURITY | BACKGROUND INVESTIGATION
Once cleared, you are required to sign a non-disclosure contract (SF312) with the US Government.
A SPECIAL TRUST IS PLACED IN YOU
LIFELONG AGREEMENT
YOU MUST PROTECT FROM UNAUTHORIZED DISCLOSURE
SERIOUS CONSEQUENCES FOR NON-COMPLIANCE
PERSONNEL SECURITY | BRIEFING REQUIREMENTS
• Coordination of access briefings and trainings will be
completed with your PM and/or security team:
Only those applicable to your position will be required
• Indoctrination/Orientation
• NATO
• COMSEC
• SAP
• SCI
• Any contract specific trainings or briefings
PERSONNEL SECURITY | REPORTING REQUIREMENTS
• Changes to:
• Name
• Marital Status
• Citizenship
• Adverse information
• Based on facts NOT rumors
• Self or co-worker
Includes but not limited to:
- Criminal activities
- Alcohol or drug related incidents
- Financial difficulties
Potential Espionage Indicators Exhibited by Others
PERSONNEL SECURITY | REPORTING REQUIREMENTS
• Unexplained affluence
• Keeping unusual work hours
• Divided loyalty or allegiance to the U.S.
• Willfully disregarding security procedures
• Unreported foreign contact and travel
• Pattern of lying
• Attempts to enlist others in illegal or questionable activity
• Verbal or physical threats
• Inquiring about operations/projects where no legitimate need to know exists
• Unauthorized removal of classified information
• Fraud/Waste/Abuse of government credit cards
PERSONNEL SECURITY | REPORTING REQUIREMENTS
• Loss, compromise, or suspected compromise of classified information
• Includes tampering of or unlocked & unguarded security containers
• Secure information immediately
• Report immediately to security or supervisor
• Lost or stolen badges
PERSONNEL SECURITY | REPORTING REQUIREMENTS
• Foreign contacts
• Continuous contact with foreign nationals
Includes, but is not limited to:
- Cohabitation
- Marriage
• Suspicious contacts with or by foreign nationals
• Member of immediate family or spouse’s immediate family is a citizen of a foreign country
• Member of immediate family or spouse’s immediate family has taken residence outside the United States
• Foreign Travel
• You are required to report all foreign travel for business and personal trips. Coordinate with your security team for briefings and reporting forms.
• Foreign Interest, employment or service
• Foreign government, national, organization or entity, or a representative of any foreign interest (paid or unpaid. Any business enterprise organized under laws of another country. Any form of business that is foreign owned or controlled. Contact from a non-US Citizen or national.
PERSONNEL SECURITY | REPORTING REQUIREMENTS
PHYSICAL SECURITY
Includes, but is not limited to:
• Perimeter Fences
• Antiterrorism
• Employee and visitor access
controls
• Badging
• Intrusion Detection Systems
• Guards/patrols
• Prohibited items
• Entry/exit inspections
• Escorting
• Local procedures varied by
contract/site requirements
INFORMATION SECURITY | CLASSIFICATION LEVELS
TOP SECRET Exceptionally Grave Damage to the National Security
SECRET Serious Damage to the National Security
CONFIDENTIAL Damage to the National Security
There are other categories of information which, while not classified, also deserve mention: For Official Use Only (FOUO) is unclassified government information
which is exempt from general public disclosure and must not be given general circulation.
Company private or proprietary information is business information not to be divulged to individuals outside the company.
Recently DoD has placed great emphasis on protecting Controlled Unclassified Technical Information. The treatment of this type of information will be addressed in follow on slides
INFORMATION SECURITY | CLASSIFICATION LEVELS
Controlled unclassified technical information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. The term does not include information that is lawfully publicly available without restrictions. There are no exceptions for commercial items. Examples of technical information include research and engineering data, engineering drawings, and
associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
Contractors are required to safeguard unclassified controlled technical information and to report the compromise of such information to the DoD within 72 hours of discovery.
Contractors subject to the clause are required to implement data security controls identified in National Institute of Standards and Security (NIST) publication SP 800-53
Contractors are responsible for assuring that their subcontractors that are provided with controlled technical information also comply with the data security standards. The new contract clause is a mandatory “flow-down” clause to subcontractors. This includes so-called “cloud” data storage providers.
INFORMATION SECURITY
• Classified information basics:
It is your personal responsibility to know that the person you are dealing with is both properly cleared and has a need to know. You must never reveal or discuss classifiedinformation with anyone that is not properly cleared and has a need to know.
Classified information:
• Must never be left attended
• Must never be discussed in public areas
• Must be under the control of an authorized person
• Stored in an approved storage container
• Never be processed on your computer unless approved by the US Government
INFORMATION SECURITY
• Based on the contract that you work on you may have classified and controlled unclassified information (CUI) that must have protection from unauthorized disclosure, including, but not limited to:
• Marking
• Handling
• Transmission
• Storage
• Destruction
• Machinery
• Documents
• Emails
• Models
• Faxes
• Photographs
• Reproductions
• Storage media
• Working papers
• Sketches
• Maps
INFORMATION SECURITY | TYPES OF MATERIAL
Includes, but is not limited to:
INFORMATION SECURITY | MARKING
Appropriately marked to alert recipients of the
information’s classification
TOP SECRET (TS)
SECRET (S)
CONFIDENTIAL (C)
THIS IS A COVER SHEETTHIS IS A COVER SHEET
FOR CLASSIFIED INFORMATIONFOR CLASSIFIED INFORMATION
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
CONFIDENTIALCONFIDENTIAL
CONFIDENTIALCONFIDENTIAL
SECRETSECRET
SECRETSECRET
THIS IS A COVER SHEETTHIS IS A COVER SHEET
FOR CLASSIFIED INFORMATIONFOR CLASSIFIED INFORMATION
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVE
ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVE
ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
TOP SECRETTOP SECRET
TOP SECRETTOP SECRET
THIS IS A COVER SHEETTHIS IS A COVER SHEET
FOR CLASSIFIED INFORMATIONFOR CLASSIFIED INFORMATION
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
CONFIDENTIALCONFIDENTIAL
CONFIDENTIALCONFIDENTIAL
THIS IS A COVER SHEETTHIS IS A COVER SHEET
FOR CLASSIFIED INFORMATIONFOR CLASSIFIED INFORMATION
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
CONFIDENTIALCONFIDENTIAL
CONFIDENTIALCONFIDENTIAL
SECRETSECRET
SECRETSECRET
THIS IS A COVER SHEETTHIS IS A COVER SHEET
FOR CLASSIFIED INFORMATIONFOR CLASSIFIED INFORMATION
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVE
ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
SECRETSECRET
SECRETSECRET
THIS IS A COVER SHEETTHIS IS A COVER SHEET
FOR CLASSIFIED INFORMATIONFOR CLASSIFIED INFORMATION
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVE
ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVE
ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
TOP SECRETTOP SECRET
TOP SECRETTOP SECRET
ALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECALL INDIVIDUALS HANDLING THIS INFORMATION ARE REQUIRED TO PROTECTT
IT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONALIT FROM UNAUTHORIZED DISCLOSURE IN THE INTEREST OF THE NATIONAL
SECURITY OF THE UNITED STATES.SECURITY OF THE UNITED STATES.
HANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHEDHANDLING, STORAGE, REPRODUCTION AND DISPOSITION OF THE ATTACHED
DOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVEDOCUMENT MUST BE IN ACCORDANCE WITH APPLICABLE EXECUTIVE
ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.ORDER(S), STATUE(S) AND AGENCY IMPLEMENTING REGULATIONS.
TOP SECRETTOP SECRET
TOP SECRETTOP SECRET
INFORMATION SECURITY
How Is Information Classified?
• Original Classification
• Only specific positions within the U.S. Government can originally classify information
• Derivative Classification
• All cleared and trained DoD and contractor personnel can be derivative classifiers
INFORMATION SECURITY
What Information Can Be Classified?
Only Information that falls under one or more categories of section 1.4 of Executive Order 13526 may be eligible to be classified:
a) military plans, weapons systems, or operations
b) foreign government information
c) intelligence activities (including covert action), intelligence sources, methods, or cryptology
d) foreign relations or foreign activities of the United States, including confidential sources
e) scientific, technological, or economic matters relating to the national security
f) United States Government programs for safeguarding nuclear materials or facilities
g) vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to the national security
h) the development, production, or use of weapons of mass destruction
INFORMATION SECURITY
Information cannot be classified to:
• Conceal violations of law, inefficiency, or administrative error
• Prevent embarrassment to a person, organization, or agency
• Restrain competition
• Prevent or delay the release of information that does not require protection in the interest of the national security
• Classify basic scientific research information not clearly related to national security
INFORMATION SECURITY
Classification Challenges
• You have a responsibility to report information that you believe is improperly or unnecessarily classified.
• Contact your security official for additional guidance for submitting a classification challenge.
INFORMATION SECURITY
Safeguarding Classified Information
• Must be under the positive control by an authorized person or stored in a locked security container, vault, secure room, or secure area
• Must respect and understand the markings and the downgrade/declassification instructions on classified material
• Must receive appropriate training prior to performing derivative classification duties and refresher training every two years thereafter
• Discuss or send via secure communications
• Process on approved equipment
• Destroy by approved methods
• Discuss in an area authorized for classified discussion
INFORMATION SECURITY
Controlled Unclassified Information (CUI)
• CUI is unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulation, and Government-wide policy.
• Departments and agencies within the U.S. Government assign different CUI designations.
• CUI designations include, but are not limited to:
• For Official Use Only (FOUO)
• Law Enforcement Sensitive (LES)
• Sensitive But Unclassified (SBU)
INFORMATION SECURITY
Sanctions
• You may be subject to criminal, civil or administrative sanctions if you knowingly, willfully, or negligently:
• Disclose classified information to unauthorized persons
• Classify or continue the classification of information in violation of DoD regulations
• Create or continue a Special Access Program (SAP) contrary to the requirements of DoD regulations
• Disclose controlled unclassified information (CUI) to unauthorized persons
• Violate any other provision of applicable DoD regulations
INFORMATION SECURITY
Disciplinary Graduated Scale Actions for Security Violations
• Progressive Disciplinary actions may include, but are not limited to:
• First instance: Verbal Counseling
• Second instance: Written Warning and Performance Improvement Plan
• Third instance: Final Written Warning
– For Major Violations
• Same as minor violations and may include suspension/termination of employment
• Loss of security clearance
• Arrest
• Imprisonment and/or fines
Based on the violation, disciplinary action may not include all steps listed and may necessitate immediate dismissal.
For additional information refer to the Employee Handbook; Policy 211 Employment – Performance Improvement/Conduct;
and Policy 212 Employment – Termination of Employment.
THE THREAT
America's role as the dominant political, economic, and military force in the world makes it the Number 1 target for foreign espionage. It’s not just intelligence sources that are targeting us. Other sources of the threat to classified and other protected information include:
Foreign or multinational corporations.
Foreign government-sponsored educational and scientific institutions.
Freelance agents (some of whom are unemployed former intelligence officers).
Computer hackers.
Terrorist organizations.
Revolutionary groups.
Extremist ethnic or religious organizations.
Drug syndicates.
Organized crime.
ECONOMIC & INDUSTRIAL ESPIONAGE
What Are They After?The increasing value of technology and trade secrets in the global and domestic marketplaces, and the temporary nature of many high-tech employments, have increased both the opportunities and the incentives for economic espionage.
The rapid expansion in foreign trade, travel, and personal relationships of all kinds, now makes it easier than ever for insiders to establish contact with potential buyers of classified and other protected information.
The development of automated networks and the ease with which large quantities of data can be downloaded from those networks and stored and transmitted to others increases exponentially the amount of damage that can be done by a single insider who betrays his or her trust.
Foreign governments’ continued ability to acquire state-of-the-art U.S. technology at little or no expense has undermined U.S. national security by enabling foreign firms to push aside U.S. businesses in the marketplace and by eroding the U.S. military lead.
WHAT ARE WE DEFENDING?
Information concerning military capabilities, locations, equipment; and technology is protected for a reason. Unauthorized release of this information, whether classified or sensitive can have a detrimental effect on the Warfighters’ survivability.
ANTITERRORISM ACTIONS
• Antiterrorism includes defensive measures used to reduce the vulnerability of individuals and property to terrorist acts, including limited response and containment by local military and civilian forces.
• Additionally, antiterrorism includes actions taken to prevent or mitigate hostile actions against personnel (including family members), information, equipment, facilities, activities, and operations.
CYBERSECURITY
• Cybersecurity prevents damage to, protects, and restores information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation.
• Information systems include, but are not limited to:
• Computers
• Electronic communications systems/services
• Personal Digital Assistant (PDA) (i.e. BlackBerry)
• Cell phones
• Your responsibilities include:
• Comply with password policy directives and protect passwords from unauthorized disclosure
• Complete training through your contract site.
PUBLIC RELEASE OF INFORMATION
• Release of government information must be approved by the Public Affairs Office (PAO)
• Do not discuss classified or sensitive information with the media; refer inquiries to your local PAO
OPERATIONS SECURITY - OPSEC
• Operations Security (OPSEC) is a systematic process that is used to mitigate vulnerabilities and protect sensitive, critical, or classified information. It is just as applicable to an administrative or R&D facility as a military operation. The five components are:
• Identify Critical Information• Analyze Threats • Analyze Vulnerabilities • Assess the Risks• Apply Countermeasures
IDENTIFY CRITICAL INFORMATION
Critical information is the core secrets of an activity, capability, or intention that if known to the adversary, could weaken the operation. Usually this information involves only a few key items that stolen could impact the way we conduct business. It is information required to be successful in our jobs and is collected in a variety of ways including monitoring conversations; financial or purchasing documents; job announcements; travel documents; blueprints and drawings; and even personal information online or items found in the trash.
Some examples of critical information are: Employees’ Safety (9/11) Fleet of ships and aircraft (USS Cole) Facilities Design (Oklahoma City) Security Vulnerabilities (Anthrax mailings) Satellite Data (Weather, Environmental Data) Law Enforcement Activities (Fisheries) Management Decisions (All levels)
ANALYZE THREATS
Adversaries have changed over the years but the intent is the same. They are former allies; terrorists, some of whom receive high level training including principles of espionage and counterintelligence; as well as those who are political and economic competition.
How do they do it? Signals Intelligence (SIGINT) – transmitted information Imagery Intelligence (IMINT) – photographic imagery Human Intelligence (HUMINT) – traditional spies Open Source Intelligence (OSINT) – public sources & social
media
ANALYZE VULNERABILITIES
Vulnerabilities are defined as the characteristics of a system which can cause it to suffer degradation as a result of having been subjected to some level of a hostile threat. We must look at ourselves as the adversary would. This perspective allows us to determine what are true, rather than hypothetical vulnerabilities.
ANALYZE RISKS
Vulnerabilities and specific threats must be matched or ranked by risk.
Where the vulnerability is great and the threat is evident, the risk of exploitation should be expected. A high priority for protection should be assigned and corrective action taken.
Where the vulnerability is slight and the adversary has a marginal collection capability, the priority should be lowered.
APPLY COUNTERMEASURES
Countermeasures need to be developed that eliminate the vulnerabilities, threats, or utility of the information to the adversaries. The possible countermeasures should include alternatives that may vary in effectiveness, feasibility and cost.
These may include anything that is likely to work in a particular situation. The decision of whether to implement must be based on cost/benefit analysis and an evaluation of the overall program objectives.
POLICIES
Reference Security Policies and Regulations (not all inclusive):
• Executive Order 13526 - Classified National Security Information
• Executive Order 12968 - Access to Classified Information
• DoDD 5205.02E, DoD OPSEC Program
• DoDI 2000.12, DoD Antiterrorism (AT) Program
• DoDI 8500.01, Cybersecurity
• DoDM 5200.01, Vol. 1-4, DoD Information Security Program
• DoD 5200.2-R, DoD Personnel Security Program
• DoD 5200.08-R, DoD Physical Security Program
• Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors
REPORT IT! Hotline Numbers
Defense Department 1-800-424-9098, (703) 693-5080 Defense Intelligence Agency (703) 907-1307 National Security Agency (301) 688-6911 Department of Army 1-800-CALLSPY (1-800-225-5779) Naval Criminal investigative Service 1-800-543-NAVY (1-800-543-6289) Air Force Office of Special Investigations (202)767-5199 Central Intelligence Agency Office of the Inspector General (703) 874-2600 Department of Energy (202) 586-1247 US Nuclear Regulatory Commission Office of the Inspector General 1-800-233-3497 US Customs Service 1-800-BE-ALERT (1-800-232-5378) Department of Commerce/Office of Export Enforcement (202) 482-1208 or 1-800-424-2980 (to
report suspicious targeting of US export-controlled commodities) Department of State Bureau of Diplomatic Security (202) 663-0739 When traveling overseas, suspect incidents should be reported to the Regional Security Officer
(RSO) or Post Security Officer (PSO) at the nearest U.S. diplomatic facility
Submit Your Completion Record
Now that you have reviewed this presentation click here to enter your completion record:
The Security Team will get an email confirmation attesting your completion of this briefing.
Thank you.