ANNUAL SECURITY REFRESHER BRIEFING - JANUARY 2001



This product is to be used as a series of “sound bite” emails to be sent to your cleared
employees. It is best to send no more than one email per day. It is also best to send the
emails out at the end of the day. That way the employees will open and read the email first
thing in the morning before they get involved in other tasks. This method of
accomplishing the annual refresher briefing was very well received at the author’s multi-
facility organization.



Introduction. The National Industrial Security Program Operating Manual
(NISPOM) dated January 1995 prescribes requirements, restrictions, and other
safeguards that are necessary to prevent unauthorized disclosure of classified
information. The NISPOM is our security bible.

Paragraph 3-107 of the NISPOM dictates, "The contractor shall provide all
cleared employees with some form of security education and training at least
annually. The refresher training shall reinforce the information provided during
the initial security briefing and shall keep cleared employees informed of
appropriate changes in security regulations. Contractors shall maintain records
about the program offered and employee participation in them."

This year, as we have in the two previous years, I will be providing you the
required refresher briefing as a series of emails that hopefully you will find
enlightening and thought-provoking. If you have a question about any of the
emails I send, please respond because it probably means someone else does
also and I can then clarify the information I was trying to convey.

Remember, this is a "Collateral" (not SCI, or SAP) briefing. Even if you only work
on SCI projects, you still are subject to the NISPOM and must receive this
briefing. Additional briefings will be given later on this year for special Programs.

When we finish the briefing, I will post the complete Microsoft Word file of all of
the messages on the Security page of the Intranet. The last email will contain a
request for you to forward it to the security officer at your location, indicating you
have participated in this briefing. He/she will put your response in your security
record so we have our required documentation for the refresher briefing. Hope
you find this fun and interesting.


1.     The Threat. I believe we will start with talking about the Threat. The
Threat today comes in a number of different forms and threatens different parts
of our corporate mission. We have the traditional Threat from Foreign Intelligence
Services (FIS) who are pursuing our classified and proprietary information. We
also have the Threat from hackers, crackers, their malicious code and
disgruntled insiders who perhaps desire to do bad things to our information
systems. Finally, we have the Threat from our competitors who would like to get
their hands on our proprietary information so they can better compete with us for
Customer contracts.

Russia is our bud, right? Then who was/is Edmond Pope and what did he want
with a torpedo that cuts through the water like a bullet through air? Click here to
find out: http://www.russiatoday.com/news.php3?id=243579&section=default



2.       The Threat from Foreign Intelligence Services. The technologies
generating the most foreign interest in 1999 included information systems,
sensors and lasers, electronics, aeronautics systems, and armaments and
energetic materials. The majority of countries targeting our Corporation have
limited military capabilities and are seeking technological advancement. In 1997
this list of countries was 37; in 1998 the list had grown to 47; and in 1999 there
were 56 countries associated with suspicious collection activities targeted at
cleared DoD contractors. I feel our classified information is well protected
because it is disconnected from the Internet, however, many of the Foreign
Intelligence Services are now being primarily tasked to collect information that
will allow their country to better compete on the world economic stage. This often
means they are after our unclassified proprietary products, processes, and
information.

The most frequently reported Method of Operation is the request for scientific
and technologic information. This often comes in the form of an email message.
The requestor may indicate they are from a foreign university or research
institute or a graduate student who needs assistance with their thesis. He/she
may indicate they have noted from our web page that we have competencies in a
certain area and they desire additional information related to a business
opportunity for us, or they are asking for classified, sensitive or export-controlled
information or copies of technical articles that appeared in trade journals and
periodicals.

Traditionally, our activities have been isolated from the general population but
with the advent of the Internet and our need to advertise our capabilities, we are
now more vulnerable to exploitation. Am I saying every request for information
represents a collection attempt by a Foreign Intelligence Service? Absolutely not!
I am only saying that of the reported incidents clearly associated with the
activities of an FIS, this was the most popular method of operation. Please report
any suspicious emails to your local security officer.

For more information on this problem go to http://www.dss.mil/cithreats/

3.      The Threat from hackers, crackers and disgruntled insiders. As you
all are aware, we are also concerned about the threat from folks who would do
undesirable things to our information residing on our information systems. It
seems every week there is a new virus or Trojan horse coming into our lives via
the Internet. You can do your part by:

- ensure your computer has current anti-virus signatures loaded on it
- pay attention to the periodic warnings about malicious code provided by the computer center folks
- understand that there are virus "hoaxes" out there and do not "pass them to everyone on your distribution list" (pass them instead to the computer center folks or your security officer)
- create strong passwords
- do not disclose remote login numbers and procedures to personnel who do not have a need to know
- grant access privileges only to those folks who have a need to know
- remember that you leave tracks when you surf the web, converse in chat rooms, or post to newsgroups.

Do you have cable modem access at home? Thinking about getting cable
modem access? If so, you might want to look at the below article that will tell you
how to keep crackers out of your home computer for free!

   http://www.info-sec.com/internet/01/internet_010401a_j.shtml


4.      The Threat from competitors engaged in industrial espionage. Even
though we are a not-for-profit company, we still must be concerned about
protecting our sensitive business information. Information passed over the "frame
relay" will be encrypted but when you pass information over the Internet, it is
susceptible to interception by other than the intended recipient. Sensitive
proprietary information stored on your laptop could be worth 100 times what the
laptop itself is worth if stolen. If you generate sensitive company information
(e.g., proposals, salary information, labor rates, network configurations,
countermeasures to intruders, private personnel information, strategic plans,
etc.), please think about physical protection for the information, how you are
marking it to indicate it is sensitive and needs special protection, and access
controls you are placing on the information.

Today's deep thoughts: Looks like our new president will have a tough job
proving he really isn't as ignorant as some obviously think… George W. Bush
was asked if he knew what Roe vs. Wade was about, and he answered that he
thought it was the decision George Washington had to make when he decided to
cross the Delaware…

5.      I like to "surf" and use the Internet while at home - does this present
a threat to classified information I may carry around in my head? At our
company, information assurance is a big part of our business; we do classified
processing during the day, use secure STU III telephones, close doors to our
offices when we have classified conversations, place classified trash in safes to
be destroyed using approved shredders, and even provide information assurance
services to our customers. However, when we are home, using our PC to access
the Internet, with our feet kicked up on the desk, drinking a cold beverage, we
tend to let our guard down. This is when we are most prone to commit a security
violation.

What can we do to remain as security conscious at home and on the net as we
are at work?

- Don't transmit classified or proprietary information over the Internet
- Don't go looking for classified information on the Internet by searching for certain "dirty" (classified) words
- Don't make references to classified information or imply you know some classified information
- Think before you respond - especially in chat rooms
- Don't talk about your work or indicate that you have a security clearance
- Be discreet in the sites you visit and the issues on which you comment
- Don't select just postings from newsgroups related to your classified work - download more than you actually want, then read selectively


6.        So What's Up With the Security Clearance Backlog? Didn't you ask
this question last year? Well, the bad news is that the Defense Security Service
is still behind on their clearances. The good news is that we can now get an
"Interim" Secret clearance in less than two weeks. With a Secret Interim, an
employee can see all the Secret documents he/she has a need-to-know for
except NATO, SCI, COMSEC, and Restricted Data. Note that an individual with
an interim clearance CAN see Foreign Government Information (FGI). However,
this does not help us for those folks who need SCI access.

The other good news is that the DSS software is now capable of moving 2500
cases per day through their system. However, this is now causing a large
backlog at the adjudicator's desk (the person who looks at the investigation
report and decides if the person will get a clearance).

In September 1999, DSS contracted with two private sector entities to augment
DSS investigative capabilities. This year, DSS has contracted investigations out
to three other vendors. The DSS has done a number of things to improve the
issuance time for a final clearance but it is my opinion that we still have at least a
year to go before they will be back to the pace they were on before they
implemented their flawed Case Control Management System.

For more on DSS augmentation click here:
http://www.dss.mil/aboutdss/augmentation.htm

We have options if the person is to be cleared with NSA. We can pay $2,000 for
a contractor vendor to accomplish the background investigation which they
guarantee to be accomplished in less than 30 days. (DSS' goal is to be able to
complete the background investigations in less than 180 days). Also, if a new
employee was previously cleared with another contractor or Agency, we have a
waiver in place that allows us to give him access as soon as we get his Letter of
Consent and DD Form 562 from his previous employer.


7.     Speaking of security clearances, what is this "Smith Amendment"
and what impact will it have on our hiring practices? The Senator Bob Smith
(from New Hampshire) Amendment to the FY2001 DoD Appropriations Bill sets
new limitations on folks who are eligible for a security clearance. It says that the
following people are ineligible for a security clearance:

- The person has been convicted in any court of the U.S. of a crime and sentenced to imprisonment for a term exceeding one year
- The person is an unlawful user of, or is addicted to, a controlled substance
- The person is mentally incompetent, as determined by a mental health professional (oh oh! That sounds like a few folks I know)
- The person has been discharged or dismissed from the Armed Forces under dishonorable conditions

Since these are absolute disqualifying conditions, we may be able to ask these
questions of a candidate prior to employment (we must get a reading on this from
our attorneys first). In fact, based on the Smith amendment and other input from
Jim Schweizer and Larry Strang, we are reviewing our employment application
and the process we use to accomplish pre-employment screening so that
perhaps we can do a better job of identifying those individuals who we can get
cleared expeditiously.

8.      Will there be changes soon relative to access to CNWDI information?
Controlled Nuclear Weapons Design Information (CNWDI) is information that can
presently be accessed by someone who has a final clearance. We also have you
sign a special briefing prior to access. Some of the information is at the Secret
level. The Department of Energy and DoD are looking at a small subset of
nuclear weapon design information that warrants "enhanced" protection. What
does this mean? - we don't know at this time but in the future it may entail having
to have a Top Secret clearance or a Single Scope Background Investigation
(SSBI) or both to see CNWDI. For more on this story, click here:
       http://www.fas.org/sgp/news/secrecy/2001/01/010401.html


9.     The Security Classification System. The first Executive Order dealing
with security classification was EO 8381 issued on March 22, 1940 by President
Franklin Roosevelt. In this EO, there were three levels of classification - Secret,
Confidential, and Restricted - yes, "Restricted". On February 1, 1950, President
Truman issued the second EO (10104) dealing with protecting classified
information. This EO added a fourth level - Top Secret. On September 24, 1951,
he issued his second EO (10290) whose purpose was to drop any citation of a
specific statutory authority (keeping Congress out of the "Protecting National
Security Information" ballgame).

In November 1953, President Eisenhower replaced EO 10290 with EO 10501. It
eliminated the "Restricted" level. Note that our British and other friends have kept
their "Restricted" classification level. This EO was the ruling authority for 20
years until President Nixon's EO 11652 issued on March 8, 1972. This Executive
order was a result of an interagency committee study initially headed by William
H. Rehnquist - the current chief Justice of the U.S. Supreme Court. Executive
Order 12065 replaced EO 11652 on December 1, 1978. For the first time, this
EO talked about "Derivative Classification". The next Executive Order was
12356 issued by President Reagan on April 6, 1982. On April 17, 1995, President
Clinton issued the current EO 12958. This EO will/has become famous for its
dictation that Executive Branch Agencies will review their classified holdings and
declassify as many as possible to support the Administration's "Openness in
Government" initiative. Do you think the George W. Bush administration will issue
yet another Executive Order?


10.    Executive Order 12958. Now let's talk about how we are doing in the
implementation of the objectives of EO 12958. You may recall that EO 12958 is
the real security legacy of the Clinton administration (other than the scandals).
This administration (rightfully) recognized that we have way too many classified
documents. EO 12958 took effect in FY 1996. Since that time, Executive Branch
Agencies have declassified 720 million pages of classified information! (To give
you a feel of the magnitude of this accomplishment, there were only 977 million
pages declassified during the period of 1980 - 1999). The government
declassified 127 million pages in FY 1999 alone.

The number of "original classification authorities" (OCAs) decreased by 57, to
3,846. Steve Garfinkle, Director of the Information Security Oversight Office
(ISOO) believes this is about as low as the Government can go. These OCAs
are mostly very senior folks in the government and they are the signatures we
see on the Security Classification Guides we receive for some of our contracts.
The CIA accounted for 44 percent of all classification decisions last year; DoD,
27 percent; NRO, 24 percent; Justice, 2 percent; State, 2 percent; and all others,
1 percent.

What can you do to help with this problem when you "derivatively" classify? Do not over
classify and place classified portions of documents in appendices whenever possible. The
Executive Order tells us, "If there is 'significant doubt' about the need to classify
information, it shall not be classified." Too often, we take the easy road and just classify
everything we generate and that is not right. Take the time to think about your classification
decisions and ask the security staff to assist you in properly marking a classified document.

DCID 1/7 directs us to "prepare reports and products at the lowest classification level
commensurate with expected damage that could be caused by unauthorized disclosure.
When necessary, the material should be prepared in other formats (e.g., tear-line form,
attachments) to permit broader dissemination or release of information." They practice what
they preach in that the body of DCID 1/7 is unclassified but it has a Confidential
supplement. For more on how the Executive Order is being implemented, click here
http://www.fas.org/sgp/isoo/isoo99.html



11.  Properly marking classified documents. We mark classified
documents to ensure the reader understands:

- the magnitude of the damage to national security that could result if the information were disclosed to unauthorized personnel (OVERALL MARKINGS)
- the highest level of information within a section, part, or paragraph (PORTION MARKINGS)
- the identity of the original classifier ("CLASSIFIED BY" line)
- the authority under which we derivatively classified the information ("DERIVED FROM" line)
- the reason (from section 1.5a-g of EO 12958) the information is classified (CLASSIFICATION REASON line)
- for how long the document should remain classified ("DECLASSIFY ON" line)

The "Classified By" and "Reason" Lines are normally only on originally classified
documents.


12.     Derivatively-classified documents. Industry creates only derivatively-
classified documents. A derivatively-classified document must have at least two
lines - the "Derived From" line and the "Declassify On" line but you may include
the "Reason" line also.
The purpose of the "Derived From" line is to link the derivative classification
applied to the material and the source document or classification guide under
which it was classified.

In some cases, you may have extracted information to go in your report from
more than one source document or you may have used more than one Security
Classification Guide (SCG) for security guidance. In this case, you would put
"Multiple Sources" in the "Derived From" line and maintain a record that supports
the classification for the duration of the contract. This record may be a
bibliography in the document itself or a listing maintained with the record copy of
the document.

The "Declassify On" line will reflect an event or a date that is no more than 10
years from origin of the document. For example, "Declassify On: Cessation of
Desert Storm Operations". But, we know some information is so sensitive that it
must remain classified for longer than 10 years. EO 12958 recognizes this and
says, "An original classification authority may extend the duration of classification
or reclassify specific information for successive periods not to exceed 10 years at
a time if such action is consistent with the standards and procedures established
under this order". This is when the "Exemption Categories 1-8" are used. When
an X1-8 follows the "Declassify On" line, it means that document will probably
remain classified for at least 20 years.


13.    What is the status of the perhaps "tens or hundreds of thousands" of
classified documents (over 25 years old) expected to be declassified as a
result of EO 13142 (which extended the deadline for declassification from
last May until at least October 14, 2001)? As you may recall, I told you last
year that EO 12958 tasked all Executive Branch Agencies to review all of their
holdings over 25 years old and to declassify them or seek exemption before April
17, 2000. I also told you that this effort has not gone as well as hoped. EO
13142 extended the deadline for most documents to next October. For
documents in which "two or more Agencies have an equity" and documents
"pertaining to intelligence sources and methods", the new deadline is now April
17, 2003.

The bad news is that declassification, heretofore a subject of broad bipartisan
political support, has increasingly been adversely affected by partisan politics. An
estimated 612 million pages of records subject to automatic declassification at
the initial deadlines remain to be reviewed. We have a number of these
documents in house and it remains to be seen what perspective the Bush
administration will bring to this initiative. Stay tuned.

14.    Employee reporting obligations. As a cleared employee, you have a
responsibility to report any suspicious contacts to the security office. This
includes:

- efforts by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or an attempt to compromise you in any way
- all contacts with known or suspected intelligence officers from any country
- any contact which suggests you may be the target of an attempted exploitation by the intelligence services of another country

In addition to reporting suspicious contacts to the Security Office, you are also
required to report:

- a change in your name
- marriage or divorce
- a change in your citizenship

If you enter into a business relationship with a foreign national, a foreign
company, or a foreign country or one of its Agencies, then you have become a
"Representative of a Foreign Interest" or RFI. You must report this to the Security
Staff. For instance, let's say that you pump gas for British Petroleum on the
weekend - you are an RFI and this must be reported. Does this mean you will
lose your security clearance? Not necessarily and in the above case, probably
not - each case is examined independently.


15.   Is my voluntary participation in an alcohol or drug abuse rehabilitation
program considered to be adverse information and reportable?

- Self-enrollment in a rehabilitation program is not necessarily reportable. However, alcohol and drug abuse, or observation of behavior which is indicative of alcohol or drug abuse, is reportable.
- Mandatory enrollment in our Employment Assistance Program is reportable.
- Refusal to accept rehabilitation assistance when offered is reportable.
- Incomplete or unsuccessful participation in a rehabilitation program is reportable.
- Keep in mind that an adverse information report is never the sole basis for suspension or revocation of a clearance.


16.   Duties of the Escort. Sometimes it is necessary to bring an uncleared
person into a secure area. Although not probable, this person could be a threat to
our sensitive and/or classified information so we provide them with an escort.
Most of the time, the escort will be from Security. However, if you are the escort,
what are your responsibilities?

- Make sure the occupants of the area to be entered understand that you are about to bring an uncleared or undercleared person into their spaces
- Notify the occupants BEFORE you bring the person in so the area can be sanitized, things can be put away, doors can be closed, etc. to preclude the person obtaining visual access to classified information or overhearing a classified conversation - don't forget sensitive stuff hanging on the walls!
- Accompany the person everywhere he/she needs to go
- Ensure the visitor removes no classified information or materials from the area
- Make sure the visitor does not tamper with any security equipment unless they are there for that purpose
- Ensure the visitor does not access any IS unless it has been coordinated with the Security Staff and/or the computer support staff
- Do not answer any curious questions about what is going on in the spaces
- Do not let the visitor socialize while in the spaces - intent is to get them in to accomplish their mission and then get them out as soon as possible
- Ensure that upon leaving, the visitor is not lagging behind you and that you have close control over their movement
- Ensure the occupants know when you have escorted the uncleared person out of the spaces
- Report any anomalies to the security staff



17.    Importance of wearing your security badges. We go to great lengths
to make you a security badge. We make these things so you can wear them. We
ask that you wear them so we can ask the person without a badge what they are
doing in our Facility. What is the color scheme for the badges?

- A red (SRC/NYSTEC) or maroon (SMI) badge means that the person has a security clearance. It does not indicate any special accesses a person may have nor his/her clearance level.
- A green badge means the wearer has access to Confidential Business Information handled in the Environmental Science Center (ESC).
- A yellow badge means the person is a visitor with no clearance certification on record.
- Finally, a blue badge is an employee with no clearance.

Please wear your badge at all times while within the Facility and make it a safer
work place for everyone.

18.     Handcarrying classified materials. Sometimes mailing or faxing a
document is not sufficient to meet time or other constraints and you are
designated (must be in writing) as a courier to handcarry the classified document
to its destination. The following are some basic rules to remember if you are a
courier:

- If you have an early morning flight, you cannot take the materials home with you the night before
- The materials must be double-wrapped with the recipient's name on the inside wrapper
- You must obtain a receipt for the package when you turn it over to the recipient
- If you must stay overnight at your destination, you must store the materials at a cleared contractor facility or at a government facility - you cannot keep it in your hotel room
- Your trip itinerary should be directly to the storage facility - do not go out to dinner first or stop by the hotel lounge for a couple of drinks
- If you return with your package, ensure you take it directly back to our facility for storage - do not keep it at your home overnight
- If you left the package at your destination, give the receipt to the security staff upon your return


19.     Notification to recipients regarding the inadvertent dissemination of
classified as unclassified. When classified information is transmitted or
disseminated as unclassified, notification of the actual classification to recipients
who are cleared for access to the material is, at a minimum, classified
CONFIDENTIAL. Therefore, if the material was originally transmitted
electronically, we must provide the classification notification via secure channels
(e.g., STU-III or secure fax). The notification should also provide the classification
source as well as declassification instructions. When control of the material has
been lost, or if unauthorized personnel have had access to the information, such
as when the recipient is not cleared for access, the matter must be reported to
our Cognizant Security Authority by the Security Staff.

So…if you are involved with us in the inadvertent dissemination of classified
information as unclassified…remember that we must communicate that
externally as Confidential information so the bad guys cannot exploit the mishap.

20.    Using computers to process classified information. This seems to be
the area in which we have our biggest security challenge. As information
technology has changed, the Government has tried to keep up as evidenced by
the new Chapter eight (IS) to the NISPOM and a new DCID 6/3 for SCIF
information systems (IS) operations. I am going to take the next few emails to
introduce you to some of the new Chapter eight security concepts. The first thing
I want to talk about is the three attributes of Confidentiality, Integrity, and
Availability.

Confidentiality - this is something we are used to - safeguarding the information
- ensuring that only individuals with a "need-to-know" get to see the information
in question. The "Level of Concern" for Confidentiality is characterized as either
"High", "Medium", or "Basic". If you are processing any kind of Intelligence
information, then your Level of Concern for Confidentiality is always "High".

Integrity - this is protection against unauthorized modification or destruction of
information. It is easy to see that the Level of Concern for the Integrity of the
EWIRDB or AFMSS threat data files is "High" since an F-15, F/A-18, or F-16 pilot
dies when his radar warning receiver or jammer does not work properly due to
the integrity of the threat data being modified. On the other hand, the concern for
Integrity may be "Basic" or "Medium" for other classified information we are
processing.

Availability - we are talking here about timely, reliable access to data and
information services for the authorized user. Availability pertains to both the
information itself and the information systems or networks. If we are providing
real-time support to tactical programs, our Level of Concern for Availability may
be "High". If we are simply accomplishing research for which there is a great
tolerance for delay, our Level of Concern may be "Basic".

In the next few messages, I will demonstrate why determining our Levels of
Concern for Confidentiality, Integrity, and Availability is important to our secure
use of the computers and networks.


21.    Protection Level for Confidentiality. You probably remember the old
Security Modes of Operation - "Dedicated", "System High", "Compartmented",
and "Multi-Level". These modes were authorized variations in security
environments in which the systems/networks were operated. These have now
been replaced by Protection Levels I, II, and III.

Protection Level I - Equivalent to the old "Dedicated Security" mode of
operation

- All users have the required level of clearance
- All users have all formal access approvals (NATO, CNWDI, COMSEC, etc.)
- All users have a need to know for everything on the system

Protection Level II - equivalent to the old "System High" mode of operation

- All users have the required level of clearance
- All users have all formal access approvals
- NOT all users have a need to know for everything on the system

Protection Level III - equivalent to the old "Compartmented" mode of operation

- All users have the required level of clearance
- NOT all users have all formal access approvals
- Need to know does not contribute to the decision


**For collateral operations, there are just the three above Protection Levels. For
processing SCI (DCID 6/3), there are two additional Protection Levels.


22.    Technical Protection Requirements. The Protection Level for
Confidentiality (I, II, or III) and the Level of Concern for Integrity and Availability
(Basic, Medium, or High) will dictate which of the 15 "Protection Requirements"
from chapter eight (or from DCID 6/3 for SCI) we will have to implement on our
information systems. These 15 requirements include:

Alternate power source (UPS and/or backup generators)
Audit capability (configuration control measures)
Backup and restoration of data (measures to ensure users have continued
access to the information)
Changes to data integrity (deterring, detecting, and reporting attempts to
change data, etc.)
Data transmission (encryption)
Access controls (who gets access to which objects/files)
Identification and authentication (userIDs and passwords)
Resource control (getting rid of residual data on media before letting it out of
controlled channels)
Session controls (banners, denying access after 3 consecutive unsuccessful
attempts to logon, etc.)
Security documentation (how much documentation is required)
Separation of function (ISSO and system administrator not the same person)
System recovery (functions that respond to interruptions in operations)
System assurance (protecting the security support structure of the system)
Security testing (certification and verification of correct operations of protective
measures)
Disaster recovery planning (identifying how we will bring back up mission
essential systems and operations)

**Most of the above protection requirements have multiple levels, and each
successive level is more demanding. E.g., there are Power 1 and Power 2; Audit 1,
2, 3, and 4; and Backup 1, 2, and 3. For example, for Protection Level I we only
have to implement Audit 1; Protection Level II requires Audits 1 and 2; Protection
Level III requires Audits 1, 2, 3 and 4.
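To make the three Protection Level rules in item 21 and the Audit 1-4 ladder just above concrete, here is an added illustration (not part of the briefing or the NISPOM): given a system's user population, it derives the Protection Level and the audit levels the briefing says that level requires. The User record, the clearance ordering and the sample populations are constructed assumptions.

```python
"""Protection Level for Confidentiality, derived from a system's user population per
the briefing's three rules, with the audit levels each PL requires. Added
illustration; the User record and system model are assumptions."""
from dataclasses import dataclass

# Collateral clearances ordered so "required level of clearance" is comparable.
CLEARANCE_RANK = {"NONE": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# From the briefing: PL I needs Audit 1; PL II Audits 1 and 2; PL III Audits 1-4.
REQUIRED_AUDIT_LEVELS = {1: (1,), 2: (1, 2), 3: (1, 2, 3, 4)}

@dataclass(frozen=True)
class User:
    name: str
    clearance: str           # highest collateral clearance held, e.g. "SECRET"
    approvals: frozenset     # formal access approvals held (NATO, CNWDI, COMSEC, ...)
    need_to_know: frozenset  # identifiers of objects this user has a need to know for

def protection_level(users, system_clearance, system_approvals, objects):
    """Return 1, 2 or 3 per the briefing's rules, or None when some user lacks
    the clearance the system requires (then no collateral PL applies at all)."""
    required = CLEARANCE_RANK[system_clearance]
    if any(CLEARANCE_RANK[u.clearance] < required for u in users):
        return None
    # PL III: everyone is cleared, but NOT all users hold every formal access
    # approval the system carries; need to know does not enter into the decision.
    if not all(system_approvals <= u.approvals for u in users):
        return 3
    # PL I vs PL II turns only on whether everyone has need to know for everything.
    everything = frozenset(objects)
    return 1 if all(everything <= u.need_to_know for u in users) else 2

def required_audits(pl):
    """Audit levels that must be implemented at Protection Level `pl`."""
    return REQUIRED_AUDIT_LEVELS[pl]

# Constructed sample populations for a Secret system that also carries NATO material.
OBJECTS = ("plan_a", "plan_b")
SYSTEM_APPROVALS = frozenset({"NATO"})
NATO, ALL_OBJECTS = frozenset({"NATO"}), frozenset(OBJECTS)
DEDICATED = [User("ann", "SECRET", NATO, ALL_OBJECTS),
             User("bob", "SECRET", NATO, ALL_OBJECTS)]
SYSTEM_HIGH = [User("ann", "SECRET", NATO, ALL_OBJECTS),
               User("bob", "SECRET", NATO, frozenset({"plan_a"}))]
COMPARTMENTED = [User("ann", "SECRET", NATO, ALL_OBJECTS),
                 User("cid", "SECRET", frozenset(), ALL_OBJECTS)]
UNDERCLEARED = [User("ann", "SECRET", NATO, ALL_OBJECTS),
                User("dan", "CONFIDENTIAL", NATO, ALL_OBJECTS)]
```

Running the four constructed populations through `protection_level` yields PL I, II, III and None respectively; the None case is the one where the system cannot be accredited at any collateral Protection Level because a user is not cleared for it.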


23.    Interconnected Networks and SIPRNET. As information technologies
mature, we find we are establishing more and more interconnected networks. An
interconnected network is one in which:

         There are two or more separately accredited systems and/or networks
         Each IS or network has its own IS Security Officer (ISSO)
         There are a minimum of two machines but there also may be 400
          machines

SIPRNET (Secret IP Router Network) is DoD's primary command and control
network. SIPRNET is that part of the Defense Information System Network
(DISN) limited to Secret and below collateral traffic. To connect to SIPRNET, you
must have a Government sponsor and that organization must be willing to pay a
monthly connection charge. We are currently working to get a 256kb throughput
SIPRNET connection in Syracuse. This connection will cost our sponsor a one-
time $2,500 installation fee plus a $1,215 per month recurring charge. If you
think you need to be connected to the SIPRNET, please talk to your security
officer.


24.    Protection of laptops. I see that we are purchasing and using more and
more laptop computers. This is good but we must remember that with the
mobility of the machines comes a threat. Please protect your laptop when you
are on the road. Unscrupulous folks are not only interested in your hardware
but also the information you store on that laptop. Please do not store
passwords, sensitive memos, or other proprietary information on your laptop.
The below article emphasizes why any sensitive corporate information on your
laptop should be encrypted or stored on removable media.

http://computerworld.com/cwi/story/0,1199,NAV47_NLTam_STO43946,00.html


25.   I understand that cell phones could present a risk to classified
information. How is this? A cellular phone is a radio transmitter/receiver and a
computer combined into a small, very portable unit. It is a convenience and a
major vulnerability - two conflicting qualities that indicate a need for solid risk
management efforts when dealing with classified or proprietary information.

Cellular phones are subject to eavesdropping, improper use or configuration, and
even hacking. Anyone with a radio receiver tuned to the proper frequencies can
intercept and listen to cellular transmissions (just ask Newt Gingrich whose cell
calls while in Florida were placed in the public domain). The newer phones can
be programmed to "mute" the ring (just like a pager) and to automatically answer
an incoming phone call. Thus, a phone may ring and be inadvertently activated in
locations that are inappropriate to receive calls, such as a SCIF or other secure
areas where classified conversations are ongoing. Here are a few suggestions
for minimizing your cell phone vulnerabilities:

      Never discuss proprietary or classified information while using a cellular
       telephone.
      Ensure that your cell phone is switched off prior to entering any office or
       conference room where proprietary or classified conversations may occur.
      Never use a cell phone within a SCIF or secure area.
      Check your cell phone's feature programming to ensure that its
       configuration is consistent with good security practices.



26.    What is the latest on the Mas-Hamilton X08 locks and our use of the
steel file cabinets with iron bars? Well, Congress is pretty upset with the
Department of Defense over this issue. Seems they gave the DoD $10 million
last year to retrofit Industry's safes with the new Mas-Hamilton X-08 locks. DoD,
who does not think this is a worthwhile expenditure of their monies, has refused
to spend the $10 million and it expired in September 2000.

I still think that Congress will get its way and all of our black S&G locks on our
existing safes will be replaced by the Government at no expense to us. Directors:
hold on to those safes and if you can acquire used ones for less than $200 - buy
them. The use of the steel file cabinets with iron bars will be discontinued in
2012. I believe we only have those containers in Syracuse.


27.   Combinations to your security safes. Some of you have been around
long enough to know that we used to change the combinations to safes annually.
You may have noticed that we do not do that so often anymore. This is because
we now change the safe combination:

          Upon receipt of a new safe
          If we suspect the combination has been compromised
          Annually, if you have Secret-level NATO documents in your safe (FYI,
           these should not be commingled with U.S. classified documents. They
           should be stored in a separate drawer or otherwise segregated from
           your U.S. classified documents)
          Whenever someone who knows the combination no longer has a
           reason to enter the safe
This means that if you are the only person who uses the cabinet, it is possible for
you to have the same combination for years.

The combination is classified at the level of the most sensitive document you
have in the safe. You should never write the combinations down anywhere but
should memorize them. If you forget your combination, consult with the Security
Staff and they will give the combination to you. You should never store money,
jewelry, coins, or other high-value materials in your safe or security cabinet - this
will only provide additional motivation for someone to attempt to break into the
cabinet. Do you have a safe whose combination needs to be changed? If so,
please bring this to the attention of your security officer and they will change it for
you.


28.   Disposition of classified documents upon completion of a contract.
Did you know that all classified material received or generated in the
performance of a classified contract has to be returned upon completion of the
contract unless the material has been declassified, destroyed, or retention of the
material has been authorized?

If we desire to retain classified material received or generated under a contract,
we may do so for a period of two years after completion of the contract simply by
notifying the Government of our intent - provided the Government Contracting
Office (GCA) does not advise to the contrary.

If we desire retention beyond the two year period, we must request this in writing
and receive written retention authority (a "Final" DD Form 254) from the GCA.
Our written request must reflect one of the seven justifications found in
paragraph 5-702(b) of the NISPOM.

Finally, the NISPOM tells us that we, "should review our classified holdings on a
recurring basis to reduce these classified inventories to the minimum necessary
for effective and efficient operations. Multiple copies, obsolete material, and
classified waste shall be destroyed as soon as practical after it has served its
purpose." Program managers should be reviewing their holdings periodically and
instructing the Security Staff as to which documents should be dispositioned as
directed above.

29.    Use of FEDEX. As a last resort, when the U.S. Postal Service cannot
meet our needs, FEDEX can be used for overnight deliveries of classified
documents (if the DSS has approved the local Facility's written procedure).
Consequently, there is a likelihood that a FEDEX package containing classified
materials may be delivered to other than the Security Staff. If you receive a
FEDEX package with no name on the outside, you should deliver the package to
Security for processing. If you open the package and the inner wrapper contains
security markings, you should deliver it to Security (even if your name is the
intended recipient).

30.    Summary/Wrap-up/Documentation. This completes your annual security
refresher briefing for 2001. We discussed the fact that the Threat is very much
alive and is especially threatening to our information systems. We talked about
the continuing problem with the security clearance backlog, the possible impact
of the new "Smith Amendment", and the Government review of access to
CNWDI. We know from this briefing that the policies for protection of classified
information originate from Executive Orders - the latest being 12958. We are
waiting to see whether or not we (Industry) will need to retrofit our safes with the
new X08 Mas-Hamilton lock. We learned there is a new NISPOM Chapter 8 that
dictates the implementation of a number of technical countermeasures
depending on the "Protection Level" of the system or network. We were
reminded of the threat to the information we store on our laptops. We know the
circumstances under which our safe combination must be changed and to let our
security officers know if we have an outdated combination. We were told that as
Program Managers, we need to periodically review our classified holdings to
ensure they are kept to a minimum. We reviewed the rules for handcarrying
documents and escorting an uncleared visitor. We were told about our reporting
responsibilities as cleared personnel. We were also reminded of the reason we
should wear our badges at all times while within the Facility. Finally, we talked
about the vulnerabilities presented by using cell phones in secure areas and the
inherent danger of letting our guard down when we use the Internet for pleasure
at home.


ACTION FOR YOU: Please "forward" this email message to your Security Officer
to confirm that you have participated in this annual security refresher briefing.