
Security Awareness & Refresher Briefing - Bowhead

Date post: 06-May-2018
Upload: vukhue

Proprietary Information – Do not distribute WWW.BOWHEADSUPPORT.COM

Security Awareness & Refresher Briefing

Overview

• Bowhead is a cleared company in the National Industrial Security Program (NISP)
• Employees are bound by Department of Defense (DoD) rules and regulations to properly protect and control all classified material in their possession per the National Industrial Security Program Operating Manual (NISPOM) and as appropriate, other Cognizant Security Agency directives.
• You must familiarize yourself with specific contract provisions on ‘how’ protection and control measures apply to each program you support.

Security Briefings

• The NISPOM requires that you be provided:
  – with an Initial Security Briefing prior to being permitted access to classified information,
  – and that you be provided with an Annual Security Refresher Briefing.
• The NISPOM also states that personnel granted clearances are required to sign a Classified Information Nondisclosure Agreement (Standard Form 312)
  – which further outlines responsibilities for the protection and safeguarding of classified information.
  – This is essentially an agreement between the individual and the U.S. Government (discussed later in this briefing).
• Additionally, government site security managers may require other security briefings specific to the needs of the onsite government client.

Briefing Outline

• This briefing reviews some of the obligations you have when holding a security clearance, as well as other pertinent information.
• The items covered are:
  – An Overview of the Security Classification System
  – SF 312 (Classified Information Nondisclosure Agreement)
  – Personnel Security Clearance notes
  – Reporting Obligations
  – A Threat Awareness & Defensive Security Briefing

Introduction

• U.S. industry develops and produces the majority of our nation’s defense technology – much of which is classified – and thus plays a significant role in creating and protecting the information that is vital to our nation’s security. The National Industrial Security Program (NISP) was established by Executive Order 12829 to ensure that cleared U.S. defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts.
• The Defense Security Service (DSS) administers the NISP on behalf of the Department of Defense and 23 other federal agencies within the Executive Branch. There are approximately 12,000 contractor facilities that are cleared for access to classified information.

Introduction (continued)

• To have access to U.S. classified information and participate in the NISP, a facility – a designated operating entity in private industry or at a college/university – must have a bona fide procurement requirement. Once this requirement has been established, a facility is eligible for a Facility Security Clearance (FCL). A Facility Security Clearance is an administrative determination that a facility is eligible to access classified information at the same or lower classification category as the clearance being granted.
• The Facility Security Clearance may be granted at the Top Secret, Secret or Confidential level.
• In order to obtain the clearance, the contractor must execute a Defense Security Agreement which is a legally binding document that sets forth the responsibilities of both parties and obligates the contractor to abide by the security requirements of the National Industrial Security Program Operating Manual (NISPOM).

Clearance Information

• Bowhead maintains a facility clearance (FCL). Just as you are required to sign an agreement with the U.S. Government, as a defense contractor, the company has signed a Security Agreement with the U.S. Government.
• Your security responsibilities are real:
  – They are magnified as a result of your employment in a vital defense industry. It is essential that you realize the importance of this.
  – Unauthorized disclosure or failure to properly safeguard classified information is punishable under the Espionage Laws and Federal Criminal Statutes.
  – Your responsibilities affect the security of our government and the technological advancement of our nation.

Clearance Information

• Bowhead processes three different types of investigations:
  – Collateral: Confidential, Secret and Top Secret clearance
  – SCI: Caveat sometimes attached to Top Secret clearances, to allow access to Sensitive Compartmented Information (SCI); processed through the government
  – Public Trust: Employees may have a need to work on a project that is Controlled Unclassified Information, and may be processed for a background investigation that does not result in clearance, but gives access to CUI material for work in a Position of Trust.
    » FAA
    » VA
    » DHS

Overview of Security Classification System

• As outlined by the new Executive Order 12958, classified information is official government information that has been determined to require protection in the interest of national security.
• All classified information (with only one exception) is under sole ownership of the U.S. Government, and employees possess no right, interest, title, or claim to such information.

Introduction to Classified Information

Classified National Security Information (“classified information”): information that has been determined pursuant to Executive Order 12958 to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.

• A major change was the automatic 10 year declassification unless exemption category is applicable; then 25 years for formerly classified information.
• Information is classified when it is determined that its unauthorized disclosure can reasonably be expected to cause damage to national security. Such information is assigned a classification of TOP SECRET, SECRET, or CONFIDENTIAL and is appropriately marked.
• Unauthorized disclosure means disclosure to someone NOT authorized by the government to have access to classified information. Unauthorized disclosure is punishable as detailed in the Extracts of the Espionage and Sabotage Acts.

Classified Information (continued)

• Three levels have been established based on the criticality of the information or material to national interests:
  1. TOP SECRET: Information or material whose unauthorized disclosure could be expected to cause exceptionally grave damage to the national security.
  2. SECRET: Information or material whose unauthorized disclosure could be expected to cause serious damage to the national security.
  3. CONFIDENTIAL: Information or material whose unauthorized disclosure could be expected to cause damage to the national security.

Security Classifications

• Information or material that requires protection against unauthorized disclosure in the interest of national security shall be classified with one of the four designations:
  – Unclassified
  – Confidential
  – Secret
  – Top Secret

Confidential

• Unauthorized disclosure may be expected to cause “damage” to national security
• EXAMPLE: Release of information that might cause foreign government to hesitate confiding in the United States

Secret

• Unauthorized disclosure may be expected to cause “serious damage” to national security
• EXAMPLES:
  – Disruption of foreign relations significantly affecting national security
  – Significant impairment of programs or policy directly related to the national security
  – Revelation of significant military plans or intelligence operations

Top Secret

• Unauthorized disclosure may be expected to cause “exceptionally grave” damage to national security
• EXAMPLES:
  – Obstruction of programs directly related to national security
  – Revelation of significant military plans or intelligence operations
  – Compromise of significant scientific or technological developments relating to national security

Identifying Classified Information

• Classified documents are boldly marked with the highest classification on the top and bottom of each page.
• Individual Paragraphs have markings: (U), (C), (S), (TS).
• Use the Program Security Classification Guide for help when marking classified for your contract. This guide will instruct you on what types of information should be classified at which levels.
• If you believe information is over-classified, contact the FSO/SSO for guidance.

Examples of Classified Cover Sheets

Always attach a COVER Sheet when material is out of the safe

Classified Information

• Classified information exists in many forms. It may be a piece of hardware, a photograph, a film, recording tapes, notes, a drawing, a document or spoken words.
• Material is classified by the originator.
• It comes to industry via security classification guides.
• The degree of safeguarding required depends on the information's classification category.

Procedures for Handling Classified Information

• Detailed instructions will be provided to you by the client/site security officer before you access classified information.
• You will be advised about identifying, handling and safeguarding classified information.
• Always ask questions when in doubt.

Safeguarding Classified Information

• One of the most fundamental requirements of the NISP is the proper safeguarding and storage of classified information. It is essential that classified information be at all times properly safeguarded or stored in accordance with the requirements of the NISPOM.
• “Safeguarding” means measures and controls that are prescribed to protect classified information.

Destruction of Data

• The method of destruction of classified information depends on the level of classification of the information and what type of material it is.
• Check with your local security office before destroying classified material to ensure proper procedures are being followed.

Sharing of Classified Information

• Determining access to classified material - When an individual is granted a security clearance, it means that an individual is eligible to have access to classified information on a “need-to-know” basis. Access is granted only when the following two conditions are met:
  1. The recipient has a valid and current eligibility at least as high as the information to be released. Contact your FSO if in doubt about a person’s clearance status.
  AND
  2. The recipient requires access in order to perform tasks essential to the fulfillment of a classified Government contract or program. This is called “need-to-know.” Contact the recipient’s supervisor if in doubt about a person’s “need-to-know.”
• Note: It is the responsibility of the possessor of classified information to ensure that the prospective recipient meets BOTH of these conditions.

Need-to-Know

• Need-to-know confirmation for both internal employees and visitors should come from a security department advisor or representative.
• If there is doubt as to whether or not a person has a need-to-know, you should check with the proper authority prior to release of any classified information.
• Establishment of need-to-know is essential.
• It is far better to delay release to an authorized person than to disclose classified information to one who is unauthorized.

Controlled Unclassified Information (CUI)

• Warrants a degree of protection and administrative control that meets the criteria for exemption from the public
• CUI information includes, but is not limited to:
  – Medical, Personal, Financial, Investigatory, Visa, and Law Enforcement Records
  – CUI designations can include Sensitive but Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), DoD Unclassified Controlled Nuclear Information (DoD UCNI), and Limited Distribution (LD), as well as other designations developed by other executive branches.
  – If released, could result in harm or unfair treatment to any individual or group, or could have a negative impact upon foreign policy

CUI Handling Procedures

CUI information should be transmitted through means that limit the potential for unauthorized public disclosure

Secure FAX, Phone, or other encrypted means is preferable

Custodian of CUI data needs to make this determination

During off-duty hours, CUI information must be secured within a locked office, or in a locked container

Check with your local security office for specific information.

SF-312 (Classified Information Nondisclosure Agreement)

• The SF312 is essentially a lifetime contract between you and the U.S. Government in which you agree to protect U.S. classified information from unauthorized disclosure.
• The agreement may limit you from freely discussing your work with colleagues, relatives, and others.
• Violation of the agreement can result in a wide array of legal action against you, ranging from civil suits to a succession of more severe penalties. Penalties for breaking the nondisclosure contract may include loss of clearance, fines and criminal prosecution under several statutes.
• The original signed copy of the SF312 is forwarded to DSS for their records, while a copy is maintained in the individual’s security file by the company.
• Failure to sign the agreement will result in revocation of your clearance.

Personnel Security Clearances: Periodic Reinvestigation (PR)

• Top Secret clearances are good for 5 years, at which time a PR is required.
• Secret and Confidential clearances are good for 10 years, at which time a PR is required.
• The PR requires that a new SF86 be completed; however, no new fingerprint card is necessary.

Visit Requests

An approved “Visit Request” must precede classified visits made to Bowhead by non-employees.

If you receive or are expecting a visitor with the expectation of discussing classified information, contact Security to verify the visitor’s security clearance. Similarly, a “Visit Request” must precede visits made to Government agencies, or facilities of other companies that involve the disclosure of classified information.

Make sure to notify the Security Office within a reasonable time, preferably 72 hours, if possible, so that the request gets completed and submitted prior to departure.

EMPLOYEES CANNOT HAND CARRY THEIR OWN VISIT REQUEST

Reporting Requirements

Report Changes in Status

YOU are responsible for reporting certain information to Security. This includes information about yourself and other cleared individuals. Items you must report are…

You Must Report…

• Personal Life Changes
  – e.g. Name Change, Marital Status Change, Citizenship Change, Cohabitation Change
• Any close and continuing Foreign Contacts
• Suspicious Contacts
• Foreign Travel
• If you are separating employment or if you are going on an extended leave of absence
• And any changes to questions that were filled out on the SF86 (ex. Financial, Mental health, criminal, civil/legal actions, etc.)

You Must Report…

• Adverse Information concerning yourself or a co-worker. Examples are:
  – Financial … this includes garnishments, lawsuits, bankruptcies, unexplained affluence and excessive indebtedness.
  – Arrests … even if you are arrested and found “not guilty” this needs to be reported. In addition, any traffic violation with a fine over $300 should be reported.
  – Psychological … mental or emotional counseling, or counseling for personality disorders (marital, family and grief counseling are excluded).
  – Substance Abuse … this includes the use of illegal drugs and/or excessive use of alcohol.

Reporting Requirements (continued): Adverse Information

• The NISPOM (1-302a) requires that cleared contractor employees report to their respective security department, any adverse information regarding other cleared employees.
• As a general rule, adverse information is that which reflects unfavorably on the trustworthiness or reliability of the employee and suggests that the person's ability to safeguard classified information may be impaired.

Reporting Requirements (continued): Suspicious Contacts

• Employees are required to report any suspicious behavior or occurrences that may occur at any time. This includes all contacts with known or suspected intelligence officers from any country, or any contact that suggests you may be the target of an attempted exploitation by a foreign intelligence service (NISPOM 1-302b). More specifically, employees must report to security any of the following events:
  – Any efforts, by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified or controlled unclassified information (CUI).
  – Any efforts, by any individual, regardless of nationality, to compromise a cleared employee.
  – Any contact by a cleared employee with a known or suspected intelligence officer from any country.
  – Any contact which suggests an employee may be the target of an attempted exploitation by the intelligence services of another country.
  – If there is any problem as to whether any specific situation is reportable, questions should be directed to your Bowhead representative.

Reporting Requirements (continued): Foreign Travel

• If you travel to another country, whether for business or pleasure, if at all possible, you must report your travel to your Bowhead representative prior to departure. Information regarding travel in a foreign country will be provided to you. Foreign travel must be reported; if not prior, then immediately after travel.
• Bowhead form, “Foreign Travel Reporting Form” should be completed and returned to the Security Office at least 30 days prior to foreign travel, whether personal or for business. Keep in mind you may have additional contract specific requirements for reporting and approvals prior to departure.
• Don’t forget this requirement includes Mexico and Canada… anywhere NOT in the United States.

Reporting Requirements (continued): Loss or Compromise

• Employees are required to report any loss, compromise or suspected compromise of classified information, foreign or domestic, to the appropriate security office (NISPOM 1-303). Reporting provides employees with an opportunity to extricate themselves from a compromising situation and enhances the protection of national security information.
• Not reporting a known security compromise may in itself constitute a major security violation, regardless of the severity of the unreported incident.
• Violations may include acts such as misplacing, losing, improperly storing, improperly transmitting, and leaving classified material unattended.

Other Reporting Requirements

• Employees are required to report any
  – act of sabotage or possible sabotage,
  – espionage or attempted espionage,
  – and any subversive or suspicious activity.
• Employees should also report any
  – attempts to solicit classified information,
  – unauthorized persons on company property,
  – unwillingness to work on classified information,
  – and disclosure of classified information to an unauthorized person,
  – along with any other condition that would qualify as a security violation or which common sense would dictate as worth reporting.


Threat Awareness

General Threats

• Any potential danger to a system
  – A person (insider/outsider)
  – A thing (Internet access)
  – An event (flood, lightning, spilled coffee cup, etc.)
• Exploiting a weakness in a system
  – Intentional or unintentional

Threat Awareness: Foreign Intelligence Threat

The FBI reports that nearly 100 countries are currently running economic espionage operations against companies in the USA.

Targets are shifting away from the classified military information sought during the Cold War days toward basic research and development processes.

Espionage targets also include technology and trade secrets of U.S. high-tech companies. Our adversaries are desperate to get their hands on everything from cost analyses, marketing plans, contract bids and proprietary software to high-tech data itself.

Any information or process that leads to cutting-edge technology – whether classified, proprietary or unclassified – is in high demand.

Some products are bought (or stolen) inside the US and then smuggled overseas. Often the stolen technology is transmitted electronically.

Physical Threats – Our World Today

Physical threats occur both inside and outside our places of work.

• Our world is getting more and more difficult to navigate. The “bad guy” looks just like we do – you cannot tell by looking at someone what they are thinking! We must remain vigilant in our efforts to thwart an unknown enemy’s efforts.
• Overseas travel, foreign contact, and joint ventures increase our exposure to the efforts of foreign intelligence collectors.

Workplace Violence: Violent acts (including physical assaults and threats of assaults) directed toward persons at work or on duty.

• Workplace violence can range from offensive language to homicide.
• Contributing Conditions: Bad Economy, Job Layoffs, Rigid Management, Pressure for increased productivity, Mental Illness, Increased Stress, “Toxic” work environment.
• Most workplace violence is the result of disagreements or personality conflicts between co-workers. Have a plan for what you would do….


Actual threats - verbal, non-verbal, written

Irrational or radical beliefs and/or ideas

Unwarranted perception of unfairness

Displays of unwarranted anger

Self-image of being “irreplaceable”

Isolation - depression, suicide threats

Erratic job performance, inability to take criticism

History of drug or alcohol abuse

Obsession with weapons

Recent family, financial or other personal problems

Physical Threats – Warning Signs


You may be required to handle proprietary or other types of sensitive information via email, electronic source, or hard copy. It is expected that you take the utmost care in protecting this information, not only to protect yourself and the Company, but also to protect our clients.

If you think no one would be interested in your work or your personal information, think again! Anyone, AT ANY TIME can become a victim of blackmail, coercion and/or identity theft – often in the blink of an eye.

BEFORE YOU SHARE INFORMATION:

• Ask WHY particular information is needed & how the information will be protected.

• Be cautious of unknown email senders; it could be a phishing scam or a virus. Don’t click on or install anything if you’re unsure.

• Utilize anti-virus software and a firewall, and make sure that they are updated regularly.

Protecting Company & Personal Information


An “insider” is anyone who has access to company proprietary information and/or customer data, systems or other information; each of us is an insider.

Insiders can threaten the company’s success – often without realizing it – but not all insider breaches are inadvertent or accidental.

Anyone with access can exploit any level of their permissions to steal, damage, sabotage or manipulate company or customer data.

An example would be a trusted employee with access and need-to-know accessing classified information for purposes of removing classified items unhindered and providing such information to an unauthorized person(s).

Every individual must be diligent in recognizing and reporting insider threat incidents.

Whether intentional or unintentional, inside actors can harm the organization just as tangibly as an external threat would – often with devastating results.

Insider Threats – You, Me, We


Classical espionage cases still occur, but now we are seeing an increase in a different kind of spying, an espionage based not just on the theft of classified information, but on theft of high-technology information.

There are many ways in which an adversary can acquire information:

• Not all spies have been recruited. Some past or present employees of U.S. companies have stolen materials and then sold them to competitors, foreign governments or other entities.

• A spy or mole can get a job at a targeted company and hope that their illicit activities go undetected as they work to gather information.

• Another method is to blackmail or coerce vulnerable employees of a targeted U.S. company or to recruit foreign nationals working with U.S. subsidiaries abroad.

• Equally unscrupulous, and also patently illegal, is the outright bribing of employees to steal plans, reports and other proprietary documents, or hiring so-called consultants to spy on competitors, a practice that can include bugging competitors' offices.

• Other methods include theft and smuggling of goods, theft of intellectual property, tampering with companies' electronics, extortion, and so forth.

Insider Threat Awareness


The insider threat poses great danger to the company’s information and people. Each of us must assist in detecting, identifying, and stopping espionage activity by recognizing and reporting the following indicators of espionage:

Unnecessary after hours access

Attempts to circumvent security procedures

Unauthorized removal of classified material

Substance abuse

Unexplained affluence

Financial hardship

Unreported foreign national association(s)

Drastic changes in behavior, demeanor, or work habits

Inappropriate use of photocopy equipment, computer, or printer

Unusual, unreported or excessive foreign travel

Insider Threats – What To Watch For


Insider Threats – Specific Actions


Threat Awareness – External Threats

The following are some external threats that you need to be aware of:

Foreign Intelligence Services – identify people who have access to sensitive information or cutting-edge technology and invest time to pursue someone of interest, and/or show interest in their employment. Report suspicious behavior and foreign national associations to your Security Team.

Computer Attacks – occur on both classified and unclassified networks. Information on the Internet is extremely vulnerable because of its accessibility; use extreme caution when accessing, clicking, and saving information.

Terrorists – threats come from international and domestic terrorists. Suspicious individuals, vehicles, or activities in or around our facilities must be reported immediately to the Security Team.


Hackers and Crackers

Malicious Code

Viruses, Worms, Trojans, Time Bombs

Terrorism

Internet Access

Social Engineering

Insider Threat

Cyber Threats


• A vulnerability is a weakness that can be exploited to develop an attack against a system, network or individual computer.

• Examples:

▪ Users

▪ Software

▪ Improper storage

▪ Weak passwords

▪ Out-of-date patches

▪ Unneeded services

▪ Poor management

There is no such thing as a completely secure system!

Vulnerabilities


Comply with Bowhead guidelines for use of Internet and E-mail

No outside Instant Messaging applications (IM), cryptography, music or software downloads unless approved by IT

Change your network log-on password regularly (as applicable)

– Make it easy to remember but hard to crack

– Try a “sentence” password – 1st letter of each word [ For example: “I went down to 3rd street yesterday.” = iwdt3sy ]

Lock your workstation when you leave your desk

– CTRL+ALT+DELETE, then choose “Lock”

or

– “Windows” key + L

– For Mac users, press CONTROL+SHIFT+EJECT (or, with newer Macs, press power instead of eject).

Ways to Protect the Network


Environmental Concerns

– DO protect your work area; keep liquids away from PC/keyboard

Software Accountability

– DON’T load unauthorized software

– DO report any unauthorized personnel loading software on your workstation

– DON’T be afraid to question technicians if you don’t know them

Network Access

– DO be aware of visitors to your site

Responsibilities of the User (DOs and DON’Ts)


Contingency Planning

– DO save your work to the network drive, not local drive.

– DO remember that you are ultimately accountable for activities that occur under your user name

Anti-Virus Program

– DO check your update file regularly

– DON’T bring files from other computers

Responsibilities of the User (DOs and DON’Ts continued)


• Portable Electronic Devices (PEDs) and Removable Media include: BlackBerry, cell phone, PDA, thumb/flash drive, CD/DVD, external hard drive, Bluetooth devices (Apple Watch, Fitbit, etc.)

• PEDs are prohibited in controlled spaces

• See site security officer for site-specific requirements and approved government-issued hardware

PEDs and Removable Media Handling


• You should know who your company security team is:

– Jennifer Reichelt, Facility Security Officer (FSO)

• 703-578-5579

– Heather Davis, Assistant FSO (AFSO)

• 540-709-2103

– Monika Rice, Assistant FSO (AFSO)

• 540-709-2104

• Any security-related questions should be brought to the security team at [email protected]

Know Your Security Team


• To report any of the instances previously cited, or other suspicious acts, contact:

– Your immediate supervisor

– Your FSO

• In the event you cannot reach the above, you may contact the HOTLINE…

DEFENSE HOTLINE

(800) 424-9098

The Pentagon

Washington, D.C. 20301-1900

DoD Hotline


I confirm that I have read and understood the Bowhead Awareness Briefing, as revised for 2016.

_______________________________________

Printed Name

_______________________________________

Signature

_______________________________________

Date

Please complete and return to:

[email protected]

Send upon completion.

Security Briefing Certificate

