Security for Project Management Professionals National Industrial Security Program
Purpose The purpose of this briefing is to provide Project Management Professionals and others engaged in project management with an overview of the National Industrial Security Program (NISP). The goal of any industrial security program is the protection of classified information. Physical safeguards are important in this effort – but just as important is the education of those entrusted with the safeguarding of classified information. Policies and procedures tell us what to do and how to do it, but we also need to understand WHY things are done a certain way.
What you will learn • At the end of this briefing the Project Management Professional will: • Have an understanding of the National Industrial Security Program (NISP) and the Operating Manual (NISPOM) • Become familiar with the requirements imposed by the Contract Security Classification Specification (DD Form 254) • Have an understanding of the difference in requirements between those stated in Section H of the contract and those imposed by the DD 254. • How do we get the people with the right clearances in the right positions in a timely manner. • Become familiar with Joint Personnel Adjudication System (JPAS) and requirements for Visit Authorization Letters / Requests.
What is a facility (in NISPOM-speak)? The solicitation states that the company must have an active TOP SECRET facility clearance at time of award. In NISPOM-speak, this means that the company awarded a contract must have gone through a vetting process with the Department of Defense (or other Cognizant Security Agency – DNI; DOE and NRC*) based upon a valid contractual need to access classified information. NOTE: The NISPOM is applicable to ALL executive branch departments and agencies. Once this process is favorably completed the company is granted a “Facility Clearance” (FCL) at the level required by contract (generally SECRET or TOP SECRET). For our purposes, this information is then entered into the Industrial Security Facilities Database together with the company CAGE code; location of the company and Facility Security Officer (FSO) information. This would be an industrial security version of the Central Contractor Registration (CCR). * Director of National Intelligence (DNI); Department of Energy (DOE); Nuclear Regulatory Commission (NRC)
FCL Level v. Storage Authorization The solicitation states that the company must have classified storage authorized for classified information up to the SECRET level. The fact that we have a TOP SECRET Facilities Clearance (FCL) covers us – right? Actually, NO! Having a TS FCL means that the company may enter into contracts and have access to classified material at a level up to and including TS. It may also employ “cleared” personnel for that purpose. The storage, processing, safekeeping, manufacturing, etc., of classified material and information is a separate process. In order to be authorized classified storage, the cleared company must demonstrate they have sufficient safeguards (physical, personnel, procedural, etc.) in place prior to receiving authorization and have a contractually based NEED for maintaining classified information on-site. In this case, the company would need authorization to store and process SECRET material.
As a PM, where do I find security related information in the contract? For the FSO the only source of information is the DD 254 (Contract Security Classification Specification). In most cases though – at the time of solicitation a DD 254 will not be available. So your sources are: Section H of the solicitation / contract will normally have general information regarding security requirements: type of personnel clearance required; type facility clearance required; IT access requirements; policies regarding access to facilities, etc. The Statement of Work (SOW) will also have general requirements – hopefully specific to the position being filled or the security access required for a particular location. Generally one or both of these documents will also let us know if we need approval of the government to subcontract – and if so, do we need approval of the government security group to subcontract security requirements. (Mandatory for Department of State; FBI and some Naval activities)
The DD 254 – Why is this so important? As a PM, you understand that without a contract in place, work does not start, people don’t get paid and invoices don’t get submitted. The contract includes all of the specifications needed to be met. The DD 254 is a part of that contract – just as the statement of work; your proposal; invoicing instructions, etc. The Government Contracting Activity (GCA) is responsible for incorporating appropriate security requirements clauses in a classified contract, Invitation for Bid (IFB), Request for Proposal (RFP), Request for Quotation (RFQ), or other solicitation, and for providing the contractor with the security classification guidance needed during the performance of the contract. This guidance is provided to the contractor by the Contract Security Classification Specification. The Contract Security Classification Specification must identify the specific elements of classified information involved in the contract that require security protection.
DD 254 v. Section H or SOW • Typical Section H / SOW Security Requirements: Contractor must have a TS FCL and provide personnel with access authorized to TS or TS/SCI level. Normally just a paragraph or two. • The DD 254 can range from 2 to ?? pages depending on the contract. It tells us (or at least should tell us): • Basic Requirements (See follow on slides) • Who has security cognizance. • If SCI, COMSEC, or other, specific guidance • Who the Security POC is on site; for the contract and how visit requests will be managed.
FIRST TO BE CHECKED DD 254 Example:
Section 10: What information is protected? Requires Special Briefings Requires Agency Vetting Process
Section 11: Location; needs and instruction on how: Storage / processing authorization required if YES block is checked
A Special Note about SCI This contract states that everyone must be cleared to the TS/SCI level or be SCI eligible. What is SCI and what is the difference between TS/SCI and “eligible?” There are only three levels of classified information: TOP SECRET (TS); SECRET (S) and CONFIDENTIAL (C). SCI implements tighter safeguards for some TS information. SCI refers to Sensitive Compartmented Information and the DNI is the proponent for SCI access for the federal government. To have access to SCI, the agency holding that information (FBI; DoD; CIA; DOJ) will conduct a separate background investigation before you may be granted access. The individual may be asked to undergo a polygraph – generally limited to National Security matters.
Who’s a SAP? One part of this project is referred to as a Special Access Program (SAP) and information is considered Special Access Required (SAR). As mentioned, there are only three levels of classified information: TS; S and C. SAPs are the responsibility of the CSA – and require special oversight by the CSA. They may be acknowledged or unacknowledged. As is the case with SCI information – additional safeguards and requirements are applied prior to granting access. Consider secret programs used for the development of weapons systems – or information regarding a Delta classified operations mission; or the intelligence platform added to that new Gulfstream that can find a penny in your pocket. These are all types of Special Access Programs. There will be additional safeguards – some physical; some personnel security and dependent upon the program – the guy down the hall will have no idea what you are working on.
Billets The DD 254 in my case states that we have been provided four (4) “billets.” What is a billet? For SAP and some SCI programs, a set number of people may have access to part or all of the information within that program. These are referred to as billets – or positions. In this case, no more than four individuals may be read on to the program and provide support to the program at any one time. A person leaves – the replacement must be nominated and accepted by the agency before access is granted.
IT Access Levels I, II or III We have an IT Services support contract pending. The SOW states that some personnel will require IT Level I access while others require levels II or III. This is not a classified contract. What’s this all about? Vulnerability. That’s what it is all about. Where is our system most vulnerable; who could be the biggest threat to the system and what can we do to protect the system or network from compromise or damage? If you think about the financial industry – none of their information is classified information by National Security standards. Yet, protections imposed on access to financial systems, networks, transactions, etc. are super tight. Generally – the government will identify the AIS level of the system which sets the stage for who can get access.
Access and Investigation Chart NOTE: Agencies may also require – in addition to the above – a suitability investigation be completed prior to granting full access. The investigative requirements are agency and information dependent. Generally interim access is granted while the suitability investigation is being completed.
The Joint Personnel Adjudication System (JPAS) JPAS is the system of record for personnel clearances within the Department of Defense and its contractors. If our company has a classified contract with DOD and most federal agencies – they require us to submit a JPAS record. If “it ain’t in JPAS – then it ain’t.” • WHAT IT DOES DO: • Displays all relevant information regarding background investigation and adjudication dates. • Displays the association between an individual and a company. • Displays what access the person has been granted. Displays any special accesses – NATO, Nuclear, etc. • Allows for Visit Requests to be submitted electronically. • WHAT IT DOES NOT DO: • Does not link with other agency databases (Scattered Castles). • Does not track “favorable” access determinations (no access to classified). • Does not allow contractors to initiate SF 85 for suitability determinations.
Clearance Processing Have a new employee with no clearance? Requires access to Secret? If all is well with his eQIP submitted on Monday – your employee can be sitting at your client’s desk with an Interim Secret on Wed or Thu at the latest!
TOP SECRET
• HR provides completed security questionnaire to Security. Upon receipt, applicant is added to JPAS and investigation request is initiated under the contract number provided. (1 Day)
• Applicant completes eQIP and submits to FSO. (up to applicant – after 90 days – start over)
• FSO reviews and either returns for correction or submits to DSS for processing. (1 day)
• DSS grants Interim SECRET clearance and submits eQIP to OPM for investigation. (3 days)
• Investigation completed. (Many variables – generally 6 - 12 months)
• DSS adjudicates investigation and grants final TOP SECRET clearance (within 30 days)
SECRET
• HR provides completed security questionnaire to Security. Upon receipt, applicant is added to JPAS and investigation request is initiated under the contract number provided. (1 Day)
• Applicant completes eQIP and submits to FSO. (up to applicant – after 90 days – start over)
• FSO reviews and either returns for correction or submits to DSS for processing. (1 day)
• DSS grants Interim SECRET clearance and submits eQIP to OPM for investigation. (3 days)
• Investigation completed. (Many variables – generally 3 to 6 months)
• DSS adjudicates investigation and grants final SECRET clearance (within 30 days)
A Tip 4 U! Make all hiring agreements contingent upon the applicant being able to obtain and hold on to eligibility to access classified.
JPAS Record Employed by; investigation & adjudication summaries Who you are; levels of access granted
Visit requests OK – the contract is in place; we have hired the right person with the right clearance. Now, how do we get our employee on site? • We are required to show a contractual relationship between the government and our company and a link between the person and our company. This is generally managed through the submission of a Visit Authorization Letter (or Visit Request) – prepared by the company security staff and submitted to the government client’s security staff. • With the development of JPAS – this can be done electronically if the government client is a user of JPAS. If not, a hard copy letter (on company letterhead) is submitted via fax. • Data included in the letter: • Contract Number; Security POC at agency; Project POC at Agency; Period of visit. • Employee’s Full Name; DOB; POB; SSN. • Employee background investigation data; access granted and indoctrination. • Company CAGE; FCL; Date Granted and information concerning the Cognizant Security Office.
Subcontractor Responsibilities • Are security requirements passed down to subcontractors? How do we know they are cleared? If not cleared can they get cleared? • If the subcontractor is required to have access to classified information, then YES, the security requirements will be passed down to that company. This is accomplished via a Sub-Contractor DD 254 – which is prepared by the company and signed by the FSO – which is then submitted to the sub. • The Sub-Contractor is responsible for the security program for its own employees and will submit visit requests based on our DD 254. • In order to issue the subcontractor DD 254, the following must be provided to security: • A copy of the sub-contract signed by both the company and the subcontractor. • Period of performance. • We will then verify the subcontractor’s FCL in the ISFD, prepare and issue the DD 254.
Project Phases – Security Concerns
PRE-SOLICITATION PHASE
OVERVIEW: Exploratory phase. BD evaluation of government requirements. Develops recommendation of GO / NO-GO. NISP info minimal at this time – expressed in broad terms “Requires personnel with eligibility up to and including TS”
PRE-PROPOSAL PHASE
OVERVIEW: Statement of Work is available. Proposal team should have an idea of expected sub-contractors; personnel, etc. FSO involved in the process to provide advice on meeting security requirements. Agency (end user) security requirements should be developing and available.
PROPOSAL DEVELOPMENT
OVERVIEW: Development of the company proposal – ensuring that all requirements are met or exceeded. FSO should be consulted to ensure we have addressed all security concerns correctly.
PERFORMANCE PHASE
OVERVIEW: Contract has been awarded and sub-contracts issued. DD 254 has been received from the government and evaluated to ensure requirements have not changed. DD 254s issued to subs; personnel added to JPAS and Visit Requests submitted to the end-user.
FSO INVOLVEMENT
• Security requirements will not be finalized. However, in general terms, we should be able to evaluate:
• Does the company have the correct FCL?
• Proposed Subs – are they cleared? To what level?
• Proposed staffing – any issues with PCL?
• Will interim clearances be accepted?
• Is there sufficient lead time to get a new employee cleared?
• Are there agency requirements that may cause a delay?
FSO INVOLVEMENT
• Has the DD 254 been received and evaluated?
• Prepare and issue sub-contractor DD 254s – submit to agency if required.
• JPAS completed for all employees.
• Initiate investigations / re-investigations where needed.
• Prepare visit requests and submit.
• All staff undergo security education / in-briefings, etc.
Required Reports The reality is that life happens. Sometimes what does happen may have an adverse effect on the ability of an individual to maintain a clearance. In some situations, the conduct of an employee brings his ability to maintain a clearance into question. We are required to report certain matters – like it or not – regardless of the government client’s decisions.
TO THE FBI:
• actual, probable or possible espionage, sabotage, terrorism, or subversive activities at any of its (contractor) locations.
TO THE CSA:
Employee Status
• Adverse information concerning a cleared employee
• Suspicious contacts
• Change in status: Name; citizenship; marital status; termination
• Refusal of a cleared employee to work on classified contracts
• Refusal to sign the SF 312 (Non-Disclosure Agreement)
Company Status
• Change of name; address; ownership
• Change in Key Management Personnel
• Change in FOCI Status (Foreign Ownership, Control, Influence)
• For possessing companies, any change in the ability to properly safeguard classified information
The Threat – Economic & Industrial Espionage Due to foreign policy considerations and the need to protect sources, the U.S. Government does not publicly name the countries that are most active in conducting espionage against the United States. However, several European and Asian countries have stated openly that their national intelligence services collect economic intelligence to benefit their industries at the expense of foreign competition. Considerable information on this subject is available in public sources. What Are They After? It would be nice to know exactly what classified, proprietary or other sensitive information foreign countries are trying to collect, so that we could then concentrate on protecting that information which is most at risk. Unfortunately, waiting for that kind of specific information before taking appropriate security measures would usually mean locking the barn door after the horses have left. March 7, 2008: a Reston, VA company pleads guilty in federal court to illegally exporting "controlled power amplifiers," which have military applications.
The increasing value of technology and trade secrets in the global and domestic marketplaces, and the temporary nature of many high-tech employments, have increased both the opportunities and the incentives for economic espionage. The rapid expansion in foreign trade, travel, and personal relationships of all kinds, now makes it easier than ever for insiders to establish contact with potential buyers of classified and other protected information. The development of automated networks and the ease with which large quantities of data can be downloaded from those networks and stored and transmitted to others increases exponentially the amount of damage that can be done by a single insider who betrays his or her trust. Facilitators For example, a memory stick, also known as a keychain drive or thumb drive because of its small size, can be plugged into a computer's USB port and be used to download up to 16 GB of data (at the moment!). (The entire Encyclopedia Britannica requires only 4.3GB). 2 - 4 - 8 - 16 - 32GB?
The Threat – Economic & Industrial Espionage Foreign governments’ continued ability to acquire state-of-the-art U.S. technology at little or no expense has undermined U.S. national security by enabling foreign firms to push aside U.S. businesses in the marketplace and by eroding the U.S. military lead. A clear line must be drawn to protect information that is: classified, or subject to export controls because it concerns militarily critical technologies, or proprietary information that is the intellectual property of a specific firm or individual. March 24, 2008: a former engineer at a naval contractor is sentenced to 24 1/2 years in prison for conspiring to export warship technology. Aug. 1, 2007: Engineer pleads guilty to violating the Economic Espionage Act to benefit China's Navy Research Center. He exported source code for simulation software for the precision training of fighter pilots.
“Globalization and growing economic interdependence, while creating new levels of wealth and opportunity, also create a web of interrelated vulnerabilities and spread risks even further…” – Department of Defense National Defense Strategy July, 2008
METHODS EMPLOYED Listed in order of foreign entity interest. Defense Security Service “Targeting US Technologies: A Trend Analysis of Reporting From Defense Industry, 2008” TECHNOLOGIES TARGETED
Let us not forget who we support. Information concerning troop rotations, locations, equipment; and technology is classified for a reason. Unauthorized release of this information can have a detrimental effect on the Warfighters’ survivability.
This concludes the briefing for Project Management Professionals. If you have questions, please do not hesitate to contact us.