Security for Project Management Professionals

1
Security for Project Management Professionals

• National Industrial Security Program

2
Purpose
The purpose of this briefing is to provide
Project Management Professionals and others
engaged in project management with an overview of
the National Industrial Security Program
(NISP). The goal of any industrial security
program is the protection of classified
information. Physical safeguards are important in
this effort but just as important is the
education of those entrusted with the
safeguarding of classified information. Policies
and procedures tells us what and how to do
something, but we also need to understand WHY
things are done a certain way.
3
What you will learn

• At the end of this briefing the Project
  Management Professional will
• Have an understanding of the National
  Industrial Security Program (NISP) and the
  Operating Manual (NISPOM)
• Become familiar with the requirements imposed
  by the Contract Security Classification
  Specification (DD Form 254)
• Have an understanding of the difference in
  requirements between those stated in Section H of
  the contract and those imposed by the DD 254.
• How do we get the people with the right
  clearances in the right positions in a timely
  manner.
• Become familiar with Joint Personnel
  Adjudication System (JPAS) and requirements for
  Visit Authorization Letters / Requests.

4
What is a facility (in NISPOM-speak)?
The solicitation states that the company must
have an active TOP SECRET facility clearance at
time of award. In NISPOM-speak, this means that
the company awarded a contract must have gone
through a vetting process with the Department of
Defense (or other Cognizant Security Agency
DNI DOE and NRC) based upon a valid contractual
need to access classified information. NOTE The
NISPOM is applicable to ALL executive branch
departments and agencies. Once this process is
favorably completed the company is granted a
Facility Clearance (FCL) at the level required
by contract (generally SECRET or TOP SECRET).
For our purposes, this information is then
entered into the Industrial Security Facilities
Database together with the company CAGE code
location of the company and Facility Security
Officer (FSO) information. This would be an
industrial security version of the Central
Contractor Registration (CCR).
Director of National Intelligence (DNI)
Department of Energy (DOE) Nuclear Regulatory
Commission (NRC)
5
FCL Level v. Storage Authorization
The solicitation states that the company must
have classified storage authorized for classified
information up to the SECRET level. The fact the
we have a TOP SECRET Facilities Clearance (FCL)
covers us right? Actually, NO! Having a TS FCL
means that the company may enter into contracts
and have access to classified material at a level
up to an including TS. It may also employee
cleared personnel for that purpose. The
storage, processing, safekeeping, manufacturing,
etc., of classified material and information is a
separate process. In order to be authorized
classified storage, the cleared company must
demonstrate they have sufficient safeguards
(physical, personnel, procedural, etc.) in place
prior to receiving authorization and have a
contractually based NEED for maintaining
classified information on-site. In this case,
the company would need authorization to store and
process SECRET material
6
As a PM, where do I find security related
information in the contract?
For the FSO the only source of information is the
DD 254 (Contract Security Classification
Specification). In most cases though at the
time of solicitation a DD 254 will not be
available. So your sources are Section H of the
solicitation / contract will normally have
general information regarding security
requirements type of personnel clearance
required type facility clearance required IT
access requirements policies regarding access to
facilities, etc. The Statement of Work (SOW) will
also have general requirements hopefully
specific to the position being filled or the
security access required for a particular
location. Generally one or both of these
documents will also let us know if we need
approval of the government to subcontract and
if so, do we need approval of the government
security group to subcontract security
requirements. (Mandatory for Department of
State FBI and some Naval activities)
7
The DD 254 Why is this so important?
As a PM, you understand that without a contract
in place, work does not start, people dont get
paid and invoices dont get submitted. The
contract includes all of the specifications
needed to be met. The DD 254 is a part of that
contract just as the statement of work your
proposal invoicing instructions, etc. The
Government Contracting Activity (GCA) is
responsible for incorporating appropriate
security requirements clauses in a classified
contract, Invitation for Bid (IFB), Request for
Proposal (RFP), Request for Quotation (RFQ), or
other solicitation, and for providing the
contractor with the security classification
guidance needed during the performance of the
contract. This guidance is provided to the
contractor by the Contract Security
Classification Specification. The Contract
Security Classification Specification must
identify the specific elements of classified
information involved in the contract that require
security protection.
8
DD 254 v. Section H or SOW

• Typical Section H / SOW Security Requirements
  Contractor must have a TS FCL and provide
  personnel with access authorized to TS or TS/SCI
  level. Normally just a paragraph or two.
• The DD 254 can range from 2 to ?? pages depending
  on the contract. It tells us (or at least should
  tell us)
• Basic Requirements (See follow on slides)
• Who has security cognizance.
• If SCI, COMSEC, or other, specific guidance
• Who the Security POC is on site for the
  contract and how visit requests will be managed.

9
FIRST TO BE CHECKED
DD 254 Example
DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) 1. CLEARANCE AND SAFEGUARDING 1. CLEARANCE AND SAFEGUARDING 1. CLEARANCE AND SAFEGUARDING
DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) a. FACILITY CLEARANCE REQUIRED a. FACILITY CLEARANCE REQUIRED a. FACILITY CLEARANCE REQUIRED
DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) DEPARTMENT OF DEFENSE CONTRACT SECURITY CLASSIFICATION SPECIFICATION (The requirements of the DoD Industrial Security Manual apply to all security aspects of this effort.) b. LEVEL OF SAFEGUARDING REQUIRED b. LEVEL OF SAFEGUARDING REQUIRED b. LEVEL OF SAFEGUARDING REQUIRED
2. THIS SPECIFICATION IS FOR (x and complete as applicable) 2. THIS SPECIFICATION IS FOR (x and complete as applicable) 2. THIS SPECIFICATION IS FOR (x and complete as applicable) 3. THIS SPECIFICATION IS (x and complete as applicable) 3. THIS SPECIFICATION IS (x and complete as applicable) 3. THIS SPECIFICATION IS (x and complete as applicable) 3. THIS SPECIFICATION IS (x and complete as applicable) 3. THIS SPECIFICATION IS (x and complete as applicable)
a. PRIME CONTRACT NUMBER a. PRIME CONTRACT NUMBER a. ORIGINAL (Complete date in all cases) a. ORIGINAL (Complete date in all cases) a. ORIGINAL (Complete date in all cases) DATE (YYMMDD)
b. SUBCONTRACT NUMBER b. SUBCONTRACT NUMBER b.) b.) Revision No. DATE (YYMMDD)
c. SOLICITATION OR OTHER NUMBER DUE DATE (YYMMDD) c. FINAL (Complete Item 5 in all cases) c. FINAL (Complete Item 5 in all cases) c. FINAL (Complete Item 5 in all cases) DATE (YYMMDD)
6. CONTRACTOR (Include Commercial and Government Entity (CAGE) Code) 6. CONTRACTOR (Include Commercial and Government Entity (CAGE) Code) 6. CONTRACTOR (Include Commercial and Government Entity (CAGE) Code)
NAME, ADDRESS, AND ZIP CODE CAGE CODE c. .COGNIZANT SECURITY OFFICE (Name, Address, and Zip Code)
7. SUBCONTRACTOR 7. SUBCONTRACTOR 7. SUBCONTRACTOR
NAME, ADDRESS, AND ZIP CODE b. CAGE CODE c. COGNIZANT SECURITY OFFICE (Name, Address, and Zip code)
8. ACTUAL PERFORMANCE 8. ACTUAL PERFORMANCE 8. ACTUAL PERFORMANCE
a. LOCATION b. CAGE CODE c. COGNIZANT SECURITY OFFICE(Name, Address, and Zip Code)
9. GENERAL IDENTIFICATION OF THIS PROCUREMENT 9. GENERAL IDENTIFICATION OF THIS PROCUREMENT 9. GENERAL IDENTIFICATION OF THIS PROCUREMENT
10
Section 10 What information is protected?
10. THIS CONTRACT WILL REQUIRE ACCESS TO YES NO
a. COMMUNICATIONS SECURITY (COMSEC) INFORMATION
b. RESTRICTED DATA
c. CRITICAL NUCLEAR WEAPON DESIGN INFORMATION
d. FORMERLY RESTRICTED DATA
e. INTELLIGENCE INFORMATION
(1) Sensitive Compartmented information (SCI)
(2) Non-SCI
f. SPECIAL ACCESS INFORMATION
g. NATO INFORMATION
h. FOREIGN GOVERNMENT INFORMATION
i. LIMITED DISSEMINATION INFORMATION
j. FOR OFFICIAL USE ONLY INFORMATION
k. OTHER (Specify)
Requires Special Briefings
Requires Agency Vetting Process
11
Section 11 Location needs and instruction on
how
11. IN PERFORMING THIS CONTRACT, THE CONTRACTOR WILL YES NO
a. HAVE ACCESS TO CLASSIFIED INFORMATION ONLY AT ANOTHER CONTRACTORS FACILITY OR A GOVERNMENT ACTIVITY
b. RECEIVE CLASSIFIED DOCUMENTS ONLY
c. RECEIVE AND GENERATE CLASSIFIED MATERIAL
d. FABRICATE, MODIFY, OR STORE CLASSIFIED HARDWARE
e. PERFORM SERVICES ONLY
f. HAVE ACCESS TO U.S. CLASSIFIED INFORMATION OUTSIDE THE U.S., PUERTO RICO, U.S. POSSESSIONS AND TRUST TERRITORIES
g. BE AUTHORIZED TO USE THE SERVICES OF DEFENSE TECHNICAL INFORMATION CENTER (DTIC) OR OTHER SECONDARY DISTRIBUTION CENTER
h. REQUIRE A COMSEC ACCOUNT
i. HAVE TEMPEST REQUIREMENTS
j. HAVE OPERATIONS SECURITY (OPSEC) REQUIREMENTS
k. BE AUTHORIZED TO USE THE DEFENSE COURIER SERVICE
l. OTHER (Specify)
Storage / processing authorization required if
YES block is checked
12
DD 254 Reverse and Continuation Pages
12. PUBLIC RELEASE. Any information (classified or unclassified) pertaining to this contract shall not be released for public dissemination except as provided by the iNISPOM or unless it has been approved for public release by appropriate U.S. Government authority. Proposed public releases shall be submitted for approval prior to release Direct Through (Specify) IN ALMOST ALL INSTANCES PUBLIC RELEASE WILL NOT BE AUTHORIZED to the Directorate for Freedom of Information and Security Review, Office of the Assistant Secretary of Defense (Public Affairs) for review. In the case of non-DoD User Agencies, requests for disclosure shall be submitted to that agency.
13. SECURITY GUIDANCE. The security classification guidance needed for this classified effort is identified below. If any difficulty is encountered in applying this guidance or if any other contributing factor indicates a need for changes in this guidance, the contractor is authorized and encouraged to provide recommended changes to challenge the guidance or the classification assigned to any information or material furnished or generated under this contract and to submit any questions for interpretation of this guidance to the official identified below. Pending final decision, the information involved shall be handled and protected at the highest level of classification assigned or recommended. (Fill in as appropriate for the classified effort. Attach, or forward under separate correspondence, any documents/guides/extracts referenced herein. Add additional pages as needed to provide complete guidance.) This section will contain (or should contain) detailed information on what is being protected how it must be protected the types of information specific instructions, Security Points of Conduct, etc. Typical continuation pages and attachments Refer to Annex A for instructions regarding SCI Information Refer to Annex B for instructions on non-SCI intelligence information Refer to Annex C for instructions on handing Controlled Unclassified Information (CUI) Sensitive But Unclassified (SBU) information For Official Use Only (FOUO Information). Refer to Annex D for information regarding COMSEC instructions Refer to Annex E for information regarding access to NATO information.
13
A Special Note about SCI
This contract states that everyone must be
cleared to the TS/SCI level or be SCI eligible.
What is SCI and what is the difference between
TS/SCI and eligible? There are only three
levels of classified information TOP SECRET
(TS) SECRET (S) and CONFIDENTIAL (C). SCI
implements tighter safeguards for some TS
information. SCI refers to Sensitive
Compartmented Information and the DNI is the
proponent for SCI access for the federal
government. To have access to SCI, the agency
holding that information (FBI DoD CIA DOJ)
will conduct a separate background investigation
before you may be granted access. The individual
may be asked to undergo a polygraph generally
limited to National Security matters.
14
Whos a SAP?
One part of this project is referred to as a
Special Access Program (SAP) and information is
considered Special Access Required (SAR). As
mentioned, there are only three levels of
classified information TS S and C. SAPs are
the responsibility of the CSA and require
special oversight by the CSA. They may be
acknowledged or unacknowledged. As is the case
with SCI information additional safeguards and
requirements are applied prior to granting
access. Consider secret programs used for the
development of weapons systems or information
regarding a Delta classified operations mission
or the intelligence platform added to that new
Gulfstream that can find a penny in your
pocket. These are all types of Special Access
Programs. There will be additional safeguards
some physical some personnel security and
dependent upon the program the guy down the
hall will have no idea what you are working on.
15
Billets
The DD 254 in my case states that we have been
provided four (4) billets. What is a
billet? For SAP and some SCI programs, a set
number of people may have access to part or all
of the information within that program. These
are referred to as billets or positions. In
this case, no more than four individuals may be
read on to the program and provide support to the
program at any one time. A person leaves the
replacement must be nominated and accepted by the
agency before access is granted.
16
IT Access Levels I, II or III
We have an IT Services support contract pending.
The SOW states that some personnel will require
IT Level I access while others require levels II
or III. This is not a classified contract.
Whats this all about?
Vulnerability. Thats what it is all about.
Where is our system most vulnerable who could be
the biggest threat to the system and what can we
do to protect the system or network from
compromise or damage?
If you think about the financial industry none
of their information is classified information by
National Security standards. Yet, protections
imposed on access to financial systems, networks,
transactions, etc. are super tight. Generally
the government will identify the AIS level of the
system which sets the stage for who can get
access.
17
Access and Investigation Chart
Position Requires Access to Type of Investigation required Company authorized to request investigations? Comments
NATIONAL SECURITY POSITIONS NATIONAL SECURITY POSITIONS
SCI SSBI YES TS Required for SCI - Interim TS is not accepted
TOP SECRET SSBI YES Unless noted by contract, Interim TS allows access to TS
SECRET NACLC YES Unless noted by contract, Interim S allows access to S
CONFIDENTIAL NACLC YES  
INFORMATION TECHNOLOGY / INFORMATION SENSITIVITY POSITIONS   INFORMATION TECHNOLOGY / INFORMATION SENSITIVITY POSITIONS   INFORMATION TECHNOLOGY / INFORMATION SENSITIVITY POSITIONS   INFORMATION TECHNOLOGY / INFORMATION SENSITIVITY POSITIONS  
IT Level I / Critical Sensitive SSBI Only in conjunction with a need to access classified information Same inv requirements as for TS 
IT Level II / Non-Critical Sensitive NACLC Only in conjunction with a need to access classified information Same inv requirements as for S
IT Level III / Non-Sensitive NAC NO Requesting agency must process
       
NOTE Agencies may also require in addition to
the above a suitability investigation be
completed prior to granting full access. The
investigative requirements are agency and
information dependent. Generally interim access
is granted while the suitability investigation is
being completed.
18
The Joint Personnel Adjudication System (JPAS)
JPAS is the system of record for personnel
clearances within the Department of Defense and
its contractors. If our company has a classified
contract with DOD and most federal agencies
they require us to submit a JPAS record. If it
aint in JPAS then it aint

• WHAT IT DOES DO
• Displays all relevant information regarding
  background investigation and adjudication dates.
• Displays the association between an individual
  and a company
• Displays what access the person has been
  granted. Displays any special accesses NATO,
  Nuclear, etc.
• Allows for Visit Requests to be submitted
  electronically.

• WHAT IT DOES NOT DO
• Does not link with other agency databases
  (Scattered Castles).
• Does not track favorable access
  determinations (no access to classified)
• Does not allow contractors to initiate SF 85
  for suitability determinations..

19
Clearance Processing
Have a new employee with no clearance? Requires
access to Secret? If all is well with his eQIP
submitted on Monday your employee can be
sitting at your clients desk with an Interim
Secret on Wed or Thu at the latest!
TOP SECRET
SECRET

• HR provides completed security questionnaire to
  Security. Upon receipt, applicant is added to
  JPAS and investigation request is initiated under
  the contract number provided. (1 Day)
• Applicant completes eQIP and submits to FSO.
  (up to applicant after 90 days start over)
• FSO reviews and either returns for correction
  or submits to DSS for processing. (1 day)
• DSS grants Interim SECRET clearance and submits
  eQIP to OPM for investigation. (3 days)
• Investigation completed. (Many variables
  generally 6 - 12 months)
• DSS adjudicates investigation and grants final
  TOP SECRET clearance (within 30 days)

• HR provides completed security questionnaire to
  Security. Upon receipt, applicant is added to
  JPAS and investigation request is initiated under
  the contract number provided. (1 Day)
• Applicant completes eQIP and submits to FSO.
  (up to applicant after 90 days start over)
• FSO reviews and either returns for correction
  or submits to DSS for processing. (1 day)
• DSS grants Interim SECRET clearance and submits
  eQIP to OPM for investigation. (3 days)
• Investigation completed. (Many variables
  generally 3 to 6 months)
• DSS adjudicates investigation and grants final
  SECRET clearance (within 30 days)

A Tip 4 U! Make all hiring agreements contingent
upon the applicant being able to obtain and hold
on to eligibility to access classified.
20
JPAS Record
Employed by investigation adjudication
summaries
Who you are levels of access granted
21
Visit requests
OK the contract is in place we have hired the
right person with the right clearance. Now, how
do we get our employee on site?

• We are required to show a contractual
  relationship between the government and our
  company and a link between the person and our
  company. This is generally managed through the
  submission of a Visit Authorization Letter (or
  Visit Request) prepared by the company security
  staff and submitted to the government clients
  security staff.
• With the development of JPAS this can be done
  electronically if the government client is a user
  of JPAS. If not, a hard copy letter (on company
  letterhead) is submitted via fax.
• Data included in the letter
• Contract Number Security POC at agency
  Project POC at Agency Period of visit.
• Employees Full Name DOB POB SSN
• Employee background investigation data access
  granted and indoctrination.
• Company CAGE FCL Date Granted and information
  concerning the Cognizant Security Office.

22
Subcontractor Responsibilities

• Are security requirements passed down to
  subcontractors? How do we know they are cleared?
  If not cleared can they get cleared?
• If the subcontractor is required to have access
  to classified information, then YES, the security
  requirements will be passed down to that company.
  This is accomplished via a Sub-Contractor DD 254
  which is prepared by the company and signed by
  the FSO which is then submitted to the sub.
• The Sub-Contractor is responsible for the
  security program for its own employees and will
  submit visit requests based on our DD 254.
• In order to issue the subcontractor DD 254, the
  following must be provided to security
• A copy of the sub-contract signed by both the
  company and the subcontractor.
• Period of performance.
• We will then verify the subcontractors FCL in
  the ISFD, prepare and issue the DD 254.

23
Project Phases Security Concerns
OVERVIEW
OVERVIEW
OVERVIEW
OVERVIEW
Exploratory phase. BD evaluation of government
requirements. Develops recommendation of GO /
NO-GO. NISP info minimal at this time
expressed in broad terms Requires personnel with
eligibility up to an including TS
Statement of Work is available. Proposal team
should have an idea of expected sub-contractors
personnel, etc. FSO involved in the process to
provide advice on meeting security requirements.
Agency (end user) security requirements should be
developing and available.
Development of the company proposal ensuring
that all requirements are met or exceeded. FSO
should be consulted to ensure we have addressed
all security concerns correctly.
Contract has been awarded and sub-contracts
issued. DD 254 has been received from the
government and evaluated to ensure requirements
have not changed. DD 254s issued to subs
personnel added to JPAS and Visit Requests
submitted to the end-user.
PROPOSAL DEVELOPMENT
PERFORMANCE PHASE
PRE-PROPOSAL PHASE
PRE-SOLICITATION PHASE
FSO INVOLVEMENT
FSO INVOLVEMENT

• Security requirements will not be finalized.
  However, in general terms, we should be able to
  evaluate
• Does the company have the correct FCL?
• Proposed Subs are they cleared? To what
  level?
• Proposed staffing any issues with PCL?
• Will interim clearances be accepted?
• Is there sufficient lead time to get a new
  employee cleared?
• Are there agency requirements that may cause a
  delay?

• Has the DD 254 been received and evaluated?
• Prepare and issue sub-contractor DD 254s
  submit to agency if required.
• JPAS completed for all employees.
• Initiate investigations / re-investigations
  where needed.
• Prepare visit requests and submit.
• All staff undergo security education /
  in-briefings, etc.

24
Required Reports
The reality is that life happens. Sometimes what
does happen may have an adverse affect on the
ability of an individual to maintain a clearance.
In some situations, the conduct of an employee
brings his ability to maintain a clearance into
question. We are required to report certain
matters like it or not regardless of the
government clients decisions.
TO THE FBI
TO THE CSA

• actual, probable or possible
• espionage,
• sabotage,
• terrorism, or
• subversive activities at any of its
  (contractor) locations.

Employee Status

• Adverse information concerning a cleared
  employee
• Suspicious contacts
• Change in status Name citizenship marital
  status termination
• Refusal of a cleared employee to work on
  classified contracts
• Refusal to sign the SF 312 (Non-Disclosure
  Agreement)

Company Status

• Change of name address ownership
• Change in Key management Personnel
• Change in FOCI Status (Foreign Ownership,
  Control , Influence)
• For possessing companies, any change in the
  ability to properly safeguard classified
  information

25
Targeting US Technologies
26
The Threat Economic Industrial Espionage

• Due to foreign policy considerations and the need
  to protect sources, the U.S. Government does not
  publicly name the countries that are most active
  in conducting espionage against the United
  States. However, several European and Asian
  countries have stated openly that their national
  intelligence services collect economic
  intelligence to benefit their industries at the
  expense of foreign competition. Considerable
  information on this subject is available in
  public sources.
• What Are They After?
• It would be nice to know exactly what classified,
  proprietary or other sensitive information
  foreign countries are trying to collect, so that
  we could then concentrate on protecting that
  information which is most at risk. Unfortunately,
  waiting for that kind of specific information
  before taking appropriate security measures would
  usually mean locking the barn door after the
  horses have left.

March 7, 2008 a Reston, VA company, pleads
guilty in federal court to illegally exporting
"controlled power amplifiers," which have
military applications
27
Facilitators

• The increasing value of technology and trade
  secrets in the global and domestic marketplaces,
  and the temporary nature of many high-tech
  employments, have increased both the
  opportunities and the incentives for economic
  espionage.
• The rapid expansion in foreign trade, travel,
  and personal relationships of all kinds, now
  makes it easier than ever for insiders to
  establish contact with potential buyers of
  classified and other protected information.
• The development of automated networks and the
  ease with which large quantities of data can be
  downloaded from those networks and stored and
  transmitted to others increases exponentially the
  amount of damage that can be done by a single
  insider who betrays his or her trust.

For example, a memory stick, also known as a
keychain drive or thumb drive because of its
small size, can be plugged into a computer's USB
port and be used to download up to 16 GB of data
(at the moment!). (The entire Encyclopedia
Britannica requires only 4.3GB).
2 - 4 - 8 - 16 - 32GB?
28
The Threat Economic Industrial Espionage

• Foreign governments continued ability to acquire
  state-of-the-art U.S. technology at little or no
  expense has undermined U.S. national security by
  enabling foreign firms to push aside U.S.
  businesses in the marketplace and by eroding the
  U.S. military lead.
• A clear line must be drawn to protect information
  that is
• classified, or
• subject to export controls because it concerns
  militarily critical technologies, or
• proprietary information that is the intellectual
  property of a specific firm or individual.

March 24, 2008 a former engineer at a naval
contractor, is sentenced to 24 1/2 years in
prison for conspiring to export warship
technology.
Aug. 1, 2007 Engineer pleads guilty to violating
the Economic Espionage Act to benefit China's
Navy Research Center. He exported source code for
simulation software for the precision training of
fighter pilots.
29
Globalization and growing economic
interdependence, while creating new levels of
wealth and opportunity, also create a web of
interrelated vulnerabilities and spread risks
even further
Department of Defense National Defense
Strategy July, 2008
30
Listed in order of foreign entity interest.
Defense Security Service Targeting US
Technologies A Trend Analysis of Reporting From
Defense Industry, 2008
TECHNOLOGIES TARGETED
31

• Let us not forget who we support.

Information concerning troop rotations,
locations, equipment and technology is
classified for a reason. Unauthorized release of
this information can have a detrimental effect on
the Warfighters survivability.
32
RESPONSE FORMPlease be sure to use your web
browsers back button to access the RESPONSE
FORM. Be sure to complete all requested
information and submit in order to receive credit
for this briefing.
Sample screen shot of RESPONSE FORM
33
This concludes the briefing for Project
Management Professionals. If you have
questions, please do not hesitate to contact us.