September 20, 2014

SF 701 Instructions

The Standard Form (SF) 701, Activity Security Checklist, is a standard form used within U.S. Government security classification programs. Many agencies, such as the Department of Defense, use it as a visual reminder to conduct the required end-of-day inspections when closing a space that processes classified information. These inspections, or checks, are conducted to ensure classified information and material are properly secured before the office is vacated for the day. The form also allows for some accountability in the event that irregularities are discovered.

It is a fairly easy form to fill out once you get the hang of it. Typically, organizations prominently post it near the office's main entrance. The last person to leave for the day must conduct the end-of-day checks and annotate these checks on the SF 701. Within the Department of Defense, this is an inspectable item and required under DoD 5200.01, Volume 3.

If you're using an SF 701, then you will need to use an SF 702 form as well. These two forms go hand-in-hand.

DSS Targeting U.S. Technologies Report

Recently the Defense Security Service (DSS) released its annual report, Targeting U.S. Technologies: A trend analysis of cleared Industry Reporting. Each year DSS publicly publishes a trend analysis of the previous year's foreign collection attempt reports from the cleared contractor community supporting the Department of Defense (DoD). This year's report on foreign collection activities in 2013 demonstrates the threat is still there.

In 2013, the US saw a steady rise in reporting of foreign collection attempts, with an increase of over 30 percent from 2012 reporting numbers. Fortunately, 2013 did not have the dramatic increases of previous years: reporting increased by 50 percent in 2010, by 74 percent in 2011, and by 60 percent in 2012. East Asia and the Pacific remains the most prolific collector region, accounting for approximately 45 percent of the reports from cleared industry. Considering this is the region with China, nobody should be surprised by this finding. Their modus operandi continues to be suspicious computer network activity and academic solicitation, with commercial entities being targeted over 50 percent of the time. Interestingly, the reported suspicious contacts with a Europe or Eurasia nexus increased over 50 percent. Their primary focus was on commercial entities and individuals. The infographic below provides a brief summary of the report.
DSS Targeting U.S. Technologies Report Infograph Summary
Top 5 methods of operations

Reports showed foreign collectors used various methods of operation, but these top five were consistently used.
  • Academic Solicitation. This includes requests for, or arrangement of, peer or scientific board reviews of academic papers or presentations, or requests to study or consult with faculty members, or applications for admission into academic institutions, departments, majors, or programs, as faculty members, students, fellows, or employees.
  • Suspicious Network Activity. This includes cyber intrusion, viruses, malware, backdoor attacks, acquisition of user names and passwords, and similar attempts to access cleared contractor networks and exfiltrate protected information.
  • Attempted Acquisition of Technology. This occurs through agencies of front companies or third countries or direct purchase of firms. They are attempts to acquire protected information in the form of controlled technologies.
  • Seeking Employment. This is done through resume submissions, applications, and references. They are attempts to introduce persons who, wittingly or unwittingly, would thereby gain access to protected information that could prove useful to foreign government agencies.
  • Requests for Information. This occurs via phone, email, or webcard approaches. They are attempts to collect protected information under the guise of price quotes, marketing surveys, or other direct and indirect efforts.
Top 5 targeted technologies

Foreign entities targeted many different technology aspects, but the top five targeted technologies are:
  • Electronics. This includes radiation-hardened integrated circuits, monolithic microwave integrated circuits, semiconductors, enabling components (radar), noise diodes, microprocessors, microelectronics, and power amplifiers.
  • Command, Control, Communication, and Computers. This includes waveguides, airborne data acquisition systems, electronic warfare platforms, communication intercept and jamming, data links, global positioning system jamming, secure communications equipment, encrypted smartphones, and man-portable satellite communications terminals.
  • Aeronautic Systems. This includes fighter aircraft, unspecified source code information, unmanned aerial system platforms, and unmanned aerial vehicles.
  • Marine Systems. This includes autonomous underwater vehicles and academic programs (computational fluid dynamics).
  • Software. This includes T-Rex software, SpecTRM software, and modeling and simulation software.
As cleared industry continues to try to apply emerging technologies to military and commercial programs, foreign collectors will likely increase their collection efforts. Foreign entities continue to demonstrate their intentions and ability to vigorously target U.S. technologies in 2014. In order for the US to maintain its edge, contractors and other supporting commercial companies must continue their vigilance in protecting their information and facilities. Additionally, security professionals must continue to educate their workforce on the threat, appropriate security measures, and reporting requirements.

September 14, 2014

SPeD Certification: Industrial Security

These questions are intended to be a study guide for security professionals going for their SPeD certification. These are NOT actual questions from the test(s).

What Executive Order established the National Industrial Security Program (NISP)?
E.O. 12829 dated January 6, 1993

Why was the NISP established?
It was established to ensure that cleared US defense industry safeguards the classified information in their possession while performing work on contracts, programs, bids, or research and development efforts.

What regulation governs the DoD Industrial Security Program?

What are the four Cognizant Security Agencies (CSAs), and what is their role in the NISP?
  • Department of Defense (DoD)
  • Director of National Intelligence (DNI)
  • Department of Energy (DOE)
  • Nuclear Regulatory Commission (NRC)
Role: Establish an industrial security program to safeguard classified information under its jurisdiction

What agency is charged with oversight of the DoD NISP?
Defense Security Service (DSS)

What is a facility clearance?
A facility clearance (FCL) is an administrative determination that, from a national security standpoint, a facility is eligible for access to classified information at the same or lower classification category as the clearance being granted.

What levels may FCLs be granted at?

  • Confidential
  • Secret
  • Top Secret

What three things does a contractor need prior to having access to classified information?

  • FCL
  • Personal security clearance
  • Contractual requirement for access 

What are some factors for determining whether US companies are under Foreign Ownership, Control, or Influence (FOCI)?
  • Record of economic and government espionage against US targets
  • Record of enforcement/engagement in unauthorized technology transfer
  • Type and sensitivity of the information that shall be accessed
  • The source, nature, and extent of FOCI
  • Record of compliance with pertinent US laws, regulations, and contracts
  • Nature of bilateral and multilateral security information exchange agreements
  • Ownership or control, in whole or part, by a foreign government

Briefly describe the purpose of the DD Form 254.
Convey security requirements and classification guidance, and provide handling procedures for classified material received and/or generated on a classified contract.

SPeD Certification

Within the past few years, the Department of Defense established its own security certification as part of its initiative to professionalize its government and support industry security workforce. It is known as the Security Professional Education Development Program (SPeD). As the Defense Security Service website states, "this initiative is intended to ensure that there is a common set of competencies among security practitioners that promotes interoperability, facilitates professional development and training, and develops a workforce of certified security professionals." As a security professional going for my certification, I prepared this online study guide. As I go through study guides and resources in preparation, I consolidated helpful information in an attempt to help keep all this swirling information straight. I am posting questions and answers categorized by the following disciplines:
If the hyperlink is active, it means the page is active. As I publish the study pages, I'll modify this post to link to them. These questions are not on the certification test, but they do help in preparing for the certification test.