2020 Annual Refresher Security Education and Awareness Training
- Slides: 37
2020 Annual Refresher Security Education and Awareness Training Revised January 2018
Course Objectives Upon completion of this training, you will be able to: • Define counterintelligence in the context of industrial security • Identify what information is targeted by adversaries • Identify current and potential threats in the work and personal environments • Describe known vulnerabilities in protecting U.S. classified information • Explain the security classification system • Identify and apply countermeasures • Identify reporting obligations and continued evaluation • Recognize members of the Raz Logic security team.
Security Education and Training Requirement • In accordance with the National Industrial Security Program Operating Manual (NISPOM), cleared defense contractors are required to receive annual security education and training to reinforce security procedures and inform employees of changes in security regulations. • Raz Logic utilizes risk management principles to implement the applicable requirements of the NISPOM.
Your Facility Security Officer (FSO) • Throughout this training, you will be reminded of your reporting obligations and events that must be reported to your FSO. • Your FSO is • Blake Ross • Office Phone: (210) 797-0670 • Email: blake. [email protected]. com
Counterintelligence Awareness • Counterintelligence (CI) is the process of identifying, understanding, prioritizing, and counteracting foreign intelligence threats to the U.S. • CI applies risk management for protecting classified and sensitive information. • Risk management steps are: 1. Identifying assets 2. Identifying threats 3. Identifying vulnerabilities 4. Assessing risk 5. Developing and applying countermeasures.
Identifying Assets (Defensive Security Briefing) • Foreign competitors deliberately target information regarding: • U.S. intelligence • Foreign affairs • U.S. Government officials • Critical technology • U.S. industrial trade secrets and intellectual data • Defense establishments • National preparedness • Proliferation of special weapons of mass destruction • If you become aware of or suspect any foreign intelligence activity aimed at the above list, notify your FSO.
Identifying Threats (Threat Awareness) • A threat is an adversary with the intent and capability to act against U.S. interests including: • Foreign Governments and Foreign Intelligence Services • Terrorists • Criminals • Hackers • Insiders • Adversaries may fall into more than one category. For example, a terrorist may employ criminal hackers.
Identifying Threats (Insider Threats) • An Insider Threat is someone with authorized access to the information or things an organization values most, and who uses that access, either wittingly or unwittingly, to inflict harm to the organization or national security. • When an insider becomes a threat, it can have far-reaching consequences on both an organization and national security.
Insider Threat Indicator • A potential Insider Threat indicator is a behavior or fact about an individual that is characteristic of an Insider Threat. • Not every display of an Insider Threat indicator behavior means that an individual is an Insider Threat. • The Insider Threat Program is designed to gather and assess Insider Threat indicators and respond only to validated Insider Threats. • Be aware of potential Insider Threat indicators and report suspicious behaviors.
Insider Threat Indicator Categories • Threats come in many different forms, with many different motives. • Potential insider threat indicators are separated into four categories: • Recruitment • Information Collection • Information Transmittal • General Suspicious Behavior
Indicator Category: Recruitment • Unreported request for critical assets outside official channels. • Unreported or frequent foreign travel. • Suspicious foreign contacts. • Contact with an individual who is known to be, or is suspected of being, associated with foreign intelligence or terrorism. • Unreported offer of financial assistance, gifts, or favors by a foreign national or stranger. • Suspected recruitment by foreign or domestic competitive companies to convince employees to work for another company.
Indicator Category: Information Collection • Unauthorized downloads or copying of files. (Especially for employees who are terminating employment.) • Keeping critical assets at home or any other unauthorized place. • Acquiring access to information systems and/or networks without authorization. • Operating unauthorized cameras, recording devices, computers, or modems in areas where critical assets are stored, discussed, or processed. • Asking to obtain critical assets for which the person does not have authorized access. • Seeking to obtain access to critical assets inconsistent with present duty requirements. • Asking for witness signatures certifying the destruction of classified information when the witness did not observe the destruction.
Indicator Category: Information Transmittal • Removing critical assets from the work area without appropriate authorization. • Extensive use of copy, facsimile, or computer equipment to reproduce or transmit critical asset-related information that exceeds job requirements. • Discussing critical asset-related information in public or on a nonsecure telephone. • Information transmittal actions/behaviors specific to classified information: • Using an unauthorized fax or computer to transmit classified information. • Attempting to conceal foreign travel. • Improperly removing the classification markings from documents.
Indicator Category: General Suspicious Behaviors • Attempts to expand access: • Attempting to expand access to critical assets by repeatedly volunteering for assignments or duties beyond the normal scope of responsibilities. • Performing repeated or unrequired work outside of normal duty hours, especially unaccompanied. • Questionable behavior: • Exhibiting behavior that results in repeated security violations. • Engaging in illegal activity or asking another to engage in any illegal activity.
Indicator Category: General Suspicious Behaviors • Changes in financial circumstances: • Displaying unexplained or undue affluence explained by inheritance, luck in gambling, or some successful business venture. • Displaying sudden reversal of financial situation or sudden repayment of large debts. • Attempts to compromise individuals: • Attempting to entice personnel with access to critical assets into situations that could place them in a compromising position. • Attempting to place personnel with access to critical assets under obligation through special treatment, favors, gifts, money, or other means.
Indicator Category: General Suspicious Behaviors • Questionable national loyalty: • Displaying questionable loyalty to U.S. Government or company. • Making anti-U.S. comments. • Exhibits actions or behaviors associated with disgruntled employees: • Conflicts with supervisors and coworkers. • Decline in work performance. • Tardiness. • Unexplained absenteeism.
Insider Threat Reporting • Possible insider threats must be reported to the FSO. Depending on the situation, the FSO will report the possible threat to the Defense Security Service or, if the threat involves known or suspected espionage, to the FBI. • Failure to report weakens the U.S. military’s battlefield advantage and can jeopardize war fighters; increases vulnerabilities to fraud, terrorist activities, and cyber-attacks; and could result in the loss of business and jobs.
Identifying Threats (Common Collection Methods) • The following are common methods used to gain access to classified/sensitive information and technologies: • Cyber exploitation – spear phishing, water hole attacks, removable media, interception of electronic communications. • Requests for information – directly emailing, faxing, cold calling U.S. cleared contractor employees. • Solicitation – foreign companies soliciting or marketing services to cleared U.S. companies. • Elicitation – strategic use of conversation to subtly extract information about personnel, work, and a company. • Eavesdropping – an unobtrusive bystander, concealed audio and visual devices.
Identifying Vulnerabilities • Lack of knowledge of proper security procedures. • Failure to follow established security procedures and/or deliberate disregard of security requirements. • Apathetic attitude towards security procedures which may not be deliberate in nature, but exhibit a pattern of negligence or carelessness. • Inadequate security equipment, i.e., security hardware and software used to protect classified material is not working properly.
Assessing Risk (Security Classification System) • Executive Order (E.O.) 13526 prescribes a uniform system for classifying and safeguarding national security information. • National defense requires that certain information be maintained in confidence in order to protect our citizens, democratic institutions, homeland security, and interactions with foreign nations.
Assessing Risk (Security Classification System) • Information is classified in one of two ways: • Original Classification Authority (OCA) makes a determination that the unauthorized disclosure of certain information could reasonably be expected to result in damage to the national security and the OCA is able to identify or describe the damage. • Derivative Classification is the act of incorporating, paraphrasing, restating, or generating in new form, information that is already classified and making the newly developed material consistent with the markings of the source material.
Assessing Risk (Security Classification System) • Classified material must relate to one or more of the following categories: 1) military plans, weapons, or operations 2) foreign government information 3) intelligence activities, intelligence sources or methods, or cryptology 4) foreign relations or foreign activities of the U.S., including confidential sources 5) scientific, technological, or economic matters relating to the national security 6) U.S. Government programs for safeguarding nuclear materials or facilities 7) vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to national security 8) the development, production, or use of weapons of mass destruction
Assessing Risk (Security Classification System) • Information is classified at one of three levels. • Top Secret is the designation that is applied to information that the unauthorized disclosure of could reasonably be expected to cause exceptionally grave damage to national security. • Secret is the designation that is applied to information that the unauthorized disclosure of could reasonably be expected to cause serious damage to national security. • Confidential is the designation that is applied to information that the unauthorized disclosure of could reasonably be expected to cause damage to national security. • Except as otherwise provided by statute, no other terms shall be used to identify U.S. classified information.
Classification by Compilation • The assembling of items of information that are individually unclassified may be classified if the compiled information reveals an additional association or relationship that meets the standards for classification under the E.O. This means that it may be possible to have a document in which the individual portions are unclassified, but because the compilation of the unclassified information reveals an association or relationship not otherwise evident when portions are used individually, the document containing the compiled unclassified information now becomes classified.
Declassification • OCA will establish a specific date or event for declassification based on the duration of the national security sensitivity of the information. • If the OCA cannot determine a specific date or event for declassification, information will be marked for declassification 10 years from the date of the original decision or up to 25 years depending on the sensitivity of the information. • No information may remain classified indefinitely.
Controlled Unclassified Information • Controlled Unclassified Information (CUI) is unclassified information that meets the criteria for safeguarding and dissemination controls under E.O. 13556. • For proper CUI marking information, visit: www.archives.gov/cui.
Applying Countermeasures (Security Procedures) • Follow all established security procedures for safeguarding classified information. When not sure, ask for guidance from the FSO. • For facility-specific procedures, contact the FSO for a copy of the Security Practice and Procedures (SPP). • Report security violations, adverse information and suspicious contacts to the FSO. • Report security equipment malfunctions to the FSO. • Be observant of your surroundings. If you see something unusual, contact the FSO.
Applying Countermeasures (Security Procedures) • Always verify clearances and need-to-know before discussing classified information. • Never leave documents unattended; secure them in an approved container when not in use or have an appropriately cleared individual take custody of the document. Desks and file cabinets are NOT approved containers. • Never leave a safe open. • Always bring classified material to Security for destruction. • Do not reproduce or copy classified material on an unauthorized copier. • Do not remove/transmit classified material outside the facility without processing through Security/Document Control. • Never hand-carry classified documents without a Courier Authorization Letter or Card. • Do not write down combinations and passwords or store them on an electronic device.
Classified Spills • Classified spills occur when classified data is introduced to an unclassified computer system or to a system accredited at a classification lower than the data. • Upon recognition and/or identification of a classified spillage: • cease work on the system; • shut the system down; • disconnect from the network; • notify the FSO immediately. • Never delete, forward, print or save the data. • Do not discuss details of the spill outside a secure setting.
Employee Reporting Obligations • U.S. defense contractors are required to report adverse information coming to their attention concerning any cleared employee. • Adverse information is any information that: • adversely reflects on the integrity or character of a cleared employee, • suggests that the employee’s ability to safeguard classified information may be impaired, • suggests the employee’s access to classified information may not be in the interest of national security, or • the individual constitutes an insider threat.
Reporting Obligations – Adverse Information • Adverse information can include the following: • Any illegal drug involvement • DWI (Driving While Intoxicated)/DUI (Driving Under the Influence) • Misuse/abuse of alcohol • Bankruptcy • Wage garnishments • Any arrest, even if not formally charged • Security violations • Financial difficulties to include late payments of 120 days or more • Mental Health Conditions
Reporting Obligations – Suspicious Contacts • A suspicious contact is an unsolicited request for sensitive or classified information from an unknown person or company by email, in person, or by telephone. The request could be as simple as questions about: • Customers • Work locations • Classified and unclassified programs • Staffing numbers • Report all Suspicious Contacts immediately to [email protected]. com or your local Facility Security Officer by using the DSS submission form.
Reporting Obligations – Changes and Travel • Cleared employees must report the following: • Change in name • Change in citizenship • Change in marital status • Termination of employment • Foreign Travel – report both business and pleasure foreign travel to your FSO
Continuous Evaluation • U.S. defense contractors are responsible for the continuous evaluation of employees with access to classified information. • Information pertaining to a cleared employee’s inability to safeguard classified material must be reported to the FSO.
Security Changes and Updates • Defense Security Service (DSS) In Transition • DSS is moving to an intelligence-led, asset-focused, and threat-driven approach that will: • Identify assets at each cleared facility • Prioritize assets and facility engagement based on national intelligence information • Consider the threat and vulnerabilities • Partner with cleared industry to develop a tailored security program • New Security Reinvestigation Scope • Contractor periodic reinvestigation for Tier 5 (T5R) has been moved from the 5-year mark to the 6-year mark. The only exception is that a caveat reinvestigation remains at the 5-year mark.
Guidelines for Security Violations • Raz Logic defines the disciplinary actions that may be imposed on an employee for a security violation: • Minor: Unintentional or negligent failure to comply with security requirements which does not result in compromise or suspected compromise of classified information. • Major: Willful disregard of security requirements or failure to comply with security procedures, regardless of intent, which results in compromise or suspected compromise of classified information.
Violation | Minor | Major
1st | Counseling, retraining, and verbally reprimanded | Suspension without pay for a period determined by management and HCM, or dismissal
2nd | Counseling, retraining, and written reprimand | Written reprimand stating employee may be transferred to a non-sensitive position or may be dismissed upon another violation
3rd | Written reprimand, retraining, and discipline progresses to the standards established for major violations | A third violation within any twelve (12) month period from the date of a second violation requires a review of the facts by the Corporate Security Director.
Hotlines • Hotlines provide an unconstrained avenue for reporting known or suspected instances of serious security irregularities and infractions without fear of reprisal. • Report concerns through established company channels first. • The defense hotline is there when established channels do not respond properly. • Hotlines should be used for reporting matters of national security.