Sam DeSante
Manager, Security Administration
Lockheed Martin Aeronautics
Security Incidents
Categories Of Security Incidents
• Security Violations
• Security Infractions
• Inadvertent Disclosure
Security Violation
• Any Loss, Compromise, or Suspected
Compromise of Classified Information, Foreign or
Domestic
• Any Knowing, Willful, or Negligent Action
– That Could Reasonably be Expected to
Result in an Unauthorized Disclosure of
Classified Information
Examples Of Loss, Compromise, Or Suspected
Compromise Of Classified Information
• Unclassified Information Sent or Received Across the Internet That is Determined to be Classified at a Later Time
• A Closed Area That is Not Attended and the Alarm is Not Activated
• Classified Documents Left in a Non-secure Area
• Classified Material Hand Carried Off the Facility Complex Without Being Properly Packaged and/or Controlled
• Closing a Security Container or Closed Area, But Failing to Spin the Dial Lock
• Processing Classified Information on a Non-accredited Information System
• Weekly Audits Not Conducted on an Accredited Information System
Infraction
• Incidents That Do Not Involve the Loss,
Compromise, or Suspected Compromise of
Classified Information
• These Are Also Known as Administrative
Deficiencies or Practices Dangerous to Security
Examples Of Infractions
• Not Using Cover Sheets
• Not Applying Media Stickers
• Not Utilizing the Open/Close Logs
• Not Applying Warning Notice on the Inner Envelope
• Not Marking Paragraphs
• Note That Incidents May Very Well Start as Infractions and
Result in Violations, I.E., Not Applying a Media Sticker on a
Classified Disk and Inserting it Into an Unclassified System
Inadvertent Disclosure
• Involuntary Unauthorized Access to Classified
Information
• This is Still a Violation and Requires All Applicable
Reports
Examples Of Inadvertent Disclosure
• Fire Department/EMT Personnel in an Area That is
Not Sanitized
• Repair/Janitorial Personnel in Area That is Not
Sanitized
• The Individual Gains Involuntary Unauthorized
Access to Classified Information
Compromise
• An Unauthorized Disclosure of Classified
Information
“A Communication or
Physical Transfer of
Classified Information
to an Unauthorized
Recipient”
Examples
• Information is Found and Returned From an
Unauthorized Recipient
• Information is Transmitted Over Unsecured
Communications, I.E., Fax, Email, Voice
• Information is Published in the Media (Note: do
Not Assume the Information is Unclassified)
Reporting
• Violations
– Report “Through CSA Channels” Defense Security Service (DSS)
Representative
• Infractions
– Document & Make Available for Review by the DSS Rep During
Visits/Reviews
• Inadvertent Disclosure
– Interview, I.E. Emergency Response Situations, Guard Personnel or Local
Emergency Authorities
– Inadvertent Disclosure Statement
– Report Refusal to Sign
Cause
• Classified Assets Are Protected By Many Policies and Procedures
• The Cause of the Incidents is Simple
• Breakdown or Disregard For Security Requirements
Policy & Procedures
• OPSEC Plan
• Component Guidance
• NISPOM
• Standard Security Procedures
• Security Classification Guide
• Transportation Plan
Reasons For Failure
Unaware
Carelessness
Deliberate
Disaster
Accident
Resources
Damage…National Security
• When We Talk About Damage,
We Are Talking About the
Damage to National Security
• National Security is Information
Relevant to Our Foreign
Relations and National Defense
• We Don’t Live in a Bubble…
What We do, Not Only Affects
Us, it Normally Affects at Least
One Other Person, and What
Happens if That One Other
Person is the War Fighter Losing
His/Her Life
Impact
What is the Impact of a Security Incident?
• Program Integrity:
‒ What is the Integrity of the Assets Protected Within
Your Programs?
‒ Is the Information Totally Compromised or Just a
Portion Thereof?
• Cost:
‒ Dollars For Development, Design, and Testing
‒ Dollars to Conduct Investigations and Damage
Assessments
‒ Loss of Production Time
‒ Loss of Life
Discoverer’s Responsibilities
• Immediate Action
– The Individual Who Discovers the Incident Must Take
Immediate Action to Take Control, Protect, and Report Through Official Channels
– One Must Consider OPSEC Indicators Through the Reporting Process
• A Weakness Such as a Security Violation Could Uncover a Vulnerability Within and to Your Program
• An Incident May Appear Minor at First; However, Each Incident Must be Documented to
Support Future Investigations and/or Damage Assessments. The Discoverer is the First
Line of Reporting the Details. Don’t Assume You Will “Remember” All the Fine Details -
Document!
• Who, What, Where, When, How, and Why
– Do Not Destroy or Interrupt Anything That May Support an Investigation
• An Example May be Receipt of a Classified Document Over Unsecured Communications.
The Recipient Would Immediately Obtain Guidance From Their Information System
Security Manager (ISSM) or Information System Security Officer (ISSO). The Recipient
Does Not Want to Simply Just Delete
Facility Security Officer’s Responsibilities
• Train Employees to Know What Constitutes a
Security Incident
• Train Employees to Report All Security Incidents
(Classified or Unclassified) to the FSO
• Once the FSO Receives the Report of an Incident He/She Will Take
Control of the Situation and Safeguard the Information
• Immediate Assessment is Warranted for Each Incident. Of Course if
Classified Information is Not in Control (I.E., Someone Has Lost
Possession or Information is Transmitted Over Unsecured
Communication) Time is of the Essence
• Do You Have a “Blazing Fire” (Lost Control) or a Small “Camp Fire”
(Probability of Compromise is Remote)
• The FSO Will Conduct a Classification Review of the
Information. Is the Information Still Classified? Has the
Security Class Guide (SCG) Declassified the Information?
• Notify Defense Security Service (DSS)
• Review Available Details of the Incident
• Identify Investigative Requirements
Investigating Official
• The FSO Appoints the Investigating Official Based on Internal Policies. However, the Person is Always a Disinterested Person That:
– Is Competent to Conduct a Solid Inquiry Into
the Incident
– Has the Proper Security Clearance Level
Preliminary Inquiry
What is a Preliminary Inquiry?
• It’s an Examination Into a Reported Security
Incident
• A Preliminary Inquiry is a Review of the Details of
an Incident That is Not Complex or Serious
Preliminary Inquiry…When???
• Immediately on Receipt of a Report of Loss,
Compromise or Suspected Compromise to
Determine the Facts
Facts
• Meet With All Parties Involved and Request Written Statements
• When Required, Request “Alarm Activity Report” from Alarm Company
• When Required, Retrieve a Copy of Visitor Sign-In Logs, Safe Open/Close Log, Document Control Logs, and Facility Access Control Records for all Information Involved
• When Required, the ISSM should become Involved to Determine Proper Procedures to follow Regarding Computer Equipment, Printers, Servers, Internet, Audit Logs, Etc.
• Review DD Form 254 to Determine if the Contract Requires Notification of Security Incidents Over and Above NISPOM Requirements
Initial Report…When??
• The Initial Report Occurs Immediately if the Preliminary Inquiry Confirms That a Loss,
Compromise, or Suspected Compromise of Any Classified Information Occurred
• It’s Submitted to the Defense Security Service (DSS)
• You do Not Want to Defer Pending Completion of the Entire Investigation
• An Initial Report May Be a Telephone Call or E-mail With the Immediate Details
• You Do Not Want DSS to Learn of a Reportable Incident Through Other Means
Initial Report Criteria
• Authority: Cite The Reason for the Investigation
Including: When, Where and by Whom it was
Reported and Conducted
• Essential Facts: Arrange Facts, not Opinions or
Assumptions, in Chronological Order
• Nature of the Violation: What Happened, and When
and Where Did it Take Place
• When, By Whom, and to Whom Was the Violation Reported
• What Actions Were Taken to Secure the Classified Information and/or
Limit the Damage Before the Inquiry Began
– Examples: Inventories, Securing of Materials, Changing
Combinations of Locks, Etc.
• Identify the Classified Information
– User Agency
– Its Location
– Contract Number & Contracting Officer
– Classification of the Information Involved
– When and How Long, and Under What Circumstances Was the Classified Information Vulnerable to Unauthorized Disclosure? Determine Identity of Unauthorized Disclosures. Identify Unauthorized Persons Likely to Have Had Access to the Classified Information. Obtain All Necessary Records:
– Access Control Records
– Open/Close Records
– Witness Statements
Final Report
Your Final Report Will Include Any New Information Not Previously Reported Plus the Remainder of the Bulleted Details:
– Primary Responsible Person
• Name
• Position
• SSN
• Date/Place of Birth
• Date of Clearance
• Prior Incidents
The Final Report Will State:
• Statement of The Corrective Actions
– How Can You Prevent the Incident From Reoccurring?
• Is Disciplinary Action Warranted?
– Hold People Accountable, Based on the Facts and Regulatory Guidance
• Did a Loss, Compromise, or Suspected Compromise Occur?
Individual Culpability Report
The Culpability Report Will State:
• Includes the Administrative Actions Taken Against the Individual(s) Responsible For the Incident and One or More of the Following Factors Are Evident:
– Violation Involved a Deliberate Disregard of Security Requirements
– Violation Involved Gross Negligence in Handling Classified Material
– Violation Was Not Deliberate in Nature, But Involves a Pattern of Negligence or Carelessness
• Normally, a Company’s Standard Practices And Procedures Will Identify a Graduated Scale of Disciplinary Actions to be Followed
Disciplinary Actions/Sanctions
• Warning
• Reprimand
• Suspension Without Pay
• Forfeiture of Pay
• Removal
• Termination
• Loss or Denial of Access to Classified Information
• Removal of Classification Authority
Countermeasures
• An Action Taken or a Physical Entity Used to
Reduce or Eliminate One or More Vulnerabilities
– Procedures
– Equipment
– Manpower
Procedures
• Procedure Changes Are the Most Cost Effective to
Implement
– Standard Operating Procedures
– Security, Education & Awareness
– Conduct Oversight For Compliance
– Administer Sanctions
Equipment
Equipment as a Countermeasure Could Be Costly From
Procurement to Maintenance on the System
• Transportation Equipment
• Locks
• Fences
• Safes
• Access Control
• Closed-circuit TV
• Doors
Manpower
Manpower: Civilian, Military, Contractors, Guards, Police Force
• Is Your Program Vulnerability Due to Limited Manpower?
• Is an Increase in Manpower Warranted?
• Are All Individuals Trained Properly?
• Are All Individuals Alert to Their Responsibilities?
Example Written Preliminary Inquiry, Synopsis
INCIDENT: Improper marking and safeguarding of classified material
PERSON(s) RESPONSIBLE: Joe Doe, Sr. Member Engineering Staff
SSN: 123-45-6789, D/POB 02 May 1956, Philadelphia, PA
Clearance: SECRET, granted 01 July 2004
LOCATION: Building 123/106
FINDING: On Monday, January 6, 2009, Mr. Tom Thumb, Manager, Project Engineer advised
the writer, that Mr. Joe Doe, a Lockheed Martin employee under his supervision had been
storing classified information in an inappropriate manner. Mr. Thumb and Ms. Jane Day, a co-
worker were interviewed. Ms. Day notified Mr. Thumb that she had noticed that Mr. Doe has
been keeping notes in an unauthorized file cabinet and thought that the notes contained
classified information. Therefore, Ms. Day removed the notes from the unauthorized file
cabinet and reviewed them. As she suspected, the notes contained SECRET information. Ms.
Day turned the notes over to Mr. Thumb.
Mr. Thumb turned the notes over to the writer. The notes
were safeguarded in the Information Master Control Center
until a complete classification review was conducted by Mr.
Sam Smart. On January 7, 2009 Mr. Smart reviewed the
notes for classification determination. Mr. Smart found
SECRET information on six pages.
Mr. Doe was interviewed by the writer and questioned about
the notes (see attached statement. This is where you write
your interview with the subject and all witnesses. Note: Make
sure you obtain a written statement from each person
interviewed bearing the date and their signature.)
If AIS systems are involved, make sure that you include the
ISSO and his/her findings and actions. Identify all contract
numbers (Government and subcontracts to Document
Control.) In accordance with paragraph 1-303 of the National
Industrial Security Program Operating Manual, Mr. Doe is
found culpable of the following security violations.
List the security violation(s).
Failure to safeguard SECRET information.
Improper markings, etc.
Due to the circumstances and extended period of time, the
compromise of classified information cannot be ruled out.
This statement is your determination of compromise,
suspected compromise, and/or loss of classified information.
Report submitted by:
Don’t forget to sign and date it.
Your Name Today’s Date:
Initial Report, Example of Letter to DSS
(Date)
(DSS Reps Name)
(DSS Reps Address)
Subject: Initial Report – Suspected Compromise of Classified Material
Dear (DSS Reps Name):
In accordance with paragraph 1-303 of the National Industrial Security Program
Operating Manual, the following written report is submitted (verbally submitted
01/20/09). Lockheed Martin employee Mr. Joe T. Doe, SSN 123-45-6789, cleared SECRET,
01 Jul 04, D/POB 02 May 1956, Philadelphia, PA was found responsible for the following
security violation.
List the violation(s)
/////////////////////////////////////////////
/////////////////////////////////////////////
On January 5, 2009, it was reported to the LM Aero Security Department that Mr. Doe had
been storing classified notes in an unapproved container. The attached synopsis describes
the events and their circumstances in our conclusion. Due to the circumstances and the
extended period of time, the compromise of classified information cannot be ruled out.
Mr. Doe worked on the following contracts, ////////////////////////////////, //////////////////////////////// during
this period of time.
I will advise your office of the disciplinary action taken. Should you have any questions,
please contact the undersigned at (your phone number).
Sincerely,
Your Name
Your Title
Attachments: As Stated
Final Report, Example of Final Report Letter
(Date)
(DSS Reps Name)
(DSS Reps Address)
Subject: Final Report – Joe Doe (01/06/07), suspected compromise
Dear (DSS Reps Name):
In accordance with paragraph 1-303 of the National Industrial Security Program Operating
Manual, the following Final Report is submitted. Mr. Joe Doe received the following
disciplinary action for the subject security violation. Mr. Doe was suspended without pay
from work for five days beginning April 1 through April 6, 2009. Mr. Doe has received
remedial training in his responsibilities as a cleared individual, to include proper handling,
safeguarding, storage and destruction of classified media and information.
He will be monitored on a random recurring basis by his
supervisor and by a member of the LM Aero Security Staff.
Should you have any questions, please contact the
undersigned at (your phone number).
Sincerely,
Your Name
Your Title
Culpability Report, Example Letter
(Date)
Defense Security Service – Columbus Operations
PO Box 2499
Columbus, Ohio 43216-5006
Attn: Special Programs Branch
Subject: Culpability Report – NISPOM paragraph 1-304
Reference: January 5, 2009 Violation
Responsible Individual: DOE, Joseph
SSN: 123/45/6789
D/POB: 02 May 1956, Philadelphia, PA
Clearance Level/Date: SECRET, 24 JUL 2004
Facility Code: 02769
Gentlemen:
In accordance with paragraph 1-304 of the National Industrial Security
Program Operating Manual, the following report is submitted.
This is where you explain why this individual is culpable. Don’t forget to
explain that you have already submitted a report to DSS. Make sure you
state if this is a first security violation or what number.
Should you have any questions, please contact the undersigned at (your
phone number).
Sincerely,
Your Name
Your Title
Keep in Mind!
• Security Incidents Cannot Always be Prevented
• Don’t be That Proverbial Ostrich and Stick Your Head in the Sand!
• The Key is When an Incident Occurs, Take Immediate Control of the Information
and Conduct an Assessment to Minimize the Impact of the Incident.
• Conduct Reviews & take Corrective Action to Prevent or Minimize Future
Incidents
• Remember, an Unreported Security Incident Could Jeopardize the Safety of Our
Men and Women Who Defend Our Great Country
Questions