How can employees at the Department of Defense (DOD) help safeguard critical infrastructure (CUI)? How will they know how to respond to an attack, whether it be an initial response or follow-up measures? What do DOD employees need to know about cybersecurity and how it affects CUI? These are just some of the questions that DOD employees need answers to when it comes to safeguarding CUI. Luckily, there are several resources available through the DOD that they can turn to for answers and guidance.
DoD Pamphlet 3450.09
If you work in a building that has Centralized Verification and Validation (CVV) procedures, check with your Security Manager to find out if there are any specific protocols they need you to follow. If so, that information will be in DoD Pamphlet 3450.09. It’s also important to note that while CVV is required at each Department of Defense facility with a mission to protect high-risk electronic and electrical equipment, not all facilities have it yet, so you may have different guidance on what CUI requirements are.
The following resources might also be helpful:
- National Industrial Security Program Operating Manual (NISPOM)
- The Risk Management Framework For Electronic Information (RMF-EI)
- Office of Management and Budget Circular A-130
NIST Special Publication 800-171 is an example document used by organizations to perform risk assessments based on RMF or NIST SP 800-53A. Remember, these are just examples – some places may require other forms or documents for their risk assessments or different processes for managing their risks once identified. And again, check with your Security Manager about specifics within your organization.
DoD Directive 5200.52
The Department of Defense (DoD) Directive 5200.52, Information Assurance (IA), defines IA as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. DoD IA policy can be found in DoDD 8500.
Information Assurance (IA) Implementation. It states that IA shall be an integral part of DoD planning and decision-making processes related to national security systems and shall be integrated into policy development for such systems so that risk assessments, standards and guidelines are included in all aspects of system acquisition; development; operation; maintenance; training; procedures and management. The goal is to ensure that there is constant attention to appropriate safeguards throughout each stage of system development.
In order to achieve and maintain IA, organizations must establish an effective IA program. Such a program requires leadership at all levels, top-down direction from senior officials within an organization and continuous awareness by everyone in it of their responsibilities under its program.
An effective information assurance program will include regular updates on current policies and directives concerning safeguarding activities for both hard copy documents and electronic media, including the storage media and servers used by DOD components.
These safeguarding activities are performed primarily by technical staff who often have little knowledge about what constitutes legal issues regarding records management, including discovery obligations associated with court orders, subpoenas or other formal requests requiring them to produce records relating to their work product generated during employment at DOD.
Department of State Background Checks
Before granting final clearance, a detailed background investigation is conducted on all department employees to ensure their trustworthiness and reliability. While investigations are performed by several agencies, one of these agencies is the Office of Personnel Management (OPM). This office conducts personnel security checks which serve as a basis for granting or denying access to classified information.
These types of background investigations include comprehensive reviews of employees’ full-time employment records and interviews with immediate supervisors and co-workers. They also include a national agency check by contacting personal references, previous employers and neighbours.
The applicant’s credit history is examined along with arrest records in various states where he or she may have lived to assess for any evidence of falsification, fabrication or untruthfulness in statements made during an interview.
To gain access to sensitive material, you must be able to pass a polygraph test. A polygraph exam is used to measure your heart rate, blood pressure and breathing patterns while you answer questions about your honesty and integrity. If you fail the test, you will not be granted access. Additionally, if there is reason to believe that someone has been less than honest with their answers during an initial interview, they may undergo further questioning before being granted clearance.
Medical Exam Steps for Security Clearances
Each year, thousands of people join DOD and start working for contractors that hold DOD contracts. With that increase comes an increase in security clearances. Security clearance background investigations are thorough and can require more than one application step.
Clearances granted by DOD go through periodic renewal, so DOD employees should take care to safeguard their clearance credentials after receiving them. Steps must be taken to protect a DOD employee’s security clearance from being compromised or lost, and DOD employees should know where they can find information on how to do so.
The following is a list of places DOD employees can look for guidance on safeguarding their personnel security files (PSF) or Central Adjudication Facility (CAF) Investigative Repository:
- Department of Defense 5200 Series Publications
- Information Assurance Technical Implementation Guides
- Department of Defense Directive (DoDD) 5200.02
- DOD 5200.1-R
- Department of Defense Instruction (DoDI) 5200.2-R
- DoD 5220.22-M
- Department of Defense Directive 5220.22
- DoD 5220.22-R
- National Industrial Security Program Operating Manual
- Office of Personnel Management (OPM) Policy Letter dated February 10, 2009, on Guidance for Industry and Government Agencies on How to Protect Sensitive Information in Personnel Security Files and OPM’s Protection Guide for Sensitive But Unclassified Information dated May 12, 2008, and revised March 23, 2010
Identity Proofing
The DOD requires all DOD components and contractors to identity-proof their DOD-connected personnel and DOD contractor employees. In March 2014, DoD updated its guidance on personnel identity proofing, IJP 4 Volume 2 Part 1 (DoD 5200.54-M), to account for ID cards with RFID chips that can be read by a cell phone or other mobile device.
Also known as near field communication (NFC) technology, RFID chips can store information like an individual’s name and security clearance level along with a photograph of that person’s face. Many smartphones have NFC technology built-in, so personnel could theoretically use their own phones to read information from another individual’s ID card or badge.
This capability is intended to make it easier for DOD personnel and DOD contractor employees to verify each other’s identities without having to share sensitive information such as social security numbers or date of birth. As more organizations adopt these new technologies, they will need guidance on how best to safeguard them against compromise.
This post is meant to help those organizations determine where they should look for guidance on safeguarding credential management systems and networked devices that are used in conjunction with these systems.
CIA Job Application Process
A typical step in applying for a job with the CIA is to complete an application form. The agency accepts multiple applications at once, so you can apply online via USAJobs.gov. The form can be filled out and saved before it is submitted electronically through a secure site. Applicants also may mail their completed applications to Central Intelligence Agency, Attention Human Resources Office, Washington, DC 20505.
Once your application has been received and reviewed by human resources staff at CIA, your name will be placed on a list of eligible candidates in case any positions become available for which you are qualified. You may be contacted about those positions or offered interviews if jobs are available that match your experience and interests as identified on your resume and in your application materials.
Conclusion
Presently, protecting the CONFIDENTIALITY, SECURITY and PRIVACY of DOD CUI is a multi-pronged effort. There is a security component where DOD uses physical security, network security and audit trail procedures to protect DOD systems and networks from outside threats. Additionally, there are administrative controls that prevent the inadvertent disclosure of information on CUI. There are specific laws that deal with legal protection for CUI, such as FOIA and the Privacy Act. This can be further enforced by using non-disclosure agreements signed by those who work directly with sensitive CUI.