DoD Secure-Working with National Industrial Security Program

Developing a Communication Strategy to Protect Sensitive Information

Jeffrey W. Bennett, ISP, SAPPC, SFPC, ISOC

Season 1 Episode 5

One of the best ways to protect proprietary, export controlled, or other sensitive information is through a communications strategy. Learn what a communication strategy is and how to apply it in today's podcast.

Speaker 1:

Hello and welcome to DoD Secure, the podcast discussing hard-hitting National Industrial Security Program issues. We tackle security clearances, insider threat, classification, security training, and more. And your host security discipline and author and publisher Jeff Bennett. This podcast is sponsored by securityclearancedefenselawyer.com and attorney Ron 60th. Ron consults on all areas of security clearance concerns and he can be reached by phone at (256) 398-3316 or through his website. By Security First and Associates, who provide FSO, CSSO consulting and training services. Hiring a full-time FSO can be expensive. A less expensive alternative is to use our managed security services. Our team of security professionals can help to minimize risk by assisting with many vital services, from fingerprinting and background checks to DSS security vulnerability assessments. We also offer JPAS, FSO and CSSO training. If you don't see the services you need, just ask. Security is our life. And by redbikepublishing.com, security resources in buildings. Get your copy of NISPOM and [inaudible] in training to download and present to cleared employees.

Hello again and welcome to DoD Secure. I'm your host, Jeff Bennett, and this is episode five, and we are continuing the interview with Joe and Terry Farkas of the Management Analysis Network. We continue our discussions on operations security, and today's focus is on communication strategies.

All right. Once again, welcome to clearcast and I'm your host, Jeff Bennett. And I'm with Terry and Joe Farkas. How are you? Welcome to the show. Good. Jeff Hardy. Done a really good, for those of you who don't know, um, I've been working with Joe and Terry for many years and Joe has given me a lot of my training on risk assessments and OPSEC. And so we're going to talk to you today during this program about those topics. Um, we used to work together in another organization and now you two are on your own with your own company. Uh, can you tell us a little bit about that?

Speaker 2:

Yeah. Um, well, we started up our own company, uh, several years ago, about six years ago or so, um, and we, uh, provide support to various customers in operational security, information operations, uh, strategies, technology protection, more of the risk management aspects of, uh, protection. Um, and that's what we've been doing for, what, six years now? Yeah. I think we provide, are trying to provide a holistic kind of approach to now security. Yes, exactly.

Speaker 3:

Okay. Well what is a communication strategy?

Speaker 2:

A communication strategy is a tool that programs can use or companies, whatever, whoever is the, the focal. But for us, we do a lot of support with the Department of Defense in terms of research and development acquisition program. So you know, building the next-gen stargate or the next-gen aircraft or whatnot, and, uh, what people are naturally going to do is inquire about that. And you're going to get media that inquires, you're going to get people who look at open source intelligence, and we do from a foreign intelligence perspective, they really, uh, rely heavily on what's published from an open source perspective. So the, the question is, you know, how do we talk about the program to meet the requirements, to convey information to Congress, to oversight, to others, and to tell the good news story to the American people about how their tax dollars are being spent, uh, to aid in national security. But at the same time keep back information that, uh, is very beneficial and could, uh, help an, an adversary or competitor, uh, capitalize on that information and start chewing through deductive reasoning, figure out where we're going and what we're doing, how we're doing. So the communication strategy is something we developed that kind of sets the rules of engagement for how you deal with the media or contracting or other elements. Uh, it's got left and right limits, you know, things you want to emphasize, things you don't want to emphasize, that have structured talking points and messages that you want to reiterate over and over again and areas that you want to avoid. So we put that together. We coordinate that with the program office, we coordinate that with a PAO, public affairs, for sure. And then we enable people to go forward and, and, uh, talk about their program, but at the same time feel comfortable that they're not going to disclose any information that may not be classified but still may be a significantly by. Yeah.

Speaker 3:

So I mean, I was going to say that sounds interesting. Um, I was an FSO once and I worked in security before and my, um, DD Form 254, um, said if I want to share anything, I just had to go through the peo. And also that, you know, I know not to talk about something if it's secret or if it's classified. So what's the gap that the, um, that the communication strategy might fill in?

Speaker 2:

One question, Jeff, the gap is your, you're like, we're a little bit older and we remember the show $100,000 Pyramid. And if you look at from a perspective, if people know something's classified, they won't talk about it, but they still may relate facts about it. So let's say there's a term and this term is classified. I'm going to mention other terms like bark, fetch and wag. You had absolutely no idea what I'm talking about. Correct?

Speaker 3:

Or it sounds like an animal.

Speaker 2:

That's like a dog, but I can't say dog because I always classify it. The thing is this, as we start to try and navigate around those areas and we'll say, I'm not going to talk about that, but I'll talk about this, we may in fact be revealing information. So what we're doing with the communication strategy is looking at what is it you're saying? And from there we'll then information disclosed aspects through deductive reasoning. People aren't dumb. And when you deal with people from other countries who are scientists and engineers and they're bound by physics, just like we are, telling them one thing can take them well down the path even though it may not be classified in and of itself.

Speaker 3:

Well, I think that gives a little bit of freedom, what you're talking about. One thing I like about you two is you tell good stories and analogies to help us understand what you're talking about. That's one thing I've always appreciated, and one thing that I've noticed when I was new on a program or new to a company is if I didn't know what to say, I froze. I'm one of those guys. You stick a camera and microphone in my face, I'm going to freeze because I don't know what I can say and what I can't say. And in the army they always tell us, you're not allowed to say no comment. You're just allowed to say, I'll talk to my PAO, for example. But what you're doing kinda gives me freedom. I know what to talk about.

Speaker 2:

Well, if you're having a structured approach, your structured themes, you know what your boundaries are, so that lets you have consistency in communications. So Jeff is saying the same thing that I'm saying. The same, the same thing we're saying. And so the more people hear the same message over and over, the more it becomes ingrained. And that works. On the flip side too, if someone says something and, you know, leader of another country or Gel or a program manager, and then suddenly someone else says something different, you start to go, wait a second, it's not consistent. And because it's not consistent, then are they trying to potentially lie? So what you want to do, again, is not to lie; what we're trying to do is bound the discussion. So we focus on those things that are more benign and avoid the things that are more of a concern. But it does give people freedom of movement and it also reinforces those things. Um, uh, which is very beneficial.

Speaker 3:

So it sounds like we need to walk it back a little bit. I think I asked you a question to deal with what is an outcome, and I think the communication strategy might be an outcome of something. Uh, and we've talked before and I think you mentioned also OPSEC and, um, risk management. So it sounds like communication strategy is something that would come out of that. Um, what would you do to develop that product called a communication strategy?

Speaker 2:

It's a really good question and your assumption is actually correct. In this case, what we do is we take a look at, uh, the materials that are produced. First and foremost is the class guide. The class guide tells you what is and is not available to be publicly disclosed. If it's classified, you don't get to poke great scholars at. And so firstly we'll look at it as the class guide and what's out of bounds, what's on the left or right. And they said, how do we structure that? Then we'll also look at, um, and some guides, when we build class guides for programs, we actually will include any export controlled information that relates. So, um, the class guide becomes kind of a one-stop shop, but you can't disclose export controlled technical information to a foreign national in the United States. That's a deemed export and people don't understand that. If I went to a conference in New York City and started talking technical details with a foreign national, that's technically an export control violation. I don't ever have to send a box somewhere outside the confines of the United States. So we'll look at what's classified, we'll look at what's export controlled, and then we'll talk to the program about what they have seen to be critical as an enabler. And a lot of times in the Department of Defense, these are things that aren't as critical information from an OPSEC perspective or critical program information from a program protection, technology protection perspective, and some programs I've looked at that and had been able to identify what was the main hurdle that they had to overcome through engineering, science, research, materials analysis, etc. Integration manufactured in, what was that one or two or three things that they overcame? Irrespective of classification, that really they want to hold back. If you're talking to a company, they would call that their trade secret. The thing that gives them their true competitive advantage. It's not an org chart with a bunch of phone numbers on. It's truly detailed information that we would include in the comm strategy as well relative to the left and right limits. Uh, and that's, that's what we would do. We would take that corpus of information that's available that helps guide us from export control, which is a criminal violation, just like classification's a criminal violation, and then on to, uh, the stuff that the program or your organization's identified itself as not wanting to disclose, their quote critical information. And we'll use that. We'll construct the left and right limits and we'll construct the messages and themes and then we will develop, um, standard questions and answers that are tailored to that program. So yeah, it's, it's very much leveraging the things that a traditional security environment gives us.

Speaker 3:

Is this something, this skill that you're talking about, um, is this something you find that, um, in general defense contractors actually put into practice, or you think it's something that should be practiced? Is it an innate ability or learned behavior?

Speaker 2:

I haven't seen it's learned behavior. Yeah, I agree. I think it's smart and I think it's learned because people who've gotten bit, um, the, the people who are, are, are very, um, responsive to this are people who've experienced it firsthand. I would say that most organizations don't think about it. Um, they've got a public affairs office. Their job of note is to put information out. They don't always look at it from what is the consequences of this information if they do the one up against a class guide. But as we've talked about, bark, fetch and wag aren't classified, whereas the term dog is. So to them it may be fully compliant. Uh, but I have an issue. The other thing is we find a lot of, especially companies, will look at things from a reactive perspective. This information gets out, we will respond for this route of litigation, primarily will use legal means. The downside there is, uh, if someone releases information or steals it or whatnot, it's too late. The cat's out of the bag, and if they're actually being paid for being, uh, you know, uh, worked by a foreign entity, good luck trying to tell country X or Y that you're going to sue them. Right? So yeah, it's to be a very, it's something that everyone should know it. And let me put it to you this way. If, if I asked you what's your favorite ice cream flavor, what would you say? Probably pralines and cream. Prayers here. What's your favorite color? Chocolate. Oh, I'm sorry, Todd or blue. Blue. Which favorite ice cream flavor. Chocolate. Jeff, what's the PIN to your ATM card? See, it's innate in each of us to know implicitly what immediately of course wants to risk at an individual level. The difficulty is when we get into an organizational mindset, we start to assume other people are doing that task. We start to break down. I think it's someone else's job. And at that point, what we would naturally have the hair on the back of our neck stand up. We may or we made a, we may not even think about because it's part of a bigger entity, and that's why I think it's gotta be learned behavior. It's, it's, it's there for everyone to implicitly drawn, but for whatever reason, the organization psychology or whatnot, they don't.

Speaker 3:

Yeah, I agree. I think, um, it seems like right now things are centralized and some, I think, may, as you stated, think it's somebody else's duty to protect information. But if you decentralize it, I see the benefit of measurement cleared employee working on a program. Um, and I'm working unclassified information, but it might be sensitive. Um, you know, and I could use your principles that you're talking about to determine, you know, where do I want to store that on my network? Um, can somebody tunnel in and get it, cause somebody exfiltrated? Yeah.

Speaker 2:

More if you're working on something that is maybe just sensitive and not class, that's it. Cause when you work in a classified environment, you're used to knowing what which you can and can't do. When you're working with maybe just sensitive information, if you don't know your boundaries, and in two things there, and what Jerry's bring up is really good. The NISPOM governs classified information. I mean, it's prescriptive in nature. This is how you handle it. There's no guidance for sensitive information, for FOUO, or even export control. They'll come up with terms like you have to protect it with correspondence of blah, blah, blah. They store some legal terms in that I can't pronounce, but it doesn't give you a how-to. It doesn't tell you what to do with that, and think about this way, especially talking about the networks, you tried, you can yell at and she put it on there, but how many times have we heard of hacks going on at different military programs? Unclassified networks, right? Yeah. When the results are out, excluding the individuals that did it, but the results is what was common was that analysis is classified, and it goes back to the compilation issue. We always talk about classified by compilation, but so do, do we sit there in a class guide and say, okay, let's take an aspect of, we'll, let's just take armor, armor integration. Okay. The armor integration aspect, that's secret, but what does that mean? Is it material analysis? Is it a specific bonding technique? So you can look at that. If you don't break it down to the different piece parts, you may have five things that are totally unclassified, but when you put those five things that are all unclassified on the table or on that network drive, they equate to that classified data. That's the biggest problem we're having that with our networks. And, uh, it's something that can be overcome fairly quickly. Uh, once you explain to people how to, how to start approaching it.

Speaker 3:

Excellent. Yeah. And uh, um, I imagine that if somebody does understand that something may be classified by compilation, um, I hear you're a line. Okay. Uh, organizing these falls together. They might be classified, but I just don't know why it is or if it is even classified. What would you recommend, um, a contractor do if they suspect something may be classified by compilation but they don't have any guidance?

Speaker 2:

Well, yes, if they suspect it is classified by compilation, they should really look at how do I pull this information off? I mean, if they truly have a strong feeling that yes, it is, how I pull it off and then treat it as such. But that's easy to say. Very difficult to do. So what we talk to programs about is, can you identify one or two key pieces of information that relate to that? Yeah. And segregate it. So thinking of like a recipe for cookies, you need butter, you need sugar, you need flour, and you need chocolate chips, because everyone loves chocolate chip cookies. What are the things that if you took out, you couldn't get cookies, you could get a gooey mess but maybe not a cookie. And if you can pull those out, separate those, segregate those, password-protect those, encrypt those at rest. Using fairly simplistic means, Microsoft Office for, for or Adobe or whatnot. But if you can do that and segregate that, then if someone can come in and get the other piece parts, they still can't make cookies, that they don't have all the components to the recipe. And so what we tell people what to do, first things first, identify who actually needs access to that information. Not everyone needs to know how to make cookies. Everyone needs to eat cookies, but not everyone needs to know how to make them. So identify, like a KFC 11 herbs and spices. Yeah. Who actually needs access to that, tightly control that. And then if it is in one place, figure out how do you obfuscate that. So maybe you add an additional, I don't know, 15 additional ingredients. So someone comes in, they're looking at, I don't know, 26 ingredients, which are the real ingredients and what are the proportions? Obfuscation is a simple thing they can do. The other thing is by separating out two or three key ingredients, leaving them out of the recipe. You can do a lot of that through your networks, through your files already. But the first step is figuring out who needs access and then how do I pull back the key parts of that.

Speaker 3:

Well, good, thank you for that. Um, just makes my mind spin at how many things that we can do that we just don't know how to do or how to apply things. And so I appreciate you breaking that down for us. Um, can we shift topics a little bit to, um, security clearances? Sure. So Terry, are you the FSO or is Joe deficit or gea point? Huh?

Speaker 4:

We're a two man. All of it. I'm the FSO and Joe's the assistant, so,

Speaker 3:

well, so you have, um, two, two persons running everything including the security duties. Yeah. And so for those of us who, um, may desire to one day have our own company and I get a lot of emails from people like, Hey, Jeff, I wanted to get a clearance. How do I do that? Um, what is the first step to getting a clearance?

Speaker 4:

Well, to get your security clearance, I don't know. I have the perception that people think, they see that there's all these jobs out there that require security clearances. So hey, I'll just, I'll get a security clearance and then I can apply for these jobs, and it doesn't work that way. You have to get the job that requires a clearance and then, uh, then you, you go through the steps to get the call.

Speaker 2:

It's just like the facilities. So say you're going to start up your own company. Yeah. For a facility clearance, you don't say, okay, I've got a company, I want to get to do business. You've got to win a contract or be a subcontractor that requires access to classified, and then you can get sponsored and go through that. But the first step is to get work, and that requires access to that. That's, yeah. It's cart before the horse, you had to write a lot of people.

Speaker 3:

Yeah. I get asked a lot, um, hey, I want to work on classified contracts. How do I get my clearance? I said, well, it's the other way around. You get the classified contract first, and it took a lot of, people are surprised that they can bid on classified contracts without a clearance in place.

Speaker 2:

Yeah, yeah, that's, that's absolutely true. Um, and, and I, I think once they start to see that, that process kicks in and it's a fairly well-oiled machine. I mean, there, there are some hiccups that can take time. But Jeff, last I heard there's, what, tens of thousands of cleared defense contractors in the United States? Yes.

Speaker 3:

Yeah. The last time I checked it was about 12,000, but that was a couple of years ago. So it doesn't, it's a lot.

Speaker 2:

It's a lot. So if, if you bid on a classified contract, then they can get you to be a cleared facility, that, that, that can happen. That's a very good point.

Speaker 3:

And in your process, and just speaking from you long, what was the surprisingly easiest part about getting a clearance? Was it paperwork? Was it actually getting sponsored? Was it the whole process?

Speaker 4:

Yeah, the facility. Our facility. Right. You did the work on wow.

Speaker 2:

Yeah, we, but it was easy for us because we literally were told, uh, a prime contractor came to us and said, you know, we've been told we really should bring you on to help out with this. And so, um, that happened. And because that happened with the prime contractor, uh, sponsored us for a facility clearance in the paperwork. And I gotta tell you, um, the lady who's the FSO at that facility, and I don't know if I'm supposed to say that. She's actually fantastic. She answers all of our questions because again,

Speaker 4:

we heard a lot of questions. The two of us, we're not, and we're not,

Speaker 2:

you know, security people 24/7. We do a whole bunch of other things, from accounting to supporting the customers, taking the trash out, all that other stuff.

Speaker 4:

Well, she was fantastic. Three weeks out of the mom's snow. Yeah. Security's a, you know, for us is a small, small part of our jobs. So I think being an FSO and all at a large company where that's what you do all day every day, right. You're going to be, I think, a lot more, um, maybe knowledgeable, not with the right word, but you're maybe better at it than the two of us that way. More experienced. Yeah. Experience.

Speaker 2:

If you're speaking of that real quick, I'll say this and then I'll be done. Um, to the people that are working at DSS and for JPAS and all that other stuff, they're actually fantastic. And I know in this day and age we like to send emails or text or tweet or do whatever, but they have people that are at the phones and every phone call away. Seriously. Every time we have called them and asked for help, we have never been disappointed. So that's the thing I would tell anyone who's getting into this: don't hesitate to reach out to the experts, they want to help, and that we've never had them not help us, ever. Sometimes I think we amused that [inaudible] that helps their day. But yeah, they're, they're awesome. DSS, the guys there, they're not out to get you or to, you know, Dean, you are, uh, they're there to help you. They want you to be successful. They want your company to succeed. So, um, yeah, you can always contact those guys and then they'll point you in the right direction. Did they get the help you need?

Speaker 3:

Well, excellent. Well, I appreciate your time and explaining, um, some very good things about how to protect your classified and unclassified information, including the OPSEC principles and what is that communication strategy. In other words, I can't say obs you scale or something like that. Anyway, we'll spell it out. Um, you'll see the article that accompanies this. Um, and so appreciate you both being here, and if you need to do to get in contact or would like to ask further questions to Joe and Terry, you can email me at editor@redbikepublishing.com and I'll make sure they get that. Any parting thoughts or words?

Speaker 2:

Thanks. Yeah, thank you.

Speaker 3:

Oh, you're welcome.

Speaker 1:

Thank you for joining DoD Secure, the podcast that talks about security clearances and protecting classified information according to the NISPOM. For more information, visit us at vodsecure dot com or email us at editor@redbikepublishing.com. We'd again like to thank our sponsors, securityclearancedefenselawyer.com and Security First and Associates at www.securityfirstassociatec.com [inaudible].