How often do you think about what happens to the paper you shred at work? Have you ever considered the policies in place to protect your security clearance when it is up for review? Although there is annual training on operations security and incoming briefs for new employees, the reality is many individuals let go of their responsibility with the paper at the shredder. However, for members of Defense Logistics Agency Intelligence at Defense Supply Center Richmond, Virginia, these questions are at the core of operations security.
Although there are many facets of security under the DLA Intelligence umbrella, the four critical areas that DLA employees will encounter are personnel, operations, information and industrial security.
Personnel security exists to ensure only trustworthy individuals are assigned to sensitive positions at DLA. Sidney Simpkins, security specialist, is most DLA employees’ first encounter with personnel security.
"Personnel security is a background investigation done on government employees, contractors and military personnel, so they can meet the suitability requirements to be employed based on trust, reliability, honesty and the willingness to follow rules and regulations,” said Simpkins.
Simpkins explained that every employee has a position sensitivity depending on their position and duties performed for the federal government. There are three sensitivity levels: non-sensitive, non-critical and critical sensitive. Each level requires a corresponding background investigation tier, ranging from 1 to 5, for the sensitivity rating.
“No matter what part of the federal government you work for, you are required to have a background investigation,” said Simpkins. “After the investigation, you fall into the continuous evaluation and if something was to happen in your life, you would need to self-report.”
Simpkins explained that self-reporting is letting the government know what’s going on, so someone can’t use that information to blackmail or coerce you into doing something. Incidents that need to be reported are crimes with fines that exceed $300, marriages and foreign travel.
“When traveling abroad, what we are looking for it probing,” said Simpkins. “If someone is asking you about your job, what you do for the federal government, or offer you something for free that seems suspicious then you should report that activity when you get back.”
A new challenge that traveling employees may face is conflicting state and federal laws. One such conflict is the new recreational and medical marijuana laws that have passed in more than 25 states and the District of Colombia.
“As a federal employee, you fall under federal guidelines,” said Simpkins. “If you do something that is illegal federally when you are traveling than you are on the hook for those actions when you return.”
Simpkins explained that employees have to be reinvestigated every five years and that self-reporting is essential to maintaining your clearance.
“Investigators are assigned to your case and begin to collect personal information,” said Simpkins. “This now includes your social media accounts and presence.”
Simpkins explained that self-reporting and monitoring your social media presence is important for employees’ careers.
After the initial investigation and being hired, DLA employees will be handling information based on their sensitivity rating.
Information security, or INFOSEC, pertains to the protection of classified and controlling unclassified information from unauthorized disclosure.
The INFOSEC program promotes the proper and effective, protection of, downgrading and declassification of classified information by the entire workforce.
Industrial security ensures the safeguarding of classified information in the hands of industrial organizations, educational institutions and all organizations and facilities used by prime and subcontractors by defining essential security requirements for contractors.
“Industrial security is important because you don’t want your adversary to know that critical information,” said Stephen Robinson, security manager (OPSEC, INFOSEC, INDSEC), DLA Intelligence, DSCR.
Robinson described the effects of compromised industrial information. At one point, information was obtained by foreign parties and counterfeit parts were created and put into the market at a lower price. This caused vulnerabilities in security because the parts were made to appear to standard, but had faults by poor craftsmanship or by intent to sabotage the equipment.
“Many employees won’t have to worry about industrial and information security, because they won’t have access to that information,” he said. “However, everyone is responsible for [operations security], because it deals with unclassified information. Its primary goal is to increase mission effectiveness by identifying and protecting critical information.”
OPSEC, is the process designed to protect unclassified information that can be used against DLA. OPSEC challenges employees to look through the eyes of an adversary (individuals, groups, countries and organizations).
He explained that some of the biggest vulnerabilities he has caught in OPSEC were not encrypting emails, assuming that critical information would be shredded at the recycling center, not safeguarding the critical information.
“Let’s say you get a power bill,” he said. “You know you’re going to pay it online, so you throw it in the trash. Now, someone goes through your trash and gets that bill and has your personal information. If you throw away something with your social security on it, someone can destroy your life with that information.”
Fortunately, the DLA Intelligence team at DSCR, has put together guidelines to help protect security. Some of the recommendations provided to all new employees are reviewing information for sensitivity prior to posting on social networks, look at information before throwing it in the recycle or trash bins, and conduct an annual clean out each year.
“Information was being put into DSCR’s recycling center, and you have to remember that not all information gets shredded. [DLA Intelligence] followed the material from the recycling center, from point A to point B. They followed that information all the way to a barge, where it was loaded onto a ship headed to China,” said Robinson. “When you are dealing with OPSEC, a lot of it is common sense. You have to understand the information you are working with that your adversary could use to get the big picture.”
From the office to the barge, security matters at DSCR. A compromise in any of the four critical areas can cause repercussions to the individual and the organization.
“We always see those old posters that say OSPSEC saves lives,” said Robinson. “People need to realize that’s a reality and not a fantasy.”