Alternate Compensatory Control Measures (ACCM)
Transcript
Welcome and thank you for standing by. At this time all participants are in a listen-only mode. Today's conference is being recorded. If you have any objections you may disconnect at this time. And now I'd like to introduce your host for today's conference, Mr. Anthony Lee. Sir, you may begin.

Before we get started I would like for you to be, please be aware that the video portion of this webinar is being recorded. Once the red light appears we will begin.

Good morning and welcome to CDSE information security webinar. Today's presentation will discuss alternative compensatory control measures, or ACCM. My name is Anthony Lane. I am an instructor and a course manager with the Center for Development of Security Excellence. I have several years of experience as a security manager.

Before we begin today's presentation I have a few administrative announcements. As you are looking at the screen, please become familiar with the layout. You will find a question and answer box on the right in which you can submit questions, but due to the large number of participants we may not be able to answer the questions posed during this webinar. But in a few days following the webinar, frequently asked questions will be posted on our website. You'll also see that you can download the presentation slides if you select a file in the file share box below. You can print the presentation and take notes as I discuss the slides. You will also find the DOD manual 5200.01, which will be referenced during this webinar.

Now while I conduct this webinar you'll notice that questions will appear on the screen. These are poll questions. These are to help me learn a little bit more about you. Please respond to each question as it is presented and I'll discuss the answers after several responses.

As I just said, let's begin with poll question number one to check your knowledge in regards to ACCM. Where can you find information regarding alternative compensatory control measures, or ACCM? Is it in D d 5200.00 2, is it in DOD 52008 R, DOD
manual 5200.01 volume 3, DOD manual 5200.01 volume 4? What is your answer?

All right, looks like we are all on the right track right now. Looks like most of you are familiar with the information in volume 3 of the manual, and number c is right: the information is found in DOD manual 5200.01 volume 3. Thanks for your quick response.

Now, DOD manual 5200.01 volume 3, enclosure 2, section 18 says that the heads of DOD components with original classification authority, OCAs, may use ACCM when the determination has been made that the standard security measures are insufficient to enforce the need to know of classified information, where SAP and/or SCI protections are not warranted. Now this is key: ACCM are not SAPs or SCI. Not a proponents for ACCM: USDP is over the ACCM management and oversight and congressional reporting; USDI is over the ACCM security policy. Now given this sharing of ACCM responsibility, staffing elements in USD and USDI will implement mechanisms or policies to ensure transparencies of all ACCM actions.

Now when approving an ACCM, we have already established that the heads of DOD components may approve ACCM to use of classified information on which they have authority over that. But prior to the establishment of ACCM they must also look at several items, such as: what is the criticality of the information that they're trying to get, that they're trying to protect? What is the sensitivity, and what type of damage would it cause to national security? What is the value of the information that they're trying to protect? And they're going to also analyze the threats, both known and anticipated. They're going to determine the vulnerabilities to exploitation. They're also going to assess the countermeasures and cost benefits.

Now why would an organization use an ACCM? All right, these measures can be used to assist in enforcing the need to know of classified DOD intelligence matters, classified operations, or sensitive support and other non-intelligence activities. ACCMs are also used to preclude the
duplication of unclassified nicknames and to ensure nicknames are consistent with policy. A roster or listing of all personnel accessing ACCM will be maintained by the control officer; we're going to talk about who that is later on. The access roster will list individuals who are active and those who are currently inactive. It is important to note that ACCM are not to be used for the acquisition programs or activities progressing through the acquisition process.

Now we will discuss some prohibited security measures. It is prohibited to use personnel security investigation or adjudicative standards that are more stringent than those normally required for a comparable level of classification. In other words, you do not use the stringent security measures that we would use for a SAP or SCI program. Some additional security measures: while using code words or other abbreviated approves, approvals of the nickname. It is also prohibited to use specialized non-disclosure agreements. And lastly, we are not allowed to use a billet structure or system that controls the positions or number of persons that's going to be afforded access with ACCM.

Now let's discuss some prohibited usages of ACCM. Do not use ACCM for NATO or non-intelligence foreign government information, or FGI. Uh, there are some exceptions to this policy: for NATO, usage can be granted only by the Secretary of Defense; for non-intelligence FGI, usage may be granted only by USDP. It is also prohibited to use ACCM to protect classified information in acquisition programs. ACCM can also, cannot, I do apologize, ACCM also cannot be used to protect technical or operational requirements of systems in the acquisition process. However, systems that are already in operational uses can be viewed as being in the acquisition process. Now, material or operational systems that are fielded, and items not in the acquisition process, and improvements to fielded items are eligible for the ACCM status as long as they are properly
justified. And ACCM cannot be used to protect restricted data or formerly restricted data, or COMSEC, SCI or SE information. ACCM cannot be used to protect unclassified information. Now, unclassified information, there's other programs that are already in place for the ones that I just mentioned above. ACCM cannot be used to preclude or impede congressional, Office of the Secretary of Defense, OSD, or other appropriate oversight of programs, command functions or operations. ACCM cannot be used to justify funding to procure or maintain ACCM communication systems.

Now, poll question number two. We just discussed the prohibited usages of ACCMs. This poll question, I would like for you to consider which are approved uses of ACCM. Are they, uh, classified DOD intelligence matters; classified information in acquisition programs; uh, foreign government information; classified operations; uh, sensitive support and other non-intelligence activities? Please.

All right, all of our answers, we're on the right track. This is not a trick question, but our answers are, we can choose one, more than one answer also. There we are, we're on the right track now. All right, the answers are A, D and E. Uh, thank you, thank you very much for your quick responses. Uh, we're on the right track: A, D and E.

Now next we will be discussing some roles of an ACCM sponsor, and this next poll question I would like for you to think about the position that qualifies as the ACCM sponsor. Who can the ACCM sponsor be: a general, flag officer, a senior executive or equivalent, or all of the above?

All right, all right. Well, less than 1% of us have chosen, uh, senior executive equivalent. It's all of the above, which is correct.

Now some of our documentation or correspondence, this is what we're going to discuss to establish an ACCM. First, the use of ACCM must be approved in writing. The designation of ACCM sponsor is afforded to the position and not to the person. At a minimum it will be a general or a flag officer or a senior executive equivalent who has OCA at
the level or higher than the information that's being protected by the ACCM. The documentation will also designate the ACCM control officer, who is the organization's point of contact on all matters concerning the ACCM. The correspondence will also include the effective activation date and expected ACCM duration, has any, also any planned participation by foreign partners. The ACCM sponsor will also develop and distribute a program security plan, a security classification guidance, also a participation briefing. At a minimum the briefing will address information that's going to be pertained within the ACCM.

Now just like many of our DOD programs, ACCM are really no different as it pertains to annual reports. Some of the basic annual reporting elements are, uh, the use of the ACCM, ACCM unclassified nickname; what is the purpose or the general description of the program; how long is it expected to last; who is the ACCM sponsor; and who is the ACCM control officer.

Now if some of you were wondering, uh, if ACCM-protected information can be shared with other, uh, DOD components and/or federal government departments and agencies, well it can, but only when the recipient organization agrees to abide by the ACCM security requirements.

Poll question number four: are DOD-sponsored contractors allowed to have access to ACCM? Yes, no, or does it depend?

All right, we're back and forth, but we do have some good answers. All right, thank you. The answer is, it really depends. Now DOD contractors may participate in ACCM only when such access and associated security plans are identified in the DD Form 254, Contract Security Classification Specification. It must say it in the DD 254. If you need additional information on the DD 254, please visit the CDSE resource page.

Next we're going to discuss the requirements for maintaining an ACCM program. First, as the ACCM sponsor you must maintain an updated listing of primary and alternate ACCM control officers. The ACCM control officer will maintain an updated ACCM
access control list. Additionally, contact between organizations will be between the organizations' ACCM control officers. Anyone that needs or requires access to ACCM-protected information will receive specialized refresher training on an annual basis. These are just some of the minimum things that will be covered during this training: we're going to cover some of the procedures for access control measures, uh, properly transmitting and transportation of, uh, ACCM information, various methods of storing the information; they're going to recover the marking requirements. And it's also a good practice to have individuals sign an acknowledgement of training and also maintain this in their, um, training folder.

Additionally, to maintaining ACCM program, your documentation, also the program security plan and the security classification guidance, it must be maintained and updated at a minimum of every 5 years. The ACCM sponsor will also provide the following information concurrently with the ACCM annual report: a listing of primary and alternate ACCM control officers, any updated ACCM documentation, or confirmation that the program documentation has been reviewed and it is also current.

In regards to safeguarding, now we're going to consider, uh, how to safeguard ACCM information. The provisions are found in volume two of the 5200.01. The cover sheet, it must be approved by the Director of Security, USDI, prior to use. As you can see, the images of a currently in-use cover sheet: these are the SF 703, 704 and the 705. These cover sheets must be covered and stamped with ACCM with the appropriate nickname. ACCM material should be handled and stored onto security classification and the information contained therein, and the material that separates it from non-ACCM classified information. Separate approved GSA containers are not required as long as everyone with access to the container is also approved for the ACCM material that is stored within, but measures to
help separate the non-ACCM material, classified material, and ACCM classified material, you want to separate those with, by the control drawers, or just make sure that it is properly identified by all persons. So proper training has to be received by all persons when you're storing it in the same GSA storage container.

All right, as you can see there's a track C. I want you to type: what are some of the methods for transmitting ACCM? Don't be shy, just type your questions in the box and I'll just read a few of them. You go bu CET, JWICS, deura, um, secure fax, secure email. All right, we're really on the right track. These are a lot of the ways that we can transmit. Seems to be that we're choosing the same ones because we all know our information. That's right, okay, so we're all choosing CET, JWICS, secure fax, um, all right, that's good.

In regards to transmission and transportation, uh, ACCM information will be transmitted just like any other classified information at the same classification level, but with some modifications. You mark the inner envelope with the appropriate classification, caveat ACCM, with the assigned nickname, and address to the attention of the individual that is going to be authorized to access the ACCM information. In regards to the DMS and using ACCM nickname, the nickname will be used in a text message of the traffic or the cover sheet accompanying the secure fax transmission, to assist in alerting the recipient of the transmission that involves ACCM-protected information. Now as the sender, you will ensure that the person that is going to be receiving also has the, is awaiting the transmission. Now when using the Defense Message System, or DMS, the material must also be marked as SPECAT, which is special category, in accordance with the requirements and the procedures.

Now automated information systems or electronic files containing ACCM-protected information will be configured with the appropriate discretionary access controls to ensure that access is
restricted to individuals with authorized access.

In regards to portion markings, uh, as you can see on the top of the screen, the banner marking, uh, that is being used, ACCM-protected information, it will be its overall classification and the caveat ACCM and the program's nickname. In this example on the screen, as you can point out, the classification level is SECRET, followed by the caveat ACCM and the two program nicknames, which is Fictitious Effort and Tea Leaf. We're going to use a hyphen without interjections, or you're not going to separate it; there's no space in between ACCM and the caveat and the program's nickname. So we're going to use SECRET, forward slash, forward slash, ACCM, no space, with a dash, Fictitious Effort, and we're going to close that out. Now if more than one nickname is going to be used, you're going to separate them with a forward slash. So as I just said: SECRET, forward slash, slash, ACCM, no space, with a dash, no space again, Fictitious Effort, and then the next, uh, code, uh, name will be Tea Leaf. Only the full nickname may be used after the ACCM. No abbreviations such as digraphs or trigraphs with nicknames may be used in place of the full nickname in the banner line or the portion markings of the ACCM information.

Now if any of you attended last month's webinar, uh, we discussed security incidents. We will now talk about security incidents as they pertain to ACCM. Right, compromise of ACCM program information, it will present an immediate, a real threat to national security. So, uh, proper finding of, anyone that finds the information or the material that is out of proper control will take actions to properly safeguard the material and immediately notify the local ACCM control officer or the security manager, that will follow up on whatever your local element security, uh, policies are. I want you to remember the ACCM program information is not SAP or SCI, and reasonable risk management procedures should be followed. When ACCM program information is incorrectly placed on non-approved
electronic systems or electronically transmitted on non-authorized personnel or systems, usually deleting the file or the material from the affected systems is normally sufficient action to take, unless the question, unless the material is at a higher level than which the system is accredited for. So when your people make a mistake or, uh, fax something on an unclassified fax or copier machine, we'll make sure that we get with our IT staff and notify them when doing so.

Now we also, uh, we're going to make the proper reporting, and inquiry and investigation, a damage assessment will be conducted per the guidance contained in the DOD manual 5200.01 volume 3. It's located in enclosure 6, reporting. Reports containing ACCM information will be handled in accordance with the requirements of this manual. Now section 13 of enclosure 6 of this manual, it states that action should be taken if unauthorized persons are inadvertently afforded access to ACCM information. You're going to remember that inadvertent disclosure forms are not used for ACCM; they are used for a SCI or SAP program.

Now at any time that the, uh, program sponsor knows that the ACCM is nearing its end and it must be terminated, as I stated earlier, the notification must be submitted in writing within 30 days of doing so. Now also, at any point in time that the ACCM requires further protection, such as being transitioned into a SAP program, authorization to establish a DOD SAP, it must be requested in accordance with DOD Directive 5200 52577, which is also the special access program policy.

Now I would like to thank you for taking your time out this morning, and, um, with CDSE and on discussing ACCM. Now more information about our upcoming webinars or other, uh, information security related training resources will be posted on the handouts, frequently asked questions on our webinar. You may also email information security related training questions to DSS at information securitytraining dss.mo. Our next webinar will
be IT Issues for the Security Manager, which shall take place on Thursday, May 16th, 2013. Thank you very much for joining, and please enjoy the remainder of your day.