Published by Alexina Newton. Modified over 8 years ago.
1
In support of the National Industrial Security Program (NISP)
Presenter: Kenneth McKnight, FSO
Presentation Date: May 2016
2
The contractor shall provide all cleared employees with some form of security education and training at least annually. Refresher training shall reinforce the information provided during the initial security briefing and shall keep cleared employees informed of appropriate changes in security regulations.
National Industrial Security Program Operating Manual (NISPOM) Chapter 3, Section 1, Paragraph 3-107
3
PURPOSE
To remind you of your responsibility and obligations while working with classified information.
To satisfy the requirement for a periodic security refresher briefing as outlined in the National Industrial Security Program Operating Manual (NISPOM).
It is a part of InterImage's security program.
5
Review of the National Security Program
As a Government contractor, we are bound by Executive Order 12829, National Industrial Security Program, which establishes rules and regulations to properly protect and control all classified material in our possession or under our immediate control. InterImage has been granted a TS Facility Clearance by the Defense Industrial Security Clearance Office, a division of the Defense Security Service (DSS), also known as the Cognizant Security Agency (CSA).
Employees and consultants requiring access to classified information in order to perform work on classified contracts are granted eligibility by DSS and access by the Company (in conjunction with the needs of our government client). Background Investigations are conducted by the Office of Personnel Management (OPM) (or their contractors) based upon the employee's Need to Know and the company's security requirements imposed by contract.
6
The Company Facility Clearance
A Facility Clearance (FCL) is a determination that a company is eligible for access to classified information or award of a classified contract. This process involves an evaluation of the corporate organization; key leadership; outside corporate relationships; foreign influence, etc. In other words, an FCL means that a company (or better said, its cleared personnel) may have access to contract-specific classified information based on a government need and at a government-approved location.
An ability to STORE classified information or process classified information requires separate reviews and authorizations. Companies are required to complete a DOD SECURITY AGREEMENT (DD Form 441) which outlines their security responsibilities.
7
Personnel Clearances
Once the company receives its FCL, select employees may be granted access to classified information based upon:
8
The Non-Disclosure Agreement – Standard Form (SF) 312
9
DD Form 254
DD Form 254 outlines the security specifications for each classified contract issued to a prime contractor from the government. If you are unaware of the security requirements and levels of classification associated with the contract you are directly supporting, ask the FSO to review a copy of the DD 254.
10
Overview of the Security Classification System
As outlined by Executive Order 12958, as amended, classified information is official government information that has been determined to require protection in the interest of national security. All classified information (with only one exception) is under sole ownership of the U.S. Government, and employees possess no right, interest, title, or claim to such information.
Levels and Categories of Classified Information
Classified information is designated by both a classification level and a category. The classification level is based on how much our national security could be damaged if the information were to be released to unauthorized person(s). There are three classification levels:
Top Secret (TS)— the highest level, applied to information whose unauthorized disclosure could be expected to cause exceptionally grave damage to the national security of the United States.
Secret (S)— the classification level between Confidential and Top Secret, whose unauthorized disclosure could be expected to cause serious damage to the national security of the United States.
Confidential (C)— the lowest level, applied to information whose unauthorized disclosure could be expected to cause damage to the national security of the United States.
11
Other forms of classified information and programs that you may come in contact with or be required to gain access to are:
NATO: North Atlantic Treaty Organization. Before having access to NATO classified information, employees are required to be given a NATO briefing that covers the requirements of NISPOM section 10-7-1 and the consequences of negligent handling of NATO classified information.
COMSEC: Communications Security. All contractor employees who require access to COMSEC information in the performance of their duties shall be briefed before access is granted.
Restricted Data: Department of Energy (DOE) data concerning the design, manufacture or utilization of atomic weapons; the production of special nuclear material; or the use of special nuclear material in the production of energy.
SAP: Special Access Program.
For Official Use Only (FOUO) is unclassified government information which is exempt from general public disclosure and must not be given general circulation.
12
Access Requirements
Authorized access to classified information may be granted only when two conditions are met:
The recipient must have a valid and current security clearance at a level at least as high as the information to be released.
The recipient must demonstrate the need for access to the classified information. This is referred to as "Need To Know".
Need To Know is integrally related to clearance level.
13
NEED-TO-KNOW
Need To Know (NTK) is the determination by an authorized holder of classified information that access to the information is required by another appropriately cleared individual in order to perform official duties. You may need to make "Need To Know" decisions when:
Someone wants to view a document under your control.
You are briefed on a very sensitive project.
Discussing specific projects.
Although someone may have a clearance, they may not have the NEED TO KNOW. If you have any doubt, ask your supervisor or contact the FSO.
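The two access conditions above (a clearance at least as high as the information, plus need-to-know for the specific contract), together with the category briefings from slide 11, written out as a small deny-by-default policy check. This is an added illustration, not InterImage's or DSS's code; the employee, contract and category names are constructed, and treating every category as briefing-gated (the briefing only states this for NATO and COMSEC) is an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Classification levels ordered by the damage unauthorized disclosure could cause.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Document:
    level: str                                  # CONFIDENTIAL / SECRET / TOP SECRET
    contract: str                               # contract (DD 254) the information belongs to
    categories: FrozenSet[str] = frozenset()    # e.g. {"NATO"}, {"COMSEC"}


@dataclass(frozen=True)
class Employee:
    name: str
    clearance: Optional[str]                    # eligibility granted by DSS; None = uncleared
    contracts: FrozenSet[str]                   # contracts the person supports (need-to-know)
    briefings: FrozenSet[str] = frozenset()     # category briefings completed
    active: bool = True                         # False once access is withdrawn


def access_decision(emp: Employee, doc: Document) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Access is denied unless every condition holds."""
    reasons: List[str] = []
    if not emp.active:
        reasons.append("access has been withdrawn")
    # Condition 1: clearance level at least as high as the information.
    if emp.clearance is None or LEVELS[emp.clearance] < LEVELS[doc.level]:
        reasons.append("clearance {} is below {}".format(emp.clearance, doc.level))
    # Condition 2: need-to-know, judged per contract, not implied by the clearance.
    if doc.contract not in emp.contracts:
        reasons.append("no need-to-know for contract {}".format(doc.contract))
    # Category access (NATO, COMSEC, ...) additionally requires the category briefing.
    missing = doc.categories - emp.briefings
    if missing:
        reasons.append("missing briefing(s): " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


# Constructed sample data, not taken from the briefing.
ALICE = Employee("alice", "SECRET", frozenset({"CONTRACT-A"}), frozenset({"NATO"}))
BOB = Employee("bob", "TOP SECRET", frozenset({"CONTRACT-B"}))
DOC_A_NATO = Document("SECRET", "CONTRACT-A", frozenset({"NATO"}))
DOC_A_TS = Document("TOP SECRET", "CONTRACT-A")


def demo() -> dict:
    """Three decisions: allowed; denied on level; denied on need-to-know despite a TS clearance."""
    return {
        "alice->A_NATO": access_decision(ALICE, DOC_A_NATO)[0],
        "alice->A_TS": access_decision(ALICE, DOC_A_TS)[0],
        "bob->A_TS": access_decision(BOB, DOC_A_TS)[0],
    }
```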
14
Threat Awareness
15
The Threat: U.S. sensitive technologies and information are under attack from foreign entities.
Industry reporting assists the Defense Security Service (DSS), and our government partners, in detecting, deterring, mitigating, and neutralizing the threat.
16
Background & Purpose
Each suspicious contact report (SCR) makes a difference:
– Over 34,000 reports from industry in FY14
– Reporting led to identifying 989 subjects and sources
DSS produces the Trends to raise threat awareness, encourage reporting, identify specific technologies at risk, and apply appropriate countermeasures.
17
Collection Trends Overview
19
Counterfeit Microelectronics
Counterfeit microelectronic devices represent a threat to DOD systems.
Counterfeits that could significantly degrade, tamper with, or disrupt the performance of DOD systems can enter the DOD's supply chain in various ways.
While it is rare that cleared contractors (CCs) would turn directly to the gray market, DSS identified U.S. companies importing microelectronics from suspected counterfeiters overseas who actively solicit CCs for business.
20
Counterfeit Microelectronics
DSS assesses it is almost certain that foreign intelligence entities possess the capability to introduce non-conforming or malicious microelectronics into the supply chains of cleared industry.
DSS lacks sufficient specific information to determine whether they intend to exploit supply chain vulnerabilities.
21
Counterfeit Microelectronics
DSS assesses that foreign entities will almost certainly continue to target cleared industry.
Most active collector regions will almost certainly remain the same, although the ranking may change.
23
Operations Security
24
What Are We Protecting?
25
Trade Secrets
27
Safeguarding Classified Information
Must never be left unattended.
Must have the proper marking.
Must never be discussed in public places.
Must be discussed only on secure telephones or sent via secure faxes when/if the need arises.
Must be under the control of an authorized person at all times.
Stored in an approved storage container.
Never be processed on your computer unless approved by the U.S. Government.
28
Discussing Classified Information It is your personal responsibility to know that the person you are dealing with is both properly cleared and has a need to know. You must never reveal or discuss classified information with anyone other than those that are properly cleared and have a need to know.
29
Public Networks Be cautious of what you reveal about your job in online forums, such as blogs, wikis, message boards and social networking sites. Hinting or alluding to the fact that you have access to classified information can make you a target for solicitation, viruses and malicious code.
30
Security Violations Ensue Disciplinary Actions
For MINOR Violations, Action MAY Include:
Verbal Counseling
Written Counseling
Suspension/Termination
For MAJOR Violations, Action MAY Include:
Same as minor violations
Loss of security clearance
Arrest
Imprisonment or fines
31
Insider Threat
32
What is an INSIDER THREAT?
It is a sad reality, but the United States has been betrayed by people holding positions of trust. Arguably, "insiders" have caused more damage than foreign professional intelligence officers working on behalf of their respective governments.
DSS defines insider threat as: Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DOD's ability to accomplish its mission. These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities.
33
GAO June 2015 Report to Congress on DOD Insider Threat Program (Extracted)
According to U.S. intelligence-community leaders, unauthorized disclosures of classified information by individuals with authorized access to DOD information and systems have resulted in grave damage to national security and potentially placed the lives of military service members at risk, highlighting the threat insiders can pose to government organizations. Disclosures by an Army service member in 2010 and a National Security Agency contractor in 2013 are among the largest known leaks of classified information in U.S. history, according to DOD and U.S. intelligence-community leaders.
34
GAO June 2015 Report to Congress on DOD Insider Threat Program (Extracted)
In January 2014, the U.S. intelligence community's Worldwide Threat Assessment cited the persistent challenge and continuing critical threat that insiders pose. Insiders have an advantage over others who may want to harm an organization because insiders may have an awareness of their organization's vulnerabilities, such as loosely enforced policies and procedures, or exploitable technical flaws. Even insiders who do not intend to cause harm may inadvertently do so through human error.
35
GAO June 2015 Report to Congress on DOD Insider Threat Program (Extracted)
Insiders with access to DOD information and systems may be able to conduct far more malicious activity, wittingly or unwittingly, than outsiders, with potentially devastating consequences for DOD. DOD's April 2015 cyber strategy stressed the importance of mitigating insider threats, stating that DOD's work to mitigate these threats extends beyond technological solutions and includes personnel, reliability, leadership, and accountability matters.
36
2015 Vormetric Insider Threat Report
37
Executive Summary: Catalyst
Insider threats are caused by a wide range of offenders who either maliciously or accidentally do things that put an organization and its data at risk. The insider threat landscape is becoming more difficult to deal with as the range of miscreants moves beyond employees and privileged IT staff. It now includes:
– Outsiders who have stolen valid user credentials
– Business partners
– Suppliers
– Contractors with inappropriate access rights
– Third-party service providers with excessive admin privileges
Unless properly controlled, all of these groups have the opportunity to reach inside corporate networks and steal unprotected data.
38
Executive Summary: Overview
Results from the 2015 Vormetric Insider Threat Report show that insider threat awareness levels have increased. Only 11% of respondents felt that their organization was not vulnerable to insider attacks, and a very large percentage (93%) were looking to increase or maintain existing spending on IT security and data protection in the coming year.
40% of organizations experienced a data breach or failed a compliance audit in the last year.
89% feel at least somewhat vulnerable to insider threat.
39
Summary of Findings:
Globally, 89% of respondents felt that their organization was now more at risk from an insider attack; 34% felt very or extremely vulnerable.
When asked about who posed the biggest internal threat to corporate data, a massive 55% of respondents said privileged users; nine percentage points behind, on 46%, were contractors and service providers, and then business partners at 43%.
Database, file servers, and the cloud hold the vast bulk of sensitive data assets, but for many (38%) mobile is perceived as a high-risk area of concern.
40
Businesses are spending more on security software to address the threat
43
Recommendations for Dealing with Insider Threat Activity:
Concentrate on protecting data at the source.
Make encryption with access controls the default.
Monitor and analyze data access patterns.
Replace point solutions with data security platforms.
44
Understanding the Insider Threat
45
Define the Insider
Authorized people using their trusted access to do unauthorized things.
Threat actors vs. threats: it boils down to actors with some level of legitimate access, and with some level of organizational trust.
Inadvertent or Malicious Insiders.
46
Potential Risk Indicators
Attempts to bypass security controls
Request for clearance or higher level access without need
Unjustified work pattern
Chronic violation of organization policies
Decline in work performance
Irresponsible social media habits
Unexplained sudden affluence
Outward expression of conflicting loyalties
Unreported foreign contacts / foreign travel (when required)
Maintains access to sensitive data after termination notice
Visible disgruntlement towards employer
Use of unauthorized digital external storage devices
47
Psychosocial Indicators
Disgruntlement: Responds poorly to criticism; Inappropriate response to and/or inability to cope with stress at work; Sudden change in work performance.
Ego: Domineering; Harassment; Argumentative; Superiority complex; Selfish; Manipulative; Rules do not apply; Poor teamwork; Irritability; Threatening; Retaliatory behavior.
Emotional: Change in beliefs; Unusual level of pessimism; Unusual level of sadness; Difficulty controlling emotions.
Relationship/Financial Problems: Divorce; Marriage problems; Stress at home; Financial problems; Inappropriate response to and/or inability to cope with stress at home; Unexplained change in financial status; Irresponsibility; Selfish.
48
Lessons Learned
Insider threats are not hackers.
Insider threat is not a technical or "cyber security" issue alone.
A good insider threat program should focus on deterrence, not detection.
Detection of insider threats has to use behavioral-based techniques.
49
When Does It Happen?
59% of employees leaving a company admit to taking proprietary information with them (FBI).
Out of 800 adjudicated insider threat cases, an overwhelming majority of subjects took the information within the last 30 days of employment (CERT; Carnegie Mellon).
60% of cases were individuals who had worked for the organization for less than 5 years (CPNI).
The majority of acts were carried out by staff (88%); 7% were contractors and 5% temporary staff (CPNI).
Courtesy www.Whitehouse.gov
58
Questions ???
Contact your Facility Security Officer
Kenneth McKnight, Primary FSO, (703) 522-7400 ext 1069
Leslie Steele, Alternate FSO, (703) 522-7400 ext 2301
59
DUE DATE
Please email your required briefing acknowledgement by Wednesday, June 15th, so it can be placed in your security folder.
ACKNOWLEDGEMENT
Please email kmcknight@iimage.com to acknowledge that you have read the InterImage Annual Security Refresher Briefing for 2016. Include the following statement in the body of your message: "I acknowledge that I have received and read the InterImage Annual Security Refresher Briefing for 2016 in compliance with NISPOM security training requirements."
It is important to include your name after the above statement.