Enclosure 2 - Defense Security Service Slides on …
Enclosure 2
• Established in 1972
• Headquartered in Quantico, Virginia
• A federal agency of the Department of Defense (DoD)
• The Under Secretary of Defense for Intelligence provides authority, direction, and control over DSS
• Originally known as the Defense Investigative Service until 1999
• Oversees the protection of U.S. and foreign classified information and technologies in the hands of cleared industry under the National Industrial Security Program (NISP)
• The NISP was established in 1993 by E.O. 12828; intended to safeguard classified information entrusted to contractors
• Serves as the DoD Functional Manager responsible for the execution and maintenance of DoD security education, training, and certification
• Provides support to 32 federal agencies and approximately 13,500 cleared contractor facilities
10,000+ cleared companies at over 13,500 locations
DSS Locations: 4 Regions, 45 locations, 26 Field Offices
FOCI | Defense Security Service
• Interprets policy & provides guidance for the NISP
• Manages enterprise operations through EMMC
• Supports CFIUS process
• Manages NID program
• Assesses and mitigates FOCI for companies in the NISP
• Ensures the protection and oversight of secured international transfers of classified information
• Manages the security oversight functions of DSS's direct and indirect support to the Special Access Program community
EMMC Mission Set
1. CFIUS
2. DiT Phase 1 Implementation
3. NIDs
4. FCL review (initial, changed)
5. FOCI
6. Referral
Case Type | Priority
1. Identified Risk to Classified |
2. CFIUS, Unmitigated FOCI, Special Interest | Medium-High
3. DSS in Transition Cases | Medium-High
4. National Interest Determinations | Medium-Low
5. In-process FCL's | Low
6. Changed Condition FCL, In-process FOCI, Company Engagement | Low
• Initial case priorities are based upon the levels indicated in this chart but can be elevated using the EMMC's priority elevation factors
• The EMMC's list of elevation factors is constantly evolving to meet the needs of our customers
External Input: U.S. Government requests NID or CFIUS input
CFIUS: CFIUS lead requires input on JVN submission through email
Input: 0 days
NID: External agency requests support for a NID through email
Control: 1 day
Create foundational analysis document as required
CFIUS: Specialist adds case to production tracker
NID: Specialist confirms case submission is complete
Return to sender with 30-day suspense if case is missing documents
Close case if DSS has no equities; update parties as appropriate
Closing: 1-2 days
Send to EM for next action or further analysis
• FOCI = Foreign Ownership, Control, or Influence
• "A U.S. company is considered under FOCI whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of the US company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may adversely affect the performance of classified contracts."
• "A U.S. Company determined to be under FOCI is ineligible for a FCL unless and until security measures have been put in place to mitigate FOCI ... "
- NISPOM 2-300
The following eight factors are considered, in aggregate, to determine a company's FOCI exposure:
1) Record of economic and government espionage against the U.S.
2) History of cooperation on technology transfer
3) Type and sensitivity of information that will be accessed
4) Source, nature and extent of FOCI
5) Company's record of compliance with U.S. laws, regulations, and contracts
6) Nature of bilateral or multilateral security agreements with foreign governments
7) Foreign government ownership or control
8) Any other factor indicating or demonstrating a capability on the part of the foreign interests to control or influence the operations or management of the business
- DoD Manual 5220.22, Volume 3
• Foundational Analysis:
  - Triage and limited scope first-touch analysis of analytic requests
  - Goal: identify risk/threats associated with FOCI; security; intelligence; criminal activities; and complex business structures.
  - Significant findings → coordination with other analytical elements
• Advanced Analytics:
  - Comprehensive deep-dive analysis, leveraging supplemental products with technology or industry insights; expanded financial information; or collateral risk issues
  - Products may make recommendations for enterprise mitigation of identified risk
WHY?
• Owners
• Organizational Structure
• Control & Management
• Lawful Activity
• Influencers
• Affiliates / Partners / Associations
• Customers
• NISP Compliance
• Suppliers/Supply Chain
• Industry (sole source)
• Financial Viability
• Foreign Debt/Reliance
• Foreign Targeting
• Foreign Subsidiaries
• Program / Asset Importance
• Technology
• Security Posture/NISP Compliance
• Mitigation Strategy Unit identifies, mitigates, and oversees FOCI risks in NISP
  - Negotiates and emplaces contractual agreements that require FOCI companies to acknowledge risks and mitigate them
  - Risk mitigation measures could include:
    • reorganizing corporate boards
    • reviewing electronic communications
    • physically separating from FOCI affiliates
    • training employees on FOCI and national security issues
MITIGATION | OWNERSHIP | CONTROL | DETAILS
Board Resolution (BR) | Minority Ownership (< 50%) | AND No Control | Foreign interest has minority ownership insufficient to control the cleared company, e.g. by appointing Directors to the Board or making managerial decisions.
Security Control Agreement (SCA) | Minority Ownership (< 50%) | AND Right to representation, whether or not exercised | Foreign interest has minority ownership sufficient to control; Requires nomination of disinterested, cleared, U.S. citizen Outside Directors, to be approved by DSS
Special Security Agreement (SSA) | Majority Ownership (> 50.1%) | OR Effective control | Foreign interest has majority ownership and/or effectively controls; Requires disinterested, cleared, U.S. citizen Outside Directors; Access limitations; Allows for Inside Directors
Proxy Agreement (PA) | Majority Ownership (> 50.1%) | OR Effective control | Requires foreign interest to convey most voting rights; Requires complete independence from foreign interest; Requires cleared, disinterested, U.S. citizen proxy holders; Does not allow Inside Directors
Voting Trust Agreement (VTA) | Majority Ownership (> 50.1%) | OR Effective control | Requires foreign interest to convey legal title, independence; Requires cleared, disinterested, U.S. citizen trustees
(No NID)
Supplement Type | Security Provisions For ...
Visitation Restrictions | Foreign visitors
Financial Reporting Formats | Financial reviews
Electronic Communications Plan (ECP) | Communications monitoring
Technology Control Plan (TCP) | Export control compliance
Affiliated Operations Plan (AOP) | Affiliated operations/shared services
Facility Locations Plan (FLP) | Collocation
NISPOM 2-300(f) - The Federal Government reserves the right and has the obligation to impose any security method, safeguard, or restriction it believes necessary to ensure that unauthorized access to classified information is effectively precluded and that performance of classified contracts is not adversely affected.
• Inside Directors - Optional for SCA's, SSA; representatives of the ultimate foreign parent who may serve on the Board, provided that they are formally excluded from access to classified information at the cleared company.
• Government Security Committee (GSC) - Required for SCA's, SSA, PA, and VTA; a permanent subcommittee of cleared U.S. citizens who serve as Directors on the cleared company's Board. Inside Directors may not serve on the GSC.
• Compensation Committee (CC) - Required for SCA's, SSA, PA, and VTA; a permanent subcommittee of the cleared company's Board responsible for setting compensation policy for the cleared company. Inside Directors may serve on the CC, provided that an equal number of Outside Directors participate as well.
Continuous Monitoring (Change Condition / Amendment / Renewal)
• E-FCL Package Completed
• QA Performed
Mitigation Oversight
• Conduct Comprehensive Security Reviews
• Continuous Monitoring & Oversight
FOCI Program: Identify & Assess, Negotiate, Mitigate, Implement, Oversee
Mitigation Implementation
Identification & Assessment
• Mitigation and Adjudication Recommendations
• FOCI Assessment Completed
Mitigation Negotiations
• Review / Negotiate Draft Agreement
• Request Outside Directors / Proxy Holders / Voting Trustees
• Obtain Approvals for Mitigation, ECP, TCP, AOP, FLP and Outside Directors / Proxy Holders
• Schedule and Hold Initial Meeting
Country | Num. | Pct.
United Kingdom | 54 | 30.68%
Canada | 23 | 13.07%
France | 13 | 7.39%
Germany | 12 | 6.82%
Japan | 10 | 5.68%
Sweden | 7 | 3.98%
Italy | 7 | 3.98%
Netherlands | 7 | 3.98%
Singapore | 7 | 3.98%
Denmark | 4 | 2.27%
Ireland | 4 | 2.27%
Australia | 4 | 2.27%
Cayman Islands | 3 | 1.70%
Luxembourg | 3 | 1.70%
Israel | 3 | 1.70%
Norway | 2 | 1.14%
Virgin Islands | 2 | 1.14%
Lithuania | 2 | 1.14%
India | 2 | 1.13%
Other | 8 | 4.55%
68% FOCI Countries are in Europe
LEARN MORE!
• Visit DSS at www.dss.mil
• Review NISPOM Section 2-300
• Review DoD Manual Number 5220.22, Volume 3
• Review ISL 2009-03 (Material Changes)
• Attend DSS-hosted Annual FOCI Conference
• Work closely with your Industrial Security Representative
• Work closely with your Mitigation Strategies Action Officer
• Visit the Center for Development of Security Excellence (CDSE) at:
http://www.cdse.edu/stepp/index.html
QUESTIONS?
Business Analysis and Mitigation Strategy Division (BAMS) Industrial Security Integration and Applications Directorate (IP)
DSS - QUANTICO VIRGINIA