If you're a contractor with a security clearance interested in working with a foreign partner, read through this checklist to keep yourself and sensitive information safe.
Introduction
As more U.S. contractor facilities are becoming involved with foreign entities, the Defense Security Service (DSS) has noticed many of these companies are reporting counterintelligence (CI)-related incidents involving foreign visitors, joint ventures and research. These CI concerns could often be mitigated with some simple security countermeasures (SCM). Based on recent experience, some of the best SCM for dealing with foreign entities may include, but are not limited to, the following:
- Have a technology control plan (TCP)
- Have an employee knowledgeable about export control issues
- Conduct frequent computer security audits
- Write "English" into the contract
- Do not respond to requests for visas
Technology Control Plan
A technology control plan stipulates how a company will control access to its export-controlled technology and outlines the specific information that has been authorized for release. It is a plan to protect classified and export-controlled information, control access by foreign visitors and control access by employees who are foreign persons.
A TCP is a security countermeasure that is frequently overlooked by companies eager to secure business in the international marketplace. A TCP may be required by the National Industrial Security Program Operating Manual (NISPOM) and the International Traffic in Arms Regulations (ITAR) under certain circumstances. The TCP shall contain procedures to control access and provide disclosure guidelines to all export-controlled information, and it should be tailored to a company's operations and the specific threats identified. CI organizations can help identify specific threats.
Knowledge of Export Control Issues
In their rush to do business with foreign entities, many small and midsize companies are frequently unaware of the Arms Export Control Act (AECA). The AECA is a federal law that governs the sale and export of defense articles and services. The Office of Defense Trade Controls (ODTC) implements the AECA through the International Traffic in Arms Regulations.
The ITAR regulates the exports of defense articles and related technical data by requiring contractors to obtain a license or other written export authorization. The possibility is very real that a U.S. facility could export a defense-related article or service in violation of the ITAR and not even realize they committed an export violation. However, as the old saying goes, "ignorance of the law is no excuse."
Export control concerns should be considered at the beginning of any foreign business negotiations. A company's knowledge of export control issues could save them a great deal of time and money.
Frequent Computer Audits
Advanced technology is a common aspect of most U.S. contractor facilities. As such, most government or contractor employees have access to the internet. Even business dealings are more frequently being conducted with the assistance of the internet. Use of the internet is a potential vulnerability that could result in the loss of massive amounts of information in a short period of time.
In addition, any company that has computer connectivity outside their facility, even with firewalls, is subject to hacking. A prudent security countermeasure is to conduct computer security audits daily or, at a minimum, weekly. The purpose of the audits is to detect unauthorized intrusion attempts.
However, detecting computer intrusions may be a waste of time if no effort is made to report the illegal activity and take remedial or corrective action. Unauthorized intrusion attempts should be handled in each facility in accordance with the written AIS security plan for the facility. At a minimum, this usually requires reporting the intrusion attempt to the facility security officer, DSS industrial security representative, DSS AIS security specialist and possibly local FBI.
If the intrusion attempt is determined to have been made by a current or former employee, an adverse information report must be submitted to DSS at Operations Center-Columbus, Ohio. If current or former employees make unauthorized intrusion attempts, those individuals should be considered for removal from access to the computer systems.
In some cases, aggressive computer intrusion attempts may require that the computer system be temporarily disconnected from connectivity outside the facility until a specific plan can be coordinated to deal with the unauthorized activity, should it continue. Another prudent SCM is to have a policy requiring employees not to respond to any unknown requests over the internet and to report the contacts to their security office.
Write "English" into the Contract
The Defense Security Service has frequently seen joint ventures between foreign entities and U.S. companies result in disagreements over communication or correspondence coming into and leaving the U.S. facility. Many U.S. companies often negotiate contracts with foreign entities and forget a simple SCM that could have saved the cost of an interpreter.
Write "English" into the contract so all parties agree English will be the language for all correspondence coming into and leaving the facility. If a company does not write English into the contract, there may be no way to ensure export-controlled, proprietary or classified information is not leaving the U.S. facility illegally without hiring an interpreter.
Do Not Respond to Visa Requests
Foreign citizens cannot legally enter U.S. territory "just because they feel like it." For most foreign citizens, entry into the U.S. requires a visa. Many foreign scientists and engineers who want to visit the U.S. to conduct research must request a visa from a U.S. sponsor. U.S. citizens should be suspicious anytime a foreign entity requests their assistance to obtain a visa to enter the country. If there is no clearly defined benefit to the U.S. company or the U.S. government, do not respond to the request for a visa. By declining to sponsor an unwanted foreign visitor, you could be preventing a potential problem before it has an opportunity to develop.
Summary
One of the objectives of the DSS CI Office is to support the industry's growing involvement in the international marketplace to provide for the application of rational and cost-effective security countermeasures. The security countermeasures mentioned above are some of the more commonly recommended for those facilities entering into business with a foreign entity. If your facility encounters any suspicious contacts, they should be reported to the Defense Security Service and the FBI.