
ThreatSwitch Blog


Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog. 

 

“Senior management needs to understand what their true roles and responsibilities are. They are responsible for a lot of things that they’re probably not even aware of.” -Curtis Chappell

Curtis Chappell knows all about senior management’s security responsibilities – from both sides of the coin – both the military angle and the civilian side.

He was willing to sit down and talk about the New Responsibilities & Risks facing Senior Management Officials in 32 CFR 117, which just happens to be the title of the webinar!

Make sure you check out the full webinar here for a LOT more information! (You can also read the transcript below.)

Here are a few highlights from our informative conversation. 

1. Make sure there are controls in place for the program  

Under the old NISPOM, roles and responsibilities weren't clearly defined, so your Standard Practice Procedures have to be updated to make sure they follow current NISPOM requirements.

2. Remain informed 

Whether a senior management official is remote or on-site, they are still responsible for knowing what’s going on.

The reality is that most of these very senior officials are not involved in day-to-day operations; it's just the nature of their job. They can't be everywhere: they are on the phone, they are managing, they're doing their job all day long. They need to be able to trust that their people are doing their jobs, which means that the everyday operations are sometimes a little bit too disconnected from them. 

You need to make sure regular interactions are well-established between you, the FSO, and your senior management official.

3. Use threat information to make decisions 

There's a lot of threat information that's available. The challenge is getting access to it right now, and then having the ability to sit down and scrub it for where it most ties to your program. 

For example, what connection do you have to companies who are interacting with denied parties?

4. Accountability 

It’s more important now than ever that there’s a good relationship between the prime and the subs. If you don't have access to the information you need and your senior management is not really involved at that level, take action. 

Approach your prime and say, “I'm here and I want to be a part of this. I’m the potential Trojan horse that you want to prevent. It only helps you to help me stay informed with threat intelligence information.” 

Get in tune with the security organization that has oversight of whatever your company is doing. 

Full Webinar Transcript

SPEAKERS

John Dillard, Curtis Chappell

John Dillard  

Good afternoon, everybody. I'm John Dillard, and I am delighted to welcome you to our next ThreatSwitch webinar. Thank you so much for joining. We have a long title, but great content today, and that is managing new responsibilities in 32 CFR Part 117, specifically for senior management officials. I am delighted to welcome Curtis Chappell, who is director of security for Thales Defense and Security Incorporated. Note, Curtis, the correct German pronunciation of Thales. And we're delighted to have you, as everybody knows, here on ThreatSwitch, which helps enterprises manage security compliance with 32 CFR Part 117, among many other things. So we're excited to talk. A few housekeeping items before we get started. And this is not the first time for many of you, I see some familiar names. But please remember, submit your questions through the Q&A button in Zoom, which you should see in your little toolbar in Zoom. So that's how we'll review questions and get back to you. We will take those questions throughout the webinar, and we'll hold them until we get to about the three-quarters mark, and then we'll tackle those. We are going to record, and we are going to share the slides along with any resources mentioned during the webinar in what we call the show notes that we send out afterwards. So if you have a friend who missed it, or if you are furiously taking notes, don't worry, we're going to cover it and you'll get a recording. So with that, I want to introduce Curtis, who is a three-time guest actually on the webinar, which is, I think, you are the record holder at the moment, not only for the number of times you've been here but for attendees. I think this one may have crossed the 1000 registration mark just for Curtis Chappell webinars, which is super impressive, I think, because Curtis has an amazing career and knows what he's talking about. And he's a good speaker; many of us have seen him at either NCMS or at other events. 20 years in logistics and security. 
He's currently the director of security and corporate FSO for Thales, as I mentioned, multiple Cogswell awards. You know, there's a lot of stuff I can say about Curtis. But, you know, if I talk about all of it, we'd be here all day. Importantly, for today, Curtis is a veteran. So Happy Veterans Day, Curtis, delighted to have you here. So this time around, you know, Curtis often has amazing talks prepared; this time around, we're gonna have a conversation, and specifically, we're gonna have a conversation about senior management responsibilities, Curtis, which I know you know a ton about, and you've talked about frequently. But before we get into the content, Curtis, what I really wanted to start with is that I don't know that many people really had a chance to hear, in your own words, how in the world did you end up in this stuff? I mean, I know you have an international business background, certainly a military background, but what gets you from there to security, such that we are here talking to you about this stuff?

 

Curtis Chappell  

It's a great question, John. I say this all the time, you know, I could never have predicted the path that would have brought me here. You know, I came out of the United States Merchant Marine Academy. And at that point, during peacetime at that point, there wasn't a whole lot going on from a military standpoint, but a lot of logistics, and the Merchant Marine Academy supports logistics across all branches. I actually came out into a civilian role supporting the three-letter agencies doing cargo operations, and, on my own path, taking me from maritime to air time, I was actually supporting charter cargo aircraft through civilian channels. And fast forward to 2003, we started doing some of the first commercial charter vessels that were going into the hotspots, as if they were a military vessel. And I could turn them around in 72 hours as opposed to getting in line and getting an Air Force transport six weeks later. So let me just say simply that it was fast paced, but it was a valuable experience. Being able to straddle both the civilian and military realms was an asset; I could speak both languages, turn them on and off as I needed to. But it meant being up in the middle of the night screaming through a sat phone, giving a squawk to an An-124 with 120 tons of cargo on it, so it could land in Baghdad within a plus or minus five-minute window and not get shot down. So, not wanting to do that for eternity, and I don't have any more hair to pull out, you know, I looked at the entire grand scheme of what was going on, doing actual operational logistics with a lot of security and export control behind the scenes, because we're not moving office supplies, even though maybe that's what the manifest said. There was a lot of State Department interaction as well, and a lot of security operations. 
So once I stopped doing the actual operational logistics activities, I stepped back and said, hey, you know what, being a compliance person, knowing this element of the entire grand scheme is going to be valuable. So you know what you're asking somebody to do when you say, hey, I need this information, or I need you to sign this piece of paper, and they're around the world, nine and a half hours difference. If they get something within a two or three day period, maybe; if you call them, they can't hear you, even if they get the signal. And it's not the norm, but there's a lot going on there. So, stepping back into the compliance side, export controls, State Department licensing, Department of Commerce, but also, more and more, with a background in the Navy and a clearance, more and more security. And then I fell into the FOCI realm. And if you've heard me say it before, what the FOCI, what are we really trying to do here? It's an element I brought to compliance to say, let's cut through the red tape. Let's figure out why we're doing this so we can do it and be effective. And that always helped me there. So more and more security is involved. Now I mostly, you know, do security and live in the FOCI world. But having the ability to be ITAR fluent, also cyber capable, it really... the modern security professional is going to have to be conversationally fluent in the export control side of it, especially when we bring more and more CUI into the mix. And that's exactly why, as security professionals, we're that valuable to our senior management officials, because they rely on us to be their first line of defense and accomplish all these compliance things. So from my own experience, bringing me to this point through the Navy, through the civilian realm, through all those different disciplines, it helps me stand in front of my CEO. 
We talk on a regular basis, whether it's Bullseye compliance or anything security related, or just sit back and discuss the future of the company. It's a relationship that we share; we have a very strong relationship, and I hope that many of you already do, but I think we're transitioning to a point, and this is what John and I are going to talk about, where it's so much more important that we have that relationship and our senior management official has the understanding of their true responsibility. Not because of their role, but because it's now regulation that they are responsible for a lot of the things that they're probably not even aware of. So that's what leads us to our discussion today. Yeah. And it's taken us from good things that we were doing under the DoD Manual NISPOM, that many of our senior management roles were already doing, but I think we need to take it a step further and educate them on, now, we're dealing with 32 CFR 117.7, and it's very defined roles and specific responsibilities that a senior management official has.

 

John Dillard  

So I want to pick that apart a little bit, because, I mean, they have these responsibilities. And you know, I have some notes on some of the areas that you shared with me on what the categories are. And I thought we'd just take them one at a time. And the first one that you and I discussed was ensuring controls, right, making sure that they have controls in place. Like, that's the, I mean, it sounds a little bit obvious. But talk about that a little bit. I mean, that very first thing that they have to do is just making sure that there are controls in place for the program. What does that mean, operationally? How do we do that?

 

Curtis Chappell  

Okay, so it's a good question. Let me start real quick to back up a little bit about the old NISPOM, excuse me, the DoD manual. If you looked at that and just did a search, just be very objective about it. If you searched and said, okay, find for me the number of times a senior management official is listed in NISPOM, I can give you an answer: it would be two. It didn't define the role. It didn't tell you the responsibilities. It didn't even establish the acronym of SMO. So what does it tell you? The role is not defined, the responsibilities are not defined. Okay, stop right there. Sweep that under the rug. Let's fast forward to 32 CFR 117.7(b)(2), that's where you go straight to these five requirements that John and I are talking about. And the number one is (b)(2)(i). Right. And so that one is ensuring the contractor maintains a system of security controls in accordance with NISPOM requirements. Okay, translation for the layman FSO: that is our standard practice and procedures, our SPP, alright, that's where we live and breathe. When's the last time that anybody updated that? Hopefully, it doesn't say DSS on it anymore. They'll catch up to you, because that's two years ago now. But that's the operational challenge, taking what is our SPP, updating it, making sure we are reflecting what we do in our program, because there is the operational challenge of 32 CFR 117.7(b)(2)(i): we've got the policy, it needs to be catered to your company, right? It's not just regurgitating the requirements that are laid out in the NISPOM requirement, because many of those don't apply to you. All right. So what about your program? What applies to you, possessing, non-possessing? These are all the things that are outlined in your SPP. Whose senior management official has read their SPP inside the last half decade? Who knows, that's something maybe to do a little bit more work with you on. 
My recommendation is to form a little bit of an elevator summary, as we like to do. And for my FOCI friends out there, this is what we do on an annual basis with our annual implementation and compliance report. I'm not giving my senior management official the 18 pages, hopefully, if not more than that, but I've seen plenty of them that are 30 pages long. You want that elevator summary, you want to tell them what's most important, what the changes to your program are, what the highlights are. And that's what all of us do already, hopefully, for your self-inspection. That's a corollary to this. Okay, you've got your SPP, you've got your policies, the things you're supposed to do, and then, hopefully, as a best practice now, leading towards our compliance-based security review, doing additional things, two full self-inspections per year; then you summarize them, break those down, give that elevator summary to your senior management official, follow that same modus operandi. With the SPP, make sure it's updated, make sure it reflects current NISPOM rule requirements, and then customize it to your program. Alright, we've all heard the classic case studies, unfortunately, of it's assessment time, peer review time, whatever the template, you change the name and you forgot to even change the titles that were on there because you just copied the template. Don't pencil-whip this stuff. This is what we're talking about. This is the effective implementation plan that you have to make sure that you are able to help your senior management official be compliant and ensure that that system of security controls is up to date and effective. So start there, start with your SPP, kind of aligned with your process to summarize your self-inspection, discuss that with him. And don't stop there; continue that conversation over time. Make sure they're updated on those changes. 
And as we all talked about in the last few years of risk-based industrial security operations, we've got to do more than what the words on a piece of paper say. Alright, so look at it practically, copy my catchphrase if you want: what the FOCI, why are we doing this in our program? Alright, I'm doing end-of-day checks every day, I sign here. Well, what did that accomplish for you? Make sure you're doing something that actually protects classified information. If it doesn't, move on to something that can help you prioritize, something that does impact a potential for an unauthorized disclosure of classified information, or today, CUI, added to that conversation. All right, I'm guessing that 60% of this audience at least does not have CUI in their SPP. Alright, that's one of those changes that we're going to need to see. That's that continuous, ongoing process of self-inspection and policy review. So I know it's a long answer, John, but we start with the SPP.

 

John Dillard  

Yeah, the SPP, and you pointed out that many of the senior officials haven't read the SPP. I mean, the SPP, the way you've described it, it's a container for the controls. And absolutely, the way that I've heard you talk about it, I think, in a lot of ways, it helps the senior management official understand the controls so that they can ensure that they're in place. So it's not even about the SPP per se, it's about giving the executive the means to ensure controls are in place. That's what the document does. It's a way of communicating. And obviously, if they don't read it, they're in trouble. But they need to understand the controls. That's what I hear you saying.

 

Curtis Chappell  

I'll jump ahead real quick. 117.7(b)(2)(i), that was an easy one; we can move ahead to (b)(2)(ii), which requires that the senior management official and the FSO are appointed in writing, also the ITPSO. So I'm sure many of us have those. Go back, make sure you've got a copy, make sure he or she knows that that's been appointed in writing. It could have been a decade or more ago, maybe you don't have the email, maybe there is another ITPSO. The ITPSO may overlap with the senior management official or the FSO, all those things, but to satisfy 117.7(b)(2)(ii), just make sure you've got something in writing for those. But make the senior management official know that that's a requirement and have evidence of it. Show them: I'm going to hold on to this for you, but this is you 10 years ago being appointed in writing as the senior management official, and in 2016, the Insider Threat Program Senior Official. I've got it, question answered. But when they are asked during the security review next year, they can say, yes, it was in writing, I saw it, my FSO has a copy. So that was an easy one, knock that one off the list. But that's not as ongoing as the other one. So we can skip up, I'll see you at 117.7(b)(2)(iii), and that's enough to give a little bit more of a requirement that we need.

 

John Dillard  

I have not written down all the numbers, I promise, we are going to send out a reference. Because I can't remember all the numbers, but Curtis has committed them to memory. That's why he's on the webinar. Awesome. Well, the second area real quick that I wanted to jump into here is, I would frame it as knowing what the hell is going on; remaining informed is maybe the shorthand here. And you've touched on this, they might have been appointed ITPSO, or there could be a senior management official that was, you know, put on the KMP list years and years ago, and they really have no idea what's going on in the classified program. They may not even necessarily be involved in that part of the business. What is that obligation for them? I mean, you're the senior person, you're the SMO, what does being fully informed mean for them? What does that turn into, especially if they're really senior, and they may not actually be remotely involved in delivery?

 

Curtis Chappell  

So you touched on a good point there. Whether they're remote, or they're on site these days, they are responsible. We go back to our leadership and, in whatever capacity it was, you can delegate authority, but not responsibility. And 117.7(b)(2)(iii), that's what we're talking about: remain fully informed of the facility's classified operations. Start there, it's focused first on classified operations; they have a lot on their plates. Alright, so triage, trim it down, let's look at our classified operations. For those of you that are in the audience that are named sock companies, maybe you don't have a large degree of classified footprint, your folks are off-site at a customer location all the time. Okay, have that conversation with your senior management official, because most of them are not involved in day-to-day operations. And that's just the nature of their job. They can't be everywhere, they are on the phone, they are managing, they're doing their job all day long. They need to trust that their people are doing their jobs. So that means that the day-to-day operations is a little bit too disconnected sometimes. So you need to really establish those regular interactions between you, the FSO, and your senior management official. I have a bi-weekly designated hour that we are on the calendar, we are at least going to spend that time together. If there's something more ad hoc, there's something more on demand that I need to talk to him about, guess what, I'm picking up the phone, I can text him, he'll call me back. We've got a few minutes, but he needs to stay informed. And I can assure you, if I have a potential problem that relates to classified information, whether it's our secure network that we might not have, I don't know if we do or not, I'm not saying that in the public domain, do we have any of that stuff? No way. But in case maybe there's something going on there. 
We have classified information, or recently CCI; we have 100% sighting of all inventory of CCI, we have over 4300 items. If we've got an issue, maybe we did, I called him right away, he's got to stay in tune with that. And again, you are setting him up for success when he's sitting there talking to your industrial security rep, and they ask, well, does your FSO keep you informed? Are you fully informed of the facility's classified operations? The short answer is absolutely. All right, because we talk all the time. So you need to establish those regular interactions, but don't stop at security. We have a discipline that branches far outside of security these days. I'll give you the one example of insider threat: you should have a multidisciplinary group that has oversight over your Insider Threat program, that includes security, that includes cyber, that includes legal, that includes HR and finance. All right, so you're also engaged with your senior management official to understand that they are fully informed by those leadership entities outside of security. And that gives that well-rounded understanding of what's going on, finger on the pulse, fully informed about the facility's classified operations.

 

John Dillard  

Yep, makes sense. And just as a follow-up to that, you know, if you are an SMO, I mean, I'm sure there are some on the call, or you're an FSO who's trying to get your SMO to do the right things. Is there a time when it's just clear that it's not a good fit? Meaning, this person is probably not either equipped or in an operational enough role to serve in this capacity, so that they can be fully informed? I mean, what is your thinking on that in terms of how to deal with the situation? What are the minimum ingredients that they have to have in the job to be fully informed before you have to say maybe somebody else needs to be on our list for SMO?

 

Curtis Chappell  

It's a good question. And unfortunately, we don't all have the luxury of having our senior management official on site and engaged. And in today's post-COVID, hopefully emerging roles, there might be a different state away, it might be disengaged with your program versus a peripheral program that is failing and needs additional help. So, you know, it's not an easy answer, for a senior management official and an FSO may not see eye to eye. You know, I guess it goes back to the rules of the ship, right? The number one rule of the ship is the captain is always right. The second rule is, if there is a question about rule number one, if the customer's not right, go back to rule number one. So, you know, the senior management official has that responsibility; we don't ultimately make the decision of who is senior management official. But to your point, John, we can gauge how much they are in tune and fully informed of what's going on in the facility. So I would say you can't make the decision whether they're the right person or not, but if they're not getting the information they need, if they're not fully informed, you've got to step it up, or you've got to engage somebody else. We've all been in relationships with, and have rapport with, the C-suite at our companies. Maybe the president you don't have access to, but you've got a really strong proponent in a vice president or somebody else in a leadership capacity that may have a closer ear to the president, or whoever the CEO is, whoever it is. Advocate with that person, make sure that they're on their understanding, empower the leadership as a whole to make sure the senior management official is effective in their role, because they need to better understand that, more and more, security has a seat at the table. And I'm not going to read through all of the slip sheet and the reference cards of the new security review. 
But I can tell you, and this is going to get into the show notes, go back and look at those reference cards in the security review resources. It outlines some of those things where you're not just involved, you're directly involved, and you're consulted, as you escalate from, say, a baseline program to a higher level program to a really strong program. And I'm not using the terms deliberately, because we don't need the structure of a security review to make us strive to be effective. You want to be at the table and part of these conversations; not all of us have that ability, do the best you can. But you know, you need to have that access to the senior officials to keep them fully informed. And that's the intent of this new clause within the NISPOM, to make sure that they're able to effectively be responsible and have that authority over the company. It takes you to make sure they have the ability to be fully informed.

 

John Dillard  

Perfect, perfect. Yeah. Threat information in particular. I mean, in many cases, this is out, I mean, an SMO might be a little disengaged. But if there's credible threat information, all of a sudden they're paying attention. So part of the obligation is using threat information to make decisions. I wonder if you could just talk a little bit about that, right? What that looks like in operational practice. What success might look like in order to be able to credibly say, hey, our SMO is actually doing that on a regular basis. So what's your take on the threat information piece?

 

Curtis Chappell  

This is a big topic. I'd say it spans beyond classified information. But of course, that's our first focus. Who has a copy of the new classified Targeting U.S. Technologies trend analysis? Nobody raise your hand, because nobody's got it yet. We haven't had one in a couple of years. Historically, that was one of the key tools that I used to sit down and analyze with my senior management official. Spoiler alert, whatever country in the Pacific is the most prominent, you know, collection attempt, every tactic that you can possibly use to gain information, unauthorized or otherwise, from any company in any country. We all know the answer to that question. So there's nothing new there to share with your senior management official. But we've seen more analysis in the last few years of the methods of compromise, methods of operation. There's gonna be a lot of good things that remain from that phase that we went through, the comprehensive security review, some good risk-based approach things, some things that we can use to make sure that our CMS specialists are empowered with impacts to classified information based on the technologies that we work with, based on what countries we work with. At some point, we can get more of an analysis of the entities that we are working with. We're currently scrubbing our supply chain for countries that are very obviously listed on the denied parties list, restricted party screening. There's some other sources, there's an unclassified product that your counterintelligence rep can give you, that basically takes the denied parties that come from the NDAA, the National Defense Authorization Act of 2019, Huawei, ZTE, Hikvision, those are the obvious ones; they then have another list of related companies that we can boil down further into another layer. And that's where we're going to start getting into that type of information at a classified level that we can give to our senior management official. 
When we answer the question, have we scrubbed our supply chain for any of these related companies to these denied parties. Plus, I'm hearing from counterintelligence that they want to get back to doing our secure video teleconferences back at our field offices; they want to do that when we're able to get past the point, and think a little bit more, a couple of weeks with the vaccination rate, get back into that environment. So we can get that direct classified threat information and relay it back to our senior management official, our C-suite, in particular our business development staff, because they're going out to some of these companies, and they might connect the dots to somebody we're doing business with that maybe we shouldn't be doing business with. So there's a lot of threat information that's available; the challenge is getting access to it right now. And then having the access to sit down and scrub it for where it most ties to your program. So in lieu of that, right now you've got the MC mo, the 12 by 13, you've got to break down what technologies, go back to the Industrial Base Technology List, IBTL. Make sure you know, some of you did this through the maturation of the comprehensive security review, the evolution of DSS and transition, and now back to the right approach, a compliance-based, compliance-first security review, but we can't forget that risk-based analysis. So incorporate that back into your program, tie it to specifics for you, and then seize the opportunity to get any resource you can, even at a classified level, bring that back to your senior management official. When they are asked by your rep, when they're interviewed, what meetings have you had, what information have you received from your FSO that was classified in nature, or very specific to your program? They should be able to answer that question, hopefully, a few different meetings, a few different opportunities to discuss at that level. So that points to 117.7(b)(2)(iv), if I'm not mistaken. 
So then I think we've got one more after that that kind of outlays some very specific responsibilities that are now falling on the senior management official. Perfect, that's accountability.

 

John Dillard  

On the threat stuff. One of the things that we hear a lot from very large companies that, you know, may have a relatively small portion of the company that has a cleared workforce, maybe they're mostly public trust, or maybe they're not even federal at all, and they are just doing some things that require a small pocket of cleared employees. They might not have the kind of threat intelligence operation that, you know, a Lockheed or Boeing might have, that lives in defense and intelligence all the time. What kind of resources do you think are effective for those companies that don't have, you know, sort of defensive intelligence style threat intelligence centers that give them what they need? Where can they go for resources?

 

Curtis Chappell  

So that's a good question. You mentioned a good relationship that should be developing even more these days between the prime and the subs. If you don't have access to this stuff yourself, and your senior management is not really involved at that level, approach your prime. Say, look, I'm here, I want to be a part of this. I am your potential Trojan horse that you want to prevent. Right? It only helps you to help me better stay informed with threat intelligence information. So get in tune with the security organization that has oversight of whatever your company is doing, and try to tap into threat intelligence and potentially classified exchange that you can gain from them. That relationship can help you if you don't have it yourself. But like I said, also latch on to any opportunity that you have outside your company to gain this threat intelligence from DCSA. Specifically, I'll tease up a little bit of next June in Minneapolis, with the annual seminar for NCMS. For, I think, the first time ever, on Monday there will be classified counterintelligence briefings that you can sign up for that are going to take place at a local defense contractor site, right. So if you don't, in your role with your company, even in your area, I have the luxury of being in the National Capital Region, actually, that's now called the Mid-Atlantic Region, DC area, we have a lot of opportunity here. If you are outlying in an area that does not have that access, guess what, that was the entire point of the board putting this together. And I appreciate the seminar chair, Kathy Kelly, making sure, when we first started talking about that, we've got to do this right. On Monday, let's give these people an opportunity to get a counterintelligence brief at a classified level that they may not have doing their day-to-day stuff. Then, okay, what are we talking about here, gain that information, summarize, don't take notes, don't take it with you. 
But go back to your senior management official, right and have that conversation with them. I was just at NCMS annual seminar last week. And I'm not intended to be a commercial, this is just example. I was there, I was at an opportunity at a classified briefing, this is what I learned. This is how it relates to us as electronic manufacturer or supplier. This is what we need to talk about. And again, that is a resource to them directly from somebody outside your organization, somebody outside of your field office chiefs area of responsibility that you're bringing back to make sure that they are fully informed and have classified capabilities.

 

John Dillard  

Perfect. That's awesome. And great to hear. It won't be the last time we plug the NCMS national seminar. We're going to come back to that before we wrap today. But I'm glad you mentioned it, and specifically that topic. Now, you've mentioned this a few times along the way, and I just want to dig into it a little bit more. And all of them relate to the senior management official's accountability, right? And I mean, for those who, you know, are curious about what we mean by that, you know, there's responsibility and accountability. They're two different things. And it sounds like it's pretty explicit that they can't put these things on someone else, it's not delegated. So could you talk about what that means and what accountability means for the senior management officials, so they understand what they can and can't do here?

 

Curtis Chappell  

That's a good one. And I think it's one of the most important of these five specified responsibilities for the senior management official. And a quick note, it'll be in there, this is 117.7(b)(2)(v): retain accountability for the management and operations of the facility without delegating that accountability to a supportive manager. Now, that's easy for me to read, that's easy for me to tell somebody, that's not easy for them to agree to. Okay, so we know the speed of business, we know how things work, one person can't be everywhere. So there's absolutely going to be delegation, there's going to be an authority matrix. I think the most important thing here is that ultimately one person has responsibility, retains that accountability. We can go back to the Navy Yard shooting, we can go back to the FSO that was responsible for that program that included the Navy Yard shooter: disengaged, not a part of it. Ultimately, there was a senior management official over that program, nowhere in sight, different state, different company. All right, we learned from those things, we still have a long way to go. But I'd say that DCSA will champion for this, you should be speaking as loud as they are, that you have an engaged and active senior management official. Perhaps there's a delegation there, but make sure that oversight is effective. And if that's somebody on site, that is your group leader, you know, we have business units, we have global, you know, leads that may not even be in the United States, who knows, right? So once one person is designated as the senior management official at each cleared facility, that person's your first line of defense. If they report to somebody else, when they come visit, make sure you're aware. You need to sit down with them. It could be that that person is involved in a phone interview during your security review. 
Or if there's a periodic ... we have boards and, more so, monthly quarterly reviews, business operations reviews. Your goal is to try to gain insight into that forum, that audience, to make sure that you can demonstrate your record of engagement with that leadership. The less you can allow someone to be checked off: they're just not involved, their subordinates, somebody else, just possibly they're disconnected. That's the least, you know, optimum situation. So try to engage with those different levels of leadership. They're not going to want to hear you say that you need to be actively engaged: "No, that's not my job. That's the reason I put that person in place at that business unit." But help them understand that we're in a different world. All right, we are no longer under the DoD manual that we knew and loved. We are now subject to the Code of Federal Regulations. Some of your senior management officials don't even know that at this point. Maybe you've mentioned it, they heard it, they nodded, they moved on, they've got a meeting right after this, you know how this scenario goes. They need to understand we are now subject to the CFR. They hear FAR, they hear DFARS, now they hear 32 CFR 117. In that same conversation, they need to understand the magnitude of that. And this is probably one of your forays into that, helping make sure that they're accountable, they retain accountability for that management, by first understanding the gravity of the situation we are in now. They are responsible, that is what the goal is to, you know, understand and define. Shocker alert, it is actually defined in 117.3, I believe it is, that there is a senior management official, and an entire paragraph on what that means. And then fast forward to 117.7(b)(2), which outlines these requirements. 
So that's what we're really trying to make sure we start those conversations, keep those conversations going. John, to this one specifically, that accountability is essential. They need to be aware of what's going on. If there's a change to a corporate structure, how many of us on this phone have been part of one division that was traded to another one, we didn't know it until it was already done, how many people were acquired by another company, sold off, whatever it was. You have to keep your finger on the pulse of that to make sure that whoever's responsible, you know who that is, and you have a direct engagement to that person so they understand 32 CFR 117, and then understand these roles and responsibilities. So keep an eye on that: somebody is in charge, somebody might also be within that management chain. You have to understand that that speaks to your responsibility as a facility security officer, being in tune with the management of the company. And then your direct engagement of that senior management official, whether it's on site, within the group, within the corporation, whatever, is one of the first things that DCSA asks us for. They want to float, they want an org chart, right? Where do we fit into the org structure of the company? Put that on there, get your chart, start putting names on it: this is the group leader, this is the senior management official, this is the corporate head of security. Outline all those things, and then you can demonstrate that you have a direct audience with those individuals. And then when they are interviewed, they can convey to DCSA: "Absolutely. I can't get Curtis to shut up. He calls me all the time. He's telling me all this stuff. You want to talk about accountability? Yes, I understand it. You want to talk about threat intelligence? He's gotten to me all the time." But that's why we're here, right? We are here to serve in that role, to be the boots on the ground for our senior management officials. 
That's where it breathes into their information, being informed. And then ultimately, their accountability, with us standing right side by side with them.

 

John Dillard  

Perfect. And you know, I had a follow up on this, on the 32 CFR thing and the changes as they relate to accountability. But you answered it before I asked. So you clearly anticipated what I was thinking. And I know this is one resource that you shared. And I thought, before we take questions and break to let people formulate those, I wanted to pause and put up this resource that you shared with me. And we're gonna, by the way, everybody who is on the call, just remind you one more time, we are going to provide all the resources that we referenced here in the email out after, the show notes. So all of this will be available to you. So don't feel like you have to scramble to write it down, you're going to get it. But taking a step back and looking at where they can find out more about, I mean, we've touched on these areas, and you've done a phenomenal job of hitting some of the high points. There's a lot above, around, behind all this stuff. As we need to learn more about it, where do we go here? What are the best resources to get smart, stay smart, look stuff up?

 

Curtis Chappell  

So you know, we're not in a bubble, we all work together. The three obvious ones are DCSA, CDSE, and NCMS, right? So I would encourage people to go to this site to start from here. This is something that you can show to your senior management official. Don't send them a link, maybe print something out, give it to them. When we were reviewing the draft of the 32 CFR 117, before it was even out, I took that section that outlined the senior management official responsibilities, and I pulled that out of there. I emailed it to my senior management official, I said heads up, this is what's coming. This is the change from the manual to the CFR. This is now what is defined as a senior management official. Again, it was not defined in the NISPOM manual. I laid that out, I laid out these five specific responsibilities. And I told him this is ... my senior official is actively engaged today. It's not new for him. But it's important that I conveyed to him that these are actual listed responsibilities in the regulation. And I wanted him to be empowered to understand that a little bit better. You know, we can go back to the comprehensive security review, when that first started changing, and I informed him, hey, we just had a self inspection, or excuse me, a DSS assessment a couple months back, we have a good program, we're a FOCI company, there's a couple of technology reasons that they want to pull us into this new flavor of risk based security operations and this assessment called a comprehensive security review. It's a good thing. He said, well, wait a second. How's this going to impact my program, how's this gonna slow us down? And what's it going to cost me? I don't like surprises. Well, I don't like that conversation, the way it went. It was new, it concerned him, ultimately we came through with flying colors. 
But that was him being a responsible manager, that was him being engaged in the program, knowing the difference from where we started, where we are today and where we're going. So go to the DCSA website, the resources right here, this is in the critical technology protection. This outlines the eight primary changes of the new NISPOM rule, one of which is the new responsibilities for the senior management official. Again, I take things a little bit step further, a lot step further, as a FOCI company. I have the audience of the quarterly government security committee, I'm with my board, I'm with my GSC. I talk to my proxy holders all the time. I understand you don't all have that. But you can take that information out, you can send it to them and highlight what the changes are. A tactic I used was take all of the eight primary changes to this new NISPOM rule. I said what they were and then I gave them an impact to our program. This is going to have minimal impact to our program. This is more impacting new facility clearances. We've already got our UL 2050 certification, we've already got an accredited closed area. No, we don't. But these are going to impact my program. And this is senior management official, these are your additional responsibilities. And this is what's coming at that point: for travel requirements, reporting travel, foreign contacts, this is what we're gonna have to start to do moving forward. As a best practice, we've always reported our foreign travel for our cleared people, we're gonna expand that, we've already expanded it to our uncleared people just for the threat element of it. I want to give you a briefing, you're going into this level of detail, start with the DCSA resources. CDSE has a great short on the senior management official, senior management managing the company. It's called Industrial Security for the Senior Management, it's a CDSE short, you don't have to log in to watch it. 
Let me tell you how much better the conversation goes when the SMO tries to log in, tries to remember his password, tries to find a spot in there, versus here is a short that is seven minutes long for you to watch. Start there and go to CDSE, take it a step further beyond that, right? The communities, the hub, if you've got questions, you watch for the communities and in general FSO, there's so many great resources all the time. Here's a slick sheet, one page that outlines senior management official responsibilities. I've actually posted that email that I sent back to my SMO. So you're not alone, we've got a great community here, reach out to it, and this is a great opportunity to say, look, there's a mentor mentee relationship that I can develop through many different circles. But NCMS is one of them. I need help with this. I need somebody that's been doing this, look for that information, get connected, use this network of security professionals that we have. So that's three good ones, John, you've got DCSA, CDSE, and NCMS. And then beyond that, talk to your senior management official, a flow down, take a breath. That's what I have to do when I'm sitting with him. And I say, okay, what do you need? Ask that question. What can I give you to help you understand this better? He's a smart guy with an engineering mind. Chances are, there's nothing I can tell him he doesn't already know. But I might be able to put a spin on it that he didn't see from my perspective. And when it's national security, that's why we're there. We're the general adviser to our senior managers, especially our senior management officials, right? So that's a good couple of resources there. Other than that, community, talk to each other.

 

John Dillard  

Well, that's a perfect time to segue into questions. So before we do that, and this is a great time, by the way, for those of you who haven't submitted one, we've got several teed up right here, use the little Q&A button in the Zoom bar, submit your questions, and we will get to those while you're typing. We will launch a brief poll like we always do on webinars that you guys have seen before. So for those of you who haven't met ThreatSwitch, if you'd like to learn a little bit more about us and our software platform, which helps with these problems, among other compliance problems related to security, then just let us know and we will reach out. If not, no worries, but we'll give that a couple seconds while I don't sing Jeopardy music, and let people type a few more questions. So I've got a couple more here. I've already got one teed up for you that I want to ask Curtis, that I'm super excited about. I think we got almost everybody, we get about five or six more seconds. Okay. All righty. So let's jump into questions. And Curtis, the first one that I saw come in like a mile away is, you know, my seniors are ignoring me, how do I get them to pay attention? Which, I mean, having done this job, and also having been the senior with this kind of stuff going on, I've been on both sides of that question. What are some tactics or hacks that you have found effective in getting senior management officials, whoever they are, to engage with a security program when they have a lot of stuff going on? How can we make it easier for them to participate and pay attention?

 

Curtis Chappell  

It's a classic struggle. And believe me, I've been there with a less than connected and active senior management official that is focused on other things. And I know during COVID, some of us are struggling. They've got other, I mean, they've got to put a tourniquet on before they can focus on polishing things. So timing, and then your tactics, you know, is what I can say. If you put in a policy for them to review that's 18 pages long, I can tell you, it's not going to happen. If you can summarize and treat that interaction as an elevator summary, boil it down, you have an audience with them for a short period of time, you got to get to the point. And you've got to, you know, go back to Forrest Gump: Mom always explained things so I could understand them. All right, get to the point, tell them exactly what you need, keep it simple. And then build from there. Once they start gaining that trust, and recognizing that what you're doing is making the program stronger. You know, I can tell you in early conversations about all the additional things I wanted to do, that ultimately gave us a string of superior ratings, that ultimately gave us Cogswell, multiple Cogswell awards, it was well beyond what was required. And it's hard to convince the management to support that sometimes, but once you get over the hump, they recognize what it does for your business, when you can say we are a Cogswell winner and your customer recognizes, understands, knows what that means. That's a difference. And so you're demonstrating the value of these additional conversations, this increased insight, and really pointing out the responsibility that they have to make the program responsible, because you're doing it so that when they have the conversations with their customer, maybe with a uniform on, they appreciate it a little bit more. So you know, I see a comment here, while we're on the topic, it might not be new to them, we're talking about the 441. 
This is a security control agreement that they've had from the start. This is not new. I agree with you, Dave, I appreciate you. You picked up on that. Perhaps it needs a refresh. And we're in a different world these days. The 441 is a document, 32 CFR 117 is federal regulation. So leverage this as an opportunity to make them clear on that and talk about some of these requirements. So I know NISPOM talks, another one of those topics we can talk about, not already has this all the same requirements, and that could make it a little more challenging. Jama, to answer your question on the first one. Yeah, that's

 

John Dillard  

helpful. And related to that, I mean, someone asked about, you know, a slick sheet, two-pager or something easy that we can put in their hands. I think you mentioned one. So what I'll do is make sure, Curtis, that if there's one or two that you have found effective, we'll put them in the resource notes and send them out with the rest of the materials. Another question here, coming back to the accountability and responsibility breakdown, we talked a lot about what it means to be accountable for something. Maybe share a few examples of what it is okay for them to delegate, like, I think here we're talking about responsibilities, or execution, as long as they still own the accountability. So maybe talk a little bit about what's okay in the way of responsibilities to delegate, without delegating accountability, which is the key thing.

 

Curtis Chappell  

So start from the baseline, our most important focus is protection of classified information, classified performance, right? So if that's where one element, the program, has direct oversight by a senior management official, start there. If there's other elements of that program that are in different business units, maybe it's manufacturing, maybe it's supply, something else like that, then that's where I agree, I saw the comment there, the RACI breakdown, right? I'm responsible, I'm accountable. I want to stay informed on this, but I'll let you summarize what you need from me on that. That's why a senior manager will rely on his C-suite, his managers and then the subordinates underneath that; there's a long, you know, chain of command that takes place within a corporation like that. But if I had to answer that question in one simple answer, it is the impact to classified information. So what do you do? You break down the responsibilities and accountabilities that your senior management has, and you point to the ones that they're maybe not as directly involved in. And you can say, because this does not have the potential for a direct compromise of classified information, stop there. And then when you're having those discussions with your DCSA rep, or just stepping back and saying, is my program effective, you have done an analysis to see where classified information is involved, and where your greatest focus should be. And that's where I think, John, you can probably allow a little bit of a layering approach to some of this responsibility in your managers' day to day, where it's not as directly related to classified information.

 

John Dillard  

Right, perfect. We had a couple of questions related to the SPP, and I think you, of course, mentioned the SPP is the thing that outlines the controls that are in place, and then a couple folks were asking about whether an SPP is required for a non-possessing facility, which I think the answer to that is yes, but I'll let you answer that question, because you're the expert. But maybe talk a little bit also about, in addition to the responsibility for having an SPP, the point is to have documented controls that the senior management official is accountable for, whether it's called applesauce or the SPP doesn't matter. So if you could address those things, that would be great.

 

Curtis Chappell  

I'll make a corollary to CMMC, for those of you that are well versed in that: there is a program, there are controls that you have, then there are documented policies that you have to support those things. We may be doing all of the things that we say that we're doing, but I have no paperwork, I have no documentation, I have no policies I can point to or point my employees to, to show them what they need to know. Right. So I would argue, and you have to make the case to me, the new NISPOM rule makes it very clear that an SPP is required. It doesn't give the extent of how in depth you go for an SPP. I could make the argument that previously, depending on the complexity of my program and risk based considerations in the NISPOM manual, that I didn't need to have an SPP and I didn't need to conduct a self inspection. Okay, back up. The Chinese are not going on our firewall right now, do I really need a manual to tell me that I need a document that is going to help me make my program stronger? Shouldn't I? All right, so use these best practices as they were, and now requirements as they are, to say, let's do an SPP. Let's make this as simple as we can. I'm a FOCI company, it's not going to be 30 pages long, but at least I'm going to outline what my focus is and what we should be doing at a bare minimum. And that's something that you can provide to all your employees, make them aware of, and then your senior management official as well. And I always go back to a FOCI comparison to this too. For those who are FOCI, we've had an electronic communications plan that's based on Special Publication 800-53. Now everybody else is learning that a derivative of 800-53 is now 800-171, which is the basis of what was the DFARS controls. And now, as of five days ago, the new CMMC 2.0 110 controls. All right, there you go. All this has been changing and adapting over time. But the reality is, we're all subject to those things. 
So because you weren't FOCI, you didn't have an ECP. Now you have effectively a network control plan, or network system security plan, SSP. Follow the same approach for your SPP, right, try to make sure you understand the difference between an SPP and an SSP, because that's where they're at right now. Right.

 

John Dillard  

That was, I think, some of the confusion here, on these goofy acronyms that we all have to use. And so SPP is, I'm gonna take a stab at this, but it's dangerous with you, because I know that you know the answer. Security policies and procedures. Yes.

 

Curtis Chappell  

Standard practice and procedures. Dang it.

 

John Dillard  

And then this SSP is the system security plan, right?

 

Curtis Chappell  

That is correct. Right. So they are two, but they both are, they're protecting information. So I'll give you bonus points for that. Go back and answer the question that your senior management official was probably going to ask from this last conversation. What's a NISPOM? What the heck is that? I have no idea what a NISPOM is, you don't know what FOCI is. They also probably don't know that you are one. All right. But we still have to focus on the security elements of that program. And yes, of course, we have so many different acronyms that we know. But that's what you're there to help them do, is provide them a resource. I would say everybody on this call either has an SPP or needs to have one, and if you've got one, make sure it's current. You know, we're all working right now. I just gave somebody an annual refresher training that they hadn't done yet this year. Need to get it done. I looked down, it's still got references to the old NISPOM on it. We'll get there. We got a lot of updates due to a lot of policies and a lot of awareness and training aids. But just getting that awareness in front of them. Whatever it cites, the old NISPOM, the new NISPOM, we're protecting classified information, get that point across. We're evolving into protecting unclassified information on our unclassified network, because what's easier to take: do the Chinese want our classified information, or the much easier to steal unclassified information that in aggregate gets them the answer they want? That phrase right there is something that will get you in the door with your senior management official. Talk about it further from there.

 

John Dillard  

Perfect. Curtis, we're getting close to the end of time here. And I wanted to share what I think is probably the best resource for learning more about this and just about everything else, and that is the annual training seminar. For those of you who didn't catch it in the beginning, Curtis is on the board of NCMS. I'm sure this is probably where I met you, at the annual training seminar. So I wanted to pause and just let you tell the audience about the annual training seminar. I went to the first in-person conference that I've been to in a long time this week, and it was amazing. I mean, just to get together with people in person, there is no substitute. So tell us about the annual training seminar and why they should go.

 

Curtis Chappell  

Well, I'll back up. I was just with the Pennsylvania tri-chapter seminar the last few days, a lot of great information there. It was great to be back in person. And if you know him, the Dutchman was there, right, so I got to chat with him. And I remembered back in 2010, the first NCMS seminar that I attended live in Reno, and I was a little apprehensive about putting in a request to go: hey, I'm going to go to a boondoggle, I mean training seminar, in Reno for a couple days and learn about security. And as soon as they caught wind: what do you mean, don't hesitate at all. NCMS, shameless plug, of course, that's why I'm contributing back to NCMS, because I got so much more out of it. But definitely being in person, engaging in the valuable training that's going on there, and the networking that you're gaining. Yes, that's where John and I met each other, just presenting back to back at one of these events. And we've stayed in close contact since, because we're leading from the trenches, right, we want to make sure you have this information. But shameless plug, coming up in June of next year, a lot of great information, a lot of great keynote speakers are going to be at the training seminar in Minneapolis. I encourage you all to join. And registration actually just opened up. So be on the lookout for it. Plan ahead for it. I will say, if you look at the resource cards that were put out for the new security review, that's part of your case to say, look, my senior management official is giving me the resources, is giving what I need to be successful in my role and be effective for my company. This is one of them. This is training, this is going to it, we're back at a point where we're more comfortable with traveling. One of my colleagues on the board was just talking about it earlier today during a meeting, she's in Minneapolis now, she says it's so nice here. It's such a great town, I haven't spent much time there. So I'm looking forward to it. 
I'm looking forward to all the great things we're doing. I mentioned earlier, on Monday, if you can get an early look at the additional training opportunities there, there is going to be a classified brief. We're going to shuttle people back and forth to a facility to properly manage it, of course, but that's going to be a great event, some local community activities as well, a blood drive. My comer in the local chapter is coordinating for us. And just doing some things to give back to the local community. So this is where your active involvement comes in. And by the way, look at your four security posture categories of the new security review, this implementation, management support, community activity, right, that's one of those key ones. I can tell you that if I was a rep in this day and age with this new security review and a compliance based look at your program, being a part of NCMS, being a member of NCMS, would not be good enough for me. I want to see you actively a part of this, I want to see you doing things, being a mentor, mentee, working with your peers, attending live events where it's appropriate to do so, being actively involved. And that's where I would consider that to qualify for a security review. And real quick while on the topic, John, with a couple minutes left, I'll have another shameless plug for the December 1 and 2 virtual fall seminar that's coming up. The board took a look at this and said, wow, we've been virtual a lot the last couple years. But it's been really good. So let's do something to leverage that. And something easy for the people that may not be able to get to Minneapolis, let's do a fall seminar. Let's do it virtual, you're able to register for that for what it costs. I think there's amazing value for what you're going to get out of two days' training for that. So I think if you've got one more slide, there's another one there to get information on m&r

 

John Dillard  

I'll get it out to you soon. Do the registration and stuff. Yeah.

 

Curtis Chappell  

Registration is open for that. So I encourage everybody, I hope to see you in Minneapolis. I'll put it that way.

 

John Dillard  

I will be there. As a matter of fact, I'm a speaker, shameless plug of my own. So I'll be there. Curtis will be there heckling me, I'm sure. Last thing I want to mention to everybody before we break and thank Curtis: we're in the middle of conducting our annual Industrial Security Benchmark Study. We need experts to fill it out. That's how it gets good. It was fantastic last year, the CMMC AB CEO uses it regularly. It's a tremendous resource, but it gets better as more people respond. So please check that out. You'll get the link in the review, fill it out, it takes about five or eight minutes. And it adds a lot of value, not just for us but for the community. So check it out. Curtis, thank you so much. Always a pleasure, breaking records for webinar registrants as usual, and I can't wait till the next stop. These are always fun. Okay, so thank you, sir. Appreciate you guys. Thank you all, righty, for coming and have a great week.
