
Upload: dangdang

Post on 20-Jun-2018


TRANSCRIPT

Page 1: SEC100, Annual Security Refresher Briefing 2015/2016

Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000. SAND NO. 2011-XXXXP

SEC100, Annual Security Refresher Briefing

2015/2016 SAND Number: SAND2015-10021 TR

Page 2:

Contents

SEC100 – Remote Training Instructions

How to Receive Credit: Read through all course modules. E-mail the SEC100 Completion Record to [email protected] or fax it to (505) 844-7802 for credit.

Completion Time: Course completion time is estimated at 30-40 minutes. Actual completion times vary greatly, depending on familiarity with the content, reading speed, number of interruptions, and number of optional links accessed. Employees may charge up to 30 minutes to A-290 for their time to complete this training.

Introduction ........ 4
Module 1: Review & Approval ........ 7
Module 2: Unclassified Controlled Information (UCI) ........ 9
Module 3: Information Protection ........ 11
Module 4: Email Dissemination ........ 13
Module 5: Social Media ........ 15
Module 6: Suspect / Counterfeit Parts ........ 17
Conclusion ........ 19
SEC100 Completion Record ........ 21
SEC100 Feedback Form ........ 22

Page 3:

To get credit in TEDS, you must complete all the modules (1 through 6).

Introduction
Module 1 (REQUIRED): Review & Approval
Module 2 (REQUIRED): Unclassified Controlled Information (UCI)
Module 3 (REQUIRED): Information Protection
Module 4 (REQUIRED): Email Dissemination
Module 5 (REQUIRED): Social Media
Module 6 (REQUIRED): Suspect/Counterfeit Parts
Conclusion


Page 4:

Introduction When you started working at SNL, you gained access to information that must be protected and you became a potential risk for loss of information. Each day, our information is threatened by cyber attacks, insider espionage, and inadvertent release. The work we do is cutting edge, and others want our information, whether classified (Top Secret, Secret, Confidential) or unclassified (OUO, UCNI, PII, etc.). Threats against the United States, DOE, and Sandia have evolved over the decades. Sandia and DOE continue to address these threats even as new threats emerge.


Page 5:

In today's global environment it is easier than ever for adversaries to take advantage of several methods of sabotage and espionage. You are the first line of defense in protecting the information with which we are entrusted. You can do this by applying the core principles of Operations Security (OPSEC):

THINK: Recognize and acknowledge that you are at risk.

ASSESS: Evaluate your routines and environment.

PROTECT: Adopt countermeasures.

For example, while driving to work you can't remember whether you locked the front door of your house. What would you do? You might THINK, "Did I lock the front door?" You would then ASSESS the risks (burglary, vandalism, etc.). You would likely choose to PROTECT your property by returning home to ensure the door is locked.

Make security part of everything you do.


Page 6:

Security Incidents: Lessons Learned

Incident: Unaware of the sensitivity of information when creating emails on the Sandia Restricted Network (SRN)
Lesson learned: If in doubt, create your document in Word and submit it to a knowledgeable subject-area DC, or through R&A, for review before distributing it via email.

Incident: Classified compilation in email chains
Lesson learned: Unclassified email messages can become classified when different unclassified facts are combined, even something as simple as a name alongside a list of projects (email signatures).

Incident: Improper storage/protection of classified matter
Lesson learned:
• Designate a work space for classified work
• Do not commingle classified with unclassified matter
• Prevent distractions while working with classified matter
• Ensure repositories are secure: after spinning the dial, try to reopen the safe to confirm it is actually locked

Incident: Improper storage/protection of sensitive Unclassified Controlled Information (UCI)
Lesson learned: Ask yourself who owns the information you're working on and understand its protection requirements (audience, need-to-know, distribution limits).

Incident: Unlocked classified computing systems
Lesson learned:
• Ensure your screen is locked
• Be extra cautious when you switch between the Sandia Restricted Network (SRN) and the Sandia Classified Network (SCN)
• Some monitors go to sleep and can leave data unprotected; a dark screen is not a locked screen

Incident: Increase in classified information being shared with wide audiences
Lesson learned:
• All information must go through Review and Approval (R&A) before release
• Only Unclassified Unlimited Release (UUR) material may be shared with uncontrolled distribution
• Export Controlled Information (ECI) may be unclassified but still requires need-to-know and special permissions for release to non-U.S. entities

Incident: Individuals do not properly identify classified matter
Lesson learned:
• Classified matter must carry the appropriate markings; materials may have tags or labels
• Classified documents should always have a cover and back sheet
• Confidential has a blue cover and back sheet
• Secret has a red cover and back sheet

Incident: Improper storage on enterprise-wide systems (FileNet, SharePoint, Dropzone)
Lesson learned:
• Ensure your information is permitted on the network you are adding it to
• Ensure proper need-to-know controls are applied
• Keep metagroups up to date
• Reassess if you are adding individuals for convenience; some metagroups can quickly grow to several hundred members
• Use Protected Dropzone for sensitive information


Page 7:

Module 1: Review and Approval

Sam is a Q-cleared employee who has worked at SNL for the past eight years. He is scheduled to present at an upcoming engineering conference in South Carolina. He has gathered a large amount of graphics and data from the internet that he wants to compile with his Sandia information for a presentation. Sam knows that his presentation must be reviewed and approved prior to sending it to the coordinator of the conference. Sandia Review and Approval (R&A) determines that the presentation contains some sensitive information that must be removed prior to public distribution.

THINK: Is the information going to be distributed inside or outside of Sandia? ASSESS: What is the risk of combining information from open sources with Sandia data? PROTECT: When preparing speeches, presentations, or articles for distribution (including any to be provided to an internal audience), you must use the R&A process.

Your responsibility

Protect yourself by using the resources available to you, including Derivative Classifiers (DCs), the Classification Office, your Classified Administrative Specialists (CASs), and the online R&A process. If you release classified information to, or allow access by, individuals who lack the appropriate clearance and need to know (NTK), whether you meant to or not, it constitutes a security incident and may be a violation of federal law.


Page 8:

Security Tip: Information may start out as unclassified, but combining it with other information (known as "compilation") may result in the information being classified. To find a DC in your area, see the DC Access List or the List of Top Secret DCs.

Know your Classification Office

Derivative Classifier (DC) reviews are always required if there is potential that the information is classified, for example:
• Newly generated documents or extracts (a newly generated document that consists of a complete section) or material in a classified subject area (upon creation of the first draft)
• Existing unmarked or marked documents or material that may contain classified information
• Documents or material in a classified subject area intended for public release
• Printed output from a classified information system

Challenge a determination that doesn't seem right, or get a second opinion. Getting a second opinion from the Classification Office should not be viewed as a challenge to expertise, but simply as a way to ensure that Sandia's information is properly characterized and protected.

What is a DC? A DC is a person authorized to determine that a document or material is unclassified, or is classified as Restricted Data, Formerly Restricted Data, and/or National Security Information, and at what level, based on classification guidance or source documents.

What is a Derivative Declassifier (DD)? A DD is authorized to declassify or downgrade Sandia-originated documents, equipment, or material. All DDs are located in the Classification Office.

Classification Office helpline: (505) 844-5574


Page 9:

Module 2: Unclassified Controlled Information (UCI) Sam is responsible for his 2015 program budget. He puts the old hard copy 2014 budget information in the recycle bin with a stack of other papers. The 2014 budget information was not marked. During a meeting with his manager, he learns that all budget information must be marked OUO and destroyed properly or shredded. Sam meets with his team to remind them that budget information, project/tasks, labor rates, and related information should be marked and protected at all times.

THINK: What type of information am I working on, and who might see it? ASSESS: What are the consequences of disclosure to individuals without a need to know? PROTECT: Information must be properly marked, protected, and destroyed to prevent unauthorized access.

Your responsibility It is your responsibility to be familiar with the information you are working on and to protect/destroy the information accordingly.


Page 10:

Module 2: Unclassified Controlled Information (UCI)

Security Tip: UCI is information for which disclosure, loss, misuse, alteration, or destruction could adversely affect national security, SNL, or our business partners. Identification and protection of this type of information is required by the Code of Federal Regulations, public law, governmental directives, DOE orders, contracts with business partners, or Sandia's processes to protect commercially valuable information. For more information see corporate policy IM100.2.5, Identify and Protect Unclassified Information, and the UCI Identification Flowchart (PDF).

Page 11:

Module 3: Information Protection Sam is scheduled for a meeting with his manager to review new information for an upcoming presentation. On his way back to his office, Sam stops at the break room to refill his coffee. A coworker asks Sam about his weekend, and they walk out of the break room together, leaving the document on the counter. A building resident later finds the information on the counter by the coffee pot. He recognizes the yellow UCI cover sheet and knows that the information should not have been left unattended. He takes the document to an OAA in the building to find the owner.

THINK: Is the information you are working on sensitive or classified? ASSESS: Who might access the information if it is left unattended, and what is the risk of leaving it unattended? PROTECT: All information (whether classified or unclassified) must be easily identifiable and protected accordingly.

Your responsibility If you see unprotected Unclassified Controlled Information (UCI) whether you are cleared or uncleared, an employee, contractor, consultant or student, you have a responsibility to protect it. For more information, see corporate policy IM100.2.5 Identify and Protect Unclassified Information.


Page 12:

Module 3: Information Protection

Security Tip: Each area at SNL is designed with risk in mind. Public Areas allow open access; Property Protection Areas (PPAs) require badge-swipe access; Limited Areas (LAs) require two-factor authentication (badge and PIN) because of the potential for classified processing. As the desirability/sensitivity of the information increases, so do the security controls. For more information see corporate policy ISS100.5.3, Control Site Access. To determine whether or not you can have a non-Sandia-owned Portable Electronic Device (PED), see PEDs Rules of Use. OPSEC note: Insiders may pick up and collect any work-related information for their own purposes or to pass on to others. Do not make it easy for them; ensure work-related information and material is not left unprotected.

Page 13:

Module 4: Email Dissemination

Sam sends an email to five members of his team announcing an upcoming project meeting. Sam uses his email marking assistant to mark the email “OUO.” Sam asks the members of his team to be mindful before forwarding the email or replying with additional information to avoid compilation issues.

THINK: Who has a need to know to receive this information? ASSESS: Who has the potential to see this email? Will the email leave Sandia’s firewall? PROTECT: Ensure all email responses do not have additional information that could potentially make the email sensitive.

Your responsibilities

• When creating email, perform a review with security in mind before you hit “send.”

• If in doubt of the sensitivity of the information, use the classified network.

• Have regular meetings with your team or your manager to discuss the classification aspects of your program.

• Review program requirements to understand the sensitive aspects of your work.

• Engage your program’s DC to gain a better understanding of relevant sensitivities.

• Contact the Classification Office for assistance.


Page 14:

Difference between compilation and association Classification by association concerns 1) two or more different unclassified facts that when combined in a specific way result in a classified statement, or 2) two or more different classified facts (or unclassified and classified facts) that when combined in a specific way result in a higher classification level or more restrictive category (e.g., two NSI statements together may create RD, or an unclassified fact with an NSI fact may create FRD).

Classification by compilation occurs when 1) a large number of similar, unclassified pieces of information are put into a document in such a way (through selection, arrangement, or completeness) as to become classified, or 2) a large number of similar classified pieces of information (or unclassified and classified information) adds enough value to become classified at a higher level (e.g., a series of test results separately are NSI, but combined together in one document in such an arrangement as to form a complete picture of a weapon characteristic could be classified at RD).

Documents classified as a compilation must not be portion-marked and must contain the following statement: This document has been classified as a compilation and must not be used as a source document for a derivative classification decision.

Security Tip Association and compilation security incidents are most often found in emails. Remember to review the entire email string to ensure that no possible associations and compilations of classified information are present. If in doubt, start a new email and simply reference the previous email by subject line, and remember to tell the recipients you started the new email because of security concerns. Better yet, move the email conversation to the SCN.

Recent examples of email incidents: • Forwarding UCI email to a personal email account (home account). • Sending UCI or classified information outside the firewall without review. • Downloading open-source information, later determined to be classified, and processing it or integrating it into a report. • Replying to email strings with information that, by compilation, could potentially be classified.
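The first two incidents above (marked UCI sent outside the firewall, UCI forwarded to a personal account) are the kind of condition a mail-gateway or pre-send rule can catch before "send" completes. The following Python is an added example written for this page; it is not the Sandia email marking assistant or any other Sandia tool. The internal domain (sandia.gov), the list of personal webmail domains, the marking patterns, and the four sample messages are assumptions constructed for illustration.

```python
"""Pre-send check: does an email carrying a UCI marking (OUO, UCNI, ECI) leave
the organisation, or go to a personal webmail account?

Added example for this page; not a Sandia tool.  The internal domain, the
webmail domains, the marking patterns and the sample messages below are
assumptions constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"sandia.gov"}                                            # assumption
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumption
# Match the marking as a whole token: a bare substring test would fire on
# ordinary words, and "ouo" inside a URL or hash is not a marking.
MARKING_RE = re.compile(r"\b(OUO|OFFICIAL USE ONLY|UCNI|ECI)\b", re.IGNORECASE)


def recipients(msg):
    """Every To/Cc/Bcc address, lower-cased, in header order."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def body_text(msg):
    """Join all text/plain parts so a marking buried in a quoted reply is still seen."""
    chunks = []
    for part in msg.walk():                    # walk() yields the message itself if not multipart
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_message(raw):
    """Return findings (strings) for one RFC 5322 message; [] means nothing to flag."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    hit = MARKING_RE.search(text)
    if hit is None:
        return []                               # unmarked: this rule has nothing to say
    marking = hit.group(0).upper()
    findings = []
    for addr in recipients(msg):
        domain = addr.rpartition("@")[2]
        if domain in PERSONAL_DOMAINS:
            findings.append(f"{marking} content addressed to personal webmail account {addr}")
        elif domain not in INTERNAL_DOMAINS:
            findings.append(f"{marking} content addressed to external recipient {addr}")
    return findings


# Constructed sample messages (assumed addresses; not real mail).
SAMPLE_TEAM = """\
From: sam@sandia.gov
To: alice@sandia.gov, bob@sandia.gov
Subject: [OUO] Project meeting Thursday

OUO - budget figures for FY2015 attached. Please do not forward outside the team.
"""

SAMPLE_FORWARDED_HOME = """\
From: sam@sandia.gov
To: sam.home@gmail.com
Subject: Fwd: [OUO] Project meeting Thursday

Forwarding so I can read this at home tonight.
"""

SAMPLE_EXTERNAL = """\
From: sam@sandia.gov
To: coordinator@conference.example
Cc: alice@sandia.gov
Subject: Conference slides

Draft attached; note that it still contains Export Controlled Information (ECI).
"""

SAMPLE_UNMARKED_EXTERNAL = """\
From: sam@sandia.gov
To: coordinator@conference.example
Subject: Travel dates

I arrive Tuesday evening and leave Friday morning.
"""

if __name__ == "__main__":
    for name, raw in [("team", SAMPLE_TEAM), ("forwarded home", SAMPLE_FORWARDED_HOME),
                      ("external", SAMPLE_EXTERNAL), ("unmarked external", SAMPLE_UNMARKED_EXTERNAL)]:
        print(f"{name}: {check_message(raw) or 'ok'}")
```

The rule flags marked mail with an external or personal recipient for a human decision rather than blocking it, because the marking text is a hint, not a classification determination. Its limit is the last sample: an unmarked message (here, a travel itinerary, which the Social Media module tells you to keep to yourself) passes untouched. That is exactly why the course asks you to review the whole thread yourself before you hit "send".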


Page 15:

Module 5: Social Media

Sam gets a promotion to “Distinguished Engineer.” He posts pictures from the celebration dinner on social media and tags some of his co-workers and his manager. Sam receives a lot of comments and questions about his new job and notices a post from a foreign engineer he met at a conference. Sam realizes that his posts are public and stops posting additional information.

THINK: Before posting on social media, ask yourself: Who has access to my information? ASSESS: Are you comfortable with your information being public knowledge? PROTECT: Learn and use all the security controls on each site and keep up with them as they change.

Your responsibility

Ask yourself: Am I careful with the information I am posting and do I understand data aggregation issues? Am I willing to use security controls and keep up with them as they change? Am I putting myself or others at risk by posting personal information?


Page 16:

Personal Information
• Keep sensitive, work-related information off your online profile.
• Keep your plans, schedules, and location data to yourself.
• Protect the names and information of coworkers, friends, and family members.
• Tell friends to be careful when posting photos and information about you and your family.

Posted Data
• Check all photos for indicators in the background or reflective surfaces.
• Check file names and file tags for sensitive data or metadata (e.g., your name, organization, projects, geolocation information).

Passwords
• Use passwords that are unique from your other online passwords.
• Make them strong and sufficiently hard to guess.
• Protect them; e.g., don't share them or write them down where they can easily be found.

Settings and Privacy
• Be sure to set your privacy and security options.
• Determine both your profile and search visibility.
• Sort "friends" into groups and networks, and set access permissions accordingly.
• Verify that a "friend" request was actually from a friend.

Security
• Keep your anti-virus, anti-malware, operating system, browser, and other software updated.
• Beware of links, downloads, and attachments, just as you would in email.
• Beware of "apps" or plug-ins, which are often written by unknown third parties who might use them to access your data and friends.
• Look for "https" and the lock icon that indicate active transmission security before logging in or entering sensitive data, especially when using Wi-Fi hotspots.
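The "Posted Data" advice about geolocation metadata is concrete enough to check mechanically: a camera phone records the GPS position in the EXIF block of every JPEG, and most social sites keep whatever you upload. The following Python is an added example for this page, not part of the course material; it walks the JPEG container by hand (standard library only, so it runs offline without an image library), reports whether a GPS sub-IFD is present, and strips the metadata segments without re-encoding the picture. The sample image it builds is a constructed container, not a real photograph.

```python
"""Detect and strip location metadata (EXIF GPS sub-IFD) from a JPEG before posting.

Added example for this page, not part of the SEC100 material.  Standard library
only; the sample image is constructed, not a real photo.
"""
import struct

SOS, EOI = 0xDA, 0xD9
APP1 = 0xE1                    # EXIF and XMP live in APP1 segments
TAG_GPS_IFD = 0x8825           # IFD0 tag pointing at the GPS sub-IFD
# Segments stripped: APP1 (EXIF/XMP), APP13 (IPTC / Photoshop IRB), COM (free-text comments).
# APP0 (JFIF), APP2 (ICC profile) and APP14 (Adobe colour transform) are kept:
# they affect how the picture renders, not who or where you are.
STRIP_MARKERS = {0xE1, 0xED, 0xFE}


def _segments(data):
    """Yield (marker, start, end) for every marker segment between SOI and SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return                              # entropy-coded scan data follows; stop walking
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _ifd(tiff, bo, offset):
    """Parse one TIFF IFD; return {tag: (type, count, raw value-or-offset field)}."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count, raw = struct.unpack(bo + "HHII", tiff[base:base + 12])
        entries[tag] = (typ, count, raw)
    return entries


def find_location_metadata(data):
    """Return the sorted GPS sub-IFD tag numbers present in the image ([] if none)."""
    for marker, start, end in _segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = {b"II": "<", b"MM": ">"}[tiff[:2]]     # byte order declared by the TIFF header
        magic, ifd0_offset = struct.unpack(bo + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF header inside EXIF segment")
        ifd0 = _ifd(tiff, bo, ifd0_offset)
        if TAG_GPS_IFD not in ifd0:
            return []
        return sorted(_ifd(tiff, bo, ifd0[TAG_GPS_IFD][2]))   # LONG entry: raw field is the offset
    return []


def strip_private_segments(data):
    """Return a copy of the JPEG without EXIF/XMP, IPTC and comment segments.
    Scan data after SOS is copied byte-for-byte, so the image is not re-encoded."""
    out = bytearray(data[:2])
    copied_to = 2
    for marker, start, end in _segments(data):
        if marker in STRIP_MARKERS:
            out += data[copied_to:start]
            copied_to = end
    out += data[copied_to:]
    return bytes(out)


def build_sample_jpeg(with_gps=True):
    """Constructed container: SOI, JFIF APP0, EXIF APP1, a stub SOS and EOI.
    It is not a decodable picture; only the metadata structure matters here."""
    bo = "<"
    ifd0 = [struct.pack(bo + "HHI", 0x010F, 2, 4) + b"Cam\x00"]        # Make = "Cam", ASCII inline
    gps_offset = 8 + 2 + 12 * 2 + 4                                    # GPS IFD directly after IFD0
    if with_gps:
        ifd0.append(struct.pack(bo + "HHII", TAG_GPS_IFD, 4, 1, gps_offset))
    tiff = b"II" + struct.pack(bo + "HI", 42, 8)
    tiff += struct.pack(bo + "H", len(ifd0)) + b"".join(ifd0) + struct.pack(bo + "I", 0)
    if with_gps:
        # one GPS entry: GPSLatitudeRef (tag 1), ASCII "N" stored inline in the value field
        tiff += struct.pack(bo + "H", 1) + struct.pack(bo + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
        tiff += struct.pack(bo + "I", 0)
    exif = b"Exif\x00\x00" + tiff
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
    return b"\xff\xd8" + app0 + app1 + sos + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS tags before:", find_location_metadata(photo))                             # [1]
    print("GPS tags after: ", find_location_metadata(strip_private_segments(photo)))     # []
```

Two caveats a practitioner should keep in mind. First, the check only looks at the EXIF GPS sub-IFD; XMP (also in APP1) and IPTC (APP13) can carry location text too, which is why the strip routine removes those segments wholesale instead of editing individual tags. Second, stripping metadata does nothing about the indicators in the pixels themselves (badges, whiteboards, reflections), which is the other bullet in "Posted Data" and still needs a human eye.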

Security Tip: Use Sandia's Information Technology resources appropriately per corporate procedure IM100.1.3, Use and Protect Computing Resources. For more information see the FBI's brochure, Internet Social Networking Risks, and the Interagency OPSEC Support Staff's brochure, OPSEC and Social Networking Sites. Per ISS100.3.4, Conduct Operations Security, all Members of the Workforce are responsible for recognizing, understanding, and protecting critical information, as identified by the responsible program manager. They must protect critical information from inadvertent release (e.g., via the web, internet, social media, conferences/symposia, publications, Lab News, or other means) to individuals who do not have a need to know. This includes all forms of social media.


Page 17:

Module 6: Suspect/Counterfeit Parts Sam received a USB thumb drive from a vendor when he attended the engineering conference. Sam inserted the thumb drive into his Sandia laptop and immediately received an error message. He removed the thumb drive and called his Cyber Security Representative (CSR). If the thumb drive was counterfeit and contained malware, the CSR would contact Security Connection, who would begin the SIMP process.

THINK: Has this item been approved for use with a Sandia device? Is my sensitive information safe? ASSESS: Could this item pose safety, security, or environmental risks, for example counterfeit electrical components, extension cords, or memory devices used to store sensitive information? PROTECT: Work with your Sandia Procurement Representative (Buyer) to specify quality assurance requirements for any procurement where there is a risk of obtaining Suspect/Counterfeit items.

Your responsibility You can reach the suspect/counterfeit item team by email at [email protected] or the suspect/counterfeit items webpage, which offers an easy way to report items, additional information about suspect/counterfeit items, newsletters, and detailed contact information. Don’t toss it, report it!


Page 18:

Module 6: Suspect/Counterfeit Parts

Security Tip: Does the price seem too good to be true? Counterfeits are often priced well below market value, so know the true cost of a product and do not fall for the "cheap" scam. Other indicators:
• "New" item appears to be used
• Unusual or inadequate packaging
• Evidence of tampering
• Lack of markings or incorrect markings
• Product appears to have been reworked (excessive grinding)
• Missing or incorrect manufacturer logo or information on tags or component
• Materials are not what was expected (plastic versus metal)
• Missing NRTL (Nationally Recognized Testing Laboratory) logos on electrical components (e.g., UL, ETL)
• Type of part is no longer manufactured, has been previously recalled, or the design has changed
• Items do not fit well or do not work properly

Figures: counterfeit/altered memory device; exploding counterfeit battery; legitimate Apple charger (left) and counterfeit (right).

Visit the Suspect/Counterfeit Items webpage! http://cfo.sandia.gov/procure/SCI/pages/index.html


Page 19:

Conclusion

You must report any potential loss or compromise of classified information.

An inquiry is a review of the circumstances to develop all pertinent information and to determine whether an infraction, a compromise, or a potential compromise has occurred. Only a small number of potential events result in infractions or incidents of security concern.

A security incident is an event of concern to the DOE Safeguards and Security Program, and thus warrants a preliminary inquiry and subsequent reporting to DOE.

A security infraction is issued to document the assignment of responsibility for an incident per DOE Order 470.4B. The Security Incident Management Program (SIMP) uses specific criteria, approved by NNSA oversight, for issuing infractions, recognizing that not all incidents warrant an infraction.

See Something, Say Something

When you "See Something" or make a mistake, you should "Say Something." Mistakes never get better with time. Speak up when you:
• See a potential compromise of information.
• Suspect waste, fraud, or abuse.
For details about these and other things that must be reported, see the DOE and Sandia Reporting Requirements.

What's the risk? Reporting is about mitigating potential consequences, which include:
• Harm to national security.
• Loss of America's technological and military superiority.
• Damage to Sandia's reputation.

If you make a mistake, report it ASAP! Quick reporting allows actions to be taken to mitigate the issue and to check other systems (access control, cyber systems). Reporting allows us to learn from mistakes and helps others avoid doing the same thing. Contact SIMP by dialing 321 from any Sandia phone or 505-845-1321 as soon as possible.

Page 20:

Sam made it through another year.

He learned a lot about protecting Sandia's information as well as his personal information. With the help of tools like the R&A process and guidance from his DC and manager, Sam has a better understanding of his security responsibilities.

Reminder: In addition to SEC100, Counterintelligence Training CI100 is required annually for all Sandia employees, all staff-augmentation contractors, and any other contractors or visitors who work on-site side-by-side with Sandians and who might therefore be targeted and approached by foreign entities, excluding contractors/visitors who receive their training through other government facilities.

Page 21:

SEC100 Completion Record: 2015/2016

Print Full Name (Last, First, Middle):

SNL Org # or Company Name:

Employee Contractor Consultant Student KMP

Signature:

Date:

After reading all the modules of SEC100, complete this form and send it via email to [email protected] or via fax to 505-844-7802 to receive course credit. If you would like confirmation of completion, provide your email or fax number (please write legibly).

I have read and understand all the modules in SEC100, Annual Security Refresher Briefing.


Page 22:

SEC100 Feedback Form

Your feedback is important to us. Please complete this evaluation and send it to us via email at [email protected] or via fax at 505-844-7802.

Rate the following on a scale of 1 to 5, with 1 = poor and 5 = excellent.
The ease of use of this learning tool: 1 2 3 4 5
The organization of the information presented: 1 2 3 4 5
The usefulness of the information presented: 1 2 3 4 5
Your level of knowledge related to this topic BEFORE using this learning tool: 1 2 3 4 5
Your level of knowledge related to this topic AFTER using this learning tool: 1 2 3 4 5

Fill in the blanks.
What was the most valuable about this learning tool?
What information needs to be corrected, inserted, removed, or updated?
What could be done to improve or enhance this learning tool?