Last year, the US Department of Defense released a memorandum called “Security Review Follow-on Actions” after the Massachusetts Air National Guard security leak. The memorandum emphasized the importance of stringent security measures in safeguarding Classified National Security Information (CNSI).

While many compliance action deadlines have come and gone, September 30th 2024 was the deadline for appropriate electronic device detection systems and mitigation measures in all Defense Department Sensitive Compartmented Information Facilities (SCIFs).

This article seeks to inform the business community about government-driven security protocols that can enhance security frameworks, protect sensitive information, and mitigate risks associated with insider threats.

The Defense Department’s directive is a critical reminder to continuously improve security practices, particularly for organizations handling intellectual property and other sensitive information. While the memorandum is aimed at defense organizations, it can be incorporated into private-sector information security practices, especially for businesses that handle government-classified or proprietary sensitive data.

Security Accountability Plan

The defense memorandum prioritizes protecting CNSI because its compromise can result in “exceptionally grave damage” to national security. Similarly, a company’s intellectual property breach can threaten its status as a viable business, potentially jeopardizing its future.

A security accountability plan ensures all corporate employees with access to sensitive information are accounted for in a designated security information system. This plan should include developing and maintaining an inventory of all employees with access to sensitive information.

All personnel with access should be managed by a security team responsible for protecting sensitive data.

Access Validation

The Massassachussets Air National Guard Leak has forced the Pentagon to reevaluate who should access CNSI.

As the Department of Defense now implements enhanced validation efforts for personnel needing access to Sensitive Compartmented Information (SCI), businesses should conduct audit reviews to validate the necessity of access to sensitive information.

Only those with a clear and documented need should have access.

Businesses should also require employees with access to sensitive data to sign a non-disclosure agreement (NDA), reinforcing the legal and ethical obligations to be entrusted with sensitive information.

Facility Requirements

The Department of Defense mandates compliance with Intelligence Community Directive (ICD) 705 for Sensitive Compartmented Information Facilities (SCIFs).

While this requirement may be more relevant for defense industrial base companies, it can also apply to companies that need to protect sensitive data. As such, businesses should assess and ensure that all facilities retaining and processing sensitive information comply with security standards appropriate for the information’s sensitivity. This can include physical security, access control measures, and regular audits.

Finally, exploiting electronic emissions has been a defense concern for decades.

Companies should prohibit personal or portable electronic devices within areas where sensitive data is being processed or discussed.

Insider Threat Monitoring

The memorandum’s focus on insider threats and enhanced cybersecurity aligns with civilian CISOs (80%) who see human risk, particularly negligent employees, as a significant risk factor.

Companies should establish a robust insider threat program that includes continuous user activity monitoring across all networks. While most private businesses do not handle top-secret information, appointing a team to manage and control sensitive information access ensures a clear custody and accountability chain.

Leverage Technology

The US Defense Department highlights the importance of optimizing security information technology systems. Companies that invest in advanced IT systems that facilitate information sharing and reporting will be ahead.

For example:

• Using cloud technology and artificial intelligence (AI), businesses can enhance threat detection, streamline access control, and improve the overall efficiency of their security operations.

• Technology solutions exist to track wireless and electronic devices within a facility and provide real-time warnings when secure areas are breached.

• Emerging technologies like quantum-secure encryption algorithms can protect today’s sensitive data from future quantum exploitation (save now/exploit later). In fact, NIST recently released its first approved post-quantum encryption standards. Post-quantum encryption promises to secure several vital applications, such as electronic mail and e-commerce.

The Wrap

These Department of Defense security protocols can help enhance a business’s ability to protect sensitive information and mitigate insider threats.

Implementing these recommendations can also increase the reputation of technology leaders and improve stakeholder trust that information security measures are on the right track.

This proactive approach aligns with best practices and reinforces the organization’s commitment to safeguarding critical assets in an increasingly complex security environment.