Compliance Training
PURPOSE OF TRAINING
• Organization Facilities
• Sensitive Data (ITAR/CUI)
• Corporate Sensitive Documents (ITAR/CUI)
• Customer parts (ITAR/CUI)
• Company IT Network(s) & Devices
YOU ARE CRITICAL TO REDUCING RISK
Employee errors, omissions, and behavior are often the highest source of
risk for:
• Unauthorized visitors gaining access to company facilities
www.stealth-iss.com
authorized people
• Understand the methods malicious people will try to use to
compromise your password, access your computer, our network, and
take advantage of trusted access to files and our IT network
• Understand what to report, when to report, and how to report
incidents involving Sensitive Data of ANY kind
For the purposes of all Organizational policies, procedures, work instructions, and other
business activities, Corporate Sensitive Data (sensitive data) is defined as any means of
communication, electronic data or physical representation* regarding:
• Adverse impact on employee health and safety.
Contains:
• Controlled Unclassified Information (CUI) [ITAR]
• Covered Defense Information (CDI)**
• CUI//SP-Controlled Technical Information (CTI)
• CUI//SP-Export Controlled information (EXPT)
• “ITAR Controlled information”
US GOVERNMENT REQUIRES SAFEGUARDING OF
CERTAIN DATA, DOCUMENTS, & PARTS
• Work Instructions
• CUI Data & Document Controls
• CUI Part Controls
• Physical Security
• Employee Responsibilities & Training
• Supplier/Outside Processor Compliance
WHY IS NIST 800-171 COMPLIANCE REQUIRED?
WHO IS AUTHORIZED TO ACCESS CORPORATE SENSITIVE DATA?
ARE YOU?
• ELIGIBLE
• AUTHORIZED
• QUALIFIED
• TRAINED
WHAT IS EXPORT CONTROLLED INFORMATION?
What is Export Controlled information (EXPT)? A category of CUI concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. This includes dual-use items; items identified in the Export Administration Regulations, the International Traffic in Arms Regulations and the munitions list; license applications; and sensitive nuclear technology information.
• The term does not include information that is lawfully publicly available without restrictions.
CUI//SP-EXPT
SAFEGUARD – CUI PARTS
Diagram (recovered labels):
• DoD Covered Defense Information: Export Controlled information (EXPT), ITAR/EAR controlled information, Controlled Technical Information (CTI)
• Customer’s Proprietary and Confidential Data
• Certain Company Operations and Employee Data, Financial Data, Health and Safety Information
• Technical Parts and other types of technical data
CUI is safeguarded, controlled, marked, and shared consistent with the CFR and company policy.
Workflow diagram (recovered labels): Outside Processors; NDT Cert & Processing; Archiving; Masking; Shipping; Planning; MSS & Workflow Software; Receiving; IT Infrastructure; Sales & Quoting; IT Support & Security; Data, Document, & Part Management; Human Resources; Audit, Monitoring & Record keeping.
SAFEGUARDING ACCESS IS CRITICAL
Controlling Access to Company Facilities, Sensitive Data, Network & Devices.
WHO IS THAT? Employees must challenge unknown persons, confirm their status, and appropriately restrict their movements.
Must Determine Visitor Status: Conduct Denied Party Screening.
• Authorized Visitor (US Person): May be Escorted
• Authorized Visitor (Foreign Person): ✅ MUST be Escorted
Controlled areas: ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices
ALL Visitors must provide the following information:
• Date/Time of Visit
• Complete Name
• Signature
• Citizenship - U.S. person or specific foreign citizenship
• Company or other affiliation, if applicable, including address with minimum of city/state and/or country if not U.S.
• Company Employee to be Visited (if Foreign Person visitor, this would be the assigned escort – see below)
• Time of Departure (to be completed by visitor, visitor escort, receptionist, or other employee monitoring reception area)
FOREIGN TRAVEL & SENSITIVE DATA
Export Controlled (EXPT) information & Foreign Travel. It is illegal to transport sensitive technical data across international borders without the written permission of the U.S. Government. Failure to properly license hand-carried technical data (in hardcopy or in electronic format) can result in criminal and civil charges.
• US Person Authorized w/Export Controlled Information: ✅ Briefed on Security & Export Control Restrictions; ⚠️ Specifically Authorized w/Export Controlled Information; 🛡 Devices Configured w/Special EXPT Security Controls
• US Person Not Authorized (Foreign Travel): ✅ Briefed on Security & Export Control Restrictions; ⛔️ No EXPT information; ⛔️ No CUI on any Devices (CLEAN)
Controlled areas: ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices
VISITOR ACCESS CONTROL IS CRITICAL
Controlling Access to Company Facilities, Sensitive Data, Network & Devices.
ALL VISITORS MUST BE CONTROLLED. Foreign person visitors must be RESTRICTED.
Must Determine Visitor Status: Conduct Denied Party Screening.
• Authorized Visitor (US Person): May be Escorted
• Authorized Visitor (Foreign Person): ✅ MUST be Escorted
Controlled areas: ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices
Company Escorts must:
• Be US persons
• Be trained on: ✅ Export Control regulations ✅ CUI requirements ✅ Tech Control Plan, and sign the acknowledgement
• ✅ Ensure an NDA is signed by the visitor
• ✅ Maintain positive control of visitors at all times
• ✅ Restrict the movement of foreign person visitors
• ✅ Brief the visitor on limitations and restrictions.
• ✅ Report any violations, inadvertent disclosure, or compromise
• ✅ Direct questions to the FSO or ECO
• ✅ Sign the visitor in and out.
HANDLING, MARKING, & SHARING CUI
• Handling is any use of CUI, including but not limited to marking, safeguarding, transporting,
disseminating, re-using, and disposing of the information.
• Unmarked CUI. Treat unmarked information that qualifies as CUI as described in the Order,
• Reasonable Expectation Rule. To share CUI to any person or organization, the authorized
employee MUST have a REASONABLE EXPECTATION that all intended recipients are
authorized to receive the CUI and have a basic understanding of how to handle it.
• The intended recipients must also be compliant with NIST 800-171 requirements.
• Unauthorized Disclosure occurs when an authorized holder of CUI intentionally or
unintentionally discloses CUI without a lawful Government purpose, in violation of restrictions
imposed by safeguarding or dissemination controls, or contrary to limited dissemination
controls. ANY UNAUTHORIZED DISCLOSURES SHOULD BE REPORTED IMMEDIATELY.
EXERCISE: IS IT CTI OR EXPT (ITAR/EAR)?
Use the Run Rules to determine the proper CUI category and marking for 5 example documents and items.
• Does it meet the definition of Controlled Technical Information or ITAR controlled information even if it
has no markings or indications? See Definitions
• Per the CFR, if the document meets the definition of CUI, it must be treated like CUI…
Identify CUI data in the Sales & Workflow?
Please insert a sanitized example photo of a company held Export Controlled Part
RUN RULES: DETERMINING CUI//SP-EXPT
CONTROLLED PARTS
DETERMINING CUI DATA: KEY POINTS
Use the QRG to determine the proper CUI category and marking for 5 example documents and items.
Below are sanitized examples of Masking Instructions that MUST BE MARKED and MAY NOT BE MARKED:
• MUST BE MARKED (Customer Data): Unmarked Diagram w/Parts NOT specifically for Military/Space/Aerospace Use
• MAY NOT BE MARKED (Project/Contract Redacted): Unmarked Diagram w/Parts NOT specifically for Military/Space/Aerospace Use
• MUST BE MARKED (Customer Redacted): Unmarked Diagram w/Parts SPECIFICALLY for Military/Space/Aerospace Use
• MUST STILL BE MARKED (Marked Distribution Restrictions): Unmarked Diagram w/Parts SPECIFICALLY for Military/Space/Aerospace Use
• MUST STILL BE MARKED (Assembly): CUSTOMER MARKED RESTRICTED Diagram
• INTERNAL: Close up pictures lacking sensitive details (PROJECT #001234)
CUI, it is encouraged to mark all potential documents that could contain CUI as a precaution.
Warning – This document may contain CUI. Disseminate in accordance with DOD directives.
Marking – CUI Basic Banner Marking
CUI Specified – Protected information that also requires one or more specific handling standards for that information. It would be marked CONTROLLED//SP-XXX to indicate to the reader that there will be special handling instructions for one or more CUI within the document.
Banner markings for ITAR controlled documents: CUI//SP-Export Controlled or CUI//SP-EXPT
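The Basic and Specified banner forms shown above, parsed into designation and category codes so a document's marking can be compared with the category the Run Rules determined for it. This is an added example, not code from the training deck or from Stealth-ISS; it assumes the CONTROLLED spelling is interchangeable with CUI, that several Specified categories may be joined with "/", and it rejects any further "//" segment as out of scope.

```python
from dataclasses import dataclass, field

# Constructed for this example: category codes the training deck uses, plus the
# long spelling seen in "CUI//SP-Export Controlled", normalised to EXPT.
KNOWN_CATEGORIES = {"CTI", "EXPT"}
ALIASES = {"EXPORT CONTROLLED": "EXPT"}

@dataclass
class BannerMarking:
    designation: str                                 # "CUI" or "CONTROLLED"
    specified: bool                                  # True when an SP- segment is present
    categories: list = field(default_factory=list)   # recognised category codes
    unknown: list = field(default_factory=list)      # codes not recognised (e.g. SP-XXX)

def parse_banner(text: str) -> BannerMarking:
    """Parse 'CUI', 'CUI//SP-EXPT' or 'CONTROLLED//SP-CTI/EXPT'; ValueError if malformed."""
    parts = [p.strip() for p in text.strip().split("//")]
    designation = parts[0].upper()
    if designation not in ("CUI", "CONTROLLED"):
        raise ValueError(f"banner must start with CUI or CONTROLLED: {text!r}")
    if len(parts) == 1:
        return BannerMarking(designation, specified=False)    # CUI Basic
    # Assumption: only the Basic and Specified forms are handled; a further '//'
    # segment (limited dissemination controls) is out of scope and rejected.
    if len(parts) != 2 or not parts[1].upper().startswith("SP-"):
        raise ValueError(f"unsupported or malformed banner: {text!r}")
    marking = BannerMarking(designation, specified=True)
    for code in parts[1][3:].split("/"):       # assumption: '/' separates categories
        code = ALIASES.get(code.strip().upper(), code.strip().upper())
        if not code:
            raise ValueError(f"empty category in {text!r}")
        (marking.categories if code in KNOWN_CATEGORIES else marking.unknown).append(code)
    return marking

def requires_export_control_handling(text: str) -> bool:
    """True when the banner carries the EXPT (ITAR/EAR) Specified category."""
    marking = parse_banner(text)
    return marking.specified and "EXPT" in marking.categories

def check_document(banner: str, determined_category: str) -> list:
    """Compare a document's banner with the category the Run Rules determined for it;
    returns findings (an empty list means the marking is consistent)."""
    try:
        marking = parse_banner(banner)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    wanted = ALIASES.get(determined_category.strip().upper(), determined_category.strip().upper())
    if wanted and not marking.specified:
        findings.append(f"determined as {wanted} but marked CUI Basic only")
    elif wanted and wanted not in marking.categories:
        findings.append(f"banner lacks the determined category {wanted}")
    findings.extend(f"unrecognised category {code}; check the QRG" for code in marking.unknown)
    return findings
```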
MARKING – CUI COVER SHEET
CUI//SP-EXPT
PROTECT: PHYSICAL SECURITY
CYBERSECURITY TRAINING
• SALES
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
• OPERATIONS
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• SHIPPING
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• QUALITY
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• EXPORT CONTROL
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
CYBERSECURITY AWARENESS – EMAILING
SENSITIVE INFORMATION
• BODY of EMAIL
• ITAR STATEMENT (If Appropriate)
• If you need a CD, flash drive, or external hard drive, YOU MUST check it out from the media library.
• Always keep checked-out digital media devices in your presence or locked in your desk/office.
• You cannot take digital media devices from a company facility without permission.
• Unattended portable devices must always be, at a minimum, locked inside a secure container.
• All portable media devices MUST BE labeled and encrypted.
MARKING – ELECTRONIC MEDIA STORING OR
PROCESSING CUI
• Unrecoverable
• Sanitization techniques include:
  • Clearing
  • Purging
  • Cryptographic erase
  • Destruction
• Examples include media found in scanners, copiers, printers, notebook computers,
workstations, network components, and mobile devices.
• The company determines the appropriate sanitization methods recognizing that
destruction is sometimes necessary when other methods cannot be applied to media
requiring sanitization.
• You can find very detailed destruction methods by device in the Media Protection Policy
(CUI-IT-VST-XXX) Appendix C
DESTROY – NON-DIGITAL MEDIA
• Destroy paper using crosscut shredders which produce particles that are 1 mm x 5
mm (0.04 in. x 0.2 in.) in size (or smaller) or pulverize/disintegrate paper materials
using disintegrator devices equipped with a 3/32 in. (2.4 mm) security screen.
• Destroy microforms (microfilm, microfiche, or other reduced image photo negatives)
by burning.
• Note: When material is burned, residue must be reduced to white ash.
Cybersecurity Awareness – Malicious Code
• Malicious code is a program that installs itself without the user’s knowledge
• Malicious code can:
• Corrupt files
• Be careful of “Spillage”, which is CUI that is moved to an unsecured area or computer, either
intentionally or unintentionally
• An example of spillage is CUI that has been released as commonly known information and
disseminated without authorization
• Be aware of all markings on documents and potential CUI that has not been marked at all!
When in doubt, ask and mark it!
• DO NOT send CUI data to ANYONE for whom you don’t have reasonable assurance that they are
compliant and will safeguard the data properly
• Label all files, removable media, and subject headers with appropriate classification markings
• Make sure you are ALWAYS WORKING on the organization’s secured network or through the
VPN
• Report any SPILLAGE IMMEDIATELY to YOUR SUPERVISOR and submit an URGENT help
desk ticket
INSIDER THREAT
• An insider threat is a person who uses authorized access, wittingly or unwittingly, to harm an
organization or company through unauthorized disclosure, data modification, espionage
(government or corporate), terrorism, or kinetic actions (bodily or infrastructure harm) resulting
in loss of resources or capability
• Hostile behavior
• Criminal behavior
• Unexplained or sudden wealth
• Unreported foreign contact or travel
• Inappropriate, unusual, or excessive interest in sensitive information
• Mishandling of Controlled Unclassified Information
INSIDER THREAT
• Don’t talk about your work outside of work unless it is a specifically designed public meeting and is a
controlled environment
• Even inside a closed work environment, be careful about discussing your sensitive job functions
• Avoid activities that may compromise situational awareness
• Be aware that people could be listening when retrieving messages from any form of media device
VULNERABILITY – SOCIAL NETWORKING
• Social Networking trades certain parts of your identity in order to connect within groups.
• These pieces of information can be combined to create a complete picture of your
location, habits, and routine.
• Any information you post can help you be targeted as an employee of a Department of Defense
contractor, whom adversaries may see as a target for gaining information.
• Set your privacy settings to friends only and be careful that you don’t accept friend requests
from people you don’t know.
• Be careful when posting on social media with @ symbols. “@Joes Gym” or “Heading to Seattle
for the weekend with @JohnSmith” can let people track your activity for malicious reasons.
Photos posted using a smartphone are embedded with latitude and longitude data.
• Many applications are free to play because the data they get from you accepting
their terms is where the value resides for them. In many cases you give them access to most of
your device.
VULNERABILITIES – TRAVEL
• Do NOT connect laptops to hotel internet connections. If you are directed to a login page
before you can connect by VPN, the risk of malware or data compromise is substantially
increased
• When traveling with a mobile device, including a laptop or cell phone:
• Fake Wifi access points (e.g. “Airport Wifi” or “coffee shop Wifi”) may be used for deception.
• Information sent over unsecured public wi-fi connections may be exposed to theft, and the device
may be exposed to malware
VULNERABILITIES – TRAVEL
protection
• Password, Identification, and authentication
• Mobile Device
• Remote Access
• Encryption
• Incident response
• Clear Desk and Screen
• IT Maintenance
• Media protection
• Physical Security
• System and information integrity
• User Registration and Deregistration
• Network Operations and Security Management
• Controlling the Flow of CUI within the organization’s Enterprise IT Network(s).
ABOUT US
Stealth – ISS Group® Inc. (est. 2002) acts as your extended IT, cyber security, risk and compliance team and provides
strategic guidance, engineering and audit services, along with technical remediation and security operations. We pride
ourselves on the quality and professionalism of our workforce, collaborative relationships with our clients, and our ability to
bring you innovative, customized but affordable vendor-agnostic solutions based on your immediate needs while aligning with
your business strategy and operations. We add massive value and save you money on staffing a permanent security
organization.
We are passionate about protecting companies and agencies from all facets of cyber-crime, protecting your people and
company data, reducing your information and financial losses, and protecting your reputation.
London, England
Dubai, United Arab Emirates
Bratislava, Slovakia