
DFARS/NIST 800-171/CMMC

Compliance Training

PURPOSE OF TRAINING

Use employee training to reduce risk, reduce vulnerabilities, and limit sensitive data breaches in our company.

• 5 High Risk Areas - All Employees MUST Safeguard

www.stealth-iss.com

• Organization Facilities
• Sensitive Data (ITAR/CUI)
• Corporate Sensitive Documents (ITAR/CUI)
• Customer parts (ITAR/CUI)
• Company IT Network(s) & Devices
YOU ARE CRITICAL TO REDUCING RISK

Employee errors, omissions, and behavior are often the highest source of risk for:
• Unauthorized visitors gaining access to company facilities
• Compromise or disclosure of Corporate Sensitive Data
• Network security intrusions, device compromises, and malicious insiders

YOU CAN MAKE A DIFFERENCE!


TOGETHER WE CAN REDUCE RISK

ALL EMPLOYEES MUST:


• Understand and strictly enforce policies and procedures
• Restrict access to company facilities and sensitive data to only authorized people
• Understand the methods malicious people will try to use to compromise your password, access your computer and our network, and take advantage of trusted access to files and our IT network
• Understand what to report, when to report, and how to report incidents involving Sensitive Data of ANY kind

WE CAN MAKE A DIFFERENCE!


WHAT IS SENSITIVE DATA?

For the purposes of all Organizational policies, procedures, work instructions, and other business activities, Corporate Sensitive Data (sensitive data) is defined as any means of communication, electronic data or physical representation* regarding:
• Adverse impact on employee health and safety.
• Security, confidentiality, and integrity of proprietary information.
• Security, confidentiality, and integrity of any Covered Defense Information (CDI) including Controlled Technical Information (CTI).
• Security, confidentiality, and integrity of any category or type of Controlled Unclassified Information (CUI), including Export Controlled (EXPT) data, documents, or parts (Defense articles or EAR commodities).
• Customer confidential and proprietary information, drawings, or parts*.
• The organization's operations and financial performance.
WHAT IS SENSITIVE DATA?

ANY FORM of data required to be safeguarded and maintained in confidence by Federal, State, regulatory, statutory, or by any contractual obligation between the organization and its customers, outside processes, partners, and vendors.

[Graphic: CUI cover sheet reading "Contains CUI//SP-Export Controlled (EXPT) information [ITAR]"]

Covered Defense Information (CDI)**:
• CUI//SP-Controlled Technical Information (CTI)
• CUI//SP-Export Controlled information (EXPT), “ITAR Controlled information”
US GOVERNMENT REQUIRES SAFEGUARDING OF
CERTAIN DATA, DOCUMENTS, & PARTS

• US Government policy mandates, and our contracts obligate us to meet, the compliance requirements regarding Controlled Unclassified Information (CUI)
• Defense Federal Acquisition Regulation Supplement (DFARS)
• Code of Federal Regulations (32/48 CFR)
• International Traffic in Arms Regulations (ITAR)

Safeguard What Type of Information?


• “Controlled Unclassified Information” (CUI): Information for which the US government requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.
• NIST Special Publication 800-171: Details the information technology, cybersecurity, and
reporting requirements for contractor and supplier networks handling CUI. The primary goal of
NIST 800-171 is to protect the confidentiality of this information and to reduce the risk of
disclosure, compromise, and data breaches involving CUI.
CUI Requirements Impact These Major Areas

• IT Networks & Devices
• Business Areas & Workflows
• Policies & Procedures
• Work Instructions
• CUI Data & Document Controls
• CUI Part Controls
• Physical Security
• Employee Responsibilities & Training
• Supplier/Outside Processor Compliance
WHY IS NIST 800-171 COMPLIANCE REQUIRED?

• It’s the law. Enforced by civil and criminal penalties.
• DFARS requires it. Enforced by contractual and civil penalties.
• Prime contractors are required to be compliant and they are responsible to make sure all their subcontractors are compliant. Enforced by contractual penalties.
• All companies handling CUI in the supply chain MUST comply with this law; CUI cannot be legally shared with non-compliant people or organizations.

Example of Customer Requirements for documents, data, and parts

If a company in YOUR supply chain is not compliant, they cannot receive this CUI data, documents, drawings, etc.
WHO IS AUTHORIZED TO ACCESS CORPORATE
SENSITIVE DATA?

All employees of the organization are responsible to ensure that only authorized personnel may gain access to Corporate Sensitive Data, Company IT Network(s) and authorized devices.

A person must be:
• Eligible: MUST BE DETERMINED TO BE A US PERSON
• Authorized to access the Sensitive Data as part of job duties
• Must sign an NDA prior to accessing any sensitive data
• Must be trained on the risks, responsibilities, and reporting requirements

[Graphic: ELIGIBLE / AUTHORIZED / QUALIFIED / TRAINED – ARE YOU?]
A person must meet these requirements prior to being granted access to the organization's facilities, documents, Corporate Sensitive Data in any form, and Company IT Network(s) and devices of any kind.
WHAT IS EXPORT CONTROLLED INFORMATION?

What is Export Controlled information (EXPT)? A category of CUI concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. This includes dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.
WHAT IS EXPORT CONTROLLED INFORMATION?

Export-controlled information (commodities and defense articles) includes any INFORMATION, MATERIALS, or PARTS that cannot be released to foreign nationals or representatives of a foreign entity without first obtaining approval or license from:
• Department of State: Items controlled by the International Traffic in Arms Regulations (ITAR)
• Department of Commerce: Items controlled by the Export Administration Regulations (EAR)

• Export-Controlled information MUST BE controlled and safeguarded as sensitive information.
• KNOW THE LEGAL REQUIREMENTS --> Properly marked
WHAT IS CONTROLLED TECHNICAL INFORMATION (CTI)?

Controlled Technical Information: A category of CUI, the term means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

[Graphic: CUI cover sheet reading "Contains CUI//SP-Controlled Technical Information (CTI)"]

• The term does not include information that is lawfully publicly available without restrictions.

What is Technical Information?


"Technical Information" includes research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

[Graphic: CUI//SP-EXPT marking]
SAFEGUARD – CUI PARTS

Safeguarding & Restricting Access to Customer Parts

• Customer parts should be secured, controlled, and restricted to access ONLY by authorized personnel
• ONLY eligible, qualified, authorized, and trained personnel should be in possession of CUI parts
• CUI parts will only be closely OBSERVED, HANDLED, or RECEIVED by AUTHORIZED personnel
• DO NOT ALLOW RESTRICTED VISITORS or UNAUTHORIZED PERSONS to access customer parts, data, or documents

Insert a picture of a Customer part (blurred picture) as an example of a CUI part
CHECK ON LEARNING: GIVE SOME EXAMPLES OF
SENSITIVE DATA?

Examples of Corporate Sensitive Data

• Export Control (EXPT) information (ITAR/EAR)
• DoD Covered Defense Information: includes Controlled Technical Information (CTI) and Export Control information (EXPT)
• Customer’s Proprietary and Confidential Data, Parts, and other types of technical data
• Certain Company Operations and Employee Data, Financial Data, Health and Safety

Protected by Organizational Policies, Procedures, and NIST 800-171 Controls


HOW DO WE MEET & SUSTAIN REQUIREMENTS?
Path to CUI Compliance

• Governance: Implementation and enforcement of the CUI Program, Policies, and Procedures
• Policy & Guidance: CUI is safeguarded, controlled, marked, and shared consistent with CFR, Policy, and Guidance
• Training: Affected personnel receive baseline training that incorporates the essentials of the CUI program and any specific needs
• Technology: Security controls, devices, and monitoring of CUI are enforced by Authorized Users/Employees as established in Company IT Policies
• Accountability: Company Employees, Suppliers, & Contractors are held accountable by management with oversight responsibilities
• Sustainment: Company meets requirements, develops a sustainable CUI compliance program, and implements effective risk management practices and best practices
CHECK ON LEARNING: IDENTIFY TYPES OF CUI
YOU MAY ENCOUNTER?

Company Workflow Impacted by CUI

[Diagram of the workflow areas that handle CUI: Sales & Quoting, Planning, Receiving, Processing, Masking, Outside Processors, NDT, Cert & Shipping, Archiving, MSS & Workflow Software, IT Infrastructure, IT Support & Security, Data, Document & Part Management, Human Resources, Audit Monitoring & Record keeping]
SAFEGUARDING ACCESS IS CRITICAL

Controlling Access to Company Facilities, Sensitive Data, Network & Devices.

WHO IS THAT? Must Determine Visitor Status. Conduct Denied Party Screening.

Employees must challenge unknown persons, confirm their status, and appropriately restrict their movements.

[Diagram: ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices. Current or Future Employee (US Person): ✅ Qualified ✅ Authorized ✅ Trained. Authorized Visitor (US Person): May be Escorted. Authorized Visitor (Foreign Person): ✅ MUST be Escorted.]

VISITOR ACCESS CONTROL IS CRITICAL

Controlling Access to Company Facilities, Sensitive Data, Network & Devices.

WHO IS THAT? Must Determine Visitor Status. Conduct Denied Party Screening.

Employees must challenge unknown persons, confirm their status, and appropriately restrict their movements.

ALL Visitors must provide the following information:
• Date/Time of Visit
• Complete Name
• Signature
• Citizenship - U.S. person or specific foreign citizenship
• Company or other affiliation, if applicable, including address with minimum of city/state and/or country if not U.S.
• Company Employee to be Visited (if Foreign Person visitor, this would be the assigned escort – see below)
• Time of Departure (to be completed by visitor, visitor escort, receptionist, or other employee monitoring reception area)

[Diagram: ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices. Authorized Visitor (US Person): May be Escorted. Authorized Visitor (Foreign Person): ✅ MUST be Escorted.]
FOREIGN TRAVEL & SENSITIVE DATA

Export Controlled (EXPT) information & Foreign Travel.

It is illegal to transport sensitive technical data across international borders without the written permission of the U.S. Government. Failure to properly license hand-carried technical data (in hardcopy or in electronic format) can result in criminal and civil charges.

[Diagram: Foreign Travel. ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices. US Person, Specifically Authorized w/Export Controlled Information: ✅ Briefed on Security & Export Control Restrictions, 🛡 Devices Configured w/Special Security Controls, ⚠️ EXPT. US Person, Not Authorized: ✅ Briefed on Security & Export Control Restrictions, ⛔️ No EXPT information, ⛔️ No CUI on any Devices, CLEAN.]
VISITOR ACCESS CONTROL IS CRITICAL

Controlling Access to Company Facilities, Sensitive Data, Network & Devices.

ALL VISITORS MUST BE CONTROLLED. Must Determine Visitor Status. Conduct Denied Party Screening.

Foreign person visitors must be RESTRICTED.

Company Escorts must:
• Be US persons
• Be Trained on:
  ✅ Export Control regulations
  ✅ CUI requirements
  ✅ Tech Control Plan, and sign the acknowledgement
✅ Ensure an NDA is signed by the visitor
✅ Maintain positive control of visitors at all times
✅ Restrict the movement of foreign person visitors
✅ Brief the visitor on limitations and restrictions.
✅ Report any violations, inadvertent disclosure, or compromise
✅ Direct questions to the FSO or ECO
✅ Sign the visitor in and out.

[Diagram: ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices. Authorized Visitor (US Person): May be Escorted. Authorized Visitor (Foreign Person): ✅ MUST be Escorted.]
HANDLING, MARKING, & SHARING CUI

• Handling is any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
• Unmarked CUI. Treat unmarked information that qualifies as CUI as described in the Order, §2002.8(c), and the CUI Registry.
• Marking. Prior to sharing CUI, the organization's authorized employees must label CUI according to marking guidance issued in the CUI Registry, and must include any specific markings required by law, regulation, or Government-wide policy.
• Sharing. Only approved methods may be used to share CUI documents or data with ANYONE.
HANDLING, MARKING, & SHARING CUI

• Reasonable Expectation Rule. To share CUI with any person or organization, the authorized employee MUST have a REASONABLE EXPECTATION that all intended recipients are authorized to receive the CUI and have a basic understanding of how to handle it.
• The intended recipients must also be compliant with NIST 800-171 requirements.
• Unauthorized Disclosure occurs when an authorized holder of CUI intentionally or unintentionally discloses CUI without a lawful Government purpose, in violation of restrictions imposed by safeguarding or dissemination controls, or contrary to limited dissemination controls. ANY UNAUTHORIZED DISCLOSURE SHOULD BE REPORTED IMMEDIATELY.
EXERCISE: Is it CTI or EXPT (ITAR/EAR)?

Use the Run Rules to determine the proper CUI category and marking for 5 example documents and items.

Run Rules: Determining CUI for Data & Documents

• Does the document include technical data on the part? See Definition for Technical Data.
• Does the document specifically include Distribution Restriction statements or stamps?
• Does the document contain words like “CONTROLLED”, “ITAR RESTRICTED”, “DISTRIBUTION RESTRICTION”?
• Is the document from a known contractor or project with space and military applications?
• Is the information publicly available?
• Does it meet the definition of Controlled Technical Information or ITAR controlled information even if it has no markings or indications? See Definitions.
• Per the CFR, if the document meets the definition of CUI, it must be treated like CUI…
Identify CUI data in the Sales & Workflow?

WHAT YOU NEED TO KNOW

⚠️ Are they CTI or EXPT?
⚠️ How are they marked?
⚠️ How are they shared?
⚠️ How are they protected?
⚠️ How are they stored?
⚠️ How are they destroyed?
⚠️ Who do I ask for help?
⚠️ How do I report incidents?

Insert an example of company specific CUI//SP-Controlled Technical Information (CTI) document in place of the example below.
IDENTIFY CUI DATA IN THE SALES & WORKFLOW?

WHAT YOU NEED TO KNOW

⚠️ Are they CTI or EXPT?
⚠️ How are they marked?
⚠️ How are they shared?
⚠️ How are they protected?
⚠️ How are they stored?
⚠️ How are they destroyed?
⚠️ Who do I ask for help?
⚠️ How do I report incidents?

Insert a sanitized example of customer’s CUI//SP-EXPORT CONTROLLED document. It has distribution restrictions AND the customer’s ITAR marking.
RUN RULES: DETERMINING CUI//SP-EXPT CONTROLLED PARTS

WHAT YOU NEED TO KNOW

⚠️ Are they CTI or EXPT?
⚠️ How are they marked?
⚠️ How are they shared?
⚠️ How are they protected?
⚠️ How are they stored?
⚠️ How are they destroyed?
⚠️ Who do I ask for help?
⚠️ How do I report incidents?

Please insert a sanitized example photo of a company held Export Controlled Part
DETERMINING CUI DATA: KEY POINTS

• Not marked, but information indicates military or space applications.
• From DoD Military Program & Contractor
• Information about specific end use products that are ITAR restricted
• Document meets the definitions for CUI, regardless of whether it is marked correctly.
• Must be treated like CUI

Insert a sanitized example of an unmarked company document that is CUI
EXERCISE: IS IT CTI OR EXPT (ITAR/EAR)?

Use the QRG to determine the proper CUI category and marking for 5 sanitized example documents and items.

Insert Example 1 | Insert Example 2 | Insert Example 3 | Insert Example 4 | Insert Example 5

⚠️ Are they CTI or EXPT?
⚠️ How are they marked?
⚠️ How are they shared?
⚠️ How are they protected?
⚠️ How are they stored?
⚠️ How are they destroyed?
⚠️ Who do I ask for help?
⚠️ How do I report incidents?
MASKING INSTRUCTIONS & MARKING

Below are sanitized examples of Masking Instructions that MUST BE MARKED and MAY NOT BE MARKED

• Example 1 – MUST BE MARKED: Unmarked Diagram w/Parts, NOT specifically for Military/Space/Aerospace Use; includes Customer Data, Project, Contract, Assembly
• Example 2 – MAY NOT BE MARKED: Unmarked Diagram w/Parts, NOT specifically for Military/Space/Aerospace Use; Redacted
• Example 3 – MUST BE MARKED: Unmarked Diagram w/Parts, SPECIFICALLY for Military/Space/Aerospace Use; Redacted
• Example 4 – MUST STILL BE MARKED: Unmarked Diagram w/Parts, SPECIFICALLY for Military/Space/Aerospace Use; Customer Marked Distribution Restrictions
• Example 5 – MUST STILL BE MARKED: CUSTOMER MARKED RESTRICTED Diagram

⚠️ What CUI details may be excluded?
⚠️ How are they marked?
⚠️ How are they shared?
⚠️ How are they protected?
⚠️ How are they stored?
⚠️ How are they destroyed?
⚠️ Who do I ask for help?
⚠️ How do I report incidents?
MASKING INSTRUCTIONS & MARKING

Below are sanitized examples of Masking Instructions that MUST BE MARKED and MAY NOT BE MARKED

[Graphic: INTERNAL PROJECT #001234 – CLOSE UP PICTURES LACKING SENSITIVE DETAILS]

EXTREME CAUTION: As a General RULE: If a knowledgeable person in the industry LOOKED at the DRAWING, WOULD THEY KNOW THE TYPE OF RESTRICTED ITEM, PART, ASSEMBLY, OR PROJECT WAS IN THE DETAIL? WOULD YOU WANT OUR ENEMIES TO KNOW THIS INFORMATION? HELP ME GET THIS RIGHT!!

Masking Instructions
❌ DO NOT INCLUDE Customer Data
❌ DO NOT INCLUDE Project
❌ DO NOT INCLUDE Contract
❌ DO NOT INCLUDE Assembly

⚠️ What CUI details SHOULD be excluded?
⚠️ Detailed work instructions on redacting and closeup diagrams, with appropriate cautions, MUST BE WRITTEN
⚠️ How are they still CONTROLLED?
⚠️ How are they still limited when shared?
⚠️ How are they still protected?
⚠️ How are they stored when not in use or archived?
⚠️ How are they destroyed after use?
⚠️ Who do I ask for help?
⚠️ How do I report incidents?
MARKING – HEADER

• The primary marking for all CUI here is the CONTROLLED Banner
• Marking. This is the main marking that will be applied in the Header of each page of any document that contains CUI:
  • Mandatory for all documents containing CUI
  • Must be inclusive of all CUI within the document
  • Marking must be the same on every page
  • Must be centered bold capitalized black text stating “CONTROLLED” in the Header of the page.
Template will be provided by management
MARKING – FOOTER

Footer of each Page

This statement must be entered in the Footer of each Company document containing CUI: The information herein is Controlled Unclassified Information (CUI) and is protected under the Privacy Act of 1974, as amended. These files may only be accessed by the organization and U.S. Government Personnel who possess a valid need-to-know. Unauthorized disclosure or misuse of this information may result in criminal and/or civil penalties.
MARKING

Marking – CUI Basic Banner Marking

Many U.S. Government forms and templates either containing or requiring CUI do not currently display the mandatory markings. Considering companies are held accountable for unmarked CUI, it is encouraged to mark all potential documents that could contain CUI as a precaution.

Warning – This document may contain CUI. Disseminate in accordance with DOD directives.

Marking – CUI Basic Banner Marking

CUI Specified – Protected information that also requires one or more specific handling standards for that information. It would be marked CONTROLLED //SP-XXX to indicate to the reader that there will be special handling instructions for one or more CUI within the document.

Banner markings for ITAR controlled documents: CUI//SP-Export Controlled or CUI//SP-EXPT
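The header banner, footer statement and page-to-page consistency rules above can be checked mechanically when a document is produced or reviewed. The following Python is an added example, not part of this training deck or any company template: the Page structure, check_document() and the expected_sp parameter (the SP category the Run Rules determined the document holds) are assumptions, and plain text can only verify the wording of the marking, not the centered bold black formatting.

```python
import re
from dataclasses import dataclass, field

# Banner forms described on the slide: the plain CONTROLLED banner for CUI Basic, and
# "CONTROLLED //SP-XXX" or "CUI//SP-XXX" for CUI Specified (SP-EXPT and SP-CTI on this deck).
# Upper-case only: the marking must be capitalized, so "Controlled" is rejected.
BANNER_RE = re.compile(r"^(CONTROLLED|CUI)\s*(//SP-([A-Z]+))?$")

# Opening words of the footer statement the deck requires on every page of a company CUI document.
FOOTER_STATEMENT = "The information herein is Controlled Unclassified Information (CUI)"


@dataclass
class Page:
    """One page of a document as plain text (assumed structure: header, body, footer)."""
    header: str
    body: str
    footer: str


@dataclass
class MarkingReport:
    sp_categories: set = field(default_factory=set)   # SP categories seen in banners
    problems: list = field(default_factory=list)      # human-readable findings

    @property
    def compliant(self) -> bool:
        return not self.problems


def parse_banner(header: str):
    """Return (base, sp_category) for a valid banner line, or None if it is not one."""
    m = BANNER_RE.match(header.strip())
    if m is None:
        return None
    return m.group(1), m.group(3)


def check_document(pages, expected_sp=None):
    """Check header banner, footer statement and page-to-page consistency.

    expected_sp (assumption): the SP category the Run Rules determined the document
    holds, e.g. "EXPT"; the banner must then be inclusive of it.
    """
    report = MarkingReport()
    banners = []
    for num, page in enumerate(pages, start=1):
        if FOOTER_STATEMENT not in page.footer:
            report.problems.append(f"page {num}: required CUI footer statement missing")
        parsed = parse_banner(page.header)
        if parsed is None:
            report.problems.append(f"page {num}: header is not a CONTROLLED banner: {page.header!r}")
            continue
        _base, sp = parsed
        banners.append(page.header.strip())
        if sp:
            report.sp_categories.add(sp)
    # Marking must be the same on every page
    if len(set(banners)) > 1:
        report.problems.append(f"banner differs across pages: {sorted(set(banners))}")
    # Banner must be inclusive of all CUI in the document
    if expected_sp and expected_sp not in report.sp_categories:
        report.problems.append(
            f"document holds {expected_sp} content but no banner carries //SP-{expected_sp}")
    return report


# Constructed sample documents (not real company data).
GOOD_DRAWING = [
    Page("CUI//SP-EXPT", "Sheet 1 of 2 - constructed drawing text", FOOTER_STATEMENT + " and is protected ..."),
    Page("CUI//SP-EXPT", "Sheet 2 of 2 - constructed drawing text", FOOTER_STATEMENT + " and is protected ..."),
]
BAD_REPORT = [
    Page("CONTROLLED", "page 1 text", FOOTER_STATEMENT + " ..."),
    Page("Controlled", "page 2 text", ""),   # wrong case on the banner, footer missing
]

if __name__ == "__main__":
    for name, doc in (("good drawing", GOOD_DRAWING), ("bad report", BAD_REPORT)):
        r = check_document(doc, expected_sp="EXPT")
        print(name, "compliant" if r.compliant else "NOT compliant")
        for p in r.problems:
            print("  -", p)
```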
MARKING – CUI COVER SHEET

• Personnel should ALWAYS use this CUI Cover Sheet when possible for physical documents containing CUI, on the front and back of each document.
• Always use this Cover Sheet for each Non-digital file, or banner markings when the digital document contains CUI data, images, or other technical data, on the front of the package.

[Graphic: CUI cover sheet reading "Contains CUI//SP-Export Controlled (EXPT) information [Type-ITAR]", with CUI//SP-EXPT banner]
PROTECT: PHYSICAL SECURITY

• Rooms where CUI is routinely used are marked
• Cubicles should have privacy screens
• Computers should be marked with “Controlled” and “Company Name”
• Non-digital media disposal containers and media Storage spaces should be labeled and locked
• Shipping and Mailing
  • Address packages that contain CUI for delivery only to a specific recipient
  • Do not put CUI markings on the outside of an envelope or package for mailing/shipping
  • Use in-transit automated tracking and accounting tools where possible
  • Employees responsible for receiving or sending mail must be individually trained on how to handle CUI and report misuse
CUI SAFEGUARDING BASICS REVIEW

• Safeguard the US Government's technical data, documents, & parts from:
  • PREVENT unauthorized disclosure or compromise
  • Determine the CUI data, documents, and parts requiring protection
  • Properly mark and control the flow
  • Restrict sharing to those US PERSONS, AUTHORIZED, QUALIFIED, and TRAINED
  • Ensure controls and security requirements are established, enforced, and EFFECTIVE
  • Monitor, maintain records, and audit controls and processes
  • Train personnel on Policies, Requirements, and MQS Work Instructions
  • Report potential or actual compromise
REPORTING INCIDENTS

• Company Sensitive Data of ANY KIND is POTENTIALLY AT RISK TO BE COMPROMISED, STOLEN, LOST, OR UNKNOWN
• TELL YOUR SUPERVISOR
• AND REPORT THE DETAILS
• URGENT HELP DESK TICKET LINK
• CONTACT YOUR INFOSEC OFFICER NAME, CELL
• CONTACT QUALITY MANAGER NAME, CELL
• CONTACT SITE EXPORT CONTROL OFFICER NAME, CELL
• Restrict sharing details WITH ONLY AUTHORIZED PERSONNEL

[Graphic: ⛔️ Facilities, ⛔️ Sensitive Data, ⛔️ Network & Devices]
CYBERSECURITY TRAINING

✅ Areas & Devices
✅ Awareness
✅ Insider Threat
✅ Key Policies

CYBERSECURITY AWARENESS TRAINING

YOU CAN MAKE A DIFFERENCE!

SAFEGUARD – SECURE NETWORK EQUIPMENT CONTAINING CUI

• Keep the server room locked.
• Each administrator will have their own passcode to access the server room.
• Lock rooms that contain electrical conduits.
• IT accessories such as diagnostic equipment, software boxes, laptops, or backup network components will be stored in a locked area.
• All digital devices containing CUI will be password protected and encrypted.
• All printers that produce CUI will be placed in a secured location away from unauthorized personnel.

[Graphic: Server Room]
CYBERSECURITY AWARENESS – SENSITIVE DATA STORAGE
(Controlling the Flow of CUI)

• Sensitive Data includes many different types (See Sensitive Data Policy)
  • Contractor’s proprietary data
  • Controlled Unclassified Information (CUI)
  • Controlled Technical Information (CTI)
  • Other types of Sensitive Data not previously covered in this training that may include:
    • Employee PII (Personally Identifiable Information): Social Security Number, address, etc.
    • Employer Financial Records (Payroll Information)
CYBERSECURITY AWARENESS – SENSITIVE DATA STORAGE
(Controlling the Flow of CUI)

• Properly mark all sensitive information
• Store all sensitive information in properly approved LOCATIONS on the organization's secured networks
• Follow all disposal policies
• Follow all DoD, DFARS and NIST requirements for safeguarding CUI
• Only transmit CUI to people and organizations YOU know to be compliant
• CUI must be ENCRYPTED during digital storage and when emailed
CYBERSECURITY AWARENESS – SENSITIVE DATA STORAGE
(Controlling the Flow of CUI)

• SALES
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• OPERATIONS
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• RECEIVING
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• NDT
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• PLANNING
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:

[Graphic: shredder particle size – 1mm x 5mm or smaller]
CYBERSECURITY AWARENESS – SENSITIVE DATA STORAGE
(Controlling the Flow of CUI)

• SHIPPING
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• QUALITY
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
• EXPORT CONTROL
  • STORES CUI DATA HERE:
  • STORES PHYSICAL DOCUMENTS HERE:
  • DESTROYS CUI DOCUMENTS HERE:
CYBERSECURITY AWARENESS – EMAILING
SENSITIVE INFORMATION

• ENCRYPTED EMAIL PROCEDURE: Describe Procedure
  • SUBJECT: XXXXXXX EMAIL INCLUDES CUI DOCUMENTS
  • BODY of EMAIL
  • ITAR STATEMENT (If Appropriate)
• Only transmit CUI to people and organizations YOU know to be compliant
• CUI MUST BE encrypted at rest ON EVERY DEVICE and when emailed
SAFEGUARD – Clear Desk Workstation

• BE AWARE of “Shoulder Surfers” while working on CUI.
• Prior to leaving YOUR workstation personnel will:
  • Lock YOUR screen
  • Lock up any portable digital devices
  • Lock up any Non-digital CUI items
• Screen timeouts should be set at 10 minutes or less.
• If the workstation is shared, before leaving:
  • Close all programs on the workstation
  • Log out of everything
  • Lock away all CUI (Digital and Non-Digital)

❌ DO NOT LEAVE written passwords
SAFEGUARD - DESK AND SCREEN POLICY

• Computer workstations must be shut completely down at the end of the workday.
• Keys used for access to documents or devices containing Company Sensitive information must be controlled with a written procedure and not accessible to unauthorized personnel.
• Whiteboards containing Restricted and/or Sensitive information will be erased after use and will not be directly observable to unauthorized personnel/visitors.
• Customer parts, whether proprietary or export controlled, must be secure and controlled in designated work areas and restricted from access by unauthorized individuals during employees' daily activities.

❌ DO NOT LEAVE ⛔️ CUI Documents ⛔️ Customer Parts
EMPLOYEE ACKNOWLEDGEMENT

You are accessing a “Company” IT System that is provided for “Company” use only. This system contains Controlled Unclassified Information (CUI). I acknowledge that failure to abide by these terms and the other parts of the user agreement may result in revoked or suspended access privileges.
HANDLE – DIGITAL MEDIA

• If you need a CD, flash drive, or external hard drive, YOU MUST check it out from the media library.
• Always keep checked out digital media devices in your presence or locked in your desk/office.
• You cannot take digital media devices from a company facility without permission.
• Unattended portable devices must always be locked inside a secure container.
• All portable media devices MUST BE labeled and encrypted.
MARKING – ELECTRONIC MEDIA STORING OR
PROCESSING CUI

• Media such as USB sticks, hard drives, and CD ROMs must be marked to alert holders to the presence of CUI stored on the device
• As space may be limited, at a minimum, mark media with the CUI Control Marking and the designating agency
• Desktop computers that contain CUI will be marked
• If you discover items not properly marked, ask your supervisor and submit a help desk ticket

[Graphic: CUI//SP-EXPT marking labels]

YOU CAN MAKE A DIFFERENCE!


SAFEGUARD - DESK AND SCREEN POLICY

• Digital Media devices (CDs, flash drives, external hard drives, etc.) are kept in a locked Media Library
• Only Company authorized and issued digital media shall be used in the workplace
• Personnel are not allowed to possess or use their own removable digital media device
• Company digital media devices should not be taken off premises without authorization
• All digital media will be locked away when personnel leave their workstation.

✅ Properly Mark Storage Devices
❌ DO NOT LEAVE storage devices or passwords on ANY workstation

YOU CAN MAKE A DIFFERENCE!


HANDLE – NON-DIGITAL MEDIA

• If you print CUI, remove it from the printer immediately
• All non-digital CUI should have a cover sheet on it
• All non-digital CUI should be locked away when you leave your workstation
DESTROY – DIGITAL MEDIA

• Digital media cannot just be thrown away if it breaks. It must be “Sanitized” by IT personnel. Sanitization makes it:
  • Unreadable
  • Indecipherable
  • Unrecoverable
• Sanitization techniques include:
  • Clearing
  • Purging
  • Cryptographic erase
  • Destruction
• Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices.
• The company determines the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization.
• You can find very detailed destruction methods by device in the Media Protection Policy (CUI-IT-VST-XXX) Appendix C
DESTROY – NON-DIGITAL MEDIA

• An example of a way to sanitize non-digital media would be to remove the Appendix of a document containing CUI, making it an otherwise clean document.
• In the event a printed document contains CUI, dispose of it in the provided locking trash bin for later destruction.
• Destroy paper using crosscut shredders which produce particles that are 1 mm x 5 mm (0.04 in. x 0.2 in.) in size (or smaller) or pulverize/disintegrate paper materials using disintegrator devices equipped with a 3/32 in. (2.4 mm) security screen.
• Destroy microforms (microfilm, microfiche, or other reduced image photo negatives) by burning.
• Notes: When material is burned, residue must be reduced to white ash.

1 mm x 5 mm or smaller
CYBERSECURITY AWARENESS – MALICIOUS CODE

• Malicious code is a program that installs itself without the user’s knowledge
• Malicious code can:
  • Corrupt files
  • Erase your hard drive
  • Allow hackers access to your device and network
• To avoid downloading malicious code, avoid the following:
  • Website links. Be careful allowing cookies.
  • DO NOT SAVE passwords in your browser
  • Graphics or links in email messages
  • DO NOT USE Advertising Popups EVER!
  • An email from someone you know or don’t know: THINK before you click
  • DO NOT FORWARD a suspicious email to anyone -> Send a screenshot on a help desk ticket
CYBERSECURITY AWARENESS – MALICIOUS CODE

• Websites that encrypt data will start with “HTTPS” and not just HTTP.
• Report any suspicious issues or computer problems involving the issues above using an URGENT help desk ticket. Report it to your supervisor and peers on common workstations.
CYBERSECURITY AWARENESS – PHISHING ATTACKS

• Phishing Attacks – Criminal activity employing social-engineering tactics to steal passwords, sensitive information, money, or your identity. Phishing attacks begin with an email that disguises itself as coming from a source like a bank, credit card company, or an ecommerce site. The language is crafted to generate fear or excitement and make you click through to a fake website and give up critical information. These attacks are not aimed at a specific person but at a group (i.e. Bank of America customers).
• The Lure – Click on the provided link (looks like your bank). Your corporate credit card has an issue that needs to be resolved right now!
• The Hook – The website looks and feels real and they trick you into giving out your username and password
• The Catch – They use the information provided to gain access to your computer and steal your company’s data using your account
CYBERSECURITY AWARENESS – PHISHING ATTACKS

• Spear Phishing attack – The same thing as Phishing, but it is specifically targeted at a small group or one individual for financial gain, trade secrets, or national security information
• Whaling Attack – A spear phishing attempt that targets Senior Executives/Leadership

STOP, THINK, before you CLICK

YOU CAN MAKE A DIFFERENCE!
CYBERSECURITY AWARENESS - SPILLAGE

• Be careful of “Spillage”, which is CUI that is moved to an unsecure area or computer either intentionally or unintentionally
• An example of spillage is CUI that has been released as commonly known information and disseminated without authorization
• Be aware of all markings on documents and of potential CUI that has not been marked at all! When in doubt, ask and mark it!
• DO NOT send CUI data to ANYONE unless you have a reasonable assurance that they are compliant and will safeguard the data properly
• Label all files, removable media, and subject headers with appropriate classification markings
• Make sure you are ALWAYS WORKING on the organization's secured network or through the VPN
• Report any SPILLAGE IMMEDIATELY to YOUR SUPERVISOR and submit an URGENT help desk ticket
INSIDER THREAT

• An insider threat is a person who uses authorized access, wittingly or unwittingly, to harm an organization or company through unauthorized disclosure, data modification, espionage (government or corporate), terrorism, or kinetic actions (bodily or infrastructure harm) resulting in loss of resources or capability
• Insiders do extraordinary damage to their organizations by taking advantage of trusted status to access the organization's information system or sensitive documents
• LOOK FOR WARNING SIGNS
  • Show behavior indicating security concerns (80%)
  • Experiencing a life crisis (25%)
INSIDER THREAT

• Organizations protect against this behavior by:
  • User activity monitoring
  • Workplace reporting
  • Referring individuals to counseling
  • Requiring training on protocols
  • Organization-wide protocols designed to secure information, resources, and personnel.
• PEOPLE MATTER MOST: GET TO KNOW YOUR EMPLOYEES
• Acknowledge difficult life circumstances. DO NOT IGNORE WARNING SIGNS:
  • Divorce or death of significant other
  • Alcohol or substance misuse
  • Untreated mental health issues
  • Financial difficulties
INSIDER THREAT

• PEOPLE MATTER MOST: GET TO KNOW YOUR EMPLOYEES
• DO NOT IGNORE WARNING SIGNS:
  • Extreme, persistent interpersonal difficulties
  • Hostile behavior
  • Criminal behavior
  • Unexplained or sudden wealth
  • Unreported foreign contact or travel
  • Inappropriate, unusual, or excessive interest in sensitive information
  • Mishandling of Controlled Unclassified Information
INSIDER THREAT

• Be alert and report any suspicious activity or behavior to your supervisor
• To avoid being targeted by people trying to take advantage during difficult times:
  • Remove your security badge after leaving work
  • Don’t talk about your work outside of work unless it is a specifically designed public meeting and is a controlled environment
  • Even inside a closed work environment, be careful about discussing your sensitive job functions
  • Avoid activities that may compromise situational awareness
  • Be aware that people could be listening when retrieving messages from any form of media device
VULNERABILITY – SOCIAL NETWORKING

• Social Networking trades certain parts of your identity in order to connect within groups.
• Combining these pieces of information can create a complete picture of your location, habits, and routine.
• Any information you post can help you be targeted as an employee of a Department of Defense Contractor whom they may see as a target to gain information.
• Set your privacy settings to friends only and be careful that you don’t accept friend requests from people you don’t know.
• Be careful when posting on social media with @ symbols. “@Joes Gym” or “Heading to Seattle for the weekend with @JohnSmith” can let people track your activity for malicious reasons. Photos posted using a smart phone are embedded with Latitude and Longitude data.
• Many applications are free to play their games because the data they get from you accepting their terms is where the value resides for them. You give them access to most of your device in many cases.
VULNERABILITIES – TRAVEL

• Do NOT connect laptops to hotel internet connections. If you are directed to a login page before you can connect by VPN, the risk of malware or data compromise is substantially increased
• When traveling with a mobile device, including a laptop or cell phone:
  • Fake Wifi access points may be used for deception (“Airport Wifi” or “coffee shop Wifi”).
  • Information sent over unsecured public wi-fi connections may be exposed to theft, and the device may be exposed to malware
VULNERABILITIES – TRAVEL

• FOREIGN TRAVEL overseas with a mobile device:
  • Do not travel with company mobile devices unless AUTHORIZED
  • DO NOT TAKE DEVICES WITH STORED CUI DATA
  • DO NOT TAKE DEVICES WITH STORED CUI DATA THAT IS EXPORT CONTROLLED UNLESS SPECIFICALLY LICENSED TO THAT PARTICULAR INFORMATION
  • Assume any electronic transmission you make (voice or data) may be monitored
  • Mobile phones carried overseas are often compromised upon exiting the plane
  • Physical security of mobile devices carried overseas is a major issue
  • Maintain positive control of your devices at all times. If not in your possession, it must be locked away out of sight.
  • CUI on the device must be encrypted.
  • You must use Multifactor Authentication (MFA).
  • Keep wireless capability (Bluetooth) turned off when not in use.
POLICY TRAINING

• Access control
• Configuration management
• Sensitive Data
• Password, Identification, and Authentication
• Mobile Device
• Remote Access
• Network Operations and Security Management
• Incident response
• IT Maintenance
• Media protection
• Physical Security
• Risk assessment
• Security Monitoring
• System and communications protection
• System and information integrity
• User Registration and Deregistration
• Encryption
• Clear Desk and Screen
• Controlling the Flow of CUI within the organization's Enterprise IT Network(s).
ABOUT US

Stealth – ISS Group® Inc. (est. 2002) acts as your extended IT, cyber security, risk and compliance team and provides strategic guidance, engineering and audit services, along with technical remediation and security operations. We pride ourselves on the quality and professionalism of our workforce, collaborative relationships with our clients, and our ability to bring you innovative, customized but affordable vendor-agnostic solutions based on your immediate needs while aligning with your business strategy and operations. We add massive value and save you money on staffing a permanent security organization.

We are passionate about protecting companies and agencies from all facets of cyber-crime, protecting your people and company data, reducing your information and financial losses, and protecting your reputation.

Stealth Group consistently delivers trusted, world-class cyber security and IT solutions. By delivering tailored solutions and highly qualified cyber experts, Stealth Group has earned its spot on the Inc. 500 list, a list of America’s top entrepreneurs. We speak the trust in security and go to great lengths to build trust with our customers by professional and high-quality service delivery, and by offering effective, uncomplicated, and economical solutions.
STEALTH GROUP DIMENSIONS OF CYBER
THANK YOU

HQ – ARLINGTON, VIRGINIA
4601 North Fairfax Drive, Suite 1200
Arlington, VA 22203

OFFICE LOCATIONS
Huntsville, Alabama
Las Vegas, Nevada
London, England
Dubai, United Arab Emirates
Bratislava, Slovakia

Stealth-ISS Group® Inc. | www.stealth-iss.com | bizdev@stealth-iss.com

GSA: 47QTCA19D0059 | 132-45 | 132-100 | 132-51 | 70-500
NATO BOA: NC3A/BOA/11688

NAICS Codes: 334614 | 511210 | 517919 | 518210 | 519190 | 541330 | 541511 | 541512 | 541513 | 541519 | 541611 | 541618 | 541690 | 541990 | 561320 | 611420

PSC Codes: D308 | D318 | D399 | D310 | D306 | D316 | D302 | D307 | D324 | D319 | D301 | D303 | D314 | D309 | D325 | D305