Signed Change in Control Agreement Made Easy

Signed change in control agreement

Welcome and thank you all for standing by. All participants will be on a listen-only mode for the duration of today's conference. I would also like to inform parties that the call is being recorded if you have any objections you may disconnect at this time I'll now turn the meeting over to Ms. Christine Beauregard, thank you maam you may begin. And thank you and good morning everybody! Thank you for taking time to join us for our first ever snow day edition of our CDSE Industrial Security Learn at Lunch webinar series. Before we get started please be aware that the video portion of this webinar is also being recorded. Once the red light appears, we will begin. Okay I do see the red light so let's get started Again my name is Christine Beauregard. I am the Industrial Security Curriculum Manager here at CDSE and your host for today's webinar. And since tomorrow is Valentine's day I'd like to take a minute right now to wish you all happy early Valentine's Day Assisting today from our various remote sites are Linda Adams one of our talented Instructional System Designers, and Mr. Steve Raymond an Industrial Security Instructor extraordinaire here at CDSE. Linda will be working behind the scenes to ensure our webinar runs smoothly today, and Steve well Steve's going to be doing what he does best and that is presenting today's webinar, which is Technology Control Plans or TCP under the NISPOM. We want to make sure that everyone can equally participate this morning so we're gonna kick today's webinar off by having Linda lead us to a few basic webinar instructions. Linda! Thank you Chris! Alright for this for those of you who are unfamiliar with our DCO meeting room, let me give you just a quick tour. You'll see in the bottom left hand corner is marked with a green arrow here you'll find a notes box. This lists the call in number and other announcements. If you are disconnected from the audio this number will remain on the screen for your reference. Also on the screen you'll see our notes regarding use of full screen. If you look at the gray banner at the top of your screen you'll find the full screen option there however when the poll questions appear, you have to select full screen again to return to the normal view and responded to the poll. Next slide! Speaking of poll questions,during this webinar we will be popping up some poll questions. You'll be able to select your answer and we'll provide you with some feedback. Next slide! To the right is a Q&A box,a question and answer box for entering in your questions and/or your feedback. Since the participants phones are muted, this is your only way to communicate with us. Below the presentation you will find a file share box. You can download and save the files to your computer to record notes on today's presentation. All you need to do is to click on the file and you'll see the download files button will enable, and you can do only one presentation at a time but you can download either one to your desktop. Okay Chris that's about all the technical part so I'll turn it back to you. Thank you, thank you Linda. Now let's get to what we are all really here for and that is our presentation Technology Control Plans under the NISPOM. and I can't think of anyone better I'd like to turn this over to and lead us through this topic than the one, the only thank goodness Mr. Steve Raymond.Steve are you there and ready for us? I am here and thank you Christine. Good morning everyone and thanks again for joining today's Lunch and Learn or Learn at Lunch. My name is Steve Raymond and I am currently an instructor on the Industrial Security team here at CDSE. Now prior to my coming to CDSE in February of 2009, I was an Industrial Security representative in the Capital Region for over 20 years. As a cleared contractor if you employ foreign nationals, or have foreign nationals assigned who are visiting your facility, you're required to develop and implement procedures to protect classified information, unclassified export controlled information, and other sensitive information that your facility may have in its possession. Now these procedures to protect your information are documented in a Technology Control Plan or TCP. Now throughout today's presentation, there are a few common terms found in the NISPOM you will be hearing. So let's take a minute to review these. The first of these is Foreign National. A Foreign National is any person who is not a citizen or national of the United States. The 2nd is U.S. person. A U.S. person is any person who is a citizen or national of the United States. Now a national of the United States is a person whose only connection to the US is through birth in an outlined possession which as of 2005 is limited to american Samoa's in the Swaines Island,or through descent from a person so born that person acquires US nationality but not US citizenship and for those who are interested Swaines Island is a part of American Samoa. In the final term the Technology Control Plan or TCP simply put TCP is security countermeasure. is developed and implement it they're reasonably preclude the possibility inadvertent accessed by non US citizens to information which they are not authorized access. Now that we have that out the way, let's take a look at what you can expect this morning. Today's webinar will be broken down into three parts or sections. First we're gonna take a look at foreign ownership control or influence or FOCI and a TCP requirement for cleared contractors who are operating under FOCI. Then we will discuss the TCP requirement for cleared contractors employing foreign nationals or having foreign nationals assigned or visiting their facility. And finally, we'll take a look at the contents of a sample TCP. And this brings us to our first poll question: Where can we find in NISPOM requirement for a TCP? Select all that apply, A: NISPOM chapter 2 B: NISPOM Chapter 4, C: NISPOM Chapter 7, D: NISPOM Chapter 8, or E: NISPOM Chapter 10? And I'll give you a few seconds to respond. Ok let's close the poll and see what we have. We have 16% for NISPOM Chapter 2 67% for NISPOM Chapter 4 2% for NISPOM Chapter 8 and 94% for NISPOM Chapter 10. Well the answer is Chapter 2 and Chapter 10. They're the two areas of the NISPOM you will find the requirement to implement a TCP. Very good, let's explore NISPOM Chapter 2. But before we can get into TCP requirements of Chapter 2, it is important that we all understand some FOCI basics. A U.S. company in process for a facility clearance or already cleared, is considered to be under FOCI when a foreign interest has the power, direct or indirect whether or not exercised, to direct or decide matters affecting the management or operations of the U.S. company. For example, if a foreign entity as ownership or effective control over company then that company would be under FOCI. Remember, we start with the premise that a U.S. company found to be under FOCI is ineligible fora facility clearance unless security measures have been put in place in the gate or mitigate the FOCI. The security measures used in the gate or mitigate FOCI are as indicated on the slide, the voting trust agreement, the proxy agreement, the special security agreement, the security control agreement, and a board resolution. The plans you see on the slides are listed from the most restrictive, which would be your voting trust agreement to the least restrictive which is a board resolution. And by restrictive, I mean the amount of control the foreign owner can have in the management of their company that relates to their classified contracts. In the case of minority foreign ownership you can see that the voting trust agreement, the proxy agreement, or special security agreement may be used. And in the case of minority foreign ownership, the security control agreement or the board resolution may be used. Now we're not going to get into the details of these plans today, but you can find those details in NISPOM, Paragraph 2,303, on the DSS website and in the CDSE FSO Toolkit under FOCI. Now on the next slide you have depiction about how the available action plans are used as well as a lair or barrier between foreign owner and U.S. cleared or in-process contractor when the TCP is required. The three red lines represent the action plans which can be utilized for majority ownership, again the voting trust proxy agreement and special security agreement. The two blue lines represent the action plans which can be utilized for minority ownership, the security control agreement and board resolution. Now TCP is required for all of the agreements represented by a solid line, trust agreement, proxy agreement, special security agreement and security control agreement. And the TCP may be required by the board resolution represented by the dotted line on the slide. Now keep in mind that although you see all 5 plans depicted on the slide, only one will actually be used from majority or minority foreign ownership cases. Now that we've spent some time talking about FOCI and FOCI action plan, let's see how you do with our second poll question. How many of you have worked for a company that's operating under a FOCI action plan? If yes please indicate which type of plan your company's operating under. If no, select not applicable A is your voting trust, B: your proxy agreement, C: your special security agreement, D: the security control agreement, E: the board resolution, and F: is not applicable. So we have our numbers coming in and I see 4- proxy agreement 10 under special security agreement 3- under security control agreement 5- under a board resolution, now I'm not surprised to see no one under a voting trust because there hasn't been a voting trust in my memory that DSS has ever had, and that's because as I said earlier the voting trust is the most restrictive type of mitigation agreement that that can be put into place. Now remember, if your company is operating under a voting trust, proxy agreement, special security agreement, or security control agreement, you should already have approved procedures or a TCP in place. Now that we're clear on our FOCI TCP requirements let's take a look at the TCP requirements under NISPOM Chapter 10 Section 5. Specifically NISPOM Paragraph 10-509 states that a TCP is required to control access by foreign nationals assigned to or employed by cleared contractor facilities unless the Cognizant Security Agency which for our discussion today is DSS, determines that procedures already in place at the contractor's facility are adequate. Now keep in mind that this paragraph also states that the TCP must contain procedures to control access to all export controlled information. Remember what a TCP really is. It's simply a security countermeasure that prevent access by unauthorized foreign persons. Now that we understand the two NISPOM TCP requirements, Chapter 2 Chapter 10, let's put it all together by looking at the TCP itself. Now on this slide you can see the sections of the TCP. Section 1 is Scope, Section 2 is Purpose, Section 3 is Background, Section 4 is U.S. person and foreign person, Section 5 Access Controls to foreign nationals, Section 6 Export Control information, Section 7 non disclosure statement and acknowledgement and has attachments in Section 7, Supervisor Responsibilities in Section 8, and employee responsibilities in Section 9. Now to assist you DSS has a sample TCP as available for you to use, and this sample TCP is located in your files share box the bottom of your screen and is also available on the DSS website and in the CDSE FSO toolkit. So now let's take a closer look at each of these sections in our sample TCP. Section 1 or the Scope, now this section identifies the company with the statement that all of the elements contained within the plan apply to the company, and that the disclosure of classified information to a foreign person is considered an export and the proper license or approval is required for that disclosure. Let me repeat that: disclosure of classified information to a foreign person is considered an export and the proper license or approval is required for that disclosure. Number 2 Section 2, the purpose this sections states the purpose of the plan is to explain and inform employees and visitors to the facility the controls that are necessary to ensure that no transferred classified information or controlled unclassified information takes place without proper authorization. Now section T3, excuse me section 3 the background, this section addresses the products and services the company provides. and Section 4, addresses a couple different items. It defines a U.S. person and a U.S. National for the NISPOM and a foreign national. It advises that foreign persons will not be given access to classified material or controlled unclassified information until the proper export license has been approved. Let me repeat that again, a foreign person will not be given access to classified material or controlled unclassified information until the proper export license has been approved. It also details the briefings necessary to be administered to supervisors of foreign persons, and speaks to the foreign person indoctrination. Now Section 5 addresses the controls that will be put into place to prevent access by foreign nationals. Because as good security professionals we know what material in our facility has to be protected and from whom. We're now going to establish the controls that would be put into place to prevent any unauthorized access. On our sample TCP, you can see we have badges, escorts, perhaps even the establishment of segregated work areas. And let's not forget access to our company's information system. Let's suppose that our foreign national employee will be required to get onto the intranet, what's on our intranet, and what accesses will that foreign national require. So let's take a second and talk about some of these. Suppose you facilitate foreign nationals in-house, you may or may not already have a badge system in place, and remember a badge system is not a requirement under the NISPOM. If you have a badge system in place whether or not it used to designate clearance will be a simple process that an additional unique badge to identify the foreign national in the facility. If you have not implemented a badge system, it will be an easy process to create a unique badge for the foreign national to display. Now suppose you add to the foreign national assigned to your facility the recurring business year facility by a foreign national. Now on those occasions you may want to utilize an escort for the visiting visitors. Those escorting would need to be educated regarding their duties and responsibilities in escorting. And you may want to also establish segregated work areas, these would be designated work areas with controlled access. Let's move on to part or Section 6. This identifies what a foreign national can have access to and what can't be accessed. And finally Sections 7,8, and 9. Here we have acknowledged a set address, an inadvertent disclosure, supervisory responsibilities, and employee responsibilities. Section 7 is a non-disclosure them to be signed by the foreign person Section 8 is a statement of responsibilities signed by the supervisor. And section 9 are the employee responsibility for the non disclosure statement and TCP briefing acknowledgement. Pretty simple, right? Remember this sample TCP is available for your use, but make sure that you take the time to review it, and to make any modifications or changes necessary to meet the needs of your facility. Which brings us to the end of my presentation, so let's do a short recap. Remember, a TCP is nothing more than a security countermeasure to prevent unauthorized access by foreign nationals the classified information, controlled unclassified information, and unclassified export controlled information. We reviewed the two NISPOM paragraphs requiring the TCP. NISPOM Paragraph 2-307, NISPOM Paragraph 10-509. Those are the only places in NISPOM we are going to find the TCP address. Now once you know the need to have a TCP, it's important that you know what you have to protect. Then once you know what you need to protect, simply develope the procedures to protect that information. And finally, education is the key to success so make sure everyone in your facility employees, supervisors, foreign national or nationals know what their responsibilities are under your TCP. Well I hope you've found this webinar to be beneficial, we really just scratched the surface but at least you know now have a better idea when a TCP is required and what information is considered in a TCP. That does it for me so to wrap up this webinar let me turne it back to Christine. Thanks Steve! That was a lot of good information and although we only really did scratch the surface I hope that everyone leaves here today with a better understanding of the TCP and the important role it plays in the protection of our national security information are costs like export controlled information, our unclassified export controlled information, and other sensitive information that you may have at your company. And don't forget that sample TCP that Steve just reviewed with you is a great tool for you to use, and the best part is DSS has done the work for you, you just need to review it and modify it to fit the needs of your company's security program. I also urge you all to become familiar with our CDSE FSO toolkit. In addition to the sample TCP we went over today you'll find over 300 other products, references 0:20:55.480,0:20:59.500 resources right at your fingertips all of which can be used and are modified to use in your program. Okay, I think we do have a few minutes Steve for some question so if you would like to answer maybe two questions for us this morning? Sure Christine! We've gotten several questions in over 25 questions that come in but I kinda picked two that are are tied together and I'd like to address, take a few minutes to talk about them. The first one is what information should non safeguarding locations be controlling access to. Classified information is given but guidance on relevant nonclassified information would be helpful. Company managers desire clear requirements and are not always willing to accept an FSO's word? That's an excellent question! A non safeguarding location for purposes of our discussion right now will be a cleared facility without safeguarding capability, a non possessing facility. Now just because a clear facility does not have authority to store classified information, does not mean that the facility does not have information that must be protected and controlled. Let's take a few seconds to think about what information a facility without safeguarding capability would need to protect and control and think outside the box. Let's take say five or six seconds. What I came up with, was unclassified export controlled information a given, controlled unclassified information, PII, personally identifiable information, for official use only (FOUO)information, unclassified information associated with a classified contract that the customer wants to limit access to, business sensitive information, company proprietary information. Now are the requirements to protecting control access to these? What about FOUO what about the unclassified export controlled info, how about unclassified connected to the classified there are, there are. What about business sensitive, and company proprietary material you certainly wouldn't find that address in the NISPOM but you should not have a hard time selling management on the idea that that material should be controlled and protected. The main point I want to emphasize is that you must know what material is in your facility. You must get out into your facility and talk to your people and look at what material they have. Once you determine that, you can determine how you're going to protect it. And the other question was, Would like details related to resident aliens and U.S. persons? Well this takes us back to our definitions. Let's talk about a couple of definitions. What's an alien? Any person not a citizen or national of the United States. What's a resident alien? It's a non-us citizen who has been authorized to live and work in the U.S. indefinitely. They are here under a green card. What about a U.S. person, well we talked earlier about U.S. person under the NISPOM is any person who is a citizen or national of the United States, but there some other definitions out there we have to take into consideration. Now we have not spoken about the ITAR. The ITAR is the International Traffic and Arms regulation. In this publication which is published by Department of State governs the export defense articles in the defense services. The ITAR has its own definition of a U.S. person. The ITAR states that a U.S. person is a person who is a lawful permanent resident of the United States. So now what do we have? Under the NISPOM a permanent resident with the green card is still a foreign national and not a U.S. person. No access to classified import export controlled information gonna take place. Under the ITAR a permanent resident or green card holder can have access to :25:01.299,0:25:05.990 unclassified export controlled information without an export license in place. What does this mean? Let me give you an example. All of you have cleaning crews that come in and clean your facility, empty trash things like that. I would say many of you have them come into your facility after hours, some of them may even come in unescorted. Who is on that cleaning crew, and by that I mean are they all United States citizens, are they permanent residents or green card holders, are they not permanent residence but they may be here on a work visa or student visa, and what is in your facility let's go to take that back to the non possessing facility, not worried about classified information but what information do you have in that facility that has to be protected that you would not want to have people have access to. Just some things to think about. Chris I think we're running out of time so I'm going to hand it back to you. Okay thank you Steve and keep in mind that these questions and answers along with any others that we received but didn't have time to get to today will be posted on our CDSE webinar website under archives. So be sure to look for those in the very near future. Before we go we have one last audience participation activity for you and that's our webinar survey. Your feedback is very important to us and is greatly appreciated so please take a moment to participate and this is a very short survey. Also if there any topics you'd like us to cover at our Learn at Lunch webinar, make sure to include those. Now we want to make sure we continue to provide you element topics each month. The survey may now be available on your screen or it may appear as a new tab on your web browser. While you're doing that I would just like to thank you all again for spending part of your day with us here at CDSE. We know you are all very busy and hope that you find this thirty-minutes out your day well worth your while. And so that you know how to get in touch with us we'll leave you with our contact and resource center information. Our next Learn at Lunch webinar scheduled for Thursday March 13th the topic then will be Potential Espionage Indicators, detecting action outside the norm. Registration for that webinar should be opening soon so don't forget to sign up as you can. And that about does it. Have a great rest of your day and remember don't ever miss an opportunity to Learn at Lunch. And for those of you on the East coast stay warm and we'll see you next time. Bye Bye everyone.