FSO PROS Snippet Category: Information Security

Monthly Newsletter

Foreign Travel, Foreign Considerations, Suspicious Contact, Outside Activities

The United States is the dominant political, economic, and military force in the world. We have power, information, and technology that other countries want, and they will not hesitate to harm or exploit U.S. persons to obtain it.

Every U.S. person is a potential target for exploitation. Our work in the government space means that we are of particular interest to foreign actors. For this reason, we must take extra precautions when interacting with any foreign person(s), foreign entity, foreign business, or foreign organization.

Foreign Travel

U.S. citizens are often targeted while traveling outside the U.S. Even in “safe” countries there are risks, and we must take precautions to ensure safety and awareness when traveling.

Federal contractor facilities and their personnel are subject to foreign travel briefing and reporting requirements as outlined in 32 CFR Part 117, SEAD 3, and certain program specific reporting guidelines. FSOs are required to provide travel safety briefings, country specific briefings, and post-travel debriefing.

For this reason, we recommend that all contractor personnel (employees and consultants) report any travel outside of the United States, both personal and professional, to their company’s FSO at least 30 days prior to departure (whenever possible).

Pre-Travel: Ideally, any travel outside the U.S. should be reported to your FSO at least 30 days prior to your departure. When 30 days’ notice is not possible, the travel should be reported immediately upon booking. For those who live in border areas, unexpected day trips to Mexico and Canada must be reported within 5 days of return.

Post-Travel: Foreign travel debriefing is required. Covered individuals should contact their company’s FSO immediately upon return to complete post-travel debriefing requirements.

Foreign Considerations (Contact, Influence, Interests, Activities, Conflicts of Interest)

Covered individuals are required to self-report any contact with foreign nationals, potential foreign influence, foreign activities or interests, suspicious contact, and any other information pertinent to connections with a foreign country or foreign persons.

Conditions that must be reported include, but may not be limited to:

  • Any contact (through any method including social media) with a foreign family member, business or professional associate, friend, acquaintance, or any other person who is a citizen or resident of a foreign country
  • Any business, financial, or property interests in a foreign country, or in any foreign-owned or foreign-operated business
  • Any unauthorized association with a suspected or known agent, associate, or employee of a foreign intelligence entity
  • Any connection to any foreign person, group, government, or country that could potentially create a perceived conflict of interest

Foreign Preference

When an individual gives preference to a foreign country over the U.S., they are far more vulnerable to exploitation. Conditions that could raise concern, and must be reported, include but are not limited to:

  • Applying for and/or acquiring citizenship in any other country
  • Failure to use a U.S. passport when entering or exiting the U.S.
  • Assuming employment, position, or political office in a foreign government or military organization
  • Any act of expatriation from the U.S.

Suspicious Contact

Suspicious contact is any effort by any individual, regardless of nationality, to obtain illegal or unauthorized access to information or to compromise an individual.

Examples of suspicious contact that must be reported include:

  • Any individual’s efforts, regardless of nationality, to obtain illegal or unauthorized access to sensitive or classified information
  • All contact with known or suspected foreign intelligence operatives
  • Any contact requesting a person to participate in a foreign conference, seminar, tradeshow, etc.
  • Any contact seeking information about your work, job duties, coworkers, etc.

Outside Activities

Involvement in certain types of outside employment or activities could be a security concern if it poses a conflict of interest or if it could increase the risk of unauthorized disclosure of classified or sensitive information.

Some conditions that could raise concern, and must be reported, include:

  • Any employment or service with the government of a foreign country or any foreign nation, organization, or other entity
  • Any employment or service with any foreign, domestic, or international organization engaged in analysis, discussion, or publication of material on intelligence, defense, foreign affairs, or protected technology

Why Reporting is Critical

Full transparency and self-reporting about any foreign considerations are vital. Adjudicators will always view a failure to report as raising the question, “What is this person trying to hide, and why?” If investigators find information on their own before you self-report, the consequences are significantly greater.

All covered individuals must report any foreign travel, foreign considerations, suspicious contact, and outside activities to their company’s FSO.

Resources and Additional Learning

As always, if you have any questions, ask your FSO!

Mental Health Awareness

May is Mental Health Awareness Month! Mental health is a critical part of a person’s overall wellness. According to the CDC, mental illnesses are among the most common health conditions in the United States. Approximately 50% of the population will experience a mental health condition in their lifetime and 1 in 5 Americans are affected by mental illness each year.

During this month of awareness, we would like to spotlight this topic as it pertains to government contractor workforce members and, hopefully, alleviate common concerns about seeking care for your mental wellbeing as a federal contractor.

Destigmatizing Mental Health Care

Mental health care is a positive course of action that often mitigates security concerns. Avoiding care can increase risk and create deeper concern.

In recent years, significant strides have been made within the federal government to destigmatize seeking support. DCSA is working diligently to raise awareness that seeking mental health care and services, on its own, does not affect one’s ability to obtain or hold clearance eligibility and will not impact your national security eligibility.

The Benefits of Mental Health Care and Stress Management Strategies

Some techniques that many find beneficial include:

  • Meditation and Mindfulness techniques
  • Physical exercise
  • Deep breathing exercises
  • Yoga
  • Journaling
  • Positive self-talk
  • Healthy eating and prioritizing sleep
  • Engaging in creative activities like painting, music, writing, etc.
  • Setting healthy boundaries both personally and professionally
  • Seeking professional assistance

Many companies offer Employee Assistance Programs (EAP) or other similar programs to assist their personnel when trouble arises. Don’t be afraid to tap into these resources if you need them.

When Are Mental Health Concerns Reportable

Security Executive Agent Directive 3 (SEAD 3) states you must report any apparent or suspected mental health issues where there is reason to believe they may impact a cleared individual’s ability to protect classified or other information specifically prohibited by law from disclosure.

Examples of reportable conditions include:

  • Declarations of mental incompetence by a court or administrative agency
  • Court-ordered mental health care or evaluation (inpatient or outpatient)
  • Hospitalizations for mental health conditions (voluntary or involuntary)
  • Diagnoses of psychotic disorders, bipolar mood disorders, or certain personality disorders
  • Developing a mental health condition that substantially affects judgment, reliability, or trustworthiness

Will Reporting a Mental Health Concern Affect an Individual’s Clearance?

History dictates that, in most cases, the answer is No. DCSA Adjudications looked at 5.4 million adjudicative actions taken from 2012 to 2020 and found that of 97,000 cases that dealt with psychological-related issues, only 62 were denied or revoked for psychological concerns. This equates to only 0.00115% of total adjudicative actions.

Mitigating circumstances that may ease security concerns include:

  • The person’s condition is controllable with treatment and the person has demonstrated ongoing compliance with a treatment plan
  • The person voluntarily enters a counseling or treatment program
  • The issue was temporary and has since been resolved
  • There is no indication of a current problem

Why Reporting is Critical

Looking back on some of the most devastating security incidents in our Nation’s history, mental health and psychological considerations were prevalent pre-incident indicators. In almost all cases there were indicators but, unfortunately, other people around the individual were simply afraid to report for fear the person would lose their clearance.

REPORTING CAN SAVE LIVES.

If you have any concerns about the mental health of yourself or anyone else, please seek guidance from your company’s Facility Security Officer (FSO). Report all concerns to your company’s FSO.

Resources and Additional Learning

As always, if you have any questions, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements.

Controlled Unclassified Information (CUI)

Bits of information can act like puzzle pieces that an adversary may collect, aggregate, analyze, and exploit to do harm to or gain an advantage over the U.S. Sensitive information can be especially vulnerable to compromise due to its potential for aggregation. As such, it is crucial to have robust safeguards in place to protect this type of information.

What is CUI?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

The CUI program, established by Executive Order 13556 and implemented by 32 CFR part 2002, defines the need for protection of this type of information and establishes requirements for protecting it.

Identifying CUI

Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI. It requires access control, handling, marking, dissemination controls, and other protective measures for safeguarding.

CUI is clustered into organizational indexes (e.g., defense, privacy, proprietary) with associated categories, and is categorized by the DoD according to the specific law, regulation, or government-wide policy requiring control.

The authorized holder of a document or material is responsible for determining, at the time of creation, whether information falls into a CUI category and for applying CUI markings and dissemination instructions accordingly.

The National Archives and Records Administration (NARA) maintains the CUI Registry, which lists the authorities that require or permit safeguarding or dissemination controls for specific types of information.

CUI Responsibilities and Training Requirements

Every individual at every level, including DoD civilians, military personnel, and contractors providing support to the DoD, is required to comply with the requirements in DoDI 5200.48.

The Department of Defense (DoD) has implemented a mandatory CUI training program to educate personnel on the proper handling, protection, and dissemination of CUI. All individuals, both cleared and uncleared, who perform U.S. Government related work could be exposed to CUI and should complete CUI training.

Reporting Requirements

  • If you receive CUI and have not yet completed CUI training, contact your Facility Security Officer (FSO) immediately.
  • When you receive CUI information, documents, or materials, notify your company’s FSO for awareness.
  • If you find CUI that is not properly controlled or stored, you must report this to your company’s FSO.

Resources and Additional Learning

As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!

Reporting Requirements for U.S. Government Contractor Facilities and Personnel

Organizations that perform work on U.S. Government classified contracts are required to report certain incidents, events, information, and behaviors. Reporting is required under a variety of U.S. Government policies. Today we will focus on the most common types of reporting required under 32 CFR Part 117, Security Executive Agent Directive 3 (SEAD 3), and many U.S. Government contractual stipulations.

Do You Have an Obligation to Report?

All cleared facilities and all covered individuals are required to follow the reporting requirements outlined in 32 CFR Part 117, SEAD 3 and ISL2021-02, and all other U.S. Government policies and contractual requirements.

A Covered Individual is any person that:

  • Has been granted eligibility for access to classified information; and/or
  • Occupies a “Sensitive Position”; and/or
  • Is in the process of eligibility determination for access to classified or sensitive information; and/or
  • Occupies a position wherein contractual guidance for reporting requirements has been applied by any U.S. government agency or customer

If you perform work for a cleared facility, you have reporting requirements. If you have any question as to whether reporting requirements pertain to you, contact your organization’s FSO immediately.

What Are You Required to Report?

Security Incidents/Violations/Vulnerabilities: Any known or suspected security incident, violation, infraction, or vulnerability. NOTE: Security violations must be reported within 24 hours of discovery!

Espionage, Sabotage, Terrorism, or Subversive Activities: Any situation related to actual, probable, or possible espionage, sabotage, terrorism, or subversive activities directed at the United States.

Adverse Information: Any information (about yourself or any other covered individual) that could adversely reflect on the integrity, trustworthiness, reliability, or character of an individual, or suggests their ability to safeguard classified or sensitive information may be impaired.

Insider Threat Concerns and Indicators: Any information or behavior that suggests an individual may be, or may become, an insider threat, including indicators of recruitment by a foreign intelligence service, suspicious behavior, or questionable national loyalty.

Suspicious Contact: Any contact by any individual, regardless of nationality, that is of a suspicious nature, including efforts to obtain illegal or unauthorized access to classified information.

Foreign Travel: Travel to any foreign country (including Canada and Mexico). NOTE: Cleared individuals must report ALL foreign travel, both personal and professional.

Foreign Contact and Influence: Close and continuing contact with a foreign national in any capacity, contact with anyone associated with a foreign government or foreign-owned organization, or financial obligations to any foreign national or entity.

Personal Finance & Business Interests: Ownership of foreign state-backed, hosted, or managed cryptocurrency and ownership of cryptocurrency wallets hosted by foreign exchanges.

Change in Personal Status: Name changes, changes in marital or cohabitation status, changes in citizenship, changes in employment status or need for access to classified information.

Cyber Intrusions and Cyber Incidents: Any actual, possible, or potential penetration of information systems, suspicious network activity, unauthorized use of DoD account credentials, or spillage.

DoD Hotline

Your organization’s FSO should always be your first point of contact for all matters. That said, certain types of reports may be made to the Department of Defense Hotline if going to your FSO is not an option.

Examples of matters to report to the DoD Hotline include: fraud, waste, abuse, whistleblower reprisal, bribery, contract and procurement fraud, health care fraud, and COVID-19/CARES Act Fraud.

DoD National Hot Line: Email: dodighotline@dodig.mil | Phone: 1-800-424-9098 | Website: https://www.dodig.mil/Hotline

Resources and Additional Learning

As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!

Security Policies and Procedures for Contractor Facilities

All cleared contractor facilities are required to have written procedures in place that dictate how their facility will implement and maintain a system of security controls within the organization in alignment with the requirements of 32 CFR Part 117 (NISPOM rule) and other U.S. Government laws and policies.

Two written policies that every cleared facility should have are:

  1. A Security Standard Practice Procedures (SPP)
  2. An Insider Threat Program Plan (ITP)

The Security Standard Practice Procedures (SPP)

The Security Standard Practice Procedures (SPP) is a written document that implements requirements for the contractor’s operations and involvement with classified information. Key aspects of an SPP include:

  • Opening Statement: Outlines the purpose of the document and includes a statement of support for the National Industrial Security Program (NISP).
  • Facility Information: States the company’s facility clearance level, classified storage requirements, and outlines security roles within the organization.
  • Personnel Security Clearances: Outlines how personnel clearances for employees and consultants are handled.
  • Reporting Requirements: Outlines reporting requirements for both personnel and the facility, and establishes the necessary processes and procedures all company personnel are required to follow.
  • Security Education: Outlines the training requirements for the organization per U.S. Government and contractual requirements.
  • Self-Inspections: Outlines how the organization will meet self-inspection requirements and the intervals at which the company will perform these inspections.
  • Classified Visits and Meetings: Outlines how classified visits and meetings will be handled.
  • Safeguarding Classified Information: Establishes the organization’s procedures for protecting classified information.

The Insider Threat Program Plan (ITP)

The Insider Threat Program Plan (ITP) is a comprehensive strategy designed to deter, detect, and mitigate potential threats posed by individuals within an organization who have authorized access to sensitive information or systems. Key aspects include:

  • Risk assessment: Identifying critical assets and evaluating the likelihood of an insider threat occurring.
  • Employee screening: Conducting thorough background checks and reference verifications during the hiring process.
  • Access controls: Implementing strong user access management practices, including the least privilege principle.
  • User activity monitoring: Continuously monitoring employee actions on company systems to detect suspicious behavior.
  • Security awareness training: Regularly educating employees about insider threat risks and reporting procedures.
  • Incident response plan: Defining clear steps for investigating and responding to potential insider threats.

Insider Threat Program Plans must also consider balancing privacy concerns, establishing clear reporting mechanisms without fear of retaliation, and promoting a culture of security awareness.

How and Why Is This Relevant to You?

All cleared contractor personnel, both employees and consultants, are required to follow all policies and procedures set forth in company and U.S. Government policies. Your organization is required to make security policy documents available to you and all personnel. If you do not know where to find them, please contact your company’s security team immediately.

If you have any questions or concerns about the security policies within your organization, your FSO and Insider Threat Program Senior Official can certainly assist. You should never hesitate to reach out to your FSO and ITPSO for guidance.

Resources and Additional Learning

As always, if you have any questions about security or reporting requirements, ask your FSO! FSO PROS® is here to help you navigate things to ensure you fulfill all requirements.
