The Special Security Agreement ("SSA")

parakeetconspiracyManagement

Nov 20, 2013

CATC All Hands

December 8, 2010

Solid partners.

Flexible solutions

The Special Security Agreement ("SSA")

Purpose, Governance Structure and Implementing Procedures

National Industrial Security Program (NISP) Guidance

Govt policy: Allow foreign investment consistent with national security interests

A company determined to be under FOCI (foreign ownership, control or influence) is ineligible for a facility security clearance (FCL) absent security measures to negate or mitigate the FOCI

"FOCI policy . . . is intended to facilitate foreign investment by ensuring that foreign firms cannot undermine U.S. security and export controls to gain unauthorized access to critical technology, classified information, and special classes of classified information."

Govt reserves the right and has the obligation to impose any security method, safeguard, or restriction it believes necessary to ensure that . . .

  » Unauthorized access to classified information is effectively precluded (including the ability to leverage others who have access)

  » Performance of classified contracts is not adversely affected

NISP Description of the Special Security Agreement (SSA)

The SSA is one of the potential FOCI mitigation measures. The others include a Board Resolution, Security Control Agreement, Voting Trust Agreement and Proxy Agreement.

The SSA imposes various industrial security and export control measures within an institutionalized set of company practices and procedures

Preserves the foreign owner's right to be represented on the Board of Directors. The foreign owner's member is called an INSIDE DIRECTOR.

  » Direct voice in business management of the company

  » While denying unauthorized access to classified and unclassified, export-controlled information

NISP limitations on the SSA

  » Provides for a GSC (Government Security Committee): active involvement in security matters by Senior Management and Outside Directors (the Inside Director cannot be a member)

  » No access to proscribed information absent a determination that release to the company will not harm national security (National Interest Determination, NID)

  » Additional company practices and procedures

SSA Governance Structure

A legal entity the business of which is managed by a Board of Directors or equivalent Management Group or Committee.

Board composition

  » Three Outside Directors (two with a DSS-authorized exception). Shareholders elect the members of the Board of Directors.

  » At least 1 Inside Director; at least 1 Officer Director

  » The number of Inside Directors shall not equal or exceed the combined total number of Outside Directors and Officer Directors

  » The Chairman shall not be an Inside Director

Actions by majority vote

  » 1 Inside Director and 1 Outside Director necessary for a quorum.

  » A proxy by an Outside Director can only be given to another Outside Director.

  » Contains no tie-breaking language.

All Directors have the normal fiduciary duties of a director: care, loyalty, business judgment, disclosure, confidentiality, risk and compliance oversight

Limitations

  » Certain actions require prior approval from the Parent

  » The Parent may remove members of the Board only in accordance with procedures set forth in the SSA

Government Security Committee (GSC)

Responsible for ensuring that the requirements of the SSA, NISPOM and export procedures are followed, and for ensuring the protection of classified and unclassified export-controlled information.

Composition: all Outside Directors and cleared Officer Directors

Specific GSC duties

  » Ensure the Company maintains policies and procedures to safeguard the classified and controlled information in its possession

      » Electronic communications

      » Contacts and visits

  » Ensure the Company complies with . . .

      » DoD Security Agreement

      » SSA

      » Appropriate contract provisions regarding security

      » U.S. export laws

      » NISP (NISPOM)

Government Security Committee (GSC)

Specific GSC duties (continued)

  » Oversee activities of the Facility Security Officer (FSO) and Technology Control Officer (TCO)

  » Monitor administrative services being provided by the Parent/Affiliates

  » Ensure the Company does not receive administrative services without DSS approval. DSS usually approves the following shared services:

      » Insurance benefits

      » Retirement plans

      » HR services, but usually insists the cleared company independently selects its employees without undue influence and control by the foreign owners

      » Payroll services, but pay is by the cleared company.

  » Outside Directors ensure administrative services do not allow the Parent or Affiliates to control or influence the management or business of the Company in violation of the SSA

Each member of the GSC must exercise best efforts to . . .

  » Ensure all provisions of the SSA are carried out

  » Ensure the Company's officers, directors and employees comply with the SSA

  » Advise DSS of any known violation of, or attempt to violate, any provision of the SSA, appropriate contract provisions regarding security, export control laws or the NISP

Foreign Owner Commitments

The Parent commits by resolution to . . .

  » Exclude itself and its Affiliates from access to protected information

  » Grant the Company independence to safeguard protected information

  » Refrain from taking any action to control or influence the performance of the Company's classified contracts or its participation in classified programs

Institutionalized Set of Company Practices and Procedures

Visits/meetings. Except for routine business visits, all visits must be approved in advance by one of the Outside Directors

Routine business visits

  » Made in connection with regular day-to-day business operations

  » Do not involve classified or controlled unclassified information

  » Pertain only to the commercial aspects of the business

  » Certain categories of routine business visits are identified in the SSA and implementing procedures. The GSC may add "specific categories" and alter categories with DSS approval

Electronic communications. "All Electronic Communications between cleared company employees and representatives and the parent and its affiliates (collectively referred to as the Affiliates) must be monitored and recorded"

  » Email: Usually "captured" by software; sampled and reviewed by the FSO/GSC. Often establish a firewall to "stop" e-mails or "provide a copy" to Outside Director(s) for review and sometimes to actually "release"

  » Phone calls: logged (contact reports) and reviewed by the FSO/GSC

  » Fax: collected and reviewed by the FSO/GSC

Training

  » Initial and ongoing training of personnel; certify as to understanding and commitment to comply

  » Parent/Affiliate: also need procedures, training and commitment to comply

Institutionalized Set of Company Practices and Procedures

Inside Directors

  » Inside Directors are not subject to the visitation restrictions, which apply to other representatives of the Affiliates.

      » No Outside Director review/approval required for visits by Inside Directors.

      » Not subject to visit controls if on-site to attend a Board meeting (no entry into controlled areas)

      » However, must be escorted at all times while on-site if not a U.S. citizen (???)

  » Emails, calls, etc. to/from an Inside Director must be monitored and recorded, as with other Parent/Affiliate personnel

  » The foreign owner's voice in management must be exercised through participation on the Board of Directors. Inside Directors have an equal vote to other Directors.

  » The Board is the principal forum for the foreign owner's input regarding the business. The Inside Director must not take on the role of an "officer", "consultant" or "employee" of the cleared company.

  » Input should be consistent with normal Director activity, i.e., generally it is inappropriate for an Inside Director to seek to direct the day-to-day business affairs of the Company

  » The Inside Director may have additional input consistent with the Visitation Policy and ECP

Institutionalized Set of Company Practices and Procedures

Senior officials and Non-Routine Visits

  » Recent SSAs usually indicate that visits by Officer(s) and Director(s) are not to be treated as "routine business".

  » Most authorities agree that a visit with an Officer or Director of a Parent or Affiliate cannot be characterized as a Routine Visit regardless of whether the purpose of such a visit corresponds to one of the categories of routine visits.

  » At all companies that I am familiar with, visits between the cleared company and the Affiliates are processed as non-routine and approved by an Outside Director.

The Electronic Communications Plan (ECP)

  » The ECP is submitted to and approved by DSS. Entered into E-FCL.

  » All employees, consultants or representatives of the cleared company are briefed on and annually re-briefed on the ECP. Such personnel sign an acknowledgment that they received a briefing, understand the briefing and will comply. I recommend you give them a copy of the ECP and during self-inspections check to determine if they have a soft or hard copy readily available.

  » Other companies post the ECP, TCP and Operating Agreement (SOP) on their web site with other "policies" and "procedures".

The 2012 DSS FOCI Branch FOCI Statistics

Provided by Steve Linquist from the DSS FOCI Branch.

In FY 2012, DSS conducted 8,575 security vulnerability assessments.

  » 299 of which were FOCI signatories

  » 398 of which were FOCI non-signatories

FOCI Signatory Compliance Breakdown:

  » 63.9% rated Satisfactory

  » 19.1% rated Commendable

  » 16.1% rated Superior

  » 1.0% rated Marginal or Unsatisfactory

FOCI Non-Signatory Compliance Breakdown:

  » 37.7% rated Satisfactory

  » 32.4% rated Commendable

  » 28.9% rated Superior

  » 1.0% rated Marginal or Unsatisfactory

The 2012 DSS FOCI Branch FOCI Statistics (non-FOCI)

In FY 2012, DSS conducted 8,575 security vulnerability assessments.

  » 7,844 of which were non-FOCI facilities

Non-FOCI Compliance Breakdown:

  » 78.2% rated Satisfactory

  » 14.9% rated Commendable

  » 6.5% rated Superior

  » 0.4% rated Marginal or Unsatisfactory

Questions?