In July, the Department of Defense’s Inspector General (IG) released a report detailing whether contractors took adequate security measures to protect DoD information. The report found several issues, including a specific incident in which neither the Defense Threat Reduction Agency nor a contractor involved addressed the "spillage of classified information to unclassified cloud, internal contractor network and webmail environments … As a result, classified information remained unprotected on the commercial cloud and the webmail server for almost two years."
This incident is what’s known as classified spillage, and it’s a major focus for agencies and contractors that are responsible for protecting our national interests. It’s also one of the reasons the DoD established the Cybersecurity Maturity Model Certification (CMMC), a set of standards for implementing cybersecurity for defense contractors.
What is classified spillage?
Although the incident called out above – and the IG report in general – focused on electronic data storage, classified spillage can happen in both the physical and digital world. From a digital perspective, this includes a security incident that results in the transfer of classified information onto an information system not accredited or authorized at the specific security level.
Classified spillage can also occur in a physical storage environment, where it applies to hard-copy files and information. This happens when physical files received on a commercial contract are later identified by the originator as containing classified information. Clearly, there are real concerns when classified information ends up in unclassified IT systems or physical storage containers.
How do you recognize classified spillage has occurred?
Most often, classified spillage is not intentional or an act of malice; it happens inadvertently when information that was unclassified at its origination later becomes classified and is exposed accidentally. This can happen as a result of world events or other circumstances beyond the originator’s control. In this case, it is the responsibility of the originator to notify the holder(s) of the information so appropriate actions can be taken to prevent further unauthorized access to the classified information. The holder must then implement mitigation policies to purge the unclassified systems of the classified information.
Once classified spillage is identified, immediate action must be taken. So, how do agencies better prepare themselves to mitigate the possibility of classified leakage from the beginning?
Steps to better protect records and information
Agencies can protect their information without sacrificing the need to keep it readily visible and available by establishing a formal records and information management program – to include proper physical and digital storage. This should be an essential component of any records program and is especially important when classified information is being considered. As part of this program, agencies should:
· Establish an information management framework
The first, and most important, step is to establish a formalized information framework that addresses a variety of issues, spanning risk management, retention, compliance and disposition. This includes the need to construct a control framework specifically to address the risks posed by managing classified information. The framework is an operational self-assessment program that allows records managers to diagnose their own performance against a set of given controls. Such a program provides a comprehensive and consistent protocol for records managers, regardless of their location or the work they perform, to identify and address potential weaknesses in the design or execution of internal processes.
· Enable continuous monitoring
Once a formal risk framework is in place, agencies need to focus on another risk area – continuous monitoring. After identifying information and assets in the framework development, agencies should identify the requirements and rules that govern that information. Emerging technologies like automation, artificial intelligence and analytics can help agencies to achieve higher levels of asset visibility while keeping both their information stores and compliance requirements continuously updated and monitored.
· Enforce access controls
After agencies have deployed capabilities for governing and monitoring their information and records, they must implement strict policies for accessing that information. This includes establishing identity and access management practices that meet the requirements associated with classified records and information storage to enforce physical – and digital – access. Such enforcement measures should include authorization along with physical access controls for the facilities or systems where the records reside.
· Implement full information lifecycle strategies
Even after implementing robust security controls, continuous monitoring capabilities and a formal risk framework, an agency’s work is not done. The last step for properly securing classified records is ongoing enforcement and management of the information management lifecycle practices established in the other three areas noted above. Agencies must ensure that the enterprise strategy they have set in place applies to all information, both current and future, in physical and digital formats. Losing sight of this strategy will result in a higher propensity for a classified spillage incident to occur.
In order to better protect classified records and eliminate the potential for spillage, agencies need a formal program that incorporates policies for receiving, storing and handling the information, as well as technical capabilities to automate and continuously monitor these records. This type of comprehensive information management program will help agencies more effectively secure their data and classified records, while still maximizing the availability of this important asset.
Wayne Starrs is senior director of operations and strategic programs for Iron Mountain Government Solutions.