ESA UNCLASSIFIED – For Official Use
Stefano Zatti – ESA Security Office
Warsaw, 14 April 2014
DOING BUSINESS WITH ESA – Working with Classified Information
Security Principles at ESA
1. Synergy: a basic security system protecting all assets and information, augmented by an additional capability to handle classified information.
2. Holistic approach: cover the five pillars of security: Physical, Personnel, Information Protection, Information Technology and Communications (INFOSEC) + BCDR.
3. Necessity: keep implementation at the minimum level necessary with respect to the assessed risks.
4. Division of powers: separate the security policy and the control of its correct implementation from the implementation and operations of security.
The ESA Security Office
• Security policy and control of its correct implementation
• Head of the Office is the Head of the ESA Director General’s Cabinet (H/DGC), directly reporting to the DG
• Managed by the ESA Security Office Manager (DGC-Y)
• 4 officers: Infosec; Physical; Information Protection and BCM; Personnel and Outreach + 2 administrative assistants
• Support from the Legal Department for legal and technology export issues
• Based at ESRIN in Frascati, Italy, with Agency-wide scope
• Support to the ESA Executive in the ESA Security Committee
• Secure premises at ESRIN (Class I) for high levels of classification (ESA Confidential and Secret)
Security Policy Definition
[Organisation chart: ESA Security Committee; ESA Executive (= ESA Security Office, ESA Legal Dept); National Security Authorities of ESA Member States; ESA Director General]
The ESA Security Framework – Policy vs. Implementation
[Diagram of the document hierarchy: ESA Convention; ESA Security Agreement; ESA Security Regulations; ESA Security Directives and ESA Generic PSI; ESA COMSEC Instructions. Directives: Physical Security Directives, Personnel Security Directives, Information Protection Directives, InfoSec Directives, Business Continuity Management Directives, each marked SEC / OPS]
Types of information in ESA
• ESA UNCLASSIFIED INFORMATION
• ESA CLASSIFIED INFORMATION
ESA UNCLASSIFIED INFORMATION - 1
ESA UNCLASSIFIED
Refers by default to any information, document or material, whatever the format or media, produced or acquired by ESA. As a general rule, unclassified information is not to be made publicly available unless explicitly authorised.
Protected within a contractual framework.
– ESA UNCLASSIFIED – For Official Use
By default.
– ESA UNCLASSIFIED – For Internal Use
Produced within the Agency and distributed within a limited framework, not necessarily confined to the Agency.
ESA UNCLASSIFIED INFORMATION - 2
– ESA UNCLASSIFIED – Proprietary Information
Intellectual property rights remain with the originator.
– ESA UNCLASSIFIED ITT/TEB – For Internal Use – Limited Distribution
For the protection of ESA’s procurement processes.
– ESA UNCLASSIFIED – Releasable to the Public
Can be released in public fora (internet, conferences, etc.).
Additional attention to the sensitivity of a document can be drawn through an additional caveat marking, e.g. “For SSA Programme Manager” / “Releasable to the Public starting 10/07/2013”.
ESA CLASSIFIED INFORMATION
ESA Classified
Refers to any information, document or material, whatever the format or media, produced or acquired by ESA, which is subject to a formal security classification according to the ESA Security Regulations.
Protected within a legal framework.
– ESA SECRET (PSC required)
– ESA CONFIDENTIAL (PSC required)
Applicable to information and material the unauthorised disclosure of which could harm the essential interests of ESA or of one or more of its Member States.
– ESA RESTRICTED (no PSC required)
TABLE OF EQUIVALENCES

Country | ESA SECRET | ESA CONFIDENTIAL | ESA RESTRICTED
--- | --- | --- | ---
Austria | Geheim | Vertraulich | Eingeschränkt
Belgium | Secret (Loi 11.12.1998) / Geheim (Wet 11.12.1998) | Confidentiel (Loi 11.12.1998) / Vertrouwelijk (Wet 11.12.1998) | nota below 1
Czech Republic | Tajné | Důvěrné | Vyhrazené
Denmark | Hemmeligt | Fortroligt | Til tjenestebrug
Finland | SALAINEN / HEMLIG | LUOTTAMUKSELLINEN / KONFIDENTIELL | KÄYTTÖ RAJOITETTU / BEGRÄNSAD TILLGÅNG
France | Secret Défense | Confidentiel Défense | nota below 3
Germany | Geheim | VS — Vertraulich (nota below 2) | VS — Nur für den Dienstgebrauch
Greece | Απόρρητο (abr. ΑΠ) | Εμπιστευτικό (abr. ΕΜ) | Περιορισμένης Χρήσης (abr. ΠΧ)
Ireland | Secret | Confidential | Restricted
Italy | Segreto | Riservatissimo | Riservato
Luxembourg | Secret Lux | Confidentiel Lux | Restreint Lux
The Netherlands | Stg GEHEIM | Stg CONFIDENTIEEL | Dep. VERTROUWELIJK
Norway | Hemmelig | Konfidensielt | Begrenset
Poland | Tajne | Poufne | Zastrzeżone
Portugal | Secreto | Confidencial | Reservado
Romania | Strict secret | Secret | Secret de serviciu
Spain | Reservado | Confidencial | Difusión Limitada
Sweden | HEMLIG / SECRET or HEMLIG | HEMLIG / CONFIDENTIAL | HEMLIG / RESTRICTED
Switzerland | SECRET / GEHEIM / SEGRETO | CONFIDENTIEL / VERTRAULICH / CONFIDENZIALE | INTERNE / INTERN / AD USO INTERNO
The United Kingdom | UK Secret | UK Official Sensitive | (not separately listed)
EU | EU Secret | EU Confidential | EU Restricted
Process to adopt classification within a project
ESA Security Regulations, section XIII on Industrial Security:
• ESA will determine the aspects of an ESA programme or element requiring security protection; this approach may be requested/required by a Member State participating in the project.
• The ESA Security Committee and the appropriate ESA subordinate body will recommend the security classification to be accorded to each aspect area of the programme to the ESA Council for approval.
• The programme implementing rules … shall contain a Programme Security Instruction, containing a Programme Security Classification Guide (or, as a minimum, a “Security Aspect Letter”).
THE ESA GENERIC PSI: a tool to adopt classification in a programme
• PSI: Programme Security Instructions
• Provide instructions on safeguarding the ESA classified information and material that is provided to or generated in the framework of an ESA Programme
• Based on the ESA Security Regulations
• Describes:
  • Classification levels (ESA RESTRICTED, CONFIDENTIAL, SECRET)
  • Protection, handling, transportation and IT use of classified information at the different levels
  • Release of information
  • International visits
  • Contracting and subcontracting
• To be customised (in specially marked areas) for each ESA programme that will need to be protected using the ESA classification system (e.g. Galileo, EGEP, EGNOS, SSA)
• Classification guide (Annex D) providing all the details on which document or element will get which classification level for the specific programme
• To be made applicable to an ESA classified contract, providing industry with all the details they need to manage ESA information properly
Particular modalities for Classified Procurement
• ESA only rarely issues classified procurements (the main one was for Galileo) but is fully equipped to that effect, with detailed Security Regulations & Directives, an FSC and a significant number of staff with PSCs.
• Classified procurement can take two forms:
  • The ITT issued by ESA includes some classified parts: in this case ESA will use the Two-Stage Tendering Procedure as defined in Article 16 of the Procurement Regulations.
  • (Part of) the tenders are expected to be classified: a dedicated Security Evaluation Panel with cleared members.
• In some cases, ESA will select Non-Competitive Procurement or Restricted Competition.
The Classified ITT
• In the case of a classified ITT, ESA will select the two-stage tendering procedure:
  • The non-classified part of the ITT will be issued on EMITS and outline the need for tenderers to submit their offer in two stages:
    – A Request to Participate, demonstrating compliance with the selection criteria: in particular, evidence of existing security clearances (FSC, PSCs) or at least a letter from the NSA confirming that the clearance process is ongoing.
    – The ESA TEB will verify the fulfilment of the security criteria and make available, through secured channels, the classified part of the ITT.
    – Proposal submission and evaluation as shown on the following slides.
Classified Proposal Submission
• A classified proposal shall be submitted in two separate ways:
  • For the non-classified part, through the standard means as described in the General Conditions of Tender and the specific provisions of the ITT.
  • For the classified part, in accordance with specific modalities defined in the ITT, derived from the ESA Security Directives and providing for a secured transmission of the ITT.
• Classified proposals will be evaluated as follows:
  • Unclassified part of the proposal by the TEB.
  • Classified part of the tender by a Security Panel composed of ESA staff members with Personnel Security Clearance.
  • The Panel will report its conclusions to the TEB by providing only unclassified information.
Classified ITT & TEB 1/6
• A Security Officer for the programme/project shall be proposed to the Head of the ESA Security Office, who will endorse the appointment.
• The Security Officer shall be appropriately security cleared.
• The Security Officer shall ensure that all persons requiring access to the ITT and TEB material classified RESTRICTED CRYPTO, CONFIDENTIAL or higher are appropriately cleared before being given access.
Classified ITT & TEB 2/6
• Companies from ESA Member States that have signed and ratified the ESA Security Agreement can participate in a classified ESA ITT (unless decided otherwise by the ESA Security Committee and the ESA Council when establishing the programme), provided they hold a Facility Security Clearance (FSC) or are in the process of obtaining one, and have appropriately cleared personnel (PSC).
  • Also valid for contracts related to works in ESA establishments, sites etc.
• In case the company has a provisional facility security clearance, it must be ensured that the full FSC is granted not later than the moment the contract is signed.
• In case the company is in the process of obtaining an FSC, it must be ensured that the full FSC is granted not later than at signature of contract.
Classified ITT & TEB 3/6
• It is the Security Office which performs the FSC verification with the appropriate NSA, by requesting a Facility Information Sheet (FIS).
• Companies holding a valid FSC can collect the classified data package (if any) at the designated ESA Class 1 Area. The courier must have a valid courier certificate.
• Companies not yet holding a valid FSC can consult the classified data package in a designated ESA Class 1 Area, provided the persons concerned have a valid PSC and a valid RFV procedure has been concluded.
• Classified ITTs shall have a clause that all classified data are returned to ESA by companies not submitting a proposal, or by companies not awarded a contract, 15 days after notification.
Classified ITT & TEB 4/6
• All personnel in the TOB, pre-TEB or TEB needing access to the classified data must be appropriately cleared.
• All elements of the proposals classified CONFIDENTIAL or higher must be stored in a Class 1 Area and can only be consulted there.
• All meetings related to classified information CONFIDENTIAL or higher shall take place in a Class 1 Area.
Classified ITT & TEB 5/6
• The TEB Security Officer shall ensure that all MoM, reports and notes generated during CLA meetings are verified and receive the correct classification. He shall register these documents accordingly.
• The TEB Security Officer shall ensure proper handling, registration, distribution and/or transmission and destruction of the relevant classified information.
• The TEB Security Officer shall ensure the appropriate return of the relevant classified proposals if required.