This proposal, prepared by Armadillo Security Incorporated, presents a comprehensive physical and information security assessment of Heavy Metal Technologies (HMT), a defense contractor headquartered in Huntsville, Alabama. Following a site walk-through of HMT's North American facilities conducted in April 2010, the security team identified seven critical deficiencies in access control, personnel oversight, emergency planning, and security awareness. The paper recommends a series of countermeasures — including CCTV installation, proximity card readers, an exchange badge system, a personnel reliability program, and a formal security awareness training initiative — to bring HMT into compliance with U.S. Army integrity, confidentiality, and availability requirements for a sensitive defense enhancement program.
Heavy Metal Technologies (HMT) is a defense contractor headquartered in Huntsville, Alabama. It is a relatively small corporation by Pentagon standards, with approximately $350 million a year in revenues, but it has an exceptionally strong track record in upgrading operational electronic combat systems to new or improved equipment standards (Schou & Shoemaker, 2007). As such, the company enjoys an extremely strong, long-standing relationship with virtually all branches of the Department of Defense, as well as several defense prime contractors. It has a very large installed base of products, a number of sole-source contracts, and a strong management and advisory team (Schou & Shoemaker, 2007).
The company's Electronic Combat Systems Group is located in several places across North America. In Kanata, Canada, the group specializes in the design and production of electronic warfare (EW) training systems, while in Buffalo, New York, the group provides circuit card assembly, electromechanical assembly, and environmental testing (Schou & Shoemaker, 2007). However, the main production operation is in Fort Walton Beach, Florida, where operations are actually constituted across four facilities (Schou & Shoemaker, 2007):
1. The Jackson Street Facility handles manufacturing and engineering functions. The main building is dedicated to electrical, software, and mechanical engineering and documentation control. Four other buildings are dedicated to machine shops consisting of CNC milling, lathes, sheet metal brakes, and coordinated inspection stations.
2. The Sunnyside Street Main Building houses the complex's administration, purchasing, finance, main shipping and receiving, quality assurance, contracts, legal, information technology, stockroom, program management, and business development functions.
3. The Oceanside Facility houses the bulk of the electrical manufacturing facilities, including printed circuit board component insertion, soldering, surface mount assembly and soldering, light painting and silkscreen, electrical and mechanical assembly, chassis wiring, subsystem and final system testing, environmental stress testing, stockroom, industrial engineering, and production management. It performs the same function as the Buffalo facility does for the entire company; however, it is focused strictly on work at Fort Walton Beach.
4. The Sunnyside West Facility houses the engineering staff for the electronic warfare unit.
The systems enhancement under development is critical to the future success of the main ground attack helicopter program and to national defense. The Army demands that the integrity, confidentiality, and availability of all project information be fully secured.
From April 3 to 10, 2010, the Armadillo Security Team conducted a walk-through of all facilities associated with HMT and identified the following general deficiencies:
1) There is no access control program or database for personnel entry and exit.
2) There are no procedures or policies in place regarding access control for personnel, vehicles, and equipment.
3) There are no plans developed for natural disasters or emergencies.
4) There is no training plan in place for incoming and current employees to maintain security and information awareness.
5) There are no personnel specifically assigned to administer, develop, and monitor information and security awareness programs.
6) There is no standardized access control equipment on doors or entrances.
7) There is no standard clearance or security level required for employees.
"Eight specific security measures proposed for implementation"
In order to administer, educate, inspect, and distribute security-related information, we recommend the creation of a two-person section in each facility or building that specializes in physical and information security. This section should represent the eyes and ears of the company president or contract lead.
In order to ensure that all personnel operate according to a common set of standards, we recommend the creation of a company physical security plan. The plan will provide policies regarding personnel, equipment, and vehicle access. It will also address what actions to take in the event of a security incident or natural disaster.
In order to provide training, education, and cooperation from all employees, we recommend the creation of a security and information awareness program. The program will provide introductory training in security procedures, reporting of suspicious activities, individual security practices, and information and operational security practices while on the computer or when transporting sensitive information. The program will also serve as a means to recognize and reward units, areas, or teams that apply these practices in their daily operations.
In order to maintain an accurate, area-specific, and reliable access program, we recommend the installation of an access control program and database. The database will standardize and prioritize access to all locations within HMT in order to prevent personnel from entering restricted or controlled areas without authorization.
In order to monitor entrances, common areas, and employee activities, we recommend the installation of CCTV cameras. These cameras will allow the constant monitoring of sensitive areas and enable a minimal number of contracted guards to view multiple locations simultaneously.
In order to establish a redundant access control program, we recommend the installation of proximity card readers at all sensitive areas. These readers will require all personnel to enter a secret four-digit numeric PIN code in order to gain entry to a given area.
In order to ensure that personnel are authorized to enter certain areas, we recommend the use of an exchange badge system for highly classified locations. The system, coupled with a card reader, ensures the visual verification of the individual entering the classified area and allows for 100% accountability at all times.
In order to ensure that the personnel hired to complete this enhancement are trustworthy and have no criminal background, we recommend the immediate institution of a personnel reliability program. The program should be incorporated into the hiring process and periodically reviewed by appropriate personnel.
The deficiencies identified are different for each facility but represent a consistent pattern of gaps in standardization and oversight. In order to meet the security requirements issued by the Army, we believe that HMT must immediately implement our recommendations and allow our team to conduct a re-inspection within the next 90 days. We appreciate the candor and courteousness of all company personnel during our review of each area and facility, and we stand ready to provide any services required to ensure the successful completion of this important Department of Defense project by HMT.
Schou, C., & Shoemaker, D. (2007). Information assurance for the enterprise: A roadmap to information security. New York, NY: McGraw-Hill Irwin.
You’re 92% through this paper. Sign up to read the remaining 1 section.
Sign Up Now — Instant Access Already a member? Log inAlways verify citation format against your institution’s current style guide requirements.