When some have security clearance and others don't. What to do?


#1

A group of scientists at my company is currently performing research on a project that, in the future, will require use of classified data. These scientists don’t hold active security clearances. However, a team of engineers (also working in the project) does have security clearances, and will have access to the classified data without much problem. My questions are the following:

(1) Is this type of scenario common in other companies and research environments?
(2) How can we define the information that the engineers would be able to give to the scientists so that the scientists can further refine the algorithms and improve the research being done? This, of course, without breaking any rules on the nature of the data.
(3) Have you seen these scenarios work in real life? Or is there a specific burden that hampers working this way?
(4) If these types of scenarios do work in real life, what challenges do you know of, and what suggestions would you make so that the interaction works in a smooth manner?


#2

This sounds like a system where the software or hardware is NOT classified but the information, the data being processed, IS classified.

If that’s the case, it is very similar to working in the insurance industry where rules prevent testing with “live” data because that would provide PIM to employees who should not, or in some cases, may not (read that as overseas contract workers) have access to the real data.

In those situations, I have created test data that, while mimicking production data, does not contain any PIM. We modify social security numbers, names and addresses while leaving the other claim data, for example, as is.

Your engineers may need to mock up data that simulates any problems that are found with the live data and pass these mockups to the scientists for their work.

There are other ways to handle these problems. I’m sure others may have different ideas.
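The masking approach described in #2, as an added example that is not part of the original thread: identifying fields are replaced with keyed, deterministic stand-ins so the same person still lines up across claims, the other claim data passes through unchanged, and any field nobody has reviewed blocks the release. The field names, sample records and key are assumptions made up for the illustration, and the keyed-HMAC choice goes beyond what the post states.

```python
import hashlib
import hmac

# Constructed sample records: every value below is made up for this example.
SAMPLE_CLAIMS = [
    {"claim_id": "C-1001", "name": "Jane Roe", "ssn": "123-45-6789",
     "address": "12 Elm St", "procedure": "X-ray", "amount": 184.50},
    {"claim_id": "C-1002", "name": "Jane Roe", "ssn": "123-45-6789",
     "address": "12 Elm St", "procedure": "Cast", "amount": 320.00},
    {"claim_id": "C-1003", "name": "John Doe", "ssn": "987-65-4321",
     "address": "9 Oak Ave", "procedure": "X-ray", "amount": 184.50},
]
PASS_THROUGH = {"claim_id", "procedure", "amount"}  # hypothetical fields copied unchanged


def _token(key: bytes, field: str, value: str) -> int:
    """Keyed, deterministic token: same input gives same output; needs the key to recompute."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")


def mask_ssn(key: bytes, ssn: str) -> str:
    n = _token(key, "ssn", ssn)
    # Area numbers 900-999 are never issued as SSNs, so the output cannot match a real one.
    return f"{900 + n % 100}-{1 + (n // 100) % 99:02d}-{1 + (n // 9900) % 9999:04d}"


def mask_name(key: bytes, name: str) -> str:
    return f"Person-{_token(key, 'name', name) % 16**8:08x}"


def mask_address(key: bytes, address: str) -> str:
    return f"{1 + _token(key, 'address', address) % 9999} Test Street"


MASKERS = {"ssn": mask_ssn, "name": mask_name, "address": mask_address}


def mask_record(key: bytes, record: dict) -> dict:
    """Return a copy for hand-off; refuse any field that has not been reviewed."""
    out = {}
    for field, value in record.items():
        if field in MASKERS:
            out[field] = MASKERS[field](key, value)
        elif field in PASS_THROUGH:
            out[field] = value
        else:
            raise ValueError(f"unreviewed field {field!r}: record not released")
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: kept only by the side holding the real data
    for row in SAMPLE_CLAIMS:
        print(mask_record(key, row))
```

Because the stand-ins are keyed, whoever receives the mock data cannot recompute them from a guessed name or number without the key.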


#3

We run simulators at my job, for NOAA. The data isn’t classified but I assume the process would be the same. The simulators are run outside of NOAA, then the packages are brought to NOAA to install after integration testing. Like I said, NOAA data isn’t classified so it’s the same people doing the work, but in your case I assume the researchers would need to run simulations and then hand off to the engineers for implementation.