This section continues our discussion of the DSS’
The Self-Inspection Handbook for NISP Contractors. We are still addressing Section
M, classified storage. This update addresses perimeter controls that deter and detect unauthorized removal and introduction of classified information.
5-103 Is a system of
perimeter controls maintained to deter or detect unauthorized introduction or
removal of classified information from the facility? If so, when, where, and
how are these being implemented?
According to NISPOM 5-103. Perimeter Controls. Contractors authorized to store classified material shall
establish and maintain a system to deter and detect unauthorized introduction
or removal of classified material from their facility.
Traceability
is an important part of protecting classified information. There is plenty of
allusion in industry best practices, NISPOM, and training that only TOP SECRET
information is to be accountable. There is tremendous direction for application
of accountability for TOP SECRET information, including the designation of a TOP SECRET Control
Officer
or TSCO. This position also has detailed responsibilities of how to receive,
account for, trace, destroy, and remove the information that could cause
extremely grave damage to national security if disclosed to uncleared and
persons without need to know.
But what about SECRET and CONFIDENTIAL? Shouldn’t those also be accounted for?
Technically no.
Though
many FSOs are actively protecting classified information in this manner, practitioners
must be specific while communicating the requirements. I learned this lesson early
when writing DoD Security Clearance
and Contracts Guidebook. I had sent it out for review, editing, and comments from
leaders in the industry. In the earlier version I wrote that “all classified
information must be accounted for”. After all, I felt it was a safe assumption
to write for a book about how to protect classified information. Language in
the NISPOM suggests that classified information must be produced in a
reasonable amount of time. Also, classified information should be reported if
disclosed in an authorized manner, compromised, stolen or lost.
So
how could you prove it was lost, stolen or otherwise safe unless you know what
you have and how much of it is there? That sounds like accountability to me.
Though
the reviewer and expert in the field expressed, rather emphatically, that I
could not write such language but that the contractor could use an information
management system to keep up with classified information. For the final version
of the book, we agreed on using information management instead of
accountability, but I still feel that some TS protection measures,
accountability and traceability, should be practiced to protect all classified
information.
How can TSCO requirements be applied to all classified information?
Without
creating a great resource burden to the enterprise, the FSO can manage classified
information responsibly and protect classified information by tracking and documenting what is
stored on site, in what format, and how many copies there are. Additionally, contractors
should discourage the introduction or removal of classified material without
proper authority. A best practice includes centrally storing all classified
information, receipting classified information, documenting the information in
an information management system (IMS) such as SIMSSOFTWARE, and controlling
the use of the classified information.
Commercially
available IMS uses information technology to create a detailed database that
helps FSOs track classified material through many dispositions from receipt,
inventory requirements and final disposition. Some produce receipts, tie to a
barcode scanner, report statistical data that can help determine use and much
more. For example, if an inventory reveals missing classified information, the
database can provide valuable information to help reconstruct the classified
information’s history.
However,
this doesn’t always have to be an expensive software or network endeavor. Some
inexpensive and free solutions are available. I once produced my classified
document library system on a printed Microsoft Excel spreadsheet to DSS' satisfaction.
Technology
also exists to create a classified library or database and associating it with scanner
software. Barcodes can be printed and applied to classified items for scanning.
If an item is destroyed, shipped, filed, loaned or returned, it can be scanned
and the status updated. These databases provide reports identifying when and
where the barcode on the classified document was scanned and the last
disposition.
The FSO can use the technology to research dates, methods of
receipt, contract number, assigned document number, assigned barcode, title, classification,
copy number, location, and name of the receiver. For more information, see our
blog post Information Management Systems. http://dodsecurity.blogspot.com/2011/04/information-management-systems.html#.VVY_k-lFB9A
FSOs should establish
perimeter controls to deter or detect unauthorized introduction or removal of
classified information from the facility. The NISPOM encourages the use of technology to
assist, however, this does not need to be an expensive endeavor. Technology
could be as simple as a spreadsheet or an old school library checkout system.
FSOs should document
whichever processes used and provide for self-inspections and DSS reviews. Security awareness
training, posters, flyers, standard operating procedures,
policy, practices and technology should be available for validation.
For more information, see our NISPOM training subjects or DoD Security Clearance and Contract Guidebook.
Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook". See Red Bike Publishing for print copies of: Army Leadership The Ranger Handbook The Army Physical Readiness Manual Drill and Ceremonies The ITAR The NISPOM
No comments:
Post a Comment