Skip to main content

The Self-Inspection For FSOs of Cleared Contractors-Classified Storage

This section continues our discussion of the DSS’ The Self-Inspection Handbook for NISP Contractors. We are still addressing Section M, classified storage. This update addresses perimeter controls that deter and detect unauthorized removal and introduction of classified information.

5-103 Is a system of perimeter controls maintained to deter or detect unauthorized introduction or removal of classified information from the facility? If so, when, where, and how are these being implemented?

According to NISPOM 5-103. Perimeter Controls. Contractors authorized to store classified material shall establish and maintain a system to deter and detect unauthorized introduction or removal of classified material from their facility.

Traceability is an important part of protecting classified information. There is plenty of allusion in industry best practices, NISPOM, and training that only TOP SECRET information is to be accountable. There is tremendous direction for application of accountability for TOP SECRET information, including the designation of a TOP SECRET Control Officer or TSCO. This position also has detailed responsibilities of how to receive, account for, trace, destroy, and remove the information that could cause extremely grave damage to national security if disclosed to uncleared and persons without need to know.

But what about SECRET and CONFIDENTIAL? Shouldn’t those also be accounted for? 

Technically no.


 Though many FSOs are actively protecting classified information in this manner, practitioners must be specific while communicating the requirements. I learned this lesson early when writing DoD Security Clearance and Contracts Guidebook. I had sent it out for review, editing, and comments from leaders in the industry. In the earlier version I wrote that “all classified information must be accounted for”. After all, I felt it was a safe assumption to write for a book about how to protect classified information. Language in the NISPOM suggests that classified information must be produced in a reasonable amount of time. Also, classified information should be reported if disclosed in an authorized manner, compromised, stolen or lost.

So how could you prove it was lost, stolen or otherwise safe unless you know what you have and how much of it is there? That sounds like accountability to me.

Though the reviewer and expert in the field expressed, rather emphatically, that I could not write such language but that the contractor could use an information management system to keep up with classified information. For the final version of the book, we agreed on using information management instead of accountability, but I still feel that some TS protection measures, accountability and traceability, should be practiced to protect all classified information.

How can TSCO requirements be applied to all classified information?


Without creating a great resource burden to the enterprise, the FSO can manage classified information responsibly and protect classified information by tracking and documenting what is stored on site, in what format, and how many copies there are. Additionally, contractors should discourage the introduction or removal of classified material without proper authority. A best practice includes centrally storing all classified information, receipting classified information, documenting the information in an information management system (IMS) such as SIMSSOFTWARE, and controlling the use of the classified information.

Commercially available IMS uses information technology to create a detailed database that helps FSOs track classified material through many dispositions from receipt, inventory requirements and final disposition. Some produce receipts, tie to a barcode scanner, report statistical data that can help determine use and much more. For example, if an inventory reveals missing classified information, the database can provide valuable information to help reconstruct the classified information’s history.

However, this doesn’t always have to be an expensive software or network endeavor. Some inexpensive and free solutions are available. I once produced my classified document library system on a printed Microsoft Excel spreadsheet to DSS' satisfaction.

Technology also exists to create a classified library or database and associating it with scanner software. Barcodes can be printed and applied to classified items for scanning. If an item is destroyed, shipped, filed, loaned or returned, it can be scanned and the status updated. These databases provide reports identifying when and where the barcode on the classified document was scanned and the last disposition. 

The FSO can use the technology to research dates, methods of receipt, contract number, assigned document number, assigned barcode, title, classification, copy number, location, and name of the receiver. For more information, see our blog post Information Management Systems.  http://dodsecurity.blogspot.com/2011/04/information-management-systems.html#.VVY_k-lFB9A


FSOs should establish perimeter controls to deter or detect unauthorized introduction or removal of classified information from the facility. The NISPOM encourages the use of technology to assist, however, this does not need to be an expensive endeavor. Technology could be as simple as a spreadsheet or an old school library checkout system.

FSOs should document whichever processes used and provide for self-inspections and DSS reviews. Security awareness training, posters, flyers, standard operating procedures, policy, practices and technology should be available for validation.

For more information, see our NISPOM training subjects or DoD Security Clearance and Contract Guidebook.



 Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook". See Red Bike Publishing for print copies of: Army Leadership The Ranger Handbook The Army Physical Readiness Manual Drill and Ceremonies The ITAR The NISPOM

Labels:

Comments

Post a Comment

Popular posts from this blog

How will you publish your book

  You can publish your book yourself, or publish with others. There are so many options available depending on how much work you want to put into the process. Writing a book is a great experience that can help you further your business opportunities. Publishing with it’s many requirements and resources could prove to be more work than you want to do, especially if writing is not our primary business.   Self-publishing provides an increasingly valuable method of getting information to your audience. With self-publishing, you can write, outsource the printing, and market your book while controlling the process. This type of publishing can be done with very little money up front and, if done right, creates a great source of revenue. If you plan to self-publish, you will need some basic items and information. Books should have copyright protection and each book sold through distribution channels will need International Standard Book Numbers (ISBN). However, with Kindle Direct Publishing (K
Post a Comment
Read more

Self-Publishers, Pay Attention to Detail

CreateSpace is an excellent self-publishing solution. I primarily use Lightning Source for most of my publishing needs, but there are some advantages of printing with CreateSpace as well. Primarily, books are listed “in stock” at Amazon.com and CreateSpace stores if printed with CreateSpace. My Lightning Source books are available on Amazon.com but usually not listed “in stock”. Thus, I often make my books available for print with both Lightning Source and CreateSpace. If you chose to use one or the other, or both, make sure your title information, ISBN and other book administrative details are accurate and listed the same in both venues. Without that level of detail, your book manuscript and cover submissions may not be approved. Additionally, if you try to link your printed book with an Amazon.com Kindle version, or your paperback with your hardback version, it may prove difficult if title information details vary too greatly. For example, my manuscript is entitled Red Bike Publis
Post a Comment
Read more

LCCN, PCN or CIP? How to Catalog Your Self-Published book

Catalog options mentioned here are available only to United States  (US) publishers with offices and staff in the US who are available to answer  bibliographic questions about their books. The Library of Congress  Control Number (LCCN) Catalog in Publication (CIP) are two  well known catalog systems. The CIP provides free distribution of prepublished and further distribution of completely published books to libraries  and book vendors world-wide. The PCN provides an abbreviated  record but is not further disseminated to libraries on the same scale  as the CIP. Here is a secret. This book is primarily written for nonfiction authors  who want to self-publish a professional book available to specialized  organizations or professionals. It will most likely be available through  Amazon.com and other on-line bookstores and distributors. This is  the widest distribution effort and your best marketing source. You will  most likely use print on demand and rely on word of mouth, social ne
Post a Comment
Read more