Friday, November 13, 2009

Changes to the National Industrial Security Program Impact Defense Contractors

Just five short years ago several changes came out almost simultaneously. The changes challenged the thinking of many security specialists because the ideas were so new. The proactive employees put plans into place that made the changes easier to implement within their organizations. The others found themselves implementing the changes at the last minute.
I cannot imagine working without the Joint Personnel Adjudication System (JPAS). However, when it first came out the protest was pretty loud. One of the many objections identified using JPAS to submit visit authorization requests instead faxing personal identifiable information to a hosting cleared facility. I heard one FSO comment that “need to know” could not be properly controlled by such an impersonal system. Though unfounded, such objections still needed to be met. T o prepare industry for the new process, Defense Security Services and professional organizations such as NCMS (Society of Industrial Security Professionals) began preparing ways to educate Facility Security Officers and other JPAS users. Now, JPAS is required throughout the Department of Defense.
Remember the thick personnel files? FSOs maintained huge volumes of cleared employee information. SF86 applications, medical and information release forms, SF 312 forms and more were packed into manila folders and stuffed into bulging lateral cabinets. I remember hearing of one security professional stating that they had requested a new lateral filing cabinet. Their supervisor balked at such an expense and the employee argued the need for it. Fortunately another employee who kept up with changes in the NISP reminded the two of a then recent change; the FSO could no longer maintain SF 86 information once a security clearance determination had been made. As a result, the cleared employee files withered to a few pieces of paper and some of the lateral cabinets were emptied.
The point here is that new changes are bound to come because of amendments to Presidential Executive Orders or policy updates. FSOs and security specialists should begin a plan immediately to implement the new requirements. While incorporating the changes into the security program, prepare another report of the impact to your organization. Will the new requirements increase costs of doing business or are there significant cost reductions? Document the findings and keep management informed. Finally, prepare to hi-light significant changes for presentation during annual security awareness training.

Thursday, November 12, 2009

Need to Know-the Rest of the Story or Establishing Need to Know within the National Industrial Security Program

According to E.O. 12869, no one can have access to classified information unless they have been determined eligible for a security clearance and have “need to know”. Access is a determination made by an expert based on the results of a proper investigation. This eligibility is easy to determine after the U.S. Government provides the notification of a granted security clearance or upon validation of an approved cognizant security agency database. When an employee is granted a CONFIDENTIAL, SECRET or TOP SECRET clearance they are eligible for access to classified information at the level of clearance and below.
However, the rest of the story concerns “need-to-know”. Need to know is a determination made by the possessor of classified information. This cleared employee not only has to determine that recipients of the information have the proper clearance, but that the cleared person is authorized to perform classified work based on a true government requirement. Just as security clearances should be kept to the minimum amount necessary to perform the classified work, access to that classified information must be kept to only those with a valid need to perform on the government work.
A Facility Security Officer conducted a preliminary inquiry to determine whether or not a security incident led to the loss, compromise or suspected compromise of classified information. She had received a phone call from an employee stating that a co-worker had left classified information out on his desk. Investigation revealed that a worker had left for lunch and asked a co-worker to “keep an eye on” her classified information. Not too much time later, the second employee was summoned to his bosses office to answer some questions. He left in a hurry, forgetting about the classified information on the desk.
At first glance, the unattended classified information is the most obvious security incident. However, once the inquiry concluded another incident came to light. The co-workers shared he same office, but did not work on the same contract. The first co-worker entrusted the safeguarding of classified information to an employee cleared at the proper level, but who did not have the “need to know”.

Identification and the Defense Contractor’s Rolodex

Identification is a critical part of our business. Those who possess classified information cannot just disclose it to anyone who asks; verification is necessary to ensure that those who are authorized to receive such information are who they say they are. Sometimes identification is made visually through recognition of a friend, colleague or co-worker. More often than not the visual recognition is backed up with technology. Many contractor and government organizations and agencies have internal identification systems using software and hardware designed to recognize biological and electronic information. There are many configurations of card reading technology. Some use picture badges unique to organizations coupled with small chips providing a code for entry into access controlled areas.
At any given time you can identify such employees by the card dangling at the end of a lanyard. Perhaps even some are laden with multiple cards pushing the lanyard’s published tensile strength to the limit. A card is used to enter the employer’s facility and the remaining cards are for entry to contract related organizations; each agency issuing its own recognition requirements.
A few months back I was flying away on business. I like to arrive early enough to get through security and usually have a form of government issued identification and my boarding pass ready to go. When I get to the TSA checkpoint, I display the required credentials and am given access. I recently saw a fellow traveler approach the TSA checkpoint just as I was about to do. However, instead of passing smoothly through the process, he became show stopper. The flow had been interrupted considerably.
The traveler made it to the checkpoint, but he was not prepared to present his access credentials. Well, he presented information, but it was the wrong kind. When he approached the TSA official, he began to work through what I call “the contractor rolodex”. He had worn his lanyard with about 10 access cards around his neck through the entire security line and began showing each card one by one. The patient TSA officer rejected each card until the traveler successfully produced the government issued one. This could have been a driver’s license or a common access card for all I know, but it was the right one.
Aside from the comic relief the incident provided, there is somewhat of a traveler and employee security issue to deal with. Employees are trained to put away our organization’s access card when not in the facility, though some apparently do not quite understand the “secrecy”. At the very least risk, the access card may identify the wearer as a government official or a defense contractor employee, depending on where they live. It also may provide the employee’s specific place of work and in some instances their clearance level. Worst case scenario, the card could be stolen and allow unauthorized access to a facility. Perhaps, a subject can be targeted for exploitation based on identification of line of work and employer.
Identification is a major part of doing business. Access and need to know can be verified with proper recognition provided by information printed or embedded in access card technology. Security professionals should provide education and training that help employees understand the importance of protecting their identification and how they are associated with sensitive information or business.