The Six Step Risk Assessment Process for Cleared Defense Contractors and FSOs

The facility security officer should conduct an assessment of classified holdings to determine vulnerabilities, threats, and risk to classified information. This risk assessment is above and beyond what has been determined by the original classification authority (OCA) and as applies to the National Industrial Security Program Operating Manual (NISPOM). Where the OCA has determined classification level, the NISPOM provides guidance on how to protect the classified information. 

The mission piece is the defense contractor and how they protect the classified information by format and location. It's not always good enough to rely on NISPOM requirements as the environment may dictate additional countermeasures. For example, SECRET and CONFIDENTIAL information can be approved for storage in a GSA approved container. However, if the defense contractor is in a high crime area, additional physical security measures may be necessary. 

That's where the 6 step risk management process comes in handy. The NISPOM, SCG, Statement of Work, DDForm254 and other guidance recommends minimum protection measures, the FSO should consider forming a team to help determine risk to classified information at the enterprise location(s). The process can be laid out in six steps:

1. Determine Assets to be Protected-In this case it’s classified information. The FSO might consider expanding the scope to include controlled unclassified information stored on site. However, for the analysis, consider the classified information by format (hardcopy, softcopy, end item, information in a person’s head, ect.) and location (high bay, closed area, security contain, open storage, SCIF, and etc.)
2. Determine Threats-Threats can include: emergency situations, spies, break ins, insiders, and other environment issues specific to the contractor location.
3. Assess Vulnerabilities-Understand what can be exploited to get to the classified information specific to your facility. Vulnerabilities could include traffic patterns, limited security staff, lack of seasoned cleared employees, or other weaknesses in the infrastructure or environment.
4. Assess Risk-Match the threats to the vulnerabilities and determine whether or not baseline security measures are enough. For example, even though classified information is stored in an approved GSA security container, new employees forget to lock the container before leaving the area. In the example, the NISPOM requirements are met to store classified information, but the environment requires more protection.
5. Assign Countermeasures-If the security program designed to protect classified information does not protect classified information appropriately, assign additional countermeasures. In the above example, the GSA approved container is adequate for protecting classified information, but employees have been forgetting to lock the container while taking short breaks. Additional countermeasures could include; multiple checks from supervisors, conducting additional security awareness training, discipline, and other actions to ensure the risk to classified information is mitigated.
6. Determine Residual Risk-Inspect the countermeasures to see if they truly mitigate the risk. If the supervisor checks can’t be sustained, then additional countermeasures will have to be implemented. Keep checking until behavior is corrected and risk is mitigated.

The OCA provides the classification level and the contractor is required to protect the classified information assigned. The NISPOM provides the guidance, but that may not be enough. The FSO might consider enterprise specific issues that could require additional countermeasures, conduct risk assessments, and document the effort.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".