Wednesday, December 23, 2015

Keeping the knowledge of security container combinations to a minimum.

In this week's article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308.

5-308 Is the number of people possessing knowledge of the combinations to security containers kept to a minimum?

Not every employee needs the combination to the security container.

The combinations should be provided to those with the proper clearance and need to know. This is the maximum number of individuals who should have it, but a minimum standard as far as combination accountability. After all, the security container combination is classified at the same level as the highest level of information stored in the container. 

Clearance and need to know of the contents aside, maintaining control of combinations should include keeping access to the security container to the minimum necessary for good information security. For example, 10 cleared employees may need access to a document. However, these 10 cleared employees may not need access to the security container.

There are many ways to monitor and approve combination distribution.

One consideration might be shared container space. For example, the 10 cleared employees above may have classified documents collocated in the same security container with the classified documents of another group. All are classified at the same level, but not everyone has a need to know of each group’s information. Need to know would be approved for those who are granted the combination. These few would be granted need to know, then given the combination. They could then distribute the contents as required.

Another consideration is classification of the combination. Not only is the classified information protected based on access and need to know, but the combination is also classified to the level of the information stored in the container. Therefore it also must be protected by verifying employee clearance level and need to know controls. If the combination is written, then the written combination should be marked properly and also stored in a security container. Protecting, documenting and accounting for the classified security container combination provides the controls necessary for proper information security. Combinations should be memorized. A good memory jogger is a word that matches the combination numbers. A combination reminder magnet helps.

Another consideration is availability. Out of the above example of 10 cleared employees, those granted access should be available throughout the working day to open and close the container.

Though not an exhaustive list of examples, each of the above cases requires thought. Out of the cleared employees, which have need to know of the information in the security container? Then provide and maintain access to the combination at a minimum.

Where the classified combination is provided, it must be properly documented. The FSO should record the names of those to whom the combination is provided.

In cases where a cleared contractor is a one-person operation, that person serves as the FSO for that entity. The single employee FSO is as critical as any other FSO. The main difference is that the single employee FSO is the only one who has access to safe or vault combinations and access control and alarm codes. If the employee dies or is incapacitated, a backup plan is necessary to better protect the classified material. In cases of sole employees, the FSO will give the combinations to DSS or the home office if part of a larger organization.

VALIDATION:
  • Determine who has access to the security container combination.
  • Document the process to limit access to the combination to the minimum necessary.
  • Interview those who have access to the container and document how they enforce need to know of the contents before distributing classified information.
  • Demonstrate that the combination is treated as classified information. Verify that, if written or recorded, it is marked correctly and stored in a GSA approved container.
  • Demonstrate written policy that limits the number of those with access to the security container combination to the minimum necessary.
  • Security awareness training is provided that enforces the protection of combinations as classified and with limited distribution.

Tuesday, December 1, 2015

NISPOM Based Questions







Try these NISPOM based questions and see how you do. You may find some answers in the NISPOM, but some you might just have to think about.



1. TOP SECRET information can be transmitted by which of the following methods within the U.S. and its territories?

a. Defense Courier Service, if authorized by GCA

b. A courier cleared at the SECRET level

c. By electrical means over FSO approved secured communication devices

d. By government vehicle

e. By U.S. Postal Service Registered Mail



2. SECRET information can be transmitted by which of the following means?

a. Registered mail

b. Cleared commercial carrier

c. As designated in writing by GCA

d. Commercial company approved by CSA

e. All the above

3. Contractors who designate cleared employees as couriers shall ensure all EXCEPT:

a. They are briefed on responsibilities to safeguard classified information

b. They possess a card with the company name, name of individual and picture ID

c. They possess authorization to store classified in hotel safe

d. Classified material is inventoried prior to delivery

e. Classified material inventory transported with material.



4. When escorting classified information transported in the airplane’s cargo area, plane _____ and deplane _____.

a. Before other passengers, after other passengers

b. After other passengers, before other passengers

c. After cargo is secured, before anyone

d. After engines start, before plane pulls to gate

e. After plane leaves gate, before plane pulls to gate











Scroll down for answers





1. TOP SECRET information can be transmitted by which of the following methods within the U.S. and its territories?

a. Defense Courier Service, if authorized by GCA (NISPOM 5-402)

b. A courier cleared at the SECRET level

c. By electrical means over FSO approved secured communication devices

d. By government vehicle

e. By U.S. Postal Service Registered Mail



2. SECRET information can be transmitted by which of the following means?

a. Registered mail

b. Cleared commercial carrier

c. As designated in writing by GCA

d. Commercial company approved by CSA

e. All the above (NISPOM 5-403)



3. Contractors who designate cleared employees as couriers shall ensure all EXCEPT:

a. They are briefed on responsibilities to safeguard classified information

b. They possess a card with the company name, name of individual and picture ID

c. They possess authorization to store classified in hotel safe (NISPOM 5-410)

d. Classified material is inventoried prior to delivery

e. Classified material inventory transported with material.



4. When escorting classified information transported in the airplane’s cargo area, plane _____ and deplane _____.

a. Before other passengers, after other passengers

b. After other passengers, before other passengers

c. After cargo is secured, before anyone (NISPOM 5-413f)

d. After engines start, before plane pulls to gate

e. After plane leaves gate, before plane pulls to gate


So how did you do? These questions and more can be found in DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".