Saturday, June 27, 2015

FSOs and Emergency Procedures

We are continuing our analysis of the DSS’ The Self-Inspection Handbook for NISP Contractors to determine requirements and best practices for meeting them.

Since Section M has multiple inspection points, we have broken them up into individual articles. This update addresses classified information and emergency procedures.


5-104 Are procedures developed for the safeguarding of classified material during an emergency?

According to NISPOM Paragraph 5-104. Emergency Procedures, 
“Contractors shall develop procedures for safeguarding classified material in emergency situations. The procedures shall be as simple and practical as possible and should be adaptable to any type of emergency that may reasonably arise. Contractors shall promptly report to the CSA any emergency situation that renders the facility incapable of safeguarding classified material.”

An essential element of a security program that protects classified information is defending not only against spies, thieves, and insiders, but also against inadvertent disclosure. Accidental disclosure can cause just as much damage as malicious intent. Thus, FSOs and cleared defense contractors should be prepared to protect classified information by format and location in the event of an emergency. Emergencies should also be weighed by probability and addressed through a risk-based decision process.

The facility security officer should conduct an assessment of classified holdings to determine vulnerabilities, threats, and risk to classified information. This assessment goes above and beyond what the original classification authority has determined and what the National Industrial Security Program Operating Manual (NISPOM) requires.

Since the NISPOM, SCG, Statement of Work, DD Form 254 and other guidance dictate how to protect classified information, the FSO should consider forming a team to help identify emergency scenarios that could increase risk to classified information at the enterprise location(s).

It is important that the threat list include natural disasters. Next, the threats should be mitigated to ensure that classified information is protected and not compromised, regardless of the emergency event. But remember, human lives come first. The earlier and more thoroughly the FSO prepares, the more successful the response will be.

Here is an example of how an FSO might conduct a risk assessment. For illustration, this example is limited to emergency situations; a genuine risk assessment should consider all scenarios. More scenarios can be found in DoD Security Clearance and Contracts Guidebook.

The 6 step risk assessment process should be used to determine and address risks to classified information. The following is an example of a risk assessment with emergency situations as the focus:

1. Determine assets to be protected.

In this case it is classified information and controlled unclassified information stored on site. For the analysis, consider the classified information by format (hardcopy, softcopy, end item, information in a person's head, etc.) and location (high bay, closed area, security container, open storage, SCIF, etc.).

2. Determine threats to the classified information.

For this situation, FSOs should identify the disasters and emergencies that could cause unauthorized disclosure of classified information. Threats should be considered specific to the facility and to the assets by format and location. Some things to consider are workplace injuries, heart attacks, strokes, fire, severe weather, earthquakes, flood, explosions, and anything else that could lead to exposed or lost assets.

3. Assess vulnerabilities, that is, what can be exploited to get to the classified information at your specific facility.

Vulnerabilities could include a building sited in a low-lying area, poor construction, classified material located along emergency services traffic routes, or anything else that contributes to or worsens an emergency situation.

4. Assess risk by matching each threat to the vulnerabilities it could exploit, and determine whether or not the baseline countermeasures remain effective.

For example, an area approved for open storage has the required alarms and facility construction. However, how effective are these security measures in the event of an emergency?
For example, when an employee experiences a heart attack, how will that employee be rescued? What happens to the classified information that is properly stored on shelves, or that is sitting on desks, computer screens, or lab tables when uncleared responders arrive?

5. Assign countermeasures.

If the security program designed to protect classified information does not protect it appropriately, assign additional countermeasures. In the above example, the approved open storage area is adequate for protecting classified information from intruders, but not against entry by uncleared emergency responders. Additional countermeasures could include assigning escorts for emergency situations, selecting ingress and exit routes for responders, and providing an emergency throw blanket to cover classified information.

6. Determine Residual Risk.

Inspect the countermeasures to see if they truly mitigate the risk. One might have time to cover classified information during a medical emergency, but the same countermeasure will not be effective when there is no reaction time, such as an explosion or earthquake. Always assign countermeasures by situation and by asset format and location.

One universal tool that FSOs might find useful is an emergency kit bag at each location. These kit bags can be assigned to responsible and adequately cleared employees to deploy in emergency situations. However, not at all costs: human lives always come first.

Emergency Kit Bags

· Marking supplies (Pen, stamp, preprinted labels, etc)

· Opaque bag or wrapping paper

· Opaque security tape

· Cleared personnel roster

· Classification level coversheets

· Light source

*Suggested contents of emergency kit bags. These bags should be kept up to date, inventoried periodically, and readily available during emergency evacuations.


An FSO should form a team to conduct the risk assessment process. The team should include emergency scenarios among the possible causes of unauthorized disclosure of classified information. The more subject matter expertise, the better. The FSO might enlist the help of cleared employees working in each unique environment, the safety officer, the facilities manager, and others to provide a more complete picture of the environment.

VALIDATION:

Document all actions and make the records available during the annual security review. Documentation might include:

· risk assessment process describing each of the six steps

· locations of emergency kit bags

· security training provided to cleared employees

· training provided to designated emergency escorts

· list of approved emergency escorts

· plan to protect classified information during an emergency event



The Six Step Risk Assessment Process for Cleared Defense Contractors and FSOs

The facility security officer should conduct an assessment of classified holdings to determine vulnerabilities, threats, and risk to classified information. This risk assessment goes above and beyond what has been determined by the original classification authority (OCA) and what the National Industrial Security Program Operating Manual (NISPOM) requires. Where the OCA determines the classification level, the NISPOM provides guidance on how to protect the classified information.


The missing piece is the defense contractor and how it protects the classified information by format and location. It is not always good enough to rely on NISPOM requirements alone, because the environment may dictate additional countermeasures. For example, SECRET and CONFIDENTIAL information can be approved for storage in a GSA approved container. However, if the defense contractor is in a high crime area, additional physical security measures may be necessary.

That is where the 6 step risk management process comes in handy. The NISPOM, SCG, Statement of Work, DD Form 254 and other guidance set minimum protection measures; the FSO should consider forming a team to help determine the risk to classified information at the enterprise location(s). The process can be laid out in six steps:

  1. Determine Assets to be Protected-In this case it is classified information. The FSO might consider expanding the scope to include controlled unclassified information stored on site. For the analysis, consider the classified information by format (hardcopy, softcopy, end item, information in a person's head, etc.) and location (high bay, closed area, security container, open storage, SCIF, etc.).
  2. Determine Threats-Threats can include: emergency situations, spies, break ins, insiders, and other environment issues specific to the contractor location.
  3. Assess Vulnerabilities-Understand what can be exploited to get to the classified information specific to your facility. Vulnerabilities could include traffic patterns, limited security staff, lack of seasoned cleared employees, or other weaknesses in the infrastructure or environment.
  4. Assess Risk-Match the threats to the vulnerabilities and determine whether or not baseline security measures are enough. For example, even though classified information is stored in an approved GSA security container, new employees forget to lock the container before leaving the area. In the example, the NISPOM requirements are met to store classified information, but the environment requires more protection.
  5. Assign Countermeasures-If the security program designed to protect classified information does not protect it appropriately, assign additional countermeasures. In the above example, the GSA approved container is adequate for protecting classified information, but employees have been forgetting to lock the container while taking short breaks. Additional countermeasures could include: supervisor spot checks, additional security awareness training, discipline, and other actions to ensure the risk to classified information is mitigated.
  6. Determine Residual Risk-Inspect the countermeasures to see if they truly mitigate the risk. If the supervisor checks cannot be sustained, then additional countermeasures will have to be implemented. Keep checking until the behavior is corrected and the risk is mitigated.

The OCA provides the classification level, and the contractor is required to protect the classified information at that level. The NISPOM provides the guidance, but that may not be enough. The FSO should consider enterprise specific issues that could require additional countermeasures, conduct risk assessments, and document the effort.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Monday, June 1, 2015

Try these NISPOM Based Questions


Try these NISPOM based questions and see how you do. You may find some answers in the NISPOM, but others you might just have to think through.

1. After receiving classified material, the receiver inventories the contents and inspects the package. Name three items to inspect.

2. You have just received a classified package. Upon comparing the contents of the package with the receipt, you notice a misspelled title. What should you do?

3. Who should the FSO or senior security specialist notify in the event of a potential or suspected compromise of classified material?

So how did you do? These questions and more can be found in DoD Security Clearance and Contracts Guidebook, as well as in NISPOM Training. Both resources provide excellent study material that may help with passing the ISP and SPeD certification exams. 


Contact Jeff at Editor@redbikepublishing.com to book him at your next event.
