Sunday, March 27, 2016

Combinations to security containers changed by authorized persons as required

www.redbikepublishing.com

Earlier articles addressed documenting the authorized persons having access to the combinations. Determining who needs access to the combination is one part of a successful formula. This article addresses when combinations must be changed and who may change them.

In this article, continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308b-d.
                                                                       
5-309  Are combinations to security containers changed by authorized persons when required?

RESOURCE:  ISL 2006-02 Changing Combinations under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html

The question seems to emphasize whether or not the person changing the combination is authorized. However, a closer reading of NISPOM and the Industrial Security Letter shows that the real focus belongs on the combination change event itself. The point is to protect classified information from unauthorized disclosure through proper security container maintenance practice.

Earlier articles discussed methods of determining who should have access to combinations. Careful consideration ensures that classified information is released only to those with the proper security clearance and a need to know. Just as access to the combination is protected, the proper maintenance and setting of the combination is equally important.

Those authorized to change combinations should be aware of the circumstances requiring a combination change. Some are more obvious than others, but a good plan to manage combinations will help meet the requirements outlined in NISPOM. Expanding a good security awareness training program to include combination change events could create a more effective program to protect classified information.

The NISPOM states:

Combinations shall be changed by a person authorized access to the contents of the container, or by the FSO or his or her designee. Combinations shall be changed as follows:
a. The initial use of an approved container or lock for the protection of classified material.
b. The termination of employment of any person having knowledge of the combination, or when the clearance granted to any such person has been withdrawn, suspended, or revoked.
c. The compromise or suspected compromise of a container or its combination, or discovery of a container left unlocked and unattended.
d. At other times when considered necessary by the FSO or CSA.

Again, the rationale for some combination changes is obvious, as with point a: a security manager or any organization should replace the combination’s factory setting with something less obvious and more secure.

Point b is almost as obvious. Employees who are no longer employed, or who have had their clearance and/or need to know revoked, no longer need access to the combination. The most secure, desired, and required response is to change the combination, and this goes right along with basic physical security practices. After all, a hotel guest should expect that a previous guest’s access card will not open the current guest’s door. They have “checked out” and no longer have authorized access to the room.

ISL 2006-02 makes a good point. The person must have had knowledge of the combination, not just access to the container’s contents. For point b, it is not necessary to change any or all combinations unless the employee actually knew the combination.

Combinations must be changed upon the termination of employment of any person having knowledge of those combinations. Having knowledge and having access are not the same thing. A locksmith has access to every combination but may not have knowledge of any combinations other than his or her own. It is not realistic to require a contractor to change hundreds of combinations when a locksmith leaves. The only combinations which require changing are those for which the locksmith had personal knowledge and the combination to the container(s) housing the master list or copies of combinations.


Point c may not be as obvious, but any compromise of the security container warrants a change of the combination. This is because the combination resides in the security container documentation (SF 700). The combination is written on the SF 700 and protected according to the instructions found on the SF 700. The SF 700 is also updated every time the security container combination is changed. The classified SF 700 Part 2 is to be protected at the same classification level as the information it protects, inside a GSA approved container. If a container is left open, there is no guarantee that unauthorized personnel did not gain access to a combination and the classified contents. When the combination or security container has been compromised or is suspected of being compromised, the combination must be changed and an investigation conducted.


A special note about admin security containers: some FSOs with multiple security containers keep a folder of all combinations in one of the security containers. If that container is left unsecured, ALL combinations must be changed.

Security violations occur when combinations are revealed to unauthorized or non-cleared persons. Combinations spoken out loud, written down, or otherwise broadcast in an unauthorized manner put classified material at risk of compromise. Likewise, security containers that no longer work properly, or that have suffered damage significant enough to affect the required security capability, make compromise a possibility.


Point d is based on guidance from those in authority. If they say change the combination, then change it. Local policy may go above and beyond NISPOM and create requirements to automatically change combinations after a certain event or time period.
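The change triggers in points a through d, together with the ISL 2006-02 reading that personal knowledge rather than mere access is the test, and the admin-container note above, can be written down as a small policy check so that a facility's process triggers the same changes every time. The following Python example is added here to illustrate that logic; it is not part of the original article and not a DSS or NISPOM tool. The container names, people, event shapes and the `had_master_list_access` flag are constructed assumptions for the demonstration.

```python
# Added example: NISPOM 5-309 / ISL 2006-02 combination-change triggers as a policy check.
# Containers, people and events below are constructed for the demonstration.
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Container:
    """One GSA-approved container and who has personal knowledge of its combination."""
    container_id: str
    knows_combination: Set[str] = field(default_factory=set)
    holds_master_list: bool = False  # admin container keeping the SF 700s / list of combinations


# Reasons for the 5-309 c triggers, worded as in the article
_EXPOSURE_REASONS = {
    "compromise": "compromise or suspected compromise of container or combination",
    "left_unlocked": "container found unlocked and unattended",
}


def combinations_to_change(containers: Dict[str, Container], event: dict) -> Dict[str, str]:
    """Return {container_id: reason} for every combination the event requires changing.

    Event shapes (constructed for this example):
      {"type": "initial_use", "container": "SC-1"}
      {"type": "termination", "person": "bob", "had_master_list_access": False}
      {"type": "compromise", "container": "SC-1"}
      {"type": "left_unlocked", "container": "SC-1"}
      {"type": "directed", "containers": ["SC-1", "SC-2"]}
    """
    kind = event["type"]
    due: Dict[str, str] = {}

    if kind == "initial_use":
        # 5-309 a: replace the factory / installer setting before first classified use
        due[event["container"]] = "initial use of approved container or lock"

    elif kind == "termination":
        # 5-309 b read with ISL 2006-02: personal knowledge, not mere access, is the test,
        # so a departing locksmith does not force a change of every combination.
        person = event["person"]
        for c in containers.values():
            if person in c.knows_combination:
                due[c.container_id] = f"{person} had personal knowledge of the combination"
        # ISL 2006-02: the container(s) housing the master list still change when the
        # departing person could reach that list (flag is this example's assumption).
        if event.get("had_master_list_access", False):
            for c in containers.values():
                if c.holds_master_list:
                    due.setdefault(c.container_id, f"{person} had access to the master combination list")

    elif kind in _EXPOSURE_REASONS:
        cid = event["container"]
        due[cid] = _EXPOSURE_REASONS[kind]
        # Admin-container note: an exposed master list exposes ALL combinations
        if containers[cid].holds_master_list:
            for c in containers.values():
                due.setdefault(c.container_id, f"master combination list in {cid} exposed")

    elif kind == "directed":
        # 5-309 d: FSO or CSA direction
        for cid in event["containers"]:
            due[cid] = "directed by FSO or CSA"

    else:
        raise ValueError(f"unknown event type: {kind!r}")

    return due


def sample_fleet() -> Dict[str, Container]:
    """Constructed sample: three holdings containers plus one admin container."""
    fleet = [
        Container("SC-1", {"alice", "bob"}),
        Container("SC-2", {"bob"}),
        Container("SC-3", {"carol"}),
        Container("ADMIN", {"fso"}, holds_master_list=True),
    ]
    return {c.container_id: c for c in fleet}


if __name__ == "__main__":
    fleet = sample_fleet()
    scenarios = [
        {"type": "termination", "person": "bob", "had_master_list_access": False},
        # locksmith: no personal knowledge of any combination, but could reach the master list
        {"type": "termination", "person": "locksmith", "had_master_list_access": True},
        {"type": "left_unlocked", "container": "ADMIN"},
        {"type": "compromise", "container": "SC-3"},
    ]
    for ev in scenarios:
        print(ev["type"], "->", combinations_to_change(fleet, ev))
```

Each returned entry is a combination change to perform and to record on the container's SF 700; the `termination` branch only fans out to the whole fleet when the departing person could reach the master list, which is exactly the distinction ISL 2006-02 draws between the locksmith's access and an employee's knowledge.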

VALIDATION:
  • Document the names of those authorized to change combinations, with the rationale for the decision.
  • Document the date an approved container or lock is put into initial use. Add any additional or new container to the other inspection and security container management documents and information management systems.
  • Ensure enterprise policy includes notification of terminated or resigning employees. Local policy should include JPAS review and combination authorization. A process should be in place to trigger combination changes. Document combination changes and update the SF 700.
  • Document compromises or suspected compromises of a container or its combination. Ensure policy is in place to trigger security container documentation. Update the SF 700 and other security container maintenance documentation.
  • Document directed combination changes. Consider internal policy for other event- or time-driven combination change requirements.
  • Update security awareness training to include required combination changes.


               

Wednesday, March 9, 2016

NISPOM Based Questions

Taking practice tests is the best way to prepare for an exam. Successful students in grade school and college study using guides and exam preparation questions based on the test subject material. This same successful methodology can also help prepare for professional exams like ISP Certification and SPeD Certification. DSS has study material and tests available for those who enroll; NCMS has test study material as well.

Practice tests augment certification exam preparation. Red Bike Publishing's Unofficial Study Guide features four complete test-length practice exams based on NISPOM. It could help you pass the ISP and SPeD certification exams.

According to reader comments and emails to the author, many who have bought this book, the ISP Test Tips, and used our techniques to augment their preparation have performed very well on the exam.

Try these questions to see how you do:


1. During UNCLASSIFIED visits by foreign nationals, it is a _____ responsibility to ensure export authorizations are obtained.

a. GCA

b. Contractor

c. CSA

d. State Department

e. DGR

2. Card readers, control panels, interface devices or keypads communication located inside of a TOP SECRET closed area shall have which of the following:

a. Tamper resistant enclosure

b. Fastened to a structure

c. Protected by tamper alarm

d. Activated retinal scan

e. None of the above



3. Sanitizing is the methodology used of _____ information from media prior to reusing the same media in an area that does not provide a level of protection that is acceptable.

a. Eradicating

b. Removing

c. Examining

d. Releasing

e. Exposing



4. TOP SECRET control officials shall be designated to _____________ TOP SECRET information.

a. Transmit, maintain access and accountability records for, and receive

b. Create, classify, brief, document

c. Receive, create, classify, disseminate

d. Request, assign, account, disseminate

e. Receive, transmit, classify, document


Scroll down for answers:

1. During UNCLASSIFIED visits by foreign nationals, it is a _____ responsibility to ensure export authorizations are obtained.
a. GCA
b. Contractor (NISPOM 10-507)
c. CSA
d. State Department
e. DGR
2. Card readers, control panels, interface devices or keypads communication located inside of a TOP SECRET closed area shall have which of the following:
a. Tamper resistant enclosure
b. Fastened to a structure
c. Protected by tamper alarm (NISPOM 5-313f)
d. Activated retinal scan
e. None of the above

3. Sanitizing is the methodology used of _____ information from media prior to reusing the same media in an area that does not provide a level of protection that is acceptable.
a. Eradicating
b. Removing (NISPOM 8-301b)
c. Examining
d. Releasing
e. Exposing


4. TOP SECRET control officials shall be designated to _____________ TOP SECRET information.
a. Transmit, maintain access and accountability records for, and receive (NISPOM 5-201a)
b. Create, classify, brief, document
c. Receive, create, classify, disseminate
d. Request, assign, account, disseminate
e. Receive, transmit, classify, document

Consider visiting Red Bike Publishing for training that you can download and present to cleared employees as well as present to DSS during the annual review.

Tuesday, March 1, 2016

When combinations to classified containers are placed in written form, are they marked and stored as required?

Earlier articles addressed documenting the authorized persons having access to the combinations. Determining who needs access to the combination is one part of a successful formula. This article addresses how to store or treat recordings of GSA Approved Container combinations.

In this article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308b-d.

5-308b Are security containers, vaults, cabinets, and other authorized storage containers kept locked when not under direct supervision of an authorized person?

5-308c-d When combinations to classified containers are placed in written form, are they marked and stored as required?

GSA approved containers, vaults, cabinets and other authorized storage containers safeguarding classified information should be secured. After all, they protect classified information and therefore are no good unless they are locked.

Using the same logic, the contents are not safeguarded if keys are left out or combinations are not likewise protected. As written previously, combinations are classified at the same level as the contents of the security container. If recorded, these combinations are required to be safeguarded in the same manner as the classified information that the combination protects.

The classified combination should be memorized so that it can’t be compromised. Just like the slogan says, “Memorize, Don’t Compromise”. But don’t miss this important point: cleared employees must also protect the classified information in their heads.

Since we can’t store the person in a container at all times, how does one protect the “knowledge” of the combination? This leaves an implied task: train employees not to reveal the combination unless the other person has access and need to know.

If recording is necessary, it should be provided the appropriate classification level in the appropriate places and stored in the appropriate container. For example, if the combination protects SECRET information and if recorded anywhere, the media should be marked SECRET and stored in a location approved for SECRET storage.

Why such emphasis on something so fundamental? One should not assume cleared employees understand the requirements, nor take cleared employees' security knowledge for granted. Cleared employees should be trained not only with Initial and Annual Security Awareness, but also in how to perform security related duties.

Take this experience from a few years ago:

As a new FSO, I performed a walk through inspection of our classified holdings. At one point I approached a cleared employee who had access to a GSA Approved Container and therefore all the contents. I asked her to open the container so that I could ensure all documentation was in order. She pulled out her smart phone and started typing in a code…

What? Typing in a code?

Yes, she had recorded the combination in her smartphone. I began an investigation immediately.

She had committed a security violation and we had to investigate whether or not classified information was exposed.

Combinations are meant to be memorized and not written down or stored in computers, phones or Personal Data Assistant devices. The combination should be protected at the same level as the contents of the security container. For example, if the contents of the security container are CONFIDENTIAL, then so is the combination. To ease memorization, combinations can be created from six-letter words or the first six letters of longer words. Instead of memorizing a six-digit number, employees create a word and use a telephone keypad for the corresponding numbers.

The following is a best practice for when an enterprise has multiple classified containers and combinations.

Some FSOs have made classified combination binders to record combinations and containers the combinations are assigned to. This binder can be used to keep up with which cleared employees have access to the combinations, serial numbers of the containers, and when the locks were last changed. Where facilities have multiple security containers, this binder can serve as a reminder of all combinations. Instead of remembering every combination, the list of combinations can be stored in a security container with equal or greater security classification storage capacity. Then authorized employees only have to memorize one combination. They open that container and have a catalogue of other combinations.

Another best practice for memorizing combinations is to memorize a corresponding word. Magnetic combination reminders similar to telephone touch pads are great tools. Here’s how it works: each number corresponds to a set of letters. For example, the number 2 corresponds with ABC, 3 with DEF, etc. When cleared employees have access to multiple safes, word reminders help prevent the security violations that occur when cleared employees write combinations down for personal use. Using combination word clues and providing an administrative security container helps reduce the risk of such violations.



VALIDATION:
  • Observe authorized employees as they open GSA Approved Containers. Do they memorize the combination? Do they have it stored in an unauthorized location?
  • If combinations are recorded:
    • Are the recorded combinations stored in a GSA Approved Container?
    • Are the recorded combinations stored at the appropriate classification level?
    • Is the recorded combination media marked with the appropriate classification level?