Information for the CIO, CSO, FSO, ISSO and other security professionals. Understanding NISPOM and ITAR compliance is tough. Of the more than 12,000 cleared defense contractors, a majority don't have a security staff. We hope to help fill the gap. From security clearances to performing on classified contracts, you can find help here.
Wednesday, July 30, 2008
The FSO
Some enterprises may want to get into the business of government contracting, but may not know where to begin. To help with classified contracts and contractor requirements I'll be posting excerpts of my upcoming book due out next summer. This first post from the book addresses the appointment of a Facility Security Officer.
Under the National Industrial Security Program, a contractor is required to appoint an FSO to take on the responsibility of directing a security program to protect our nation's secrets while they are entrusted to the cleared facility. This FSO has a tremendous scope of responsibility and takes on the role of provider of security and link between the government contractor, the cognizant security agency (CSA) and the federal government. Fortunately, they have the National Industrial Security Program Operating Manual (NISPOM) to help.
The employer has the choice of hiring a new employee or assigning a current cleared employee as the FSO. The employee must meet two minimum requirements: be a United States citizen and possess a security clearance according to the company’s facility clearance level (FCL). In smaller companies, an assistant, engineer, program manager, human resources specialist or other capable employee assumes the additional responsibility. Larger companies may have the luxury of hiring additional personnel for specific and defined security responsibilities.
The FSO should be cleared to the level of the facility clearance. A facility clearance is awarded to businesses that meet strict requirements and have a need to work with classified information. The personnel security clearance is awarded based on the need and the approval of a facility clearance. In either case, both the facility and the FSO have to be U.S. entities and must have a history of integrity and conduct that prevents or limits exploitation or coercion to release classified material in an unauthorized manner.
However a company decides to appoint an FSO, that person should demonstrate keen leadership and team-playing traits that complement the minimum requirements found in the NISPOM. As the director of the security program, the FSO's main purpose is to prevent the unauthorized disclosure and release of classified information. Any unauthorized release can cause problems such as, but not limited to: loss of reputation, loss of contracts, jail time or disciplinary actions against the employee, and loss of clearance for the employee and/or the business. The FSO has a tough task that they cannot possibly do alone (for training resources visit our website).
Stay tuned for more posts on the subject of FSO, NISPOM and cleared contractors.
Saturday, July 19, 2008
Turning Meetings Into Doings
Recently a friend of mine asked me to run for officer of a professional committee we are involved in. “Jeff”, he said, “we only meet once a month for an hour. I’m sure you can spare that kind of time for a worthy cause.” How could I refuse such a promising proposition? I eagerly joined, wanting to make a difference. However, I quickly learned what most of us know; many meetings are a waste of time.
“We only meet once a month for an hour.” How many times have you heard that pitch? You bought-in only to be pulled into a group that met only because someone said they should. Then you end up meeting for an hour and a half of directionless conversations. These may even have been followed up with an agreement to meet again to continue the discussion. You then learned to lead and took the same lessons with you. This misuse of meetings has contributed to our earned reputations of having meetings just to conduct meetings.
Though meetings are an essential part of leading professionally, many are far from necessary. Often meetings are put together for the wrong reasons, leaving group members feeling frustrated about the waste of time. Some leaders confuse having meetings with accomplishment or activity. Some misuse meetings as a method of passing information, exercising authority, visiting, or airing opinions. Members leave without having impact, input, or a feeling of accomplishment.
However, this frustration can be avoided by following six simple steps. If you can address these rules, your meetings will impact your projects with positive results: determine need, calculate the cost, set up the meeting, create the agenda, conduct the meeting, and finally follow up.
First, determine the need for a meeting. Most problems can be solved with a quick phone call, email, office call, or a chat in the hallway. If there is no reason to formally bring everyone in, then by all means avoid it. Save meetings for the timely and absolutely necessary times when everyone’s efforts are needed. Ask yourself the following questions: Can I accomplish this with better communication? Is there another way to get the needed results? Can someone make the decision for the whole group? Am I just lonely? If the answer is yes to any of those questions, then don’t have the meeting.
Next, calculate the cost. Once you decide that you do need a meeting, try to eliminate another determining factor: the cost. The Essential Manager’s Manual, a textbook used in some graduate-level communication courses, uses a simple formula for figuring how much a meeting will cost. Add the combined salaries of attendees plus expenses, then divide by work hours per year. For example, if your meeting requires the attendance of a church staff member and others from local businesses, you will need to figure everyone’s salaries. Once you have the total, add to that any miscellaneous costs. These costs include the rental of a conference room, cost of refreshments, per diem for guest speakers, etc. Once you have the total, divide it by the work hours per year. Most businesses recognize 2,080 work hours per year. For example, if the combined salary of the group and miscellaneous expenses is $250,000 then the cost of a one hour meeting is $120.00. Ask yourself if the value of your meeting exceeds the cost.
Dollar amounts are not the only expenses to consider with volunteers. The next costs are intangible. Though there is no set formula, as the leader, you have to compare these costs with the potential benefits. Since most meetings take place on weekends or in the evenings after work, you should consider these intangible costs for each member of your group. Badly planned meetings leave volunteers and committee members to unnecessarily experience missing meals, foregoing play time with grandchildren, not helping with household chores, being away from friends and family, spending gas money, rearranging schedules, reacting to last-minute events and putting off personal agendas. Motivated volunteers expect to sacrifice for the good work; however, they shouldn’t expect to waste valuable time.
Setting up the meeting involves deciding who will attend and the purpose, or what you hope to accomplish. After you have determined the need and that the benefit of having the meeting will exceed the costs, it’s time to set up. Your committee by-laws may require everyone’s presence, or you may decide that for planning purposes you need everyone’s input. Perhaps you only need the key players in the organization. You have diligently figured the financial and intangible costs and decided that minimum participation is better. Either way, this is vital to the group’s ability to act and the impact it will have.
Next, you should outline what success looks like and backward plan from there. If your meeting is to conduct training for prayer walking in surrounding neighborhoods during the next school break, use this to set measurable milestones. Identify the projected date, determine how long training will take and decide when to begin and how you will measure the results. From there you can identify the teachers and develop the curriculum. Knowing and communicating the point of the meeting is a major factor in making it a huge success.
Create an agenda to reinforce the purpose of the meeting. Up to now we have discussed how to determine the need and actions leading to the meeting. The agenda is a powerful and effective tool to use well before the actual meeting. An agenda is nothing more than a chronological order of topics to be discussed during the meeting.
At this preparation stage, pre-publishing the agenda to all invitees is a valuable time saving tool. This allows them to prepare information, decisions, or resources. With advance warning and a thorough agenda, your group will be more informed about what is expected, how to arrange their schedules and will feel valued as members. Later, call on all those you have invited to remind them of the agenda. This will prepare you for tough questions as well as help you streamline and fine tune before the meeting.
Finally, you can conduct the meeting. Show up early and prepare the room. Work out where participants will sit or stand. Placing key people strategically will ensure maximum participation. Make sure you have your resources, your notes and especially your agenda on hand. As people arrive, greet them and guide them to their places. Start with a positive attitude and have everyone warmed up for the meeting. If you can “break the ice” before the meeting, you will have more time for the objective.
Begin the meeting using the agenda. Set the ground rules and agree how you will handle disputes, confidentiality, input and who will present. If you haven’t done so already, select someone to take the minutes of the meeting. Minutes are nothing more than a record of time, location, discussion and agreements made. Have the person take detailed notes to be converted to minutes at a later time. At this stage their priority is to capture a snapshot of the meeting.
Go over the agenda to refresh everyone. As you go through the events, encourage input by asking open ended questions. For example you might ask, “Who do you recommend that we approach about helping our deployed soldiers’ families?” If you are good, you may get more suggestions and input than you expected. Much of it may be off the agenda so be prepared to guide the conversations back. If anyone wishes to add something new, write it down and agree to cover it at a later time or date.
Finally, conduct the follow up. When the meeting is finished, review the agenda and the agreements made and solutions brought up. Summarize key points made and agree to follow up to check on progress. Set goals and decide who has the next action, and use milestones to measure accomplishments. Republish the agenda and distribute the minutes at a later date to keep the group mindful of the meeting’s results.
Whether or not to hold a meeting is a big decision. Meetings held for the sake of meeting are a waste of time and resources. Using the six steps identified above will ensure that your necessary meetings have more impact. Such accomplishments improve morale and help volunteers keep themselves motivated and focused on the objective. Then, when you invite someone to join your committee for an hour a month you will have established credibility and they will be happy to be a part of something powerful.
Thursday, July 10, 2008
Being vigilant while protecting the money makers
A former engineer with Boeing Company has pleaded guilty to possessing classified information in an unauthorized location. Does anyone want to guess where? Yes, that’s right, his house. He thought he could take the information home with him and work on it there. You can read more about the information in the article Boeing Engineer is found guilty.
While many security managers are focused on good training and may think that they have it in the bag, don’t rest just yet. Chances are that the involved engineer is not the only one breaking the rules of safeguarding classified material. Those who work on classified contracts need to be reminded again and again how to do so while following the laws of our country.
Let’s break this case down. The engineer has access to computer processing. He then downloads the information to a data stick and brings it home with him. Though he probably meant no harm, his actions created tons of it and he will be punished for it.
Chances are, he had attended and understood all security awareness training events. His former employer probably had warning signs and controls in place to remind the engineer of the proper use of classified IT. They probably followed NISPOM requirements to perform random checks, control classified processing, account for classified material and take all actions necessary to prevent unauthorized disclosure. However, he still got through.
This serves to remind security professionals to be creative in their risk analysis. This involves thinking like those you support and answering questions like the following: How could an employee sneak or inadvertently remove classified material? Are there any ways to remove, copy, destroy or disclose information without leaving a trail? Can employees be duped into releasing classified, export controlled or proprietary information at a convention?
Find the answers and address them as soon as possible. For example, our engineer downloaded classified information on a data stick. Security managers could return to policies of two-person use rules for all tasks requiring the use of classified material, or require each employee to verify verbally that they do not have cameras, data sticks, or recording devices before entering facilities.
Security managers have the tough job of protecting classified material. While many may feel they are in the business alone, professionals create an environment including the whole company in the plan and activities of protecting our nation’s secrets. Security managers have to learn to be as creative as the employees they support to better counter threats of unauthorized disclosure.
Wednesday, July 2, 2008
Safeguarding 101
Since the Federal Government allows contractors to use classified information in the performance of contracts, the Department of Defense regulates a classified contractor’s ability to work with classified material. The Federal Government has published a policy appropriately titled: The National Industrial Security Program Operating Manual (NISPOM). This page turner is sponsored by the Presidential Executive Order (E.O.) 12829 for the protection of information classified under E.O. 12958. Having pored over both publications and the updates, I can confidently assure you that they take this business very seriously.
When specific work calls out performance on classified efforts, provisions of the applicable DD Form 254 and Security Classification Guide (SCG) shall govern. Both the DD 254 and SCG spell out what specific work a contractor can and cannot perform and what exactly is classified. Both of these documents not only should be available prior to execution but read and understood by all performing employees.
Classified information is marked with CONFIDENTIAL, SECRET and TOP SECRET designations and must be afforded protection at the appropriate level. For example, unauthorized disclosure of CONFIDENTIAL information could reasonably be expected to cause damage; SECRET could reasonably be expected to cause serious damage; and TOP SECRET could reasonably be expected to cause exceptionally grave damage to national security. Prior to discussing or providing classified data, employees are required to ascertain the receiving party’s clearance level and need-to-know. They will advise the receiving party of the classification level of information provided.
Facility security officers and industrial security professionals should develop measures to safeguard classified information at the highest level indicated. Employees should be trained to pay close attention to the classification and the identified protective measures. As part of the awareness, DoD contractor employees should notify security of any meetings involving performing on classified contracts. The primary objective is to work with the customer to identify specified needs according to the contract. If working on a classified effort, the customer will provide the above-mentioned DD Form 254 and an SCG specific to the contract or delivery order. Both publications identify the classified work to be performed and describe the classification level of materials, documents, tasks, and details as required. The FSO will also work out details concerning the proper storage, handling and maintaining of classified material, documents and items.