Tuesday, April 13, 2010

Are Alarms Always Required For Contractors and FSOs according to NISPOM?

The National Industrial Security Program (NISPOM) is THE guidance for Defense Contractor Facility Security Officers. However, it doesn’t always answer some questions these FSOs might have about protecting classified information. For example, suppose a defense contractor company has an Indefinite Delivery/Indefinite Quantity Contract. In that contract, the facility is required to store information classified at the SECRET level. Do they need an alarm?
In this scenario, the FSO has only had to request the security clearance of employees required to perform on classified work at another facility. To date, classified work had not been performed or stored at the cleared facility. So far, she has done an excellent job of managing the clearances and has received a COMMENDABLE in her last DSS review.
Now, a delivery order requires the storage of SECRET documents on site. Fortunately the FSO has been preparing for such an opportunity. She has recently purchased an approved security container adequate for holding the classified items. However, she isn’t sure whether or not the company needs to have an intrusion detection system (IDS).
So, does the cleared contractor storing SECRET information require an IDS? Do you think you know the answer?
Well, according to NISPOM, this situation does not require an IDS. SECRET information is only required to be stored in a GSA- approved security container. IDS is required for TOP SECRET and SECRET not stored in a GSA-approved container in a closed area. How many of you thought that IDS is always required?
This is where risk management comes in. IDS may be required, but not by NISPOM. However, if you live in a high crime area or life safety considerations require it, get the IDS. But only do so after assessing the risks. Many small companies do not have the vast security budgets of their larger colleagues. Many large companies may have CCTV, magnetic card readers, IDS systems and many other state of the art security measures as a “best practice” consideration. But many times, the return on investment may not be there if risks are low or non-existent.
An FSO can demonstrate value added by determining whether or not the need for IDS exists and then presenting the pros and cons to management. A terrible and costly mistake is to request security measures just because they are “industry standard”. Know what NISPOM says, implement NISPOM requirements, but make an intelligent determination for all other security

2 comments:

Unknown said...

When dealing with sensitive information, there shouldn't be any question of procedure or protocol. Confusion on such a matter often leads to oversight. This can be costly for employers, employees and those needing to keep the data secure.

DefensePlacements
Security Clearance Jobs

jeff said...

Absolutely right Ken and well said. As you probably know this includes the biggest problem of all, export compliance.