Unless retention is permitted by the Government Contracting Activity (GCA), classified information must be destroyed or returned as soon as it has served its purpose. According to NISPOM section 5-701, classified information can only be retained for two years unless the GCA approves an extension.
Cleared contractors should develop a system to evaluate the classified information in their possession for reduction. Classified information no longer needed should be returned to the GCA or destroyed using approved methods. The FSO should create a system to help prioritize which items to evaluate. The Information Management System (IMS) or accountability system can be used in the process to manage classified holdings and help determine what is still useful and what can be removed. The objective is to maintain only the classified material necessary to execute the classified contract. Additionally, the FSO should be able to determine that the documents were actually destroyed or returned and not lost.
The IMS can also be used to help determine classified information by status. For example, the FSO can sort classified information by contract and see how many related documents and copies exist. Items can be prioritized based on expired contracts, duplicate copies or other criteria.
Approved Destruction Methods
Two people are required to destroy and document the destruction of TOP SECRET information. SECRET and CONFIDENTIAL only require one person. Records and receipt of destruction should be kept on hand for two years when TOP SECRET is destroyed. Though not specifically required, records should also be maintained for SECRET and CONFIDENTIAL. This documentation helps determine the disposition of classified information during inspections and inventories.
Classified information can be destroyed by approved means based on its composition. For example, paper products can be shredded, burned, pulped or pulverized. The residue should be inspected to ensure that classified information is no longer legible. Also, only use NSA approved equipment when shredding classified material.
Commercial enterprises and vendors also provide destruction services. Burn facilities operate at temperatures hot enough to burn paper in bulk, computers and hard drives and other medial. However, approval through DSS is required. Also, classified information should be destroyed the same day as it is removed from the cleared facility. When removed from the cleared facility, classified information should be prepared for removal by double wrap, receipting action and documentation. In other words, the same methods as dissemination of any classified material. Documentation of destruction should include destruction method, who destroyed it, date and time of destruction.
Information for the CIO, CSO, FSO, ISSO and other security professionals. Understanding NISPOM and ITAR compliance is tough. With over 12,000 cleared defense contractors, a majority of those don't have a security staff. We'll hope to help fill the gap. From security clearances to performing on classified contracts, you can find help here.
No comments:
Post a Comment