Facility Security Officers (FSO) have
a tremendous responsibility developing a security program to protect classified
information. After all, they (individual or staff) are the link between the
government oversight (cognizant security office), customer (prime contractor or
Government Contracting Activity) and the cleared defense contractor to ensure that classified information is
properly protected.
However, if FSOs focus solely on
the classified responsibilities, they are missing great opportunities to
increase their effectiveness. That’s right, focusing solely on the single task
of protecting classified information may reduce chances of being more
effective. Providing value added outside
of the National Industrial Security Program Operating Manual (NISPOM) actually helps the FSO create a better
security program.
FSOs can expand their influence by
providing lessons learned and best practices to integrate security into all
enterprise areas. These areas become part of a holistic approach to security of
information across the facility. Few controls are in place to
protect unclassified but sensitive info. The FSO can be a rock star in this
area. FSO could use skill to protect government and other customer supplied
sensitive products as well as internally created
Here are a two ways FSOs can use their skills to identify
and protect proprietary information, intellectual property, and other sensitive
information.
1. Government and
other customer provided products:
- Classified information-Government information that is identified and protected based on levels of potential damage to national security. Classified information is protected with guidance found in the NISPOM. It is prescriptive, meaning, if information is SECRET, it must be stored, handled, transported and destroyed according to regulations and policies. The government appointed original classification authority (OCA) uses a 6 Step OCA process to identify and protect classified information. Follow policies of NISPOM, contract and other applicable regulations to build your security program.
- OPSEC- A process to deny potential adversaries information about capabilities and/or intentions. OPSEC plans are required on many classified and UNCLASSIFIED contracts. You can see the requirements in the DD Form 254 section of classified contracts and in the contract of unclassified contracts. Use the 5 Step OPSEC process to identify OPSEC indicators, determine threat, determine vulnerability, assess risk and implement countermeasures.
- Technical information- scientific information, that relates to research, development, engineering, test, evaluation, production, operation, use, and maintenance of munitions and other military supplies and equipment. Information falling under this category are protected by export compliance and International Traffic in Arms Regulation (ITAR). You may see this information in program tests, work breakdown structure and other program related materials.
- Critical Technology - technologies are so fundamental to national security or so highly enabling of economic growth that the capability to produce these technologies must be retained or developed in the United States. The government has identified this information and is also required to be protected.
Company information is harder to identify and requires more proactive work. Where government and customer provided material should come with sensitivity level and protection requirements, internal secrets require proactive identification and protection requirements. The FSO can incorporate processes similar to the 5 step OPSEC process or 6 step OCA process to help accomplish the task. The following are examples of such items:
- Trade Secrets-processes, procedures, formulae and etc that an enterprise produces and is not well known.
- Proprietary information-Same as trade secrets and includes documentation, financial data, program details, test data, trade secrets that are not well known and that an enterprise would like to keep a secret.
- Intellectual property-Something designed, written, published, built, and etc that belongs exclusively to an individual or corporation. These differ from trade secrets and proprietary information in that they are an exclusive creation such as music composition and not personal or financial information. Intellectual property covers trademarks, patents, copyrights and others.
Identification of
trade secrets, proprietary information and in some cases intellectual property
may require a working group of subject matter experts. The FSO can lead
discussions to help determine trade secrets and use skills to protect it.
Personally Identifiable information (PII)-includes details
that can help find or identify a person. This includes name, address, drivers
license number, social security number, etc. This protection is required by
law. The FSO can help determine who needs to maintain PII and how to protect it
from unauthorized disclosure.
Once all internal information is identified and protection
measures are implemented, employees can have left and right limits that help
prevent unauthorized disclosure commonly found in events such as: conferences,
papers, patent applications and press releases.
The FSO is a pivotal member of the cleared contractor
facility. They are one of two employees absolutely required by NISPOM and their
sole purpose is to protect classified information. However, this role can be
expanded to protect all levels of sensitive information and make them a star
when it comes to enterprise protection.
Find more about the role of the FSO and security specialist
in DoD
Security Clearance and Contracts Guidebook.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training" See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR,and The NISPOM