Friday, May 24, 2013

Why is the CLASSIFIED BY: Line so important?

Why is the CLASSIFIED BY: Line so important? Let’s put it in perspective. Someone is responsible for classification decisions, and that person may be held accountable for them. This is also the person who can provide insight into security violation investigations, etc. The impact: this is the person to go to for research into the classification, as well as the one accountable for classification decisions, good or bad. Let’s face it; someone has to answer for their decisions. That’s why developing a process for deriving classified information is so important.

So, we know the requirements in the BY line; all we need now is a tool or process to identify source documents for derivative classification. First, what tool do we have available to research derivative classification? According to the DoD Security Clearance and Contracts guidebook, the NISPOM addresses the requirement to account for TOP SECRET information. Well, what about SECRET and CONFIDENTIAL? They should probably be tracked as well. If not, how do you know what you have and how many there are? Better yet, without a cataloging system, how can derivative classifiers complete the picture of what they carried over as classified and which source documents, security classification guides (SCG) and DD Forms 254 are available? Additionally, the NISPOM also requires the cleared defense contractor to provide classified information within a reasonable amount of time for a variety of reasons.

1. Reference tools-One important tool in the process is the information management system (IMS). An IMS can be a commercially available software system such as SIMSSoftware or something simpler, such as a Microsoft Excel spreadsheet listing all the assets and where they are located. The derivative classification process can be easily tied into the IMS as a point of research into source documents, SCGs, and DD Forms 254. The IMS can be researched to provide the source documents as the reason for classification, and answer the DERIVED FROM, DOWNGRADE ON and DECLASSIFY ON elements.

2. Training tools-Before cleared employees can perform derivative classification, they must be trained. NISPOM lays out training requirements. It’s up to you to provide that training. Without the training, cleared employees won’t know how to perform their jobs. Additionally, without training they aren’t authorized to perform the derivative classification. So, how will they write reports, design products, assemble end items, and perform tests, modeling and simulations involving information deemed classified by a classification authority?

3. Compilation tools-One plus one equals elevendy. Sometimes the sum of the parts is greater than the whole. Compiling unclassified elements or information may lead to a classified product. How will you know? The subject matter experts do understand, and assembling a working group to analyze the DD Form 254, SCG, classified source documents and other information from tool 1 should be required. Invite the government and contractor project managers, engineers, scientists, security professionals, etc. into a solutions working group to identify unclassified elements that may be classified or classified elements that may warrant higher classification by compilation.

4. Identify export controlled information-This tool may seem out of place, but it leads to the final tool. Before we go to the final tool, consider items that may be export controlled. Again, security managers may not be able to identify this and will refer to a working group. The group can examine technologies and determine by their nature whether or not they are export controlled based on State (ITAR) or Commerce (EAR) Department requirements. You explain the rules and the subject matter experts can identify tests, components, documents, etc. that contain export controlled information. Then, teach them to document and protect it.

5. Information Product Guide-Assemble all the tools into a reference document listing elements or entire compilations of relevant SCGs, DD Forms 254, source documents (catalog or names only), end items and export controlled information. This is a reference for both programs and security and will provide a basis for smart decisions.

6. Develop Public Release Process-This is an enterprise function using program, leadership, security, contracts, business development and HR as a minimum. In smaller companies the same people may perform multiple critical functions. Use the product from tool 5 to reference a process where speeches, presentations, articles, products, and anything considered for public release is reviewed and documented as decisions are made.

The CLASSIFIED BY: Line is an important part of documenting derivative classification. However, to do so properly, you need the right tools. Use these six tools to ensure training and performance that exceeds standards.

Derivative classifier training is available at 
http://www.redbikepublishing.com/training/nispom-derivative-classifier-training/


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".

Tuesday, May 21, 2013

What the Classified By Line Looks Like


Thanks for continuing to read so many articles about derivative classification. So far, we've written a lot about the derivative classification portion of NISPOM Change 1. It's important to understand the sections with the largest number of changes. After all, the products that cleared defense contractors provide constitute derivative classification. Failure to recognize and apply requirements can result in security violations and unmet contract requirements.

We began with an article defining derivative classification, next, an article on who should provide derivative classification training, an article about the required training topics, and finally this article describing the new CLASSIFIED BY line.

New changes to NISPOM include the addition of a CLASSIFIED BY Line to the derived document. This may seem confusing at first until the intent is made more clear. The CLASSIFIED BY Line should be thought of simply as who provided the derivative classification. Perhaps to save confusion the policy powers should have named it the DERIVED BY Line. This requires the identification of the person and the position of the person applying the derivative classification marking.

I'm not sure what the phrase "If not otherwise evident, the line will include the agency and office of origin will be identified and follow the name and position or personal identifier of the derivative classifier" means. Other than the obvious repetition of "will", the reader is left to decide if the agency and office of origin means of original classification or origin of the derivative classifier. Reference to the most recent DoD marking guide, "Classified By: List name and position title or personal identifier of the DERIVATIVE classifier and, if not otherwise evident, include the Component and office of origin.", demonstrates almost the same wording, word for word.

To be sure, derivative classifiers identifying their names and positions will meet the minimum requirements, and the relationship and contract should make the relationship with the component and office of origin evident. Also, the DERIVED FROM line may include that information. More clarification is needed, so I'm all ears.

The rest of the BY Line includes the familiar DERIVED FROM, DOWNGRADE TO (as applicable) and finally DECLASSIFY ON Lines.

DERIVED FROM-Gives an account of where the derivative classifier pulled the classified information from. This could reflect instruction from a security classification guide, classified markings on a source document, or as required on a DD Form 254. 

DOWNGRADE TO-is only necessary when the classification source gives downgrade instructions. If a classified element or information is used from a classified source that instructs to DOWNGRADE TO SECRET on 21 May 2021, then DOWNGRADE TO is applied to the new product. If there are no downgrade instructions, then the marking is not required.

DECLASSIFY ON-is applied the same as the DOWNGRADE TO line. There will almost always be a DECLASSIFY ON line on "vanilla" classified products.


Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.

Derivative Classified Training-What FSOs Should Know

Change 1 to the National Industrial Security Program Operating Manual (NISPOM) outlines requirements for derivative classification. Where the original classification authority receives training on the same topics annually, NISPOM requires derivative classification training once every two years. According to NISPOM, derivative classifiers should be trained…in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years… not authorized to conduct derivative classification until they receive such training.

Here’s the important part: no derivative classifier training, no work. Proper NISPOM training and documentation is the difference between performing on classified work and not being able to meet contractual requirements. Make sure your cleared contractors performing derivative classification responsibilities are trained to standard. The standard is listed below with a few ideas on how to meet each of the criteria.

Classification levels-

On all occasions, employees should understand how to recognize classified information and handle it properly. Those in possession of classified information should comprehend how to safeguard it and prevent unauthorized disclosure.

There are three levels of classification: CONFIDENTIAL, SECRET and TOP SECRET. They are assigned based on impact to national security as follows:

CONFIDENTIAL-could be expected to cause damage to the national security

SECRET-could be expected to cause serious damage

TOP SECRET-could be expected to cause exceptionally grave damage

Level of damage is determined through a process by the original classification authority (OCA). After the OCA makes a determination, the classification level is documented through a security classification guide, Contract Security Classification Specification (DD Form 254) and classification marking on the products.

Defense contractors practice derivative classification by carrying over the communicated classification levels to the new product. This information is found on classified source documents, instructions in the SCG or as required by the DD Form 254. In practical terms this means repackaging classified data generated from testing and simulation, research using classified source documents, building classified end items, etc.

Duration of classification-

This is identified in the (Classified By: ) information line. It consists of four lines total.

Information comes from the source. The original classifier indicates either a date or event for the duration of classification for up to 10 years from the date of the original classification decision unless the date is further extended due to information sensitivities for up to 25 or 50 years.

1. Classified By: The derivative classifier carries over the date for the same duration. On the source comments, the (Classified By:) line is now required to identify the derivative classifier.

2. Derived From: This lists the source(s) where the derivative classifier pulled the classification guidance from. This is most likely the relevant security classification guide. However, if more than one source is used, then "multiple sources" is used. The derivative classifier then keeps a record to support the duration identified. This record can be a listing of sources attached to each derivatively classified item.

3. Then there’s the Downgrade To____ On____ line. If provided on source guidance, just carry over instructions from the source documents, DD Form 254 or SCG to downgrade to SECRET or CONFIDENTIAL on the specified date or event.

4. Declassify On: Here’s where you put the duration. The duration of within 10, 25 or 50 years is from the date of original classification, not from the date of the derived product. If many source documents or SCGs are used, be sure to carry over the date of the longest duration.

Here’s what a derivative classification line might look like:

Classified By: Jared Jerrod, XYZ Contractor Lead Engineer
Derived From: Gravy SCG
Downgrade to CONFIDENTIAL on
Declassify On: 20201024


Identification and markings-
Classified items, documents, hard drives, computers and end items should be properly marked to indicate the highest classification level. These markings should stand out to warn the user of the classification level so that they can properly safeguard it. For example, classified documents would have classification levels on the top and bottom of each page as well as portion markings on paragraphs, illustrations and graphs. There are five different types of classification markings that go on documents. They are overall markings, page markings, component markings, portion markings and subject and title markings.

Removable hard drives, computers, and objects should have classification designations conspicuously marked on them. The user would then know how to protect it while in use and at rest.
When not stored in a secure container, classified objects should have cover sheets. These cover sheets are obvious reminders of classification markings and are color coded:
TOP SECRET is orange
SECRET is red
CONFIDENTIAL is blue

Classification prohibitions and limitations-

Information is only to be marked classified based on previous guidance found in the DD Form 254, SCG or classification markings on source documents and for the protection of national security. Classification markings cannot be applied to hide legal violations, inefficiencies or mistakes. Nor can the derivative classifier assign a classification just to prevent embarrassment, prevent or restrict competition or delay the release of information that hasn’t previously required such a level of protection.

Sanctions-

Classified information is nothing to leave around while going on lunch break or to discuss in the car pool while driving back to the office from a classified conference. All cleared employees working with classified information should know how to protect and treat it at all times. This includes at work, at rest, during transmission, and destruction. Failure to protect classified information can result in corporate discipline, revocation of security clearances, debarment from conducting classified business, prosecution, and jail time, to name a few.

Classification challenges-

It is a cleared employee’s duty to challenge the classification level if they find the classification level to be inappropriate or unnecessary. The NISPOM states that challenges go through the Information Security Oversight Office; however, they can be easily handled through program channels or brought through the addresses found in the administrative section of the appropriate SCG if available.

Security classification guides (SCG)-

SCGs communicate a program’s classification decisions. They are created by a program, applied to an effort and are signed by an OCA. A well written SCG should provide the cleared contractor with sufficient information to apply derivative classification. The SCG will provide information on whether or not information is classified and to what level. Some elements include administrivia, items, processes, testing, simulation, modeling and performance. Ensure the SCG is clear, applicable and well understood by cleared employees. If not, challenge it and seek clarification.

Information sharing-

True or false? Everyone in our company has a clearance, so we can all work together on it.

It is the responsibility of the person in possession of classified information to ensure the requester has a security clearance at the appropriate level of the classified information and that they have a need to know.

This responsibility extends to transmitting the information through email, presentations, fax, mail and other methods. Need to know and clearance level must both be enforced to properly protect classified information.

Cleared contractors in certain environments create classified products derived from classified information. Without the executed and documented training, derivative classification cannot be performed and thus they would not be able to meet contractual requirements; no training, no work. Use these recommendations to develop and provide outstanding training to your cleared employees. The good news is that anyone can perform the training as long as it is to standard. The above information outlines the NISPOM Change 1 guidance that reflects that standard.