Tuesday, May 21, 2013

Derivative Classified Training-What FSOs Should Know

Change 1 to the National Industrial Security Program Operating Manual (NISPOM) outlines requirements for derivative classification. Where the original classification authority receives training on the same topics annually, NISPOM requires derivative classification training once every two years. According to NISPOM, derivative classifiers should be trained "…in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years" and are "not authorized to conduct derivative classification until they receive such training."

Here's the important part: no derivative classifier training, no work. Proper NISPOM training and documentation is the difference between performing on classified work and not being able to meet contractual requirements. Make sure your cleared contractors performing derivative classification responsibilities are trained to standard. The standard is listed below with a few ideas on how to meet each of the criteria.

Classification levels-
On all occasions, employees should understand how to recognize classified information and handle it properly. Those in possession of classified information should comprehend how to safeguard it and prevent unauthorized disclosure.
There are three levels of classification: CONFIDENTIAL, SECRET and TOP SECRET. They are assigned based on impact to national security as follows:

CONFIDENTIAL-could be expected to cause damage to the national security
SECRET-could be expected to cause serious damage
TOP SECRET-could be expected to cause exceptionally grave damage

Level of damage is determined through a process by the original classification authority (OCA). After the OCA makes a determination, the classification level is documented through a security classification guide (SCG), Contract Security Classification Specification (DD Form 254) and classification marking on the products.

Defense contractors practice derivative classification by carrying over the communicated classification levels to the new product. This information is found on classified source documents, in instructions in the SCG or as required by the DD Form 254. In practical terms this means repackaging classified data generated from testing and simulation, research using classified source documents, building classified end items and so on.

Duration of classification-

This is identified in the (Classified By:) information line. It consists of four lines total.
Information comes from the source. The original classifier indicates either a date or event for the duration of classification for up to 10 years from the date of the original classification decision unless the date is further extended due to information sensitivities for up to 25 or 50 years.

1. Classified By: The derivative classifier carries over the date for the same duration. On the source comments, the (Classified By:) line is now required to identify the derivative classifier.

2. Derived From: This lists the source(s) the derivative classifier pulled the classification guidance from. This is most likely the relevant security classification guide. However, if more than one source is used, then "multiple sources" is used. The derivative classifier then keeps a record to support the duration identified. This record can be a listing of sources attached to each derivatively classified item.

3. Then there's the Downgrade To____ On____ line. If provided on source guidance, just carry over instructions from the source documents, DD Form 254 or SCG to downgrade to SECRET or CONFIDENTIAL on the specified date or event.

4. Declassify On: Here's where you put the duration. The duration of within 10, 25 or 50 years is from the date of original classification, not from the date of the derived product. If many source documents or SCGs are used, be sure to carry over the date of the longest duration.

Here's what a derivative classification line might look like:

Classified By: Jared Jerrod, XYZ Contractor Lead Engineer
Derived From: Gravy SCG
Downgrade to CONFIDENTIAL on
Declassify On: 20201024


Identification and markings-
Classified items, documents, hard drives, computers and end items should be properly marked to indicate the highest classification level. These markings should stand out to warn the user of the classification level so that they can properly safeguard it. For example, classified documents would have classification levels on the top and bottom of each page as well as portion markings on paragraphs, illustrations and graphs. There are five different types of classification markings that go on documents. They are overall markings, page markings, component markings, portion markings and subject and title markings.

Removable hard drives, computers, and objects should have classification designations conspicuously marked on them. The user would then know how to protect it while in use and at rest.
When not stored in a secure container, classified objects should have cover sheets. These cover sheets are obvious reminders of classification markings and are color coded:
TOP SECRET is orange
SECRET is red
CONFIDENTIAL is blue

Classification prohibitions and limitations-

Information is only to be marked classified based on previous guidance found in the DD Form 254, SCG or classification markings on source documents and for the protection of national security. Classification markings cannot be applied to hide legal violations, inefficiencies or mistakes. Nor can the derivative classifier assign a classification just to prevent embarrassment, prevent or restrict competition or delay the release of information that hasn't previously required such a level of protection.

Sanctions-

Classified information is nothing to leave around while going on lunch break or to discuss in the car pool while driving back to the office from a classified conference. All cleared employees working with classified information should know how to protect and treat it at all times. This includes at work, at rest, during transmission, and destruction. Failure to protect classified information can result in corporate discipline, revocation of security clearances, debarment from conducting classified business, prosecution, and jail time, to name a few.

Classification challenges-

It is a cleared employee's duty to challenge the classification level if they find the classification level to be inappropriate or unnecessary. The NISPOM states that challenges go through the Information Security Oversight Office; however, they can be easily handled through program channels or brought through the addresses found in the administrative section of the appropriate SCG, if available.

Security classification guides (SCG)-

SCGs communicate a program's classification decisions. They are created by a program, applied to an effort and are signed by an OCA. A well written SCG should provide the cleared contractor with sufficient information to apply derivative classification. The SCG will provide information on whether an item is classified and to what level. Some elements include administrivia, items, processes, testing, simulation, modeling and performance. Ensure the SCG is clear, applicable and well understood by cleared employees. If not, challenge it and seek clarification.

Information sharing-

True or false? Everyone in our company has a clearance, so we can all work together on it.

It is the responsibility of the person in possession of classified information to ensure the requester has a security clearance at the appropriate level for the classified information and that they have a need to know.

This responsibility extends to transmitting the information through email, presentations, fax, mail and other methods. Need to know and clearance level must both be enforced to properly protect classified information.

Cleared contractors in certain environments create classified products derived from classified information. Without the executed and documented training, derivative classification cannot be performed and thus they would not be able to meet contractual requirements; no training, no work. Use these recommendations to develop and provide outstanding training to your cleared employees. The good news is that anyone can perform the training as long as it is to standard. The above information outlines the NISPOM Change 1 guidance that reflects that standard.

Derivative classifier training is available at http://www.redbikepublishing.com/training/nispom-derivative-classifier-training/



Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.