Tuesday, April 15, 2014

Social Media and Security Clearances

Can social media posts impact your security clearance?
It’s great to have family reunions or go out with friends and take pictures of events and the good times. We all want our friends to know how well we are doing and maybe we want to make some co-workers jealous while on vacation. Facebook, Instagram and Twitter make it possible to post your fun immediately.

Social media is a great invention and used for good, can be a rather fun way to keep up with others and allow them to keep up with you. However, such opportunities also provide epic fail situations where the poster gets in trouble at home and at work.

You may have read where school students have been suspended, military personnel have been punished and employees fired for events captured on social media. Some irresponsible postings have had reputation ruining consequences based upon perception as in the case of DeSean Jackson missing practice while posting vacation photos. Even though he had probably preplanned the event, football fans everywhere decried his bold and audacious move to vacation rather than practice.

The next time you post something negative about your work environment, the many photos with you posed with a drink in your hand, or update your relationship status for the 5th time in a week, think about this question; What happens when the security clearance investigation digs into social media?

Currently, this is an issue being discussed in shadows and whispers. The possibility of adding social media to the investigation docket may be coming. Per a study into the Navy Shipyard shooting[1], one DoD agency piloted a study and determined that at least 20 percent of the 3300 individuals subject to the pilot have been identified as having information relevant to adjudication.

Remembering the 13 adjudication criteria, there are several ways we can get into trouble through our real or perceived postings. If investigators (or even co-workers) discover information relative to adjudication, you may find your clearance delayed while explaining behavior that could be perceived as reportable or derogatory information.

So, live it up, enjoy the good life that your job has provided. But think seriously about what you want to post about yourself and how you want to world to perceive you. A little good judgment keeps you out of hot water. Bad decisions could possibly hold up or deny your chances of a security clearance.


Foot note: 


[1] SECURITY FROM WITHIN, Independent Review of the Washington Navy Yard Shooting, NOVEMBER 2013

Access Authorizations

We can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education,
(D) FOCI
(E) Classification

This third article in the series will address how to integrate the access authorizations into the overall security program designed to protect classified information.

Here are some questions from the handbook and ways to address the topics:

Are the numbers of clearances held to a minimum consistent with contractual requirements?

The facility security clearance is tied to a contract. Typically this tie-in is carried down to the cleared employee. However tying in a personnel security clearance to ONLY a contract might not be the right answer. For example, where a DD Form 254 and classified contract statement of work demonstrate that classified work is to be performed, these references do not dictate how many cleared employees are needed to conduct the work.

The best way to do measure “minimum consistent” is to tie the personnel security clearances (PCL) with the contract and establish need to know (there is a great article in clearancejobs.com that covers need to know as a justification for security clearances). Many people are required to make a contract successful, but don’t need a clearance. These might include buyers, assistants, engineers, program analysts and others support the contract, but may not actually perform on classified work.

For example, suppose 20 employees support a government contract which includes performing in a classified environment. The actual classified work is off site and involves five employees conducting testing on a new missile. The test results are classified and the five employees are the only ones to ever engage with the classified product.

In this situation, the easy course would be to just provide clearances for all employees and tie the justification to the contract number. However, the end result would be committing enterprise, industry and national security resources to supporting an unjustifiable additional 15 cleared persons. Though the contract involves classified work, the justification should be on the need to know and not necessarily the classified contract.

Here is a link to an earlier post about how to justify clearances. It even includes a sample form that can be duplicated, used and presented to DSS.

http://dodsecurity.blogspot.com/2011/07/security-clearances-and-real-deal.html

Are employees in process for security clearances notified in writing that review of the SF 86 is for adequacy and completeness only and that the information will be used for no other purpose within the company?

This is an administrative task that can be demonstrated with a signed memo. Write up the requirement and agreement of the SF 86 purpose, have the employee sign it and file it away to demonstrate not only compliance, but a workable process.

Are original, signed copies of the SF 86 and releases retained until the applicant’s eligibility for access to classified information has been granted or denied, and then destroyed?

This is an important question. Many years ago (2006-2007), groaning resonated from the facility security officer (FSO) community about the arduous task of removing all the files and the loss of “valuable” information upon the destruction of such a massive record base. NISPOM, Industrial Security Letters, DSS reviews, JPAS, and personal identifiable information protection requirements have provided guidance and helped build a new standard of releasing that information for tightly gripped fists.

Now, all contractors should now have a process in place to ensure that the SF-86 is destroyed as soon as a final determination of the employee's eligibility for access to classified information has been made.

Are all pre-employment offers based on acceptance to begin employment within 30 days of granting eligibility for a Personnel Clearance (PCL)?

For this, you can go directly to ISL 2009-02, #2 Pre-employment Clearance Action under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html

According to the NISPOM 2-205 a cleared company can submit a PCL request on an prospective employee as long as there is a written agreement that the employee will begin work within 30 days of the clearance being granted. This requirement can be met with human resources or the FSO filing a signed memo offering the prospective employee a job and their commitment to begin work once the clearance is granted.

Has citizenship been verified for each initial PCL applicant? RESOURCE: ISL 2011-02 Acceptable Proof of Citizenship under Industrial Security Letters at:

http://www.cdse.edu/toolkits/fsos/personnel-clearances.html

Citizenship can be verified by any means listed in NISPOM 2-208. Primarily, certified U.S. birth certificates; certificate of naturalization, U.S. State Department certificates of citizenship and etc. This is an easy question to answer, but unless you are willing to make photocopies of all the citizenship verification documents, it’s hard to demonstrate. The best thing to do is document this requirement somewhere in company policy and be prepared to address how you meet the requirement during the DSS review. Be prepared to identify the documents and what you would check to ensure they were certified.

Preparing for the annual review can only strengthen your security program. Take the topics from The Self-Inspection Handbook for NISP Contractors and see where yours can be improved. 


For more ideas, see our books, "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".