What is A Standard Practice Procedure (SPP)?
According to NISPOM Appendix C, an SPP is a "document prepared by a contractor that implements the applicable requirements of this manual for the contractor's operations and involvement with classified information at the contractor's facility."
In other words, it is your process for applying the NISPOM to your unique operation as you conduct classified work. The SPP should be tailored to your specific organization. To be effective, it should reflect the performance requirements of your classified contracts as stated in the statement of work, DD Forms 254 and security classification guides.
Who should have an SPP?
NISPOM 1-202 states that, "The contractor shall implement all applicable terms of this Manual at each of its cleared facilities. Written procedures shall be prepared when the FSO believes them to be necessary for effective implementation of this Manual or when the CSA determines them to be necessary to reasonably exclude the possibility of loss or compromise of classified information."
The NISPOM is clear that the SPP can be directed by the Defense Security Service (DSS) to reasonably exclude the possibility of loss or compromise. Perhaps an annual DSS review has determined that vulnerabilities exist which must be mitigated to adequately protect classified information. In that case, DSS may direct an analysis and additional countermeasures. It could also direct the development of security procedures and their documentation in an SPP. Another reason DSS could require an SPP is if the cleared facility needs to upgrade its clearance level or storage approval to execute new classified contracts. The SPP would then address the new procedures implemented to protect the higher classification of information.
Additionally, the FSO can use the same rationale as a basis for creating a new SPP or updating an existing one. A self-inspection, sudden growth in cleared employees, new and growing classified holding locations, new work requirements, corporate policy and other factors may drive the decision to develop and implement an SPP.
The first step is to determine what parts of the NISPOM apply to your facility. Chapters 1-3 and parts of Chapter 6 apply to all cleared contractor facilities. Therefore, at a minimum, the SPP should cover the organization's mission, applicability of the NISPOM, facility and personnel security clearances, security education and general security procedures. For facilities with storage capability, the SPP would expand to protecting classified information, storage of classified information, closed areas, security containers, and so on. The point is to provide a tangible, standardized process that tells cleared employees the requirements for protecting classified information while performing on classified contracts.
There are a few source documents FSOs can refer to when determining what should be covered in the SPP. These sources include but are not limited to:
DD Forms 254 - provide the security requirements and expectations of the government contracting activity or prime contractor. Specific requirements will be found in blocks 10, 13 and any additional pages. FSOs should include these requirements in the SPP. FSOs might consider either a separate SPP or annexes to a single SPP to distinguish between unique requirements by program, project or contract.
Security Classification Guides (SCG) - SCGs provide classification levels and reasons for classification. These are the expectations of what to protect and at what level. SCGs might be included in the SPP language or at least used as a reference document.
Statements of Work - SOWs can provide explicit requirements and expectations set by the customer. Incorporating SOW language will help shape procedures that produce the desired performance.
FSOs should lead a team of contractual, program, project and other internal employees who are subject matter experts. The team should review requirements and work together to develop procedures that help enforce and execute work based on those requirements. The FSO keeps the focus by transposing requirements into procedures that support protecting classified information according to the NISPOM.
Once complete, the SPP should be staffed throughout the organization for additional input and to see how the SPP would impact other business units. This input is necessary to gain the support of the organization and its leadership and to determine where, or if, there is conflicting policy. Once staffed and approved, the SPP should be adopted as corporate policy. Once adopted by the enterprise, leadership backing will provide credibility and ensure that security procedures will be followed.
Creating Your SPP
According to the DSS website, the following is a list of possible topics:
- Facility Information
- General Security
- Security Clearances
- Security Education
- Self-Inspections / Vulnerability Assessments
- Individual Reporting Responsibilities
- Graduated Scale of Disciplinary Actions
- Visit Procedures
- Public Release/Disclosure
- Classification
- Security Forms
- Definitions and Acronyms
- Safeguarding Classified Information
- End-of-Day Security Checks
- Perimeter Controls
- Information Mgmt. System
- Transmission
- Reproduction
- Destruction
- Information Systems Security
FSOs can use the above list as a table of contents, where appropriate, while constructing or building upon their SPPs. Use it as the foundation, form a team and fill in the applicable sections.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".