Monday, October 20, 2014

FSOs, Self-Inspection and Classification

Facility Security Officers (FSOs) should coordinate an annual self-inspection to ensure their organizations are equipped for and capable of continuously protecting classified information. A great tool FSOs or designated inspecting officers can use for preparing, conducting and documenting the self-inspection is DSS's The Self-Inspection Handbook for NISP Contractors. The handbook identifies "Elements of Inspection" that are common to ALL cleared companies participating in the NISP. The five elements that pertain to ALL cleared defense contractors are:

(A) Facility Security Clearance (FCL)

(B) Access Authorizations

(C) Security Education

(D) FOCI

(E) Classification

This section covering Classification will consist of multiple parts. Keep reading future newsletters and posts for the rest of the story.

Part I

First off, cleared defense contractor employees do not perform classification. That's the government's job. Classification is conducted by the Original Classification Authority (OCA). The OCA is a designated position that uses a six-step process to determine whether or not something is classified, at which level of classification, and for how long it is to remain classified, and to communicate the decision.

Derivative classification, in general terms, includes paraphrasing, incorporating, restating or regenerating classified information into a new form. Since contractors are not performing original classification, most of their work would involve using classified sources to create new classified products.

Cleared defense contractors are responsible for establishing a security program to protect the classified information. The program should consist of protecting classified information in all instances according to guidance found in the classified contract and NISPOM. This guidance can include handling, storing, marking, training cleared employees, etc.

So aside from protecting classified information, what roles do cleared contractors play in classification?

Derivative Classification

When classified information is used to derive a new product, the original classification should be carried over into the new product. Items assembled, copied, scanned, or reports made based on instructions or requirements found in the DD Forms 254, Statements of Work, and Security Classification Guides (SCG) are considered derived or derivative classification decisions.

Here are some questions and explanations from the DSS handbook.

4-102d Have employees received appropriate training before they were authorized to make derivative classification decisions for your company? Here's where you provide a list of the trained employees and a sample of the training or other proof that required NISPOM topics are taught.

According to NISPOM paragraph 4-102d, cleared employees must receive derivative classification training prior to being authorized to make derivative classification decisions.

Whereas the original classification authority receives training on the same topics annually, NISPOM requires derivative classification training once every two years. According to NISPOM, derivative classifiers should be trained "…in the proper application of the derivative classification principles, with an emphasis on avoiding over-classification, at least once every 2 years… not authorized to conduct derivative classification until they receive such training."

Here's the important part: no training, no work. Appropriate NISPOM training and documentation is the difference between performing on classified work and not being able to meet contractual requirements. FSOs must plan to train cleared contractor employees who perform derivative classification responsibilities.

More information on derivative classified training can be found here: http://dodsecurity.blogspot.com/2013/04/nispom-change-1-derivative.html

http://dodsecurity.blogspot.com/2013/05/derivative-classified-training-what.html

4-102d Are all derivative classifiers identified on the documents on which they made derivative classification decisions? This can be demonstrated both by providing the proof of training and by providing actual derivative classification documents, if appropriate.

One such training task ensures that the authorized employees apply proper markings to their products. Not only are classification markings required, but so is the proper documentation of who is actually performing the derivative classification. According to NISPOM paragraph 4-102d, cleared employees who are authorized to make derivative classification decisions are responsible for identifying themselves on the documents where they make those decisions. Identification instills discipline, control and accountability of derivative classification decisions.

Only authorized cleared employees are assigned as derivative classifiers and they must be identified as such. The identified employees must be provided with the appropriate derivative classifier training.

Proper identification occurs when authorized derivative classifiers apply their names and titles on the derived items. However, contractors can use some type of personal identifier that translates to an authorized name and position in place of their names. The use of the personal identifier is usually allowed unless the government customer states otherwise.

When the alternative identifier is used, the organization should develop a designator that aligns with a person's name and position. If the government customer or anyone authorized to view the classified information has any questions, the derivative classifier can be identified from the list. The contractor should maintain this list for at least as long as the cleared employee is with the business organization.

Once derivative classifier training is complete, the FSO should provide documentation listing the trained employees and the training topics. A good idea is to keep the training available in case details of the training are needed. Once filed, this documentation can be shown to demonstrate compliance with the NISPOM. Whether the inspector is part of a self-inspection team or with industrial security representatives from DSS, the proof of training should meet the intent.


For more information about derivative or classification training visit www.redbikepublishing.com/training or see: 





Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".
