Monday, October 5, 2015

NISP Self Inspection Handbook-Closed Area Construction

Welcome to the National Industrial Security Program Operating Manual (NISPOM) 5-306 portion of the Defense Security Service’s (DSS) Self Inspection Handbook for NISP Contractors. This section covers closed area construction as identified in the NISPOM.

Here is the question:                                            

5-306 Are Closed Areas constructed in accordance with the requirements of the NISPOM?

Where the size or operational environment of the classified material may prove unsuitable for storage in a GSA approved security container or vault, a closed area might be the right solution. If a closed area is needed, DSS and the contractor should agree to the construction of the closed area as early as possible in the contract, or to qualifying an existing location as soon as the need arises. This is a great reason for a proactive FSO to be involved in classified contracts from cradle to grave. This includes reading requests for proposals and statements of work, and engaging in DD Form 254 reviews, to determine classified material storage needs and to address any closed area considerations with DSS for approval.

If closed area construction is needed, the Cognizant Security Agency, DSS, is the approving authority. They will provide approval based on NISPOM 5-306 Section 8 requirements. These construction considerations include not only walls, floors, and ceilings, but anything that may be considered an opening or vulnerable area. Construction should address deny, deter and detect protection measures. For example, the hardware should be heavy gauge and installed in such a way that it cannot be removed. Walls should be built to deny entry through destruction, damaging entry methods, or wall section removal, and any attempts should leave visible markings. See NISPOM 508 for more specific construction details.

Where environmental (HVAC) and cyber concerns (network, wires, and cables) exist, false ceilings and floors abound. A common construction technique is to lower the ceiling with ceiling tiles and raise the floor to hide unsightly IT and other equipment. The closed area must be considered as wall to wall and ceiling to floor. This expands the area to well beyond the false ceiling and raised floors to the actual place where walls and floors / ceilings connect. The space above the false ceiling and below the floor should be vetted as secure and, once it is, its security integrity should be inspected for the life of use. Options for protecting hidden areas include alarms, viewing areas where tiles are clear or removable so that the areas can be viewed, periodically inspecting these hidden areas, and ensuring work orders involving closed areas are approved by the FSO.

Additionally, access controls and personnel security must be in place to limit access and need to know. These access controls can be as simple as having a cleared person guarding the entrance with a check list of authorized persons or as complicated as technical devices or systems.

 

Recommended closed area inspection cycle


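| Nature of Classified Information | Security-in-Depth | Minimum Inspection Frequency |
|---|---|---|
| Classified Information Systems with unprotected transmission lines above false ceiling or below false floor | No | Monthly |
| Classified Information Systems with unprotected transmission lines above false ceiling or below false floor | Yes | Every Six Months |
| Open Storage of Classified Documents | No | Monthly |
| Open Storage of Classified Documents | Yes | Every Six Months |
| Classified Hardware | No | Every Six Months |
| Classified Hardware | Yes | Annually |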


There may be times when GSA security containers are just not enough. Operational requirements, size of classified material, work environment and other factors may require the construction of or re-use of a qualifying location as a closed area. When using closed areas, FSOs should apply and enforce physical security measures to deny, deter, and detect unauthorized access at any time. Reinforced doors, windows and other access points should be installed to prevent anyone from easily breaking in or going around current security precautions. FSOs should always coordinate with DSS or CSA as they are the approval agency of new construction, modifications, and repairs of closed areas. As always, the FSO should validate and document work. See Validation section for ideas.

RESOURCES: 
 
 
ISL 2006-02 Structural Integrity of Closed Areas under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html

VALIDATION:

The required minimum inspection frequency must be approved by your Industrial Security Representative. The FSO should save all approval records and document inspections on the DSS Form 147, “Record of Controlled Areas.”                                                                                                          
When building closed areas, the FSO should ensure pictures of progress are taken as evidence of compliance with construction requirements. 

Create a binder, notebook, file or other record for all closed area transactions. Include in the file:

· Closed area locations
· Standard practices and procedures
· Standard operating procedures
· Written security requirements
· Certifications and approvals
· Specific annual security training requirements designed for classified contract and closed area use
· Inspection details
                                              

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".