HTTP://www.redbikepublishing.com |
In this installment of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we’ll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-306b. Here is the question:
5-306b Has DSS approval been granted for the open shelf or bin storage commonly known as “open storage” of documents in Closed Areas?
Though we have covered the storage of classified information in earlier articles, this writing will address storage of classified information specific to these closed areas. See if you can find the differences.
According to NISPOM paragraph 5-306b, open shelf or bin storage (hereinafter “open storage”) of SECRET and CONFIDENTIAL documents in closed areas requires Cognizant Security Agency (CSA) approval. Prior to approval, DSS will consider open storage of material and information system (IS) media based on the cleared contractor meeting the following:
- Limited storage space required for storing classified information (product is too large to fit in a GSA approved security container); or, the performance of classified work (operational environment) requires open storage.
- Access to the open storage area is limited to those with adequate security clearance and need to know of all information in the open.
- The entrance doors to the area are equipped with GSA-approved electromechanical combination locks that meet Federal Specification FF-L-2740.
- For SECRET material, the area is protected by an approved intrusion detection system with a 30-minute response time, as well as security-in-depth (SID) as determined by DSS. For open storage areas lacking sufficient SID, a 5-minute response time is required.
- For CONFIDENTIAL material, no supplemental protection or SID is required.
- The open storage area is within a facility, or specific portion of a facility, determined by DSS to have security-in-depth based on the following criteria:
  - The contractor has documented the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, or specified portion of the facility in which open storage is approved. During self-inspections, the contractor must review the effectiveness of these controls and report any changes affecting those controls to DSS.
  - At a minimum, the contractor has considered the following elements in their security-in-depth assessment:
    - Perimeter controls
    - Badge systems when the size of the population of the facility renders personal recognition impracticable
    - Controlled access to sections of the facility in which classified work is performed
    - Access control devices when circumstances warrant
The difference between storage of classified information in a GSA approved storage container and open storage could be addressed by considering the outer perimeter of the closed area as a “GSA approved container” requiring additional supplemental controls. Where storage of SECRET material is adequate in a GSA approved security container (unless a risk assessment requires supplemental security), open bin storage of the same level of classification requires proper construction of the closed area plus the additional alarms and monitoring to provide the secure barrier.
For example, XYZ Contractor may store SECRET and CONFIDENTIAL information for one contract in a 5-drawer GSA approved security container. All documents, hard drives, and other classified media fit nicely and are checked out and turned in as appropriate.
However, on another contract the classified material is large and bulky and will not fit in a GSA approved container. The closed area is inside of an access controlled facility and constructed as outlined in the NISPOM. Additionally, access is limited to those with the appropriate security clearance and Need to Know of all classified information. At night the room is safeguarded with the intrusion detection and security in depth.
RESOURCE: ISL 2012-04 Open Shelf or Bin Storage under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html
VALIDATION:
Post all closed area requests, justifications, and inspections where they can be easily and readily accessed for audit, inspection, or review.
Post all closed area approvals where they can be easily and readily accessed for audit, inspection, or review.
Provide demonstration and documentation of specific layered and complementary security controls where open storage is approved. Consider the following:
- Perimeter controls
- Badge systems when the size of the population of the facility renders personal recognition impracticable
- Controlled access to sections of the facility in which classified work is performed
- Access control devices when circumstances warrant
Document and report any changes affecting those controls to DSS for review, inspection, or audit.