Monday, November 9, 2015

Approval of Open Storage-The Self Inspection Handbook for NISP Contractors

HTTP://www.redbikepublishing.com
In this installment of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we’ll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-306b. Here is the question:
         
5-306b       Has DSS approval been granted for the open shelf or bin storage commonly known as “open storage” of documents in Closed Areas?

Though we have covered the storage of classified information in earlier articles, this writing will address storage of classified information specific to these closed areas. See if you can find the differences.

According to NISPOM paragraph 5-306b, open shelf or bin storage (hereinafter “open storage”) of SECRET and CONFIDENTIAL documents in closed areas requires Cognizant Security Agency (CSA) approval. Prior to approval, DSS will consider open storage of material and information system (IS) media based on the cleared contractor meeting the following:
  • Limited storage space required for storing classified information (product is too large to fit in a GSA-approved security container); or, the performance of classified work (operational environment) requires open storage.
  • Access to the open storage area is limited to those with adequate security clearance and need to know of all information in the open.
  • The entrance doors to the area are equipped with GSA-approved electromechanical combination locks that meet Federal Specification FF-L-2740.
  •  For SECRET material, the area is protected by an approved intrusion detection system with a 30-minute response time, as well as security-in-depth (SID) as determined by DSS. For open storage areas lacking sufficient SID, a 5-minute response time is required.
  • For CONFIDENTIAL material, no supplemental protection or SID is required.
  • The open storage area is within a facility, or specific portion of a facility, determined by DSS to have security-in-depth based on the following criteria:
    • The contractor has documented the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, or specified portion of the facility in which open storage is approved. During self-inspections, the contractor must review the effectiveness of these controls and report any changes affecting those controls to DSS.
    • At a minimum, the contractor has considered the following elements in their security-in-depth assessment:
      • Perimeter controls
      • Badge systems when the size of the population of the facility renders personal recognition impracticable
      • Controlled access to sections of the facility in which classified work is performed
      • Access control devices when circumstances warrant

The difference between storage of classified information in a GSA-approved storage container and open storage could be addressed by considering the outer perimeter of the closed area as a “GSA approved container” requiring additional supplemental controls. Where the storage of SECRET material is adequate in a GSA-approved security container (unless a risk assessment requires supplemental security), open bin storage of the same level of classification requires proper construction of the closed area plus the additional alarms and monitoring to provide the secure barrier.

For example, XYZ Contractor may store SECRET and CONFIDENTIAL information for one contract in a 5-drawer GSA-approved security container. All documents, hard drives, and other classified media fit nicely and are checked out and turned in as appropriate.

However, on another contract the classified material is large and bulky and will not fit in a GSA-approved container. The closed area is inside an access-controlled facility and constructed as outlined in the NISPOM. Additionally, access is limited to those with the appropriate security clearance and need to know of all classified information. At night the room is safeguarded with intrusion detection and security-in-depth.

RESOURCE:  ISL 2012-04 Open Shelf or Bin Storage under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html



VALIDATION:

Post all closed area requests, justifications, and inspections where they can be easily and readily accessed for audit, inspection, or review.

Post all closed area approvals where they can be easily and readily accessed for audit, inspection, or review.

Provide demonstration and documentation of specific layered and complementary security controls where open storage is approved. Consider the following:

  • Perimeter controls
  • Badge systems when the size of the population of the facility renders personal recognition impracticable
  • Controlled access to sections of the facility in which classified work is performed
  • Access control devices when circumstances warrant

Demonstrate and document the self-inspection review of the security controls and their effectiveness.

Document and report any changes affecting those controls to DSS for review, inspection, or audit.


