Earlier articles addressed the necessity of keeping the
knowledge of security container combinations to a minimum. Determine who needs
access to the combination is one part of a successful formula. The next part is
documenting the persons with the combinations.
In this article continuing the coverage of the Defense
Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll
review the National Industrial Security Program Operating Manual (NISPOM),
Paragraph 5-308a.
5-308a Is a record
of the names of people having knowledge of the combinations to securitycontainers maintained?
Maintaining control of combinations is a major line of
defense in protecting classified information inside of a GSA approved storage
container (including vaults and closed areas). It's not enough just to limit
the number of these classified combinations, but the actual names of persons
with the combination numbers must be recorded. After all, you really don't know
what to protect unless it's documented and nothing is really official until the
paperwork is done.
This goes hand in hand in hand with NISPOM paragraph
5-309 which will be covered in an upcoming article. There are certain events
that require changing the combination. Without knowing who has combination
knowledge, it will be hard to enforce and inform the combination change
rationale.
The FSO should either perform or assign an authorized
cleared employee as a combination control point of contact to maintain
administrative records and combination control to protect classifiedinformation. The records and combination control log should contain the names
of those with knowledge of combinations and what the combinations access.
A
common best practice is using the Security Container Information Form, Standard
Form 700 which can be populated and updated every time the combination is
changed. A copy is stored inside the locking drawer of the security container
and the tear sheet is stored in a separate security container approved for
storage at the same level of the container contents.
VALIDATION:
The SF 700 is a great tool for controlling
security container access and keeping records up to date.