Thursday, February 18, 2016

Control Combinations; Record Names


Earlier articles addressed the necessity of keeping the knowledge of security container combinations to a minimum. Determine who needs access to the combination is one part of a successful formula. The next part is documenting the persons with the combinations.

In this article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308a.
                                                            
5-308a      Is a record of the names of people having knowledge of the combinations to securitycontainers maintained?

Maintaining control of combinations is a major line of defense in protecting classified information inside of a GSA approved storage container (including vaults and closed areas). It's not enough just to limit the number of these classified combinations, but the actual names of persons with the combination numbers must be recorded. After all, you really don't know what to protect unless it's documented and nothing is really official until the paperwork is done.

This goes hand in hand in hand with NISPOM paragraph 5-309 which will be covered in an upcoming article. There are certain events that require changing the combination. Without knowing who has combination knowledge, it will be hard to enforce and inform the combination change rationale.

The FSO should either perform or assign an authorized cleared employee as a combination control point of contact to maintain administrative records and combination control to protect classifiedinformation. The records and combination control log should contain the names of those with knowledge of combinations and what the combinations access. 

A common best practice is using the Security Container Information Form, Standard Form 700 which can be populated and updated every time the combination is changed. A copy is stored inside the locking drawer of the security container and the tear sheet is stored in a separate security container approved for storage at the same level of the container contents.

VALIDATION:
The SF 700 is a great tool for controlling security container access and keeping records up to date.            

No comments: