www.redbikepublishing.com |
Earlier articles addressed documenting
the authorized persons having access to the combinations. Determining who needs
access to the combination is one part of a successful formula. This article
addresses when to and who does change the combinations.
In this article continuing the coverage
of the Defense Security Service (DSS) Self Inspection Handbook for NISP
Contractors, we'll review the National Industrial Security Program
Operating Manual (NISPOM), Paragraph 5-308b-d.
5-309 Are combinations to security containers
changed by authorized persons when required?
RESOURCE: ISL 2006-02 Changing Combinations under
Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html
The
question seems to emphasize whether or not the person changing the combination
is authorized. However a further review of NISPOM and the Industrial Security
Letter require focusing the actual effort on the combination change event. The
point is to protect the classified information from unauthorized disclosure
through proper security container maintenance practice.
Earlier
articles discussed methods of determining who should have access to
combinations. Careful consideration ensures the enforcement of releasing classified information to those with proper
security clearances, but limiting the access to those with need to know. As
surely as the combination access is protected, the proper maintenance and
setting of the combination is equally important.
Those
authorized to change combinations should be aware of circumstances requiring a
combination. Some are more obvious than others, but a good plan to manage the
combination will help meet requirements outlined in NISPOM. Expanding a good security awareness training program to include
combination changing events could create a more effective program to protect
classified information.
The NISPOM
states:
Combinations shall be changed by a person
authorized access to the contents of the container, or by the FSO or his or her
designee. Combinations shall be changed as follows:
a. The initial use of an approved container or
lock for the protection of classified material.
b. The termination of employment of any person
having knowledge of the combination, or when the clearance granted to any such person has been with-drawn, suspended, or
revoked.
c. The compromise or suspected compromise of a
container or its combination, or discovery of a container left unlocked and
unattended.
d. At other times when considered necessary by
the FSO or CSA.
Again,
rationale for combination changes may be obvious such as point a. A security
manager or any organization should change the combination’s factory setting for
something less obvious and more secure.
Point b is
almost as obvious. Employees no longer employed, or having had their clearance
and or need to know revoked no longer need access to the combination. The most
secure, desired, and required method is to change the combination and this goes
right along with basic physical security practices. After all, a hotel guest
should expect that a previous guest’s access card will not open the current
guest’s door. They have “checked out” and no longer have authorized access to
the room.
ISL
2006-02 makes a good point. The person must have had knowledge of the
combination, not just access to the container’s contents. For point b, it is
not necessary to change any or all combinations unless the employee had access
to the combination.
Combinations must be changed upon the
termination of employment of any person having knowledge of those combinations.
Having knowledge and having access are not the same thing. A locksmith has
access to every combination but may not have knowledge of any combinations
other than his or her own. It is not realistic to require a contractor to
change hundreds of combinations when a locksmith leaves. The only combinations
which require changing are those for which the locksmith had personal knowledge
and the combination to the container(s) housing the master list or copies of
combinations.
Point c
may not be as obvious, but any compromise of the security container warrants
and change of the combination. This is because the combination resides in
security container documentation (SF 700). The combination is written on the SF
700 and protected according to instructions found on the SF 700. The SF 700 is also updated every
time the security container combination is changed. The classified SF 700 Part 2 is to be
protected at the same classification level of the information it protects; inside
a GSA approved container. If a container is left open, there is no guarantee
that unauthorized personnel did not gain access to a combination and classified
contents.
When
the combination or security container has been compromised or is suspected of
being compromised, then the combination must be changed and an investigation
conducted.
A special note about admin security containers-Some
FSOs with multiple security containers keep a folder of all combinations in one
of the security containers. If that container is left unsecure, ALL
combinations must be changed.
Security
violations occur when combinations are revealed to unauthorized or non-cleared
persons. Combinations spoken out loud, written down, or otherwise broadcast in
an unauthorized manner put classified material at risk of compromise. Likewise
security containers that no longer work properly or have suffered damage
significant enough to affect the required security capability may make
compromise a possibility.
Point d is
based on guidance from those in authority. If they say change the combination,
the n change it. Local policy may go above and beyond NISPOM and create requirements to automatically
change combinations after a certain event or time period.
VALIDATION:
- Document names of those authorized to change combination with rationale for the decision
- Document date approved container or lock is put into initial use. Add additional or new container to other inspection and security container management documents and information management systems
- Ensure enterprise policy includes notification of terminated or resigning employees. Local policy should include JPAS review and combination authorization. A process should be in place to trigger combination changes. Document combination changes and update SF 700
- Document compromises or suspected compromises of a container or its combination. Ensure policy is in place to trigger security container documentation. Update SF 700 and other security container maintenance documentation.
- Document directed combination changes. Consider internal policy for other event or time driven combination change requirements
- Update security awareness training to include required combination changes.