Tuesday, March 1, 2016

When combinations to classified containers are placed in written form, are they marked and stored as required?

Earlier articles addressed documenting the authorized persons having access to the combinations. Determining who needs access to the combination is one part of a successful formula. This article addresses how to store or treat recordings of GSA Approved Container combinations.

In this article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308b-d.

5-308b Are security containers, vaults, cabinets, and other authorized storage containers kept locked when not under direct supervision of an authorized person?

5-308c-d When combinations to classified containers are placed in written form, are they marked and stored as required?

GSA approved containers, vaults, cabinets and other authorized storage containers safeguarding classified information should be secured. After all, they protect classified information and therefore are no good unless they are locked.

Using the same logic, the contents are not safeguarded if keys are left out or combinations are not likewise protected. As written previously, combinations are classified at the same level as the contents of the security container. If recorded, these combinations are required to be safeguarded in the same manner as the classified information that the combination protects.

The classified combination should be memorized so that it can’t be compromised. Just like the slogan says, “Memorize, Don’t Compromise”. But don’t miss this important point: cleared employees must protect the classified information in their heads.

Since we can’t store the person in a container at all times, how does one protect the “knowledge” of the combination? This leaves an implied task: train employees not to reveal the combination unless the other person has access and need to know.

If recording is necessary, the recording should be marked with the appropriate classification level in the appropriate places and stored in the appropriate container. For example, if the combination protects SECRET information and is recorded anywhere, the media should be marked SECRET and stored in a location approved for SECRET storage.

Why such emphasis on something so fundamental? One should not assume cleared employees understand requirements, nor take cleared employee security knowledge for granted. Cleared employees should be trained not only with Initial and Annual Security Awareness, but also in how to perform security related duties.

Take this experience from a few years ago:

As a new FSO, I performed a walk-through inspection of our classified holdings. At one point I approached a cleared employee who had access to a GSA Approved Container and therefore all the contents. I asked her to open the container so that I could ensure all documentation was in order. She pulled out her smartphone and started typing in a code…

What? Typing in a code?

Yes, she had recorded the combination in her smartphone. I began an investigation immediately.

She had committed a security violation and we had to investigate whether or not classified information was exposed.

Combinations are meant to be memorized and not written down or stored in computers, phones or Personal Data Assistant devices. The combination should be protected at the same level as the contents in the security container. For example, if the contents of the security container are CONFIDENTIAL, then so is the combination. To ease memorization, combinations can be created with six-letter words or the first six letters of longer words. Instead of memorizing a long six-digit number, employees create a word and use a phone keypad for the corresponding numbers.

The following is a best practice for when an enterprise has multiple classified containers and combinations.

Some FSOs have made classified combination binders to record combinations and the containers the combinations are assigned to. This binder can be used to keep up with which cleared employees have access to the combinations, serial numbers of the containers, and when the locks were last changed. Where facilities have multiple security containers, this binder can serve as a reminder of all combinations. Instead of remembering every combination, the list of combinations can be stored in a security container with equal or greater security classification storage capacity. Then authorized employees only have to memorize one combination. They open that container and have a catalogue of other combinations.

Another best practice for memorizing combinations is to memorize a corresponding word. Magnetic combination reminders similar to telephone touch pads are great tools. Here’s how it works: each number corresponds to a set of letters. For example, the number 2 corresponds with ABC, 3 with DEF, etc. When cleared employees have access to multiple safes, word reminders help prevent security violations that occur when cleared employees write the combinations down for personal use. Using combination word clues and providing an administrative security container helps reduce the risk of such violations.



VALIDATION:

Observe authorized employees as they open GSA Approved Containers.

Do they memorize the combination?

Do they have it stored in an unauthorized location?

If combinations are recorded:

Are the recorded combinations stored in a GSA Approved Container?

Are the recorded combinations stored at the appropriate classification level?

Is the recorded combination media marked with the appropriate classification level?
