In this article continuing the coverage
of the Defense Security Service (DSS) Self Inspection Handbook for NISP
Contractors, we'll review the National Industrial Security Program
Operating Manual (NISPOM), Paragraph 5-311a.
5-311a If any of your approved security containers
have been repaired, do you have a signed and dated certification provided by
the repairer setting forth the method of repair that was used?
RESOURCE: ISL 2006-01 Container Repairs under
Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html
The NISPOM states:
Repair of Approved Containers. Repairs, maintenance, or other actions that affect the
physical integrity of a security container approved for storage of classified
information shall be accomplished only by appropriately cleared or continuously
escorted personnel specifically trained in approved methods of maintenance and
repair of containers. Repair procedures may be obtained from the CSA.
a. An approved security container is considered
to have been restored to its original state of security integrity if all
damaged or altered parts are replaced with manufacturer’s replacement or
identical cannibalized parts. A signed and dated certification for each
repaired container, provided by the repairer, shall be on file setting forth
the method of repair used.
ISL 2006-01 states:
While the procedures for repairing approved
security containers have been removed from the NISPOM, repair standards have
not changed. Repairs, maintenance, or other actions that affect the physical
integrity of a security container must still be accomplished by appropriately
cleared or continuously escorted personnel specifically trained in approved
methods of maintenance and repair of containers.
Let’s explore the NISPOM requirement further, part by part.
Paragraph 5-311
The integrity of a GSA approved container protects classified
information. Just as a chain is only as strong as its weakest link, classified
information is protected only as long as the security container performs as
designed. Any repairs, augmentations, maintenance or other manipulations that
impact the integrity can only be performed by cleared, authorized persons. Any
repairs by untrained persons could cause an exploitable weakness or outright compromise
of the container’s ability to remain secured.
So, what qualifies as such an action? Damage from forcible entry or natural disaster, broken
locks, malfunctioning locks, broken latches, levers, rollers, replacement of
metal, welding, and anything that impacts the activity of locking, latching, or
enclosing classified information. In other words, FSOs should not be tackling
welding projects nor should repairs be assigned to facilities maintenance
UNLESS they are trained in such repairs.
The cleared, authorized persons may or may not be one and the same. The most
important qualification is that the person is trained in the approved methods
or actions to be undertaken. If they are not cleared, they can be escorted or
the security container removed for such actions.
Paragraph 5-311a and ISL 2006-01
The containers are certified to perform as intended and any maintenance and upkeep of
the security container should maintain the standard. Additionally, actions
should be performed by approved repair persons using approved parts or approved
cannibalized parts and approved methods. Just as a container’s repairs should not
be performed by an organic and untrained maintenance facility group, the
repairs should be made only with authorized components, and not with components
from any other supplier or made in any other fashion (homemade solutions are not authorized).
According to the DoD Security Clearance and Contracts Guidebook, once the repairs are
made, the authorized repair technician issues a certificate of repair and the
certificate is kept in local files. Unless the repair person is a cleared
employee with a need to know, they should never be allowed to change or set the
combination. Combinations are classified at the same level as the contents of
the security container and should be controlled per NISPOM and as described in
recent newsletters and articles. Providing combinations to unauthorized
personnel is a security violation.
When a security container is brand new or has been removed from service for repair or
resale, it should be set to an industry standard combination of 50-25-50. This
universal combination facilitates opening and closing the container during the
resale, reuse or temporary disposition until the classified combination is
assigned after the container is put back in use.
Upon initial use and after ensuring the certification
of the container, the new owners of the security container should reprogram a
new combination. The new combination is issued to authorized personnel and
those having knowledge of the previous combination will no longer pose a
security vulnerability.
Keep in mind that authorized actions apply to cosmetic issues as well. As a reminder, neither the
classification level nor the combination is applied to the outside of the
container. Similarly, paint, wallpaper or other “beautification” efforts
should not be made without careful research and consideration of the security
program impact.
VALIDATION:
- Authorized and trained repair persons are identified and on record.
- Escorts for authorized repairs are identified and documented.
- Security container actions (inspections, repairs, maintenance, etc.) are documented as required.
- A signed and dated certification for each repaired container is available as required.
- Repair of Approved Containers is included as a topic in Annual Security Awareness Training.