Friday, April 15, 2016

Approved Security Container Repairs

In this article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-311a.
                                   
5-311a If any of your approved security containers have been repaired, do you have a signed and dated certification provided by the repairer setting forth the method of repair that was used?
RESOURCE:  ISL 2006-01 Container Repairs under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html

The NISPOM states:

Repair of Approved Containers. Repairs, maintenance, or other actions that affect the physical integrity of a security container approved for storage of classified information shall be accomplished only by appropriately cleared or continuously escorted personnel specifically trained in approved methods of maintenance and repair of containers. Repair procedures may be obtained from the CSA.

a. An approved security container is considered to have been restored to its original state of security integrity if all damaged or altered parts are replaced with manufacturer’s replacement or identical cannibalized parts. A signed and dated certification for each repaired container, provided by the repairer, shall be on file setting forth the method of repair used.

ISL 2006-01 states:
While the procedures for repairing approved security containers have been removed from the NISPOM, repair standards have not changed. Repairs, maintenance, or other actions that affect the physical integrity of a security container must still be accomplished by appropriately cleared or continuously escorted personnel specifically trained in approved methods of maintenance and repair of containers.


Let’s explore the NISPOM requirement further, part by part.

Paragraph 5-311

The integrity of a GSA approved container protects classified information. Just as a chain is only as strong as its weakest link, classified information is protected only as long as the security container performs as designed. Any repairs, augmentations, maintenance or other manipulations that impact the integrity can only be performed by cleared, authorized persons. Any repairs by untrained persons could cause an exploitable weakness or outright compromise of the container’s ability to remain secured.

So, what qualifies as such an action? Damage from forcible entry or natural disaster, broken locks, malfunctioning locks, broken latches, levers, rollers, replacement of metal, welding, and anything that impacts the activity of locking, latching, or enclosing classified information. In other words, FSOs should not be tackling welding projects nor should repairs be assigned to facilities maintenance UNLESS they are trained in such repairs.

The cleared, authorized persons may or may not be one and the same. The most important qualification is that the person is trained in the approved methods or actions to be undertaken. If they are not cleared, they can be escorted, or the security container can be removed for such actions.

Paragraph 5-311a and ISL 2006-01

The containers are certified to perform as intended, and any maintenance and upkeep of the security container should maintain that standard. Additionally, actions should be performed by approved repair persons using approved parts or approved cannibalized parts and approved methods. Just as a container’s repairs should not be performed by an organic, untrained facilities maintenance group, the repairs should be made only with authorized components, not with parts from any other supplier or made in any other fashion (homemade solutions are not authorized).

According to the DoD Security Clearance and Contracts Guidebook, once the repairs are made, the authorized repair technician issues a certificate of repair and the certificate is kept in local files. Unless the repair person is a cleared employee with a need to know, they should never be allowed to change or set the combination. Combinations are classified at the same level as the contents of the security container and should be controlled per NISPOM and as described in recent newsletters and articles. Providing combinations to unauthorized personnel is a security violation.

When a security container is brand new or has been removed from service for repair or resale, it should be set to an industry standard combination of 50-25-50. This universal combination facilitates opening and closing the container during the resale, reuse or temporary disposition until the classified combination is assigned after the container is put back in use.

Upon initial use and after ensuring the certification of the container, the new owners of the security container should set a new combination. The new combination is issued to authorized personnel, and those having knowledge of the previous combination will no longer pose a security vulnerability.

Keep in mind that authorized actions also apply to cosmetic issues. As a reminder, neither the classification level nor the combination is applied to the outside of the container. Similarly, paint, wallpaper or other “beautification” efforts should not be made without careful research and consideration of the security program impact.

VALIDATION:                                 
  1. Authorized and trained repair persons are identified and on record.
  2. Escorts for authorized repairs are identified and documented.
  3. Security container actions (inspections, repairs, maintenance, etc.) are documented as required.
  4. A signed and dated certification for each repaired container is available as required.
  5. Repair of Approved Containers is included as a topic in Annual Security Awareness Training.



                                  
