This
article continues the series covering the Self-Inspection Handbook
For NISP Contractors
and guidance found in the National Industrial Security Program Operating Manual
(NISPOM) Incorporating
Change 2.
The
transmission of classified information is an important concern. Classified information
should be controlled as it enters and leaves each facility. Each facility that
has a CAGE Code should have it’s own transmission process meeting NISPOM
requirements. How is yours doing? Lets find out.
Question:
5-401 Is classified information properly
prepared for transmission outside the facility?
Here’s
what NISPOM says on the subject. Our narrative follows:
5-401.
Preparation and Receipting
a. Classified information to be transmitted
outside of a facility shall be enclosed in opaque inner and outer covers. The
inner cover shall be a sealed wrapper or envelope plainly marked with the
assigned classification and addresses of both sender and addressee. The outer
cover shall be sealed and addressed with no identification of the
classification of its contents. A receipt shall be attached to or enclosed in
the inner cover, except that CONFIDENTIAL information shall require a receipt
only if the sender deems it necessary. The receipt shall identify the sender,
the addressee and the document, but shall contain no classified information. It
shall be signed by the recipient and returned to the sender.
b. A suspense system will be established to
track transmitted documents until a signed copy of the receipt is returned.
c. When the material is of a size, weight, or
nature that precludes the use of envelopes, the materials used for packaging
shall be of such strength and durability to ensure the necessary protection
while the material is in transit.
The classification level should be the
first consideration when determining how to disseminate classified information.
Dissemination of TOP SECRET has more restrictions than does SECRET and
CONFIDENTIAL. Likewise SECRET has more restrictions than CONFIDENTIAL. According
to the NISPOM, classified information should be wrapped with opaque durable
material such as cardboard, envelopes, or boxes. It should be transmitted in a
way to prevent accidental and unauthorized disclosure and detect tamper.
Inner Layer
The NISPOM does not discuss whether or
not seams of packages should be reinforced. A good practice is to cover seams
with rip-proof opaque tape or other similar material.
Next, the preparer should mark the
package on the top and bottom of all sides with the proper classification level.
Then they should add the “to” and “from” addresses
with two copies of receipts either attached to the first layer or inside the
first layer. The preparer should always coordinate with the intended receiver
to notify of delivery and verify mailing addresses. If the package is being
sent to a cleared DoD contractor, the address could be verified online through
the Industrial Security Facilities Database (ISFD) available through the
Defense Security Service (DSS) website.
DSS recommends hat the address on all
inner wrappers contain the name and office symbol of the intended recipient to
expedite accurate delivery.
Internal contents that come in contact
with the wrapper could be imaged or observed in certain situations. To prevent
this, the preparer can place wrapping paper, patterned paper, receipts or fold
the documents in such a way that they cannot be read through the wrapping. DSS
recommends using classification level cover sheets such as the Standard Form 703
(TOP SECRET), 704 (SECRET), or 705 (CONFIDENTIAL) can be used to prevent and
adversary from reading or imaging the information during technical
scanning. However, though protecting the
actual information being scanned, this could disclose the information as
classified. If using cover sheets, be sure to use the SF appropriate for the
classification level of information inside.
Outer Layer
The outer wrapper is the second line of
defense for the classified
information.
Once the classified information leaves
the cleared facility, the level of protection is severely reduced. The wrapping
requirements are similar to those of the inner wrapper and should be the same
size to prevent looseness or movement that could fray or damage the inner wrapping’s
seams. The outside label should not identify the recipient by name. Office
numbers or symbols should be used to prevent associating a classified package
with a particular person. When addressing shipment labels to contractors, the
outer label should be addressed to “FSO” or “Security”. When addressing
shipment labels to military agencies, the outer package labels should be
“Commander”.
Additionally, addressing deliveries to an
authorized department ensures the package is received by authorized persons.
Providing a person’s name on the outside label could cause problems if they are
not around to receive it and could result in returned packages.
Alternate
wrappings
Large sizes, bulk,
weight, mission requirements or other structural make up could prevent
transmission of items by traditional means. These could be machines, vehicles,
aircraft, missiles, or other cumbersome, odd shaped, heavy or odd sized items.
Brief cases, canvas courier bags, hard cases, shipping crates, large tarps and
other types of containers can serve as proper wrapping provided they are
approved by DSS. The containers are a part of the process to provide multiple
layers of protection, deny accidental access, detect tampering and ensure expedited
transport.
VALIDATION:
·
Chose
a designated location to prepare classified information for shipment
·
Publish
comprehensive instructions, processes, and policies for sound security
practices
·
Post
reminders and instructions in designated areas
·
Use
information management system or similar technology to keep pedigree of transmittal
receipts
·
Demonstrate
that processes are taught to authorized employees in security awareness training
or refresher training