Saturday, December 24, 2016

Shipping Classified Information with Commercial Carriers

www.redbikepublishing.com
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

When shipping classified information, the sender is responsible for requesting approval to use commercial carriers. The DSS or other Cognizant Security Agency (CSA) approves the use of commercial carriers. For overnight shipping, the Government Services Administration (GSA) provides a list of approved . 

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408. SECRET Transmission by Commercial Carrier. SECRET material may be shipped by a cleared commercial carrier that has been approved by the CSA to transport SECRET shipments.

Cleared Commercial Carriers

Department of Defense contractors may use government approved commercial carriers to transport SECRET and below. When SECRET is to be delivered, the carrier must be approved and cleared to the SECRET level. CONFIDENTIAL can be transmitted by an approved uncleared carrier. The deliveries are not authorized for international travel and can only be made within the continental US or within Alaska, Hawaii and each territory with Government Contracting Agency providing routing information.

When requesting commercial carrier support, the contractor should notify the CSA of the proposed classified material to be shipped, the point of origin and the destination. The CSA will review the information and make an approval decision. If approved, the sender should notify the consignee and the shipping activity of the shipment and provide details of the type of shipment, information about shipping seals, and projected time of arrival. Further coordination should be made with the intended recipient to expect the delivery of classified material along with a projected timeline and what they should expect to receive. If the shipment does not arrive within 48 hours the receiver should notify the sender

Question

Does the contractor use a qualified carrier, authorized by the Government, when shipping classified material?
5-408b. The contractor shall utilize a qualified carrier selected by the U.S. Government that will provide a single-line service from point of origin to destination, when such service is available, or by such transshipping procedures as may be specified by the U.S. Government.

 GSA Approved Overnight Delivery Service

SECRET and CONFIDENTIAL material may be sent using GSA approved companies. These services should not be used without DSS approval. When using an overnight delivery service, the FSO of the sending organization should alert the receiving organization that classified information will be arriving via overnight service. Though overnight carriers are approved through the GSA, the carrier companies do not need to hold a facility security clearance. The carriers are only required to meet requirements of tracking shipments.



Every precaution should be made to ensure that the overnight delivery will not arrive during a holiday or scheduled day off. The best method is to not deliver the day prior to a weekend or federal holiday unless the receiver is operating a mail room with cleared persons and the proper storage capability.

VALIDATION:

1. Produce request to CSA for commercial carrier use and the CSA response.
2. Produce receipts for classified shipments involving commercial carriers and / or GSA approved overnight shippers.
3. Provide policy and procedures for use of commercial carriers and / or GSA approved overnight shippers.
4. Provide documentation of signed receipts of classified information sent via commercial carrier and / or GSA approved overnight shippers.




               



Security Awareness, FSO and NISPOM Training



 Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Thursday, December 22, 2016

Determining Receiving Facility Security Clearance Level

Get your printed NISPOM at www.redbikepublishing.com
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

Those who possess classified information should determine security clearance and need to know before disclosing it. This is requirement for both cleared persons and cleared facilities. Where classified information is shipped from one CAGE code or facility to another, the shipper is responsible for ensuring the carrier and the receiving entity hare cleared appropriately and that the receiver is cleared and with the need to know to possess the classified information.

Question:
NISPOM 2-100
Is the facility clearance and safeguarding capability of the receiving facility determined prior to transmission of classified information?
2-100. … Contractors are eligible for custody (possession) of classified material if they have an FCL and storage capability approved by the CSA.
…b. FCLs will be registered centrally by the U.S. Government.

The cleared contractor possessing classified information is responsible for validating the appropriate personnel clearance level (PCL) and need to know before releasing classified information to that person. The same rational for shipping classified information from one cleared defense contractor (CDC) to another. The shipper should determine the proper clearance and need to know of the intended receiver. In other words validate facility clearance (FCL) level prior to shipping classified information.

This is performed through the Industrial Security Facilities Database (ISFD). According to the ISFD website, the ISFD provides users with a nationwide perspective on National Industrial Security Program related facilities, as well as facilities under DSS oversight in the DoD conventional AA&E program.

FSOs should have access to ISFD and other Defense Security Services databases in order to provide their employer with adequate security services.  See http://www.dss.mil/diss/isfd.html for more information.

Once registered an FSO or designated employee can access FCL information including clearance level, classified mailing addresses, and points of contact. Prior to sending classified information the sender can log in to ISFD, access the address, POC, and contact information, and coordinate the delivery and any inspection and receipting actions.

VALIDATION:
1. Demonstrate ability to log on to ISFD
2. Demonstrate proficiency with determining a CDC’s FCL

3. Demonstrate proficiency with finding a CDC’s address and POC information. 



 Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training".

Thursday, December 8, 2016

Classified Shipping Receipts



This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

The receipting action from receiving and transmitting classified information provides required tracing and accountability. Classified information should be documented as it enters and leaves each facility to reduce loss or compromise. Each facility that has a CAGE Code should have its own transmission process meeting NISPOM requirements. How is yours doing? Let’s find out.


Question: 

5-401

Are receipts included with classified transmissions when required?

5-401. Preparation and Receipting
a. …The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.

Receiving Classified Information

When classified information is transmitted, the NISPOM requires receipting action whenever SECRET and TOP SECRET information is transferred to or from a cleared contractor. However, it is a good practice to track deliveries and send receipts for outgoing CONFIDENTIAL information as well. Confirmation of receipt will help the sending contractor close the loop and account for their classified transfer. For the receiving contractor, the receipting action is it first step to internal visibility of newly introduced classified information. It should initialize the internal tracing of classified information and visibility to assist in recalling or retrieving classified information or identifying its location.

Classified information can arrive at a cleared contractor in many different ways including cleared contractor employee or government employee couriers, contractually related customers, secure fax, secure email, US Postal Service, overnight delivery services and other approved means of transmitting or disseminating classified information. Regardless of how classified material arrives, the contractor should provide the proper reception of classified material by authorized cleared employees. The receiver of classified material plays a role in both safeguarding classified material after it arrives as well as identifying discrepancies and security violations that may have occurred while the classified information is in transit.

Inventory Control

One possible solution for controlling the introduction, storage, and transmission of classified information is through an information management system (IMS) (SIMSSOFTWARE is an example). The IMS is a tool that could help track and find classified material at any time no matter how many classified documents or objects are stored. Additionally, cleared contractors could use the IMS as a centralized document control system. Used in tandem with a positive visitor control process, the contractor could direct the arrival of visitors, couriers, mail carriers, overnight delivery companies, and others who could potentially convey classified information to a centralized processing location. Through a process of document control, the cleared contractors can receive classified information, inspect it, sign receipts, document the contents, store, and make classified information available for authorized employee use. Without such controls, classified information could be vulnerable to unauthorized disclosure, loss, or compromise.

Inspecting and Documenting

Classified information (SECRET and above) should contain two copies of receipt. A good security practice allows for the sender to alert the receiver that classified material is being sent to their facility. Many times program managers, engineers or other technical employees are anticipating the delivery, but may not have all the details of delivery times and dates. However an FSO to FSO coordination can provide all the information of the transaction in advance.

The receiver should then check the receipt against the contents to ensure the item has been identified correctly and all items are accounted for. The properly filled out receipt should list the sender, the addressee and correctly identify the contents by an unclassified title and appropriate quantity. Since the receipt may be filed for administrative and compliance purposes, the inspector should ensure it contains no classified information. If the receipt contains a classified title, the sender may be able to coordinate for an unclassified title for internal use and treat the receipt according to the classification level.

The receiver should compare the classification identified in the receipt with that annotated on the inner wrapper and the actual classified material markings. This action validates that the classified contents are safeguarded and transmitted properly once the outer wrapping has been opened or removed. Once all the checks and verifications are complete, the receiver can then sign a copy of the receipt and return to the sender, thus closing the loop on the sender’s accounting responsibilities.

5-401b

Is a suspense system established to track transmitted documents until the signed receipt is returned?
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.


It is the sender’s responsibility to ensure classified information arrives at the intended destination. The sender should track the classified deliveries until they receive a receipt or verify arrival. A good practices is to schedule follow up dates in Microsoft Outlook Calendar, IMS, spreadsheet or other tools to validate reception of signed receipts. If the receipts have been returned, the sender can close the action. If not, they may need to send a request to the receiver. 

A good security program designed to protect classified material begins with the proper reception of classified information. Classified information should be delivered to an approved mailing address. Prior to delivery, the sender should contact the receiver and notify them of the intended delivery. The receiver should then prepare for the delivery and ensure that only the proper employee cleared to the appropriate level receives the classified delivery. The receiver should inspect the delivery for proper wrapping, address, and delivery method. After inspection, they should sign a receipt and return it to the sender. The inspector should then enter the classified items into an IMS. Once filed, they can make the information available for use to those with clearance and need to know.

 VALIDATION:


1. Demonstrate compliance through policy and procedure development and updates that include tasks to be accomplished during reception of classified information.

2. Save and file receipts for easy recall.

3. Develop and document inventory management for classified information that includes documenting receipt of classified information.

4. Include reception of classified information with job specific security awareness training.

5. Learn to correctly use information management systems for document control purposes, generate reports, and demonstrate compliance.

6. Develop process to trace and account for signed receipts and what to do when receipts are not returned.