This
article continues the series covering the Self-Inspection Handbook
For NISP Contractors
and guidance found in the National Industrial Security Program Operating Manual
(NISPOM) Incorporating
Change 2.
The receipting
action from receiving and transmitting classified information provides required
tracing and accountability. Classified information should be documented as it
enters and leaves each facility to reduce loss or compromise. Each facility
that has a CAGE Code should have its own transmission process meeting NISPOM
requirements. How is yours doing? Let’s find out.
Question:
5-401
Are
receipts included with classified transmissions when required?
5-401.
Preparation and Receipting
a. …The receipt shall identify the sender, the
addressee and the document, but shall contain no classified information. It
shall be signed by the recipient and returned to the sender.
Receiving Classified Information
When
classified information is transmitted, the NISPOM requires receipting action
whenever SECRET and TOP SECRET information is transferred to or from a cleared
contractor. However, it is a good practice to track deliveries and send
receipts for outgoing CONFIDENTIAL information as well. Confirmation of receipt
will help the sending contractor close the loop and account for their classified
transfer. For the receiving contractor, the receipting action is it first step
to internal visibility of newly introduced classified information. It should
initialize the internal tracing of classified information and visibility to
assist in recalling or retrieving classified information or identifying its
location.
Classified
information can arrive at a cleared contractor in many different ways including
cleared contractor employee or government employee couriers, contractually
related customers, secure fax, secure email, US Postal Service, overnight
delivery services and other approved means of transmitting or disseminating
classified information. Regardless of how classified material arrives, the contractor
should provide the proper reception of classified material by authorized
cleared employees. The receiver of classified material plays a role in both
safeguarding classified material after it arrives as well as identifying discrepancies
and security violations that may have occurred while the classified information
is in transit.
Inventory Control
One possible solution for controlling the
introduction, storage, and transmission of classified information is through an
information management system (IMS) (SIMSSOFTWARE is an example). The IMS
is a tool that could help track and find classified material at any time no
matter how many classified documents or objects are stored. Additionally,
cleared contractors could use the IMS as a centralized document control system.
Used in tandem with a positive visitor control process, the contractor could
direct the arrival of visitors, couriers, mail carriers, overnight delivery
companies, and others who could potentially convey classified information to a
centralized processing location. Through a process of document control, the
cleared contractors can receive classified information, inspect it, sign
receipts, document the contents, store, and make classified information available
for authorized employee use. Without such controls, classified information
could be vulnerable to unauthorized disclosure, loss, or compromise.
Inspecting and Documenting
Classified information
(SECRET and above) should contain two copies of receipt. A good security
practice allows for the sender to alert the receiver that classified material
is being sent to their facility. Many times program managers, engineers or
other technical employees are anticipating the delivery, but may not have all
the details of delivery times and dates. However an FSO to FSO coordination can
provide all the information of the transaction in advance.
The receiver should then check the
receipt against the contents to ensure the item has been identified correctly
and all items are accounted for. The properly filled out receipt should list
the sender, the addressee and correctly identify the contents by an
unclassified title and appropriate quantity. Since the receipt may be filed for
administrative and compliance purposes, the inspector should ensure it contains
no classified information. If the receipt contains a classified title, the
sender may be able to coordinate for an unclassified title for internal use and
treat the receipt according to the classification level.
The receiver should compare the
classification identified in the receipt with that annotated on the inner
wrapper and the actual classified material markings. This action validates that
the classified contents are safeguarded and transmitted properly once the outer
wrapping has been opened or removed. Once all the checks and verifications are
complete, the receiver can then sign a copy of the receipt and return to the
sender, thus closing the loop on the sender’s accounting responsibilities.
5-401b
Is a
suspense system established to track transmitted documents until the signed
receipt is returned?
b. A suspense system will be established to
track transmitted documents until a signed copy of the receipt is returned.
It is the sender’s responsibility to
ensure classified information arrives at the intended destination. The sender should
track the classified deliveries until they receive a receipt or verify arrival.
A good practices is to schedule follow up dates in Microsoft Outlook Calendar,
IMS, spreadsheet or other tools to validate reception of signed receipts. If
the receipts have been returned, the sender can close the action. If not, they
may need to send a request to the receiver.
A good security program designed to
protect classified material begins with the proper reception of classified
information. Classified information should be delivered to an approved mailing
address. Prior to delivery, the sender should contact the receiver and notify
them of the intended delivery. The receiver should then prepare for the
delivery and ensure that only the proper employee cleared to the appropriate
level receives the classified delivery. The receiver should inspect the
delivery for proper wrapping, address, and delivery method. After inspection,
they should sign a receipt and return it to the sender. The inspector should
then enter the classified items into an IMS. Once filed, they can make the
information available for use to those with clearance and need to know.
VALIDATION:
1.
Demonstrate compliance through policy and procedure development and updates
that include tasks to be accomplished during reception of classified
information.
2. Save
and file receipts for easy recall.
3. Develop
and document inventory management for classified information that includes
documenting receipt of classified information.
4. Include
reception of classified information with job specific security awareness training.
5. Learn
to correctly use information management systems for document control purposes,
generate reports, and demonstrate compliance.
6. Develop
process to trace and account for signed receipts and what to do when receipts
are not returned.
No comments:
Post a Comment