Thursday, December 8, 2016

Classified Shipping Receipts



This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.  

The receipting action from receiving and transmitting classified information provides required tracing and accountability. Classified information should be documented as it enters and leaves each facility to reduce loss or compromise. Each facility that has a CAGE Code should have its own transmission process meeting NISPOM requirements. How is yours doing? Let’s find out.


Question: 

5-401

Are receipts included with classified transmissions when required?

5-401. Preparation and Receipting
a. …The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.

Receiving Classified Information

When classified information is transmitted, the NISPOM requires receipting action whenever SECRET and TOP SECRET information is transferred to or from a cleared contractor. However, it is a good practice to track deliveries and send receipts for outgoing CONFIDENTIAL information as well. Confirmation of receipt will help the sending contractor close the loop and account for their classified transfer. For the receiving contractor, the receipting action is it first step to internal visibility of newly introduced classified information. It should initialize the internal tracing of classified information and visibility to assist in recalling or retrieving classified information or identifying its location.

Classified information can arrive at a cleared contractor in many different ways including cleared contractor employee or government employee couriers, contractually related customers, secure fax, secure email, US Postal Service, overnight delivery services and other approved means of transmitting or disseminating classified information. Regardless of how classified material arrives, the contractor should provide the proper reception of classified material by authorized cleared employees. The receiver of classified material plays a role in both safeguarding classified material after it arrives as well as identifying discrepancies and security violations that may have occurred while the classified information is in transit.

Inventory Control

One possible solution for controlling the introduction, storage, and transmission of classified information is through an information management system (IMS) (SIMSSOFTWARE is an example). The IMS is a tool that could help track and find classified material at any time no matter how many classified documents or objects are stored. Additionally, cleared contractors could use the IMS as a centralized document control system. Used in tandem with a positive visitor control process, the contractor could direct the arrival of visitors, couriers, mail carriers, overnight delivery companies, and others who could potentially convey classified information to a centralized processing location. Through a process of document control, the cleared contractors can receive classified information, inspect it, sign receipts, document the contents, store, and make classified information available for authorized employee use. Without such controls, classified information could be vulnerable to unauthorized disclosure, loss, or compromise.

Inspecting and Documenting

Classified information (SECRET and above) should contain two copies of receipt. A good security practice allows for the sender to alert the receiver that classified material is being sent to their facility. Many times program managers, engineers or other technical employees are anticipating the delivery, but may not have all the details of delivery times and dates. However an FSO to FSO coordination can provide all the information of the transaction in advance.

The receiver should then check the receipt against the contents to ensure the item has been identified correctly and all items are accounted for. The properly filled out receipt should list the sender, the addressee and correctly identify the contents by an unclassified title and appropriate quantity. Since the receipt may be filed for administrative and compliance purposes, the inspector should ensure it contains no classified information. If the receipt contains a classified title, the sender may be able to coordinate for an unclassified title for internal use and treat the receipt according to the classification level.

The receiver should compare the classification identified in the receipt with that annotated on the inner wrapper and the actual classified material markings. This action validates that the classified contents are safeguarded and transmitted properly once the outer wrapping has been opened or removed. Once all the checks and verifications are complete, the receiver can then sign a copy of the receipt and return to the sender, thus closing the loop on the sender’s accounting responsibilities.

5-401b

Is a suspense system established to track transmitted documents until the signed receipt is returned?
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.


It is the sender’s responsibility to ensure classified information arrives at the intended destination. The sender should track the classified deliveries until they receive a receipt or verify arrival. A good practices is to schedule follow up dates in Microsoft Outlook Calendar, IMS, spreadsheet or other tools to validate reception of signed receipts. If the receipts have been returned, the sender can close the action. If not, they may need to send a request to the receiver. 

A good security program designed to protect classified material begins with the proper reception of classified information. Classified information should be delivered to an approved mailing address. Prior to delivery, the sender should contact the receiver and notify them of the intended delivery. The receiver should then prepare for the delivery and ensure that only the proper employee cleared to the appropriate level receives the classified delivery. The receiver should inspect the delivery for proper wrapping, address, and delivery method. After inspection, they should sign a receipt and return it to the sender. The inspector should then enter the classified items into an IMS. Once filed, they can make the information available for use to those with clearance and need to know.

 VALIDATION:


1. Demonstrate compliance through policy and procedure development and updates that include tasks to be accomplished during reception of classified information.

2. Save and file receipts for easy recall.

3. Develop and document inventory management for classified information that includes documenting receipt of classified information.

4. Include reception of classified information with job specific security awareness training.

5. Learn to correctly use information management systems for document control purposes, generate reports, and demonstrate compliance.

6. Develop process to trace and account for signed receipts and what to do when receipts are not returned.

No comments: