Monday, May 29, 2017

Security Controls

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.

Prior to sending classified information via commercial carriers, the holder of the classified information should gain approval of the intent to ship and the method of shipment.  Once the approval is gained, the shipper should properly prepare the product and coordinate the shipment with the government, shipper, and receiver.

Question:
Do your cleared employees understand their safeguarding responsibilities?

Answer:

NISPOM 5-100. General.

Contractors shall be responsible for safeguarding classified information in their custody or under their control. This includes classified material controls that govern procedures or capabilities that deny, deter, and detect any unauthorized attempt to gain access to classified information.

NISPOM Chapter 5 is a large section that attempts to provide guidance on protecting classified information by format (written document, electronic document, hardware item, information system, etc.) and location (open storage, computer, in transit, at work, etc.). Chapter 5 addresses protection of classified information during reception, storage, transmission, destruction, physical security, and more. This protection involves marking, physical security specifications, oral communication, access, hand carrying, need to know, and other measures to prevent unauthorized access.

While other NISP Handbook sections address format and location of classified information, Section Q focuses on controls that are in place to trace and account for classified information at the cleared facility. This safeguarding question addresses a theme that runs as an undercurrent through all of Chapter 5: the administrative and technical controls in place to document and detect the status of classified information. Though some of these controls were covered in other NISP Handbook questions, they are revisited here to demonstrate a specific security function.

The question again is general and will be further unpacked in specific applications as we work our way through Section Q. The point of this article is to explain the controls at a high level and dig deeper in subsequent articles. Cleared employees should understand how to answer the question in the context of the information management system and perimeter controls available to ensure that classified information is received, that only authorized persons gain access, and that any unauthorized attempts to gain access are detected.

Validation:
Policy and procedure in place that describe information management and perimeter controls
Employee acknowledgement of security training and understanding of classified material controls
Provide written authorization for hand carrier to transport classified information
Develop tracking system to ensure receipts are returned in a timely manner
Provide proof of hand carrier or escort briefing
Review and compare signatures of couriers who have attended training and briefings

