This article continues the series covering the Self-Inspection Handbook For
NISP Contractors and guidance found in the National Industrial Security
Program Operating Manual (NISPOM) Incorporating Change 2.
Contractors are required to be able to retrieve and dispose of classified
information within a reasonable amount of time. The government owns it, so
contractually, the contractor should turn it over upon request. An information
management system will help with that task.
Question:
Is your Information Management System (IMS) capable of
facilitating the retrieval and disposition of classified material as required?
RESOURCE: ISL 2006-01 Information Management System under
Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html
Answer:
NISPOM 5-200.
Policy.
Contractors shall
establish an information management system to protect and control the
classified information in their possession. Contractors shall ensure that
classified information in their custody is used or retained only for a lawful
and authorized U.S. Government purpose. The U.S. Government reserves the right
to retrieve its classified material or to cause appropriate disposition of the
material by the contractor. The information management system employed by the
contractor shall be capable of facilitating such retrieval and disposition in a
reasonable period of time.
Whereas the Top Secret Control Official is required to keep
records of TOP SECRET information, the information management system for
SECRET and below is not prescribed. The NISPOM guidance is for contractors to
implement a control that allows for the acknowledgement, tracing, and
disposition of the classified information they possess. The NISPOM
does not require any specific format, just that there is something in place
that performs a control type of function. What is the function? To be able to
retrieve and report disposition of classified information in a reasonable time.
The control helps to ensure that classified information is
used or retained for lawful and authorized U.S. Government services.
For example, a classified contract is awarded and, according to the DD
Form 254, the contractor is permitted to receive, generate, and store
classified information at the SECRET level.
As classified information is received, generated, and
stored, the acceptance, issuance, generation, existence, etc. should be
acknowledged in a contractor-supplied control. This can be accomplished through
a software-based solution such as SIMS Software, or something as simple as an
Excel spreadsheet or a piece of paper and a stubby pencil.
Now, suppose the contract ends and the government requires
returning all classified information related to the contract within a certain
period of time. The contractor is required to return all classified information
in a short suspense. If it is just a few items, that is no problem. However, if
the contractor has multiple security containers in multiple rooms or buildings,
this could prove difficult without a dependable and accurate information
management system.
There is also no requirement for any form of receipt and
dispatch records. However, if a contractor has a large number of documents,
such tools may be very helpful. A software program that allows the tracing and
“accountability” of inventory could be a significant help when searching for
classified information.
For example, suppose the classified information was received,
put into a company security container in a central receiving area, and logged
into that location. A year later, the cleared employees on contract require the
classified information to be moved into a newly constructed room with a new
security container. A receipting or tracing action that follows the relocation
of the document would allow quick retrieval. Relying upon memory or forgetting
to document the movement could result in a time-consuming hunt.
Whichever method is used to enforce this control, the intent
is for the contractor to demonstrate the capability for timely retrieval of
classified information wherever it is and the ability to dispose of classified
information when required to do so.
Validation:
Practice retrieving documents to ensure system functions
Clearly demonstrate ability to retrieve classified information
Clearly demonstrate ability to relay disposition of destroyed classified information
Ensure cleared employees understand the information management system through training and briefings