Is your Information Management System (IMS) capable

This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2. 

 Contractors are required to be able to retrieve and dispose of classified information within a reasonable amount of time. The government owns it, so contractually, the contractor should turn it over upon request. An information management system will help with that task.

Question:

Is your Information Management System (IMS) capable of facilitating the retrieval and disposition of classified material as required?

RESOURCE: ISL 2006-01 Information Management System under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html

Answer:

NISPOM 5-200. Policy.

Contractors shall establish an information management system to protect and control the classified information in their possession. Contractors shall ensure that classified information in their custody is used or retained only for a lawful and authorized U.S. Government purpose. The U.S. Government reserves the right to retrieve its classified material or to cause appropriate disposition of the material by the contractor. The information management system employed by the contractor shall be capable of facilitating such retrieval and disposition in a reasonable period of time.

 Where the Top Secret Control Official is required to keep records of TOP SECRET information, the information management systems for SECRET and below is not proscribed. The NISPOM guidance is for contractors to implement a control that allows for the acknowledgement of, tracing of, and disposition classified information that is possessed. The NISPOM does not require any specific format, just that there is something in place that performs a control type of function. What is the function? To be able to retrieve and report disposition of classified information in a reasonable time.

The control helps to ensure that classified information is used or retained for lawful and authorized U.S. Government services. This control helps enforce that. For example, a classified contract is awarded and according to the DD Form 254, the contractor is permitted to receive, generate, and store classified information as the SECRET level.

As classified information is received, generated, and stored, the acceptance, issuance, generation, existence, etc. should be acknowledged in a contractor supplied control. This can be accomplished through a software based solution such as SIMS Software or as simple as using an excel spreadsheet or piece of paper and a stubby pencil.

Now, suppose the contract ends and the government requires returning all classified information related to the contract with in a certain period of time. The contractor is required to return all classified information in a short suspense. If it’s just a few items, no problem, however, if the contractor has multiple security containers in multiple rooms or buildings, this could prove difficult without a dependable and accurate information management system.

There also is no requirement for any form of receipt and dispatch records. However, if a contractor has a large number of documents, such tools may be very helpful. A software program that allows the tracing and “accountability” of inventory could be a significant event while searching for classified information.

For example, suppose the classified information was received and put into a company security container in a central receiving area and logged into that location. A year later, the cleared employees on contract require the classified information to be moved into a newly constructed room with a new security container. A receipting or tracing action that follows the relocation of the document would allow the quick retrieval. Relying upon memory or forgetting to document the movement could result in a time consuming hunt.

Whichever method is used to enforce this control, the intent is for the contractor to demonstrate capability for timely retrieval of classified information wherever it’s and have the ability to dispose of classified information when required to do so.

Validation:

Practice retrieving documents to ensure system functions

Clearly demonstrate ability to retrieve classified information

Clearly demonstrate ability to relay disposition of destroyed classified information

Ensure cleared employees understand the information management system through training and briefings