This article continues
the series covering the Self-Inspection Handbook For NISP Contractors and
guidance found in the National Industrial Security Program Operating Manual
(NISPOM) Incorporating Change 2.
Contractors depend
heavily on reproducing, printing, or otherwise providing hard copy documents as
contract deliverables or work products. Printers, copiers, and fax machines
now have memory storage and are more information systems by nature than just
“copy machines”. The NISPOM has
been updated to address how to use and categorize equipment with storage
capability.
Question:
Does the equipment used for classified reproduction have any
sort of memory capability? If yes, the equipment may require accreditation as
an Information System (IS).
Answer:
The
concern is that unless a copier with storage capability is treated as an
Information System classified information residing in the storage could be at
risk if improperly disposed of. According to the Self-Inspection
Handbook for NISP Contractors, any reproduction
device that has memory storage may have to be accredited as an Information
System.
In many classified environments, hundreds of thousands of
pages of reports are printed to meet contractual requirements in the printer's lifetime. Test data,
program presentations, critical design reviews, statements of work, period of
performance reports, are but a few sensitive documents subject to reproduction.
These days, date is commanded to be sent from the drive of one classified computer to
the printer, copy machine, or fax machine only to be stored on their drive. Over the years, this information can collate into quite a
voluminous library of intimate programmatic details. The good news is that it
is protected inside of a classified environment and many facility security
officers understand very well how to protect classified information systems.
However, for the uninitiated, a little more training may be
required. The understanding that a printer is simply an intellectually dumb
machine passively making copies is what the Defense Security Services is
attempting to impact. Some are familiar with tales of investigative journalists
procuring recycled copy machines and printers only to access the hard drives.
Years of sensitive government and personal information were surprisingly
revealed as a demonstration of just how foolish it was to recycle these
machines without destroying for wiping the hard drives.
Any machine that processes classified information and has storage or memory capability
should be considered an information system and therefore accredited prior to
use. The accredited system and components will now come under more scrutiny and
accountability to prevent improper disposition.
Validation:
Inspect and inventory all printers, copiers, fax machines
and other office equipment that process classified and sensitive information.
Review accredited IS against the inventory of office
equipment and ensure qualifying systems and components are included in the
accreditation.
Develop a plan that identifies and demonstrate future disposition
of items no longer required (destruction, recycling, etc.)
Ensure cleared employees understand the information system requirements
through training and briefings.
For more security ideas, training, and books, visit www.redbikepublishing.com