Documenting evidence of compliance is a challenge that many
Cleared Defense Contractors (CDC) face. Compliance is checked through reviews
and audits conducted by customers to ensure contractual and government
requirements are met. Best practices for CDCs include conducting
self-inspections and documenting events to demonstrate how the CDCs incorporate
the inspectable items into their daily practices and weave them into the
corporate culture.
Depending on the CDC's size and scope of work, the
administrative and compliance challenges increase according to the size of the
staff. The fewer the supporting staff, the larger the work requirement for each
employee. For example, in a CDC with 1000 or more employees, the security staff
may include a Facility Security Officer (FSO) with a staff of 4 or more
employees dedicated to a security program designed to protect classified
information. This staff addresses personnel and facility security issues
including classified contracts and subcontracts, security awareness training, maintenance
of security clearances and investigation, annual self-inspections, etc. The
dedicated staff of overhead employees can focus on Defense Security Service
(DSS) reviews and customer security requirements.
For smaller CDCs, this work may be spread out to those
employees that perform security functions in addition to other duties. It’s not
unusual in these cases to see a CEO or other senior executive function as an
FSO or an engineer performing on classified work also charging to overhead to
conduct FSO duties. Smaller CDCs are still required to perform the functions of
an FSO regardless of the size of the organization. Even if they have a full-time
job running the company or designing the latest high-tech weapon, they
still need to carve out valuable time to address the personnel and facility
security issues and meet customer and DSS requirements.
One excellent way to meet these administrative
requirements is to have employees log on to the DSS CDSE website, take
classes, and print off the certificates of completion. This requires the
employees to create an account and register for the classes. Another method is
for the CDC to create its own training, present it to the employees, and create
a sign-in sheet to show that they attended the required training.
Some events that are required to occur prior to each DSS
inspection include:
· Performing a self-inspection: DSS has a self-inspection guide book that CDCs can download and use.
· Conducting required training: DSS has courses employees can take. These training topics are also available to download and present from Red Bike Publishing. The courses include the following topics:
    o SF312 briefing for cleared employees. Newly cleared employees must be briefed on how to protect classified information.
While larger CDCs have a dedicated staff of security professionals to address
security and compliance, smaller CDCs don’t have that luxury. More time and
effort is required to research, implement and then document the compliance.
There are some things small CDCs can do to better manage the requirements and
we hope that these newsletters and articles better assist. If you know of
someone who can benefit from these articles and newsletters, please share.
Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. He regularly consults, presents security training, and recommends export compliance and intellectual property protection countermeasures. He is an accomplished writer of non-fiction books, novels and periodicals. Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training".