3 IMPORTANT POINTSThis briefing is non-IS focused but IS plays a KEY role!When in doubt, contact your DSS representative!
4 Defense Contractor Security Requirements National Industrial Security Program Operating Manual -It provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under theNISP (National Industrial Security Program)Industrial Security LettersDon’t forget ISL’s!
5 Facility ClearanceA. FACILITY CLEARANCENISPOM REF:Question:1-302g(3)Have all changes (e.g. changes in ownership; operating name or address; KMP information; previously reported FOCI information or action to terminate business) affecting the condition of the FCL been reported to your DSS IS Rep?Note: Does the facility have a TS FCL? If so, when did the site last access TS information? Should the site be downgraded? Does the site have a DD Form 254 to support the TS FCL?Is the site’s ISFD record accurate? Physical address? Classified mailing address? FCL level? FSO name? Special accesses? (If special accesses are listed, is the FSO properly briefed?) Ensure the FSO has a current copy of the site’s ISFD record on file. If data is not accurate, contact the site’s ISR to request an update.Has an internal self-inspection been conducted and documented by the FSO six months after the last DSS audit?2-100cHas the fact that the company has an FCL been used for advertising or promotional purposes?2-104Are the senior management official, the FSO, and other Key Management Personnel cleared as required in connection with the FCL?Note: Must be cleared to the level of the facility clearance. Only the Senior Official and the FSO should be listed on the Key Management List. Ensure the Senior Official and the FSO are identified as KMP’s in JPAS. Must maintain current KMP list.2-106a-bHave the proper exclusion actions been conducted for uncleared company officials?Common finding: 1-302: If the facility clearance is approved for special access (i.e., NATO (10-706), COMSEC (9-404)), is the FSO properly briefed?Common finding: DD Form 441 was not on file and/or DD Form 441 was out of date or incorrect
6 Facility Clearance (continued) Common findings:SF 328 is not accurateAppointment letters are not correct or currentDeparted individuals still on the listTSCOs, ISSM, etc, were appointedKMP List does not reflect current key personnel
7 Access Authorizations NISPOM2-200dAre the number of clearances held to a minimum consistent with contractual requirements?Note: When conducting employee interviews ask the employee when was the last time that they had access to classified information or classified material and what classified contract they are performing work under? Validate the need for their clearance.2-202aAre employees in process for security clearances notified in writing that review of the SF 86 is for adequacy and completeness only and that the information will be used for no other purpose within the company?Note: SF 86 and signed releases are required to be maintained until the time that the eligibility process is complete (these records should then be destroyed). During security reviews, IS Reps will ask to speak to employees who recently completed SF 86 to ensure that they received the required notice.2-202bAre procedures in place to ensure that the applicant’s SF 86 and fingerprint cards are authentic, legible and complete to avoid clearance processing delays? Note: The FSO or designee shall ensure that the applicant’s fingerprints are authentic and legible. Review the process. If fingerprints are done off site, does the FSO accompany the applicant?Are original, signed copies of the SF 86 and releases retained until the applicant’s eligibility for access to classified has been granted or denied, and then destroyed?Does the site have a process for ensuring that the Security Office is aware when an employee terminates? Ask about their process, procedures, documentation. If an employee had a clearance revoked, were they properly debriefed and was access to classified information denied promptly?Common finding: 2-201a/b: SF 86 and signed releases are required to be maintained until the time that the eligibility process is complete (these records should then be destroyed). Review for completeness only and destroy copy upon issuance or denial of PCL. Original SF312 to be mailed to DISCO.Common finding: 3-108: Debriefings not conducted (follow-up by mail, if necessary)Common finding: 2-200b: Access not removed in JPAS if clearance is revoked or terminated Common finding: 2-200d: Personnel clearances are not held to a minimum
8 Classified Storage Common finding: Combinations (5-309) If combination is written, it must be marked and properly stored and protectedif container stores caveat info, then combo must be so marked (NATO, COMSEC, CNWDI, etc.)Common finding: , Repair of containersMultiple Safes should not have the same combo. Easiest to remember a six letter word. Combinations (if written down) must be marked correctly and protected at the same level of classified the combo protects. Employees with knowledge of combos should be kept to a minimum. If container protects special caveat info (NATO, COMSEC, CNWDI) than all persons with knowledge of the combo must be appropriately briefed.
9 Controlled Access Areas Chapter 5, Section 9:IDS must meet UL 2050 StandardsInstallationPeriodic inspectionsType of monitoring stationRecords of alarmsUL certificates for each areaCommon finding: Expired UL2050 certification (also known as “CRZH”)
10 Closed Area Checklist - Idea Closed Areas Interview Guide ___ Is the media in the area marked properly? (classified, unclassified, and system software) ___ Are both classified and unclassified computer equipment affixed with a label indicating their level of processing? ___ Review the visitor log. Pay close attention to the visitor’s company name. Did someone visit from an HVAC service? If so, ask the area custodian what they did. Did they put a hole in the wall or make a change affecting the area integrity or the 147? If so, is it greater than 96 square inches? Did someone visit from Xerox? If so, what did they do while they were there? Did they install a new copy machine with a hard drive? Did this get connected to the classified AIS? Did someone visit from a computer service vendor? If so, what did they do? Did they bring diagnostic equipment with them? If so, did they connect it to the AIS? Did any visitors have “keyboard” access? If so, was that authorized? Dispose of visitor logs from before the last DSS audit ____ Does the 147 note “open storage” of AIS? ____ AIS TEAM MEMBER: Dispose of system paperwork from before the last DSS audit (unless it is still relevant) ___ AIS TEAM MEMBER: Look around. Is there any new hardware connected to the AIS? If so, what is it? Does it have memory? ___ AIS TEAM MEMBER: Check the AIS system access list. Are all individuals still active employees? Balance the list against an active employee listing. Bring a list of recently terminated employees with you, too. Are all individuals on the system access list also on the Closed Area access list? If not, why not? Review the Closed Area access list. Do you see anyone who recently terminated? If so, request that they be taken off the Closed Area access list. Were they on the system access list? If so, has their account been disabled? Balance all the lists against each other. Has everyone on the system access list taken the required CBEs? (Verify.) ___ Are there Security posters in the area? ____ Are the FAX machines in the area marked to indicate “for unclassified use only”? ____ Are the shredders marked “for unclassified use only”? ___ AIS TEAM MEMBER: Do the classified printers have a sign “Output must be treated as classified until reviewed ….?” ___ Are the recycle bins labeled “for unclassified use only”? ____ Are the supplies in the area sufficient? (CD labels, classification labels, coversheets, etc.). ___ Does the area have a “marking guide” poster? ____ Does the area have an updated Security points of contact poster? __ AIS TEAM MEMBER: Before going to audit the system, read about what the system is used for and what it does. This will generate questions and help you understand what goes on in the area ___ AIS TEAM MEMBER: Have a user walk you through the steps they follow when they create classified data. What do they print out? Is it classified? If it’s not classified, do they verify that? How do they know what’s classified? (Do they refer to the program security classification guide? Do they know where the guide is located?) Where do they put the classified when it’s completed? Go look at their safe. Are things marked properly? Ask if the data in the safe is for a current contract. If not, explain the requirements for retention approval. (See NISPOM 5-701) Where does the data or hardware go from there? Is it sent to a customer? What is our relationship with the organization they send it to? Do we have DD Forms 254 in place to/from that organization? What is the classification of what they are working on? Is the system approved up to that level? ___ Do they support IR&D activities? If so, explain how IR&D documents must be marked “IR&D Document,” etc. in accordance with the NISPOM (11-304) ____ Are the above-the-ceiling checks being conducted on the required schedule? Look at the records. Dispose of records from before the last DSS audit __ AIS TEAM MEMBER: Review Trusted Download logs, ask people where the removed media is currently located (stored on a computer, CD, printout), and which method they used for the transfer. DSS is focusing on interviews with employees and may very well ask them to actually demonstrate a trusted download. Ask the employee to walk through the steps with you to prepare them for the audit.
12 Marking Required Markings 1) Overall classification level 2) Company name and address3) Title4) Derived From: ___________5) Declassify on: ___________6) Date of SourceWorking Papers- 180 days Secret/ Confidential- 30 days for TSClassification level must be marked top/ bottom on each page, front and back of document.Common finding: 4-209: Multiple Sources – bibliography not availableCommon finding: 4-200: Documents not properly/completely markedCommon finding: 5-203: Working papers held over (and/or improperly marked)
13 Classified Material Controls Q. CLASSIFIED MATERIAL CONTROLSNISPOMREF:Question:5-100Do your cleared employees understand their safeguarding responsibilities?Note: Interview employees! Ask to see examples of training that is provided.5-200Is your information management system (IMS) capable of facilitating the retrieval and disposition of classified material as required? Test it!5-201aAre TOP SECRET control officials designated at facilities possessing TOP SECRET information?Note: Ensure a TSCO appointment letter is on file.Are TOP SECRET accountability records maintained as required and is an annual inventory conducted?Note: Check the TS records.5-202Is all classified material received directly by authorized personnel?Note: An authorized person means a cleared person who has been assigned this duty and therefore has a need-to-know. This person or persons must be cleared to the level of classified material expected to be received. Ask to watch the process. Ensure they are knowledgeable of their duties. Include mail room, lobby personnel, Shipping and Receiving, and backups!
14 Classified Material Controls Ensure any potential recipients are knowledgeable of their duties include mail room and Shipping and Receiving - and interview their backups Ensure discrepancy reports are submitted as required (i.e., no receipt for Secret or Top Secret, signs of tampering, improperly addressed, etc.) Ensure receipts are all signed and returned
15 Classified Material Controls 5-102Are security checks to ensure proper storage of classified materials conducted at the end of each working day?Note: If you say you document them, make sure your records are complete. Can your employees explain the process they follow? Ask them….5-103Does your system of controls deter or detect unauthorized introduction or removal of classified from the facility?Note: The fact that persons who enter or depart the facility are subject to an inspection of their personal effects shall be conspicuously posted at entries and exits. If guards are used, ask them what they are looking for. Do you keep a record of how many checks are conducted?1-3001-303Are your cleared employees aware of their responsibility to promptly report the loss, compromise, or suspected compromise of classified?Note: Have there been any reported? If so, review the documentation. Ask employees if they are aware of any incidents in their area. Ask what they would do if they were aware of one.5-104Are procedures adequate to protect classified during emergencies?Note: Ensure that site has signs/posters with the instructions
16 Emergency Procedures for Securing Classified Material In any emergency, your primary consideration must be personal safety. Safeguard classified material if at all possible but NEVER at the risk of your own or someone else’s safety. YOUR PERSONAL SAFETY COMES FIRST! If it can be accomplished without personal risk, return classified material to the approved safe prior to evacuating the area. If you have classified material in your possession and can do so safely, you may take it with you when evacuating the area. Keep it in your personal possession and safeguard it from unauthorized disclosure, then return it to an authorized person or the safe. It is not necessary to secure the area when leaving. Doing so might slow down evacuation and emergency personnel may need access to the area. Following the emergency, if you are able to return to the area, examine the classified container for evidence of tampering. Notify Security immediately if you note evidence of tampering. Security shall make every attempt to identify emergency responders and determine whether or not they have had access to classified information. Inadvertent disclosure agreements will be completed where necessary. Emergency telephone numbers and additional evacuation information are available on the MFC Homepage under Emergency Information. REMEMBER your personal safety comes first!SAMPLECommon finding: 5-104: Not having emergency procedures in place
17 ReproductionR. REPRODUCTIONNISPOM REF:Question:Does the equipment used for classified reproduction have any sort of memory capability? If yes, the equipment may require accreditation as an information system.Note: You may want to have labels/signs at each copy machine / printer5-600Is reproduction of classified material kept to a minimum?Note: Who can do it? Are they knowledgeable? Interview them. Are briefings used? Are instructions posted? Speak with the employees who make copies to ascertain their knowledge of the processIs the reproduction of classified accomplished only by properly cleared, authorized, and knowledgeable employees?5-601For Top Secret material, is reproduction authorization obtained as required? Check the DD Form 2545-602Are reproductions of classified material reviewed to ensure that the markings are proper and legible?5-603Is a record of reproduction maintained for TS material and is it retained as required?Note: 2 year retention required.
18 DispositionS. DISPOSITIONNISPOM REF:Question:5-700bAre procedures established to review classified holdings on a recurring basis for the purpose of reduction?Note: Can the FSO explain the process? Consider having a “clean out day”Is the disposition of classified material accomplished in accordance with the required schedule?Note: 5-701d – Symposium notes must be destroyed within one year.Is retention authority requested as required?5-704Is classified material destroyed as soon as possible after it has served its purpose?5-705Is an effective method of destruction employed that meet NISPOM standards?Note: If a crosscut shredder is utilized, ensure it is on the latest NSA evaluated products list of high security crosscut shredders. Verify that output still meets the 1/2 “ x 1/32” requirement. Has the machine been serviced lately? Who services it? Any problems? Does the facility have written DSS approval for the shredder(s)? If not, may want to have it – NOT required as long as the shredder meets the standards but could be a best practice. Check for approval letter from DSS for whatever method of destruction is used. Verify that equipment is still on the NSA Approved Products List5-706Is classified material destroyed by appropriately cleared authorized personnel who fully understand their responsibilities? (may include appropriately cleared subcontractor personnel)Note: Have the employee demonstrate the process.
19 DispositionNISPOM5-707Are proper records maintained for the destruction of TOP SECRET classified and do those who sign have actual knowledge of the material’s destruction?Note: Destruction records must be maintained for 2 years.5-708Is classified waste properly safeguarded until its timely destruction?Note: Ensure classified waste is properly destroyed prior to DSS review. Where is it kept?
20 * Destruction * Retention Approval * Downgrade * Disposition* Destruction * Retention Approval * Downgrade *5-700b, 5-701: Must review holdings on a recurring basis and disposition 2 years after contract close5-705: Destruction methods5-708: Waste destroyed as soon as possible5-706: Destroyed by knowledgeable persons
21 Other Common Findings1-206b – Self Inspections not conducted as requiredFSO has not completed training within 1 year of appointment5-306 – Remember to spin the dial on Closed Areas5-313 – Facility does not have letter from manufacturer of automated access control equipment“Perimeter controls” – i.e., bag checks, are not being conducted (or are insufficient) and/or no signageUncleared individuals signing for mailAIS approvals not available for reviewCommon Service Agreements not on file1-300, 1-302, 1-207: Employees unaware of reporting requirements and no posting of DoD Hotline1-302b - Suspicious Contact Reports not submittedNo graduated scale of disciplinary action in place (or employees unaware)
22 Other Common FindingsNot following the site’s Security Manual/ProceduresFailure to to flow down classification guidance to subcontractors, appropriatelyCOMSEC 254s not signed by GCA5-501b - Outstanding classified material receiptsISL - Use of FedEx without approvals on fileBeware - the consultant agreement should be written to one person only or to a company which is made up of immediate family members only (i.e. mother, father, sister, brother, sons or daughters only). When a consulting agreement is written to a company or multiple names or if the company has employees, they are not considered consultants, they are a subcontractor and must be treated as a subcontractor3-106, 3-107: Initial and refresher briefings do not contain the 5 required topics