This briefing is non-IS focused but IS plays a KEY role! When in doubt, contact your DSS representative! IMPORTANT POINTS
Defense Contractor Security Requirements National Industrial Security Program Operating Manual - It provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP (National Industrial Security Program) -- -- Industrial Security Letters Don’t forget ISL’s!
A. FACILITY CLEARANCE NISPOM REF:Question: 1-302g(3)Have all changes (e.g. changes in ownership; operating name or address; KMP information; previously reported FOCI information or action to terminate business) affecting the condition of the FCL been reported to your DSS IS Rep? Note: Does the facility have a TS FCL? If so, when did the site last access TS information? Should the site be downgraded? Does the site have a DD Form 254 to support the TS FCL? Is the site’s ISFD record accurate? Physical address? Classified mailing address? FCL level? FSO name? Special accesses? (If special accesses are listed, is the FSO properly briefed?) Ensure the FSO has a current copy of the site’s ISFD record on file. If data is not accurate, contact the site’s ISR to request an update. Has an internal self-inspection been conducted and documented by the FSO six months after the last DSS audit? 2-100cHas the fact that the company has an FCL been used for advertising or promotional purposes? 2-104Are the senior management official, the FSO, and other Key Management Personnel cleared as required in connection with the FCL? Note: Must be cleared to the level of the facility clearance. Only the Senior Official and the FSO should be listed on the Key Management List. Ensure the Senior Official and the FSO are identified as KMP’s in JPAS. Must maintain current KMP list. 2-106a-bHave the proper exclusion actions been conducted for uncleared company officials? Facility Clearance Common finding: 1-302: If the facility clearance is approved for special access (i.e., NATO (10-706), COMSEC (9-404)), is the FSO properly briefed? Common finding: DD Form 441 was not on file and/or DD Form 441 was out of date or incorrect
Facility Clearance (continued) Common findings: – SF 328 is not accurate – Appointment letters are not correct or current Departed individuals still on the list TSCOs, ISSM, etc, were appointed – KMP List does not reflect current key personnel
Access Authorizations NISPOM 2-200dAre the number of clearances held to a minimum consistent with contractual requirements? Note: When conducting employee interviews ask the employee when was the last time that they had access to classified information or classified material and what classified contract they are performing work under? Validate the need for their clearance. 2-202aAre employees in process for security clearances notified in writing that review of the SF 86 is for adequacy and completeness only and that the information will be used for no other purpose within the company? Note: SF 86 and signed releases are required to be maintained until the time that the eligibility process is complete (these records should then be destroyed). During security reviews, IS Reps will ask to speak to employees who recently completed SF 86 to ensure that they received the required notice. 2-202bAre procedures in place to ensure that the applicant’s SF 86 and fingerprint cards are authentic, legible and complete to avoid clearance processing delays? Note: The FSO or designee shall ensure that the applicant’s fingerprints are authentic and legible. Review the process. If fingerprints are done off site, does the FSO accompany the applicant? 2-202bAre original, signed copies of the SF 86 and releases retained until the applicant’s eligibility for access to classified has been granted or denied, and then destroyed? Does the site have a process for ensuring that the Security Office is aware when an employee terminates? Ask about their process, procedures, documentation. If an employee had a clearance revoked, were they properly debriefed and was access to classified information denied promptly? Common finding: 2-201a/b: SF 86 and signed releases are required to be maintained until the time that the eligibility process is complete (these records should then be destroyed). Review for completeness only and destroy copy upon issuance or denial of PCL. Original SF312 to be mailed to DISCO. Common finding: 3-108: Debriefings not conducted (follow-up by mail, if necessary) Common finding: 2-200b: Access not removed in JPAS if clearance is revoked or terminated Common finding: 2-200d: Personnel clearances are not held to a minimum
Classified Storage Common finding: Combinations (5-309) If combination is written, it must be marked and properly stored and protected if container stores caveat info, then combo must be so marked (NATO, COMSEC, CNWDI, etc.) Common finding: 5-311, Repair of containers
Controlled Access Areas Chapter 5, Section 9: IDS must meet UL 2050 Standards Installation Periodic inspections Type of monitoring station Records of alarms UL certificates for each area Common finding: Expired UL2050 certification (also known as “CRZH”)
Closed Area Checklist - Idea Closed Areas Interview Guide ___Is the media in the area marked properly? (classified, unclassified, and system software) ___Are both classified and unclassified computer equipment affixed with a label indicating their level of processing? ___ Review the visitor log. Pay close attention to the visitor’s company name. Did someone visit from an HVAC service? If so, ask the area custodian what they did. Did they put a hole in the wall or make a change affecting the area integrity or the 147? If so, is it greater than 96 square inches? Did someone visit from Xerox? If so, what did they do while they were there? Did they install a new copy machine with a hard drive? Did this get connected to the classified AIS? Did someone visit from a computer service vendor? If so, what did they do? Did they bring diagnostic equipment with them? If so, did they connect it to the AIS? Did any visitors have “keyboard” access? If so, was that authorized? Dispose of visitor logs from before the last DSS audit ____Does the 147 note “open storage” of AIS? ____AIS TEAM MEMBER: Dispose of system paperwork from before the last DSS audit (unless it is still relevant) ___ AIS TEAM MEMBER: Look around. Is there any new hardware connected to the AIS? If so, what is it? Does it have memory? ___ AIS TEAM MEMBER: Check the AIS system access list. Are all individuals still active employees? Balance the list against an active employee listing. Bring a list of recently terminated employees with you, too. Are all individuals on the system access list also on the Closed Area access list? If not, why not? Review the Closed Area access list. Do you see anyone who recently terminated? If so, request that they be taken off the Closed Area access list. Were they on the system access list? If so, has their account been disabled? Balance all the lists against each other. Has everyone on the system access list taken the required CBEs? (Verify.) ___ Are there Security posters in the area? ____ Are the FAX machines in the area marked to indicate “for unclassified use only”? ____ Are the shredders marked “for unclassified use only”? ___ AIS TEAM MEMBER: Do the classified printers have a sign “Output must be treated as classified until reviewed ….?” ___ Are the recycle bins labeled “for unclassified use only”? ____ Are the supplies in the area sufficient? (CD labels, classification labels, coversheets, etc.). ___ Does the area have a “marking guide” poster? ____ Does the area have an updated Security points of contact poster? __ AIS TEAM MEMBER: Before going to audit the system, read about what the system is used for and what it does. This will generate questions and help you understand what goes on in the area ___ AIS TEAM MEMBER: Have a user walk you through the steps they follow when they create classified data. What do they print out? Is it classified? If it’s not classified, do they verify that? How do they know what’s classified? (Do they refer to the program security classification guide? Do they know where the guide is located?) Where do they put the classified when it’s completed? Go look at their safe. Are things marked properly? Ask if the data in the safe is for a current contract. If not, explain the requirements for retention approval. (See NISPOM 5-701) Where does the data or hardware go from there? Is it sent to a customer? What is our relationship with the organization they send it to? Do we have DD Forms 254 in place to/from that organization? What is the classification of what they are working on? Is the system approved up to that level? ___ Do they support IR&D activities? If so, explain how IR&D documents must be marked “IR&D Document,” etc. in accordance with the NISPOM (11-304) ____ Are the above-the-ceiling checks being conducted on the required schedule? Look at the records. Dispose of records from before the last DSS audit __ AIS TEAM MEMBER: Review Trusted Download logs, ask people where the removed media is currently located (stored on a computer, CD, printout), and which method they used for the transfer. DSS is focusing on interviews with employees and may very well ask them to actually demonstrate a trusted download. Ask the employee to walk through the steps with you to prepare them for the audit.
Required Markings 1) Overall classification level 2) Company name and address 3) Title 4) Derived From: ___________ 5) Declassify on: ___________ 6) Date of Source Working Papers - 180 days Secret/ Confidential - 30 days for TS Marking Common finding: 4-209: Multiple Sources – bibliography not available Common finding: 4-200: Documents not properly/completely marked Common finding: 5-203: Working papers held over (and/or improperly marked)
Classified Material Controls Q. CLASSIFIED MATERIAL CONTROLS NISPOM REF: Question: 5-100 Do your cleared employees understand their safeguarding responsibilities? Note: Interview employees! Ask to see examples of training that is provided. 5-200 Is your information management system (IMS) capable of facilitating the retrieval and disposition of classified material as required? Test it! 5-201a Are TOP SECRET control officials designated at facilities possessing TOP SECRET information? Note: Ensure a TSCO appointment letter is on file. 5-201a Are TOP SECRET accountability records maintained as required and is an annual inventory conducted? Note: Check the TS records. 5-202 Is all classified material received directly by authorized personnel? Note: An authorized person means a cleared person who has been assigned this duty and therefore has a need-to-know. This person or persons must be cleared to the level of classified material expected to be received. Ask to watch the process. Ensure they are knowledgeable of their duties. Include mail room, lobby personnel, Shipping and Receiving, and backups!
Classified Material Controls Ensure any potential recipients are knowledgeable of their duties include mail room and Shipping and Receiving - and interview their backups Ensure discrepancy reports are submitted as required (i.e., no receipt for Secret or Top Secret, signs of tampering, improperly addressed, etc.) Ensure receipts are all signed and returned
Classified Material Controls 5-102 Are security checks to ensure proper storage of classified materials conducted at the end of each working day? Note: If you say you document them, make sure your records are complete. Can your employees explain the process they follow? Ask them…. 5-103 Does your system of controls deter or detect unauthorized introduction or removal of classified from the facility? Note: The fact that persons who enter or depart the facility are subject to an inspection of their personal effects shall be conspicuously posted at entries and exits. If guards are used, ask them what they are looking for. Do you keep a record of how many checks are conducted? 1-300 1-303 Are your cleared employees aware of their responsibility to promptly report the loss, compromise, or suspected compromise of classified? Note: Have there been any reported? If so, review the documentation. Ask employees if they are aware of any incidents in their area. Ask what they would do if they were aware of one. 5-104 Are procedures adequate to protect classified during emergencies? Note: Ensure that site has signs/posters with the instructions
Emergency Procedures for Securing Classified Material In any emergency, your primary consideration must be personal safety. Safeguard classified material if at all possible but NEVER at the risk of your own or someone else’s safety. YOUR PERSONAL SAFETY COMES FIRST! If it can be accomplished without personal risk, return classified material to the approved safe prior to evacuating the area. If you have classified material in your possession and can do so safely, you may take it with you when evacuating the area. Keep it in your personal possession and safeguard it from unauthorized disclosure, then return it to an authorized person or the safe. It is not necessary to secure the area when leaving. Doing so might slow down evacuation and emergency personnel may need access to the area. Following the emergency, if you are able to return to the area, examine the classified container for evidence of tampering. Notify Security immediately if you note evidence of tampering. Security shall make every attempt to identify emergency responders and determine whether or not they have had access to classified information. Inadvertent disclosure agreements will be completed where necessary. Emergency telephone numbers and additional evacuation information are available on the MFC Homepage under Emergency Information. REMEMBER YOUR PERSONAL SAFETY COMES FIRST! SAMPLE Common finding: 5-104: Not having emergency procedures in place
Reproduction R. REPRODUCTION NISPOM REF:Question: Does the equipment used for classified reproduction have any sort of memory capability? If yes, the equipment may require accreditation as an information system. Note: You may want to have labels/signs at each copy machine / printer 5-600 Is reproduction of classified material kept to a minimum? Note: Who can do it? Are they knowledgeable? Interview them. Are briefings used? Are instructions posted? Speak with the employees who make copies to ascertain their knowledge of the process 5-600 Is the reproduction of classified accomplished only by properly cleared, authorized, and knowledgeable employees? 5-601 For Top Secret material, is reproduction authorization obtained as required? Check the DD Form 254 5-602 Are reproductions of classified material reviewed to ensure that the markings are proper and legible? 5-603 Is a record of reproduction maintained for TS material and is it retained as required? Note: 2 year retention required.
Disposition S. DISPOSITION NISPOM REF: Question: 5-700b Are procedures established to review classified holdings on a recurring basis for the purpose of reduction? Note: Can the FSO explain the process? Consider having a “clean out day” 5-701 5-703 Is the disposition of classified material accomplished in accordance with the required schedule? Note: 5-701d – Symposium notes must be destroyed within one year. 5-7015-702 Is retention authority requested as required? 5-704 Is classified material destroyed as soon as possible after it has served its purpose? 5-705 Is an effective method of destruction employed that meet NISPOM standards? Note: If a crosscut shredder is utilized, ensure it is on the latest NSA evaluated products list of high security crosscut shredders. Verify that output still meets the 1/2 “ x 1/32” requirement. Has the machine been serviced lately? Who services it? Any problems? Does the facility have written DSS approval for the shredder(s)? If not, may want to have it – NOT required as long as the shredder meets the standards but could be a best practice. Check for approval letter from DSS for whatever method of destruction is used. Verify that equipment is still on the NSA Approved Products List 5-706 Is classified material destroyed by appropriately cleared authorized personnel who fully understand their responsibilities? (may include appropriately cleared subcontractor personnel) Note: Have the employee demonstrate the process.
Disposition NISPOM 5-707 Are proper records maintained for the destruction of TOP SECRET classified and do those who sign have actual knowledge of the material’s destruction? Note: Destruction records must be maintained for 2 years. 5-708 Is classified waste properly safeguarded until its timely destruction? Note: Ensure classified waste is properly destroyed prior to DSS review. Where is it kept? 5-707 Are proper records maintained for the destruction of TOP SECRET classified and do those who sign have actual knowledge of the material’s destruction? Note: Destruction records must be maintained for 2 years.
Disposition * Destruction * Retention Approval * Downgrade * 5-700b, 5-701: Must review holdings on a recurring basis and disposition 2 years after contract close 5-705: Destruction methods 5-708: Waste destroyed as soon as possible 5-706: Destroyed by knowledgeable persons
Other Common Findings 1-206b – Self Inspections not conducted as required 3-102 - FSO has not completed training within 1 year of appointment 5-306 – Remember to spin the dial on Closed Areas 5-313 – Facility does not have letter from manufacturer of automated access control equipment 5-103 - “Perimeter controls” – i.e., bag checks, are not being conducted (or are insufficient) and/or no signage 5-202 - Uncleared individuals signing for mail AIS approvals not available for review Common Service Agreements not on file 1-300, 1-302, 1-207: Employees unaware of reporting requirements and no posting of DoD Hotline 1-302b - Suspicious Contact Reports not submitted 1-304 - No graduated scale of disciplinary action in place (or employees unaware)
Other Common Findings 1-202 - Not following the site’s Security Manual/Procedures 7-100 - Failure to to flow down classification guidance to subcontractors, appropriately 9-407 - COMSEC 254s not signed by GCA 5-501b - Outstanding classified material receipts ISL - Use of FedEx without approvals on file 2-212 - Beware - the consultant agreement should be written to one person only or to a company which is made up of immediate family members only (i.e. mother, father, sister, brother, sons or daughters only). When a consulting agreement is written to a company or multiple names or if the company has employees, they are not considered consultants, they are a subcontractor and must be treated as a subcontractor 3-106, 3-107: Initial and refresher briefings do not contain the 5 required topics