230 likes | 313 Views
SELF INSPECTIONS, Part 2 Okay, so now what do I do?. Jennifer L. Rossignol, Lee Folsom, and Steve Slocum Lockheed Martin. Philosophy …. Self inspection is an art …. IMPORTANT POINTS. This briefing is non-IS focused but IS plays a KEY role! When in doubt, contact your DSS representative!.
E N D
SELF INSPECTIONS, Part 2 Okay, so now what do I do? Jennifer L. Rossignol, Lee Folsom, and Steve Slocum Lockheed Martin
Philosophy … Self inspection is an art ….
IMPORTANT POINTS • This briefing is non-IS focused but IS plays a KEY role! • When in doubt, contact your DSS representative!
Defense Contractor Security Requirements National Industrial Security Program Operating Manual - It provides baseline standards for the protection of classified information released or disclosed to industry in connection with classified contracts under the NISP (National Industrial Security Program) -- -- -- -- Industrial Security Letters Don’t forget ISL’s!
Facility Clearance Common finding: 1-302: If the facility clearance is approved for special access (i.e., NATO (10-706), COMSEC (9-404)), is the FSO properly briefed? • Common finding: DD Form 441 was not on file and/or DD Form 441 was out of date or incorrect
Facility Clearance (continued) • Common findings: • SF 328 is not accurate • Appointment letters are not correct or current • Departed individuals still on the list • TSCOs, ISSM, etc, were appointed • KMP List does not reflect current key personnel
Access Authorizations Common finding: 2-201a/b: SF 86 and signed releases are required to be maintained until the time that the eligibility process is complete (these records should then be destroyed). Review for completeness only and destroy copy upon issuance or denial of PCL. Original SF312 to be mailed to DISCO. Common finding: 3-108: Debriefings not conducted (follow-up by mail, if necessary) Common finding: 2-200b: Access not removed in JPAS if clearance is revoked or terminatedCommon finding: 2-200d: Personnel clearances are not held to a minimum
Classified Storage • Common finding: Combinations (5-309) • If combination is written, it must be marked and properly stored and protected • if container stores caveat info, then combo must be so marked (NATO, COMSEC, CNWDI, etc.) Common finding: 5-311, Repair of containers
Controlled Access Areas • Chapter 5, Section 9: • IDS must meet UL 2050 Standards • Installation • Periodic inspections • Type of monitoring station • Records of alarms • UL certificates for each area Common finding: Expired UL2050 certification (also known as “CRZH”)
Closed Area Checklist - Idea Closed Areas Interview Guide ___ Is the media in the area marked properly? (classified, unclassified, and system software) ___ Are both classified and unclassified computer equipment affixed with a label indicating their level of processing? ___ Review the visitor log. Pay close attention to the visitor’s company name. Did someone visit from an HVAC service? If so, ask the area custodian what they did. Did they put a hole in the wall or make a change affecting the area integrity or the 147? If so, is it greater than 96 square inches? Did someone visit from Xerox? If so, what did they do while they were there? Did they install a new copy machine with a hard drive? Did this get connected to the classified AIS? Did someone visit from a computer service vendor? If so, what did they do? Did they bring diagnostic equipment with them? If so, did they connect it to the AIS? Did any visitors have “keyboard” access? If so, was that authorized? Dispose of visitor logs from before the last DSS audit ____ Does the 147 note “open storage” of AIS? ____ AIS TEAM MEMBER: Dispose of system paperwork from before the last DSS audit (unless it is still relevant) ___ AIS TEAM MEMBER: Look around. Is there any new hardware connected to the AIS? If so, what is it? Does it have memory? ___ AIS TEAM MEMBER: Check the AIS system access list. Are all individuals still active employees? Balance the list against an active employee listing. Bring a list of recently terminated employees with you, too. Are all individuals on the system access list also on the Closed Area access list? If not, why not? Review the Closed Area access list. Do you see anyone who recently terminated? If so, request that they be taken off the Closed Area access list. Were they on the system access list? If so, has their account been disabled? Balance all the lists against each other. Has everyone on the system access list taken the required CBEs? (Verify.) ___ Are there Security posters in the area? ____ Are the FAX machines in the area marked to indicate “for unclassified use only”? ____ Are the shredders marked “for unclassified use only”? ___ AIS TEAM MEMBER: Do the classified printers have a sign “Output must be treated as classified until reviewed ….?” ___ Are the recycle bins labeled “for unclassified use only”? ____ Are the supplies in the area sufficient? (CD labels, classification labels, coversheets, etc.). ___ Does the area have a “marking guide” poster? ____ Does the area have an updated Security points of contact poster? __ AIS TEAM MEMBER: Before going to audit the system, read about what the system is used for and what it does. This will generate questions and help you understand what goes on in the area ___ AIS TEAM MEMBER: Have a user walk you through the steps they follow when they create classified data. What do they print out? Is it classified? If it’s not classified, do they verify that? How do they know what’s classified? (Do they refer to the program security classification guide? Do they know where the guide is located?) Where do they put the classified when it’s completed? Go look at their safe. Are things marked properly? Ask if the data in the safe is for a current contract. If not, explain the requirements for retention approval. (See NISPOM 5-701) Where does the data or hardware go from there? Is it sent to a customer? What is our relationship with the organization they send it to? Do we have DD Forms 254 in place to/from that organization? What is the classification of what they are working on? Is the system approved up to that level? ___ Do they support IR&D activities? If so, explain how IR&D documents must be marked “IR&D Document,” etc. in accordance with the NISPOM (11-304) ____ Are the above-the-ceiling checks being conducted on the required schedule? Look at the records. Dispose of records from before the last DSS audit __ AIS TEAM MEMBER: Review Trusted Download logs, ask people where the removed media is currently located (stored on a computer, CD, printout), and which method they used for the transfer. DSS is focusing on interviews with employees and may very well ask them to actually demonstrate a trusted download. Ask the employee to walk through the steps with you to prepare them for the audit.
Marking • Required Markings 1) Overall classification level 2) Company name and address 3) Title 4) Derived From: ___________ 5) Declassify on: ___________ 6) Date of Source • Working Papers • - 180 days Secret/ Confidential • - 30 days for TS Common finding: 4-209: Multiple Sources – bibliography not available Common finding: 4-200: Documents not properly/completely marked Common finding: 5-203: Working papers held over (and/or improperly marked)
Classified Material Controls Ensure any potential recipients are knowledgeable of their duties include mail room and Shipping and Receiving - and interview their backups Ensure discrepancy reports are submitted as required (i.e., no receipt for Secret or Top Secret, signs of tampering, improperly addressed, etc.) Ensure receipts are all signed and returned
Emergency Procedures for Securing Classified Material In any emergency, your primary consideration must be personal safety. Safeguard classified material if at all possible but NEVER at the risk of your own or someone else’s safety. YOUR PERSONAL SAFETY COMES FIRST! If it can be accomplished without personal risk, return classified material to the approved safe prior to evacuating the area. If you have classified material in your possession and can do so safely, you may take it with you when evacuating the area. Keep it in your personal possession and safeguard it from unauthorized disclosure, then return it to an authorized person or the safe. It is not necessary to secure the area when leaving. Doing so might slow down evacuation and emergency personnel may need access to the area. Following the emergency, if you are able to return to the area, examine the classified container for evidence of tampering. Notify Security immediately if you note evidence of tampering. Security shall make every attempt to identify emergency responders and determine whether or not they have had access to classified information. Inadvertent disclosure agreements will be completed where necessary. Emergency telephone numbers and additional evacuation information are available on the MFC Homepage under Emergency Information. REMEMBER your personal safety comes first! SAMPLE Common finding: 5-104: Not having emergency procedures in place
Disposition * Destruction * Retention Approval * Downgrade * • 5-700b, 5-701: Must review holdings on a recurring basis and disposition 2 years after contract close • 5-705: Destruction methods • 5-708: Waste destroyed as soon as possible • 5-706: Destroyed by knowledgeable persons
Other Common Findings • 1-206b – Self Inspections not conducted as required • 3-102 - FSO has not completed training within 1 year of appointment • 5-306 – Remember to spin the dial on Closed Areas • 5-313 – Facility does not have letter from manufacturer of automated access control equipment • 5-103 - “Perimeter controls” – i.e., bag checks, are not being conducted (or are insufficient) and/or no signage • 5-202 - Uncleared individuals signing for mail • AIS approvals not available for review • Common Service Agreements not on file • 1-300, 1-302, 1-207: Employees unaware of reporting requirements and no posting of DoD Hotline • 1-302b - Suspicious Contact Reports not submitted • 1-304 - No graduated scale of disciplinary action in place (or employees unaware)
Other Common Findings • 1-202 - Not following the site’s Security Manual/Procedures • 7-100 - Failure to to flow down classification guidance to subcontractors, appropriately • 9-407 - COMSEC 254s not signed by GCA • 5-501b - Outstanding classified material receipts • ISL - Use of FedEx without approvals on file • 2-212 - Beware - the consultant agreement should be written to one person only or to a company which is made up of immediate family members only (i.e. mother, father, sister, brother, sons or daughters only). When a consulting agreement is written to a company or multiple names or if the company has employees, they are not considered consultants, they are a subcontractor and must be treated as a subcontractor • 3-106, 3-107: Initial and refresher briefings do not contain the 5 required topics