Why Conduct Self Inspection?
• It’s a NISPOM requirement, NISPOM 1-206b
• It’s a good way to develop a relationship with your programs
• It’s a key security tool, providing evidence of strong and weak programs
• You don’t want to be surprised during DSS inspection
• Your company management doesn’t want to be surprised during DSS inspection
• Your DSS rep doesn’t want to be surprised during DSS inspection
When to Conduct Self Inspection
• Midway between inspection cycles
• When there is an issue
• Monthly/quarterly
• Program/functional area specific
Getting Started
• Company structure
  • Large company or MFO with multiple security personnel
    • Bring in someone from another site
    • Use local personnel to inspect areas other than their own area of responsibility
  • Small company
    • Employee from another department? HR, IT for the IS portion
    • Consider bringing in someone from the outside
• If you must conduct the self inspection yourself, make sure you physically look at everything
  • Don’t pencil whip the inspection
  • Don’t conduct the inspection from your chair
Getting Started
• Don’t be defensive; be open to another opinion
• If you conduct a self inspection for another facility, don’t talk about issues. Provide the report to the FSO and management
• Management must ensure that the inspection is not used as an opportunity to discipline, but to learn and improve
• Involve senior leaders in the process
• Include all employees (cleared and uncleared)
Getting Started
• Use the NISP Self Inspection Handbook for Contractors
• You may have an internally created checklist (do both)
• Create your own checklist for above-and-beyond items to help you reach Commendable and Superior ratings
• Cover all areas
• Inspect classified markings and IS more often
• Work with the people who perform the processes to make sure they understand and perform the processes correctly and can relay the information to DSS during an inspection
Getting Started
• Ask questions
• Listen
• Take notes
• Don’t assume that everything is in good shape; even the best people make mistakes, so make employees show you, not tell you
• Provide a takeaway for people who work with classified information
  • Brochure on marking, basic IS to-do’s, inspection cheat sheet
  • Token to say “thanks” for doing a good job
Following Up
• Document your discrepancies/findings, the corrective actions required, and the date for completion
• Send a summary report identifying above-and-beyond items as well as discrepancies/findings to management
  • This will support any corrective action that must be accomplished
• Recognize employees who are doing a good job, cc their supervisor; give a goodie (ask for a small budget)
• Help those who need it
Summary
• Make the self inspection count
• Schedule the time and commit to doing it right
• Do what works for you and your facility
• Self inspection is not difficult if you don’t let the process sit idle until the week before the DSS inspection
• Can’t do it sitting down
Elements of Inspection
• First Three Elements of Inspection
  • Facility Security Clearance (FCL)
  • Access Authorization
  • Security Education
• Any additional elements that pertain to your facility
  • International
  • Information Security
  • Etc.
Suspicious Contact Reporting
• You should have a process for employees to report suspicious contacts
• Employees should understand what constitutes a “suspicious contact”
  • Face-to-face, email solicitation
• Brief employees before overseas travel
• Report suspicious contacts to the FBI and DSS, as well as the customer, if appropriate
• Educate, Educate, Educate
• No suspicious contact reports on file, or reporting requirements not included in the initial or refresher briefing, could keep you from getting the best security rating
Elements of Inspection
• Facility Security Clearance
  • KMP list did not reflect current Key Management Personnel, or information was incorrect
  • SF 328 was not updated when a change occurred or every five years as required
  • DD Form 441/441-1 was not on file or was incorrect
  • FCL was being used for advertising
  • Other changes affecting the FCL were not reported
Elements of Inspection
• Access Authorizations
  • JPAS/JCAVS records not correct for employees
  • Sharing account username or password
  • Clearances not held to the minimum
  • Failure to destroy SF 86 upon granting of clearance
  • No documented policy for verifying citizenship
  • Reports on cleared employees not submitted as required
Elements of Inspection
• Security Education
  • FSO has not received special security briefings and debriefings as required
  • Initial security briefing does not contain the minimum required information
  • No refresher training, or no documentation of training
  • Employees do not understand reporting requirements
  • Lack of documented disciplinary action in the event of violations or negligence
  • Employees unaware of the Defense Hotline number: what it is for and where it is posted
  • Employees not debriefed upon termination
Elements of Inspection
• Consultants
  • Consultant security agreement not on file or not compliant
  • Consultants not participating in security briefings
• Standard Practice Procedures (SPP)
  • SPP does not reflect current facility operations
• Subcontracting
  • Classification guidance/DD254 not provided to the sub, or incorrect for the contract work
  • Failure to verify the clearance status and safeguarding capability of the sub
Elements of Inspection
• Visits
  • No procedures in place for identification of visitors
  • No procedures for long-term visitors
• Classified Meetings
  • Attendees not cleared to the level of the meeting, or lack of need-to-know
  • No documentation of the classified meeting
  • No government authorization
• Classification
  • Derivative classification training
  • Documents and media not appropriately marked
  • Missing or outdated classification guidance
  • Downgrading and declassification not accomplished
Elements of Inspection
• Employee Identification
  • Lack of identification for couriers and escorts
  • Employees don’t understand badge details
• FOCI
  • SF 328 not up to date
  • No TCP
  • Accessing classified before authorized
• Public Release
  • No documented public release process, or review for classified not included in the process
  • Approval not requested from the customer prior to release of information related to classified contracts
Elements of Inspection
• Classified Storage
  • End-of-day security checks not being performed
  • Right to Search policy and signage missing
  • Names of employees who have combinations not accurate
  • Combinations for containers holding NATO (annual) and COMSEC (every 2 years) material not changed as required
  • Emergency procedures for protection of classified missing
  • Open storage without approval
  • Failure to lock containers and closed areas when not under the control of a cleared person
• Controlled Access Areas
  • Not maintaining alarm records
  • Missing UL 2050 CRZH certificate
  • Note: For those with lock bar containers, you should have your plan to meet the 2012 requirement available to DSS
Elements of Inspection
• Marking
  • Mismarked documents
  • Working papers over 180 days old
  • Printed documents with handwritten data not properly marked
  • Media not marked properly
  • Unclassified media not marked “Unclassified”
  • Parts or hardware not marked
  • Presentations not properly marked
Elements of Inspection
• Transmission
  • Failing to verify the clearance of the receiving facility
  • Improper marking
  • Improper shipping method
  • Tracers for classified material not being sent
• Classified Material Controls
  • Employees don’t understand safeguarding responsibilities
  • Accountability records not retained or not accurate
  • End-of-day security checks not being performed
  • Emergency procedures not in place
Elements of Inspection
• Reproduction
  • Reproduction equipment with memory not properly authorized
  • No procedure to review and destroy waste or overruns
  • No authorization for reproduction of Top Secret
• Disposition
  • No process in place to review and reduce classified holdings
  • Documents retained beyond authorization
  • No process for closing out programs and dispositioning classified
  • Destruction containers not marked appropriately
Elements of Inspection
• Information Systems
  • Operating an IS without approval
  • IATO/ATO expired
  • SSP not current (employees make changes all the time)
  • Passwords set to never expire
  • Software/hardware lists not maintained or updated
  • Users not briefed, or briefings not on file
  • Antivirus software not current
  • Protection measures not set as stated in the SSP
  • System logged on but unattended
  • Audits not being accomplished
  • Employees can’t answer questions
  • Other equipment containing a hard drive (e.g., copy machine) not approved before use
Elements of Inspection
• COMSEC
  • Inspectors can inspect COMSEC accounts
  • Missing user briefings
  • Material received in the account but not accounted for
  • Destruction of material not done properly
• OPSEC
  • OPSEC requirements not implemented when required
  • Employees don’t understand OPSEC
• Special Access Programs (SAP)
  • If the SAP is under DSS cognizance, it will be inspected. Use the SAP inspection checklist
Elements of Inspection
• International Operations
  • Lack of appropriate authorization prior to disclosure of classified to a foreign entity
  • DSS not notified of foreign contracts involving classified
  • Marking and storage of foreign classified and US documents containing foreign classified (no commingling)
  • Receipt of foreign classified without going through proper channels
  • Lack of a transportation plan for freight
  • Lack of a TCP to control access to export-controlled information
  • Storing classified at the contractor facility without approval
  • Missing NATO briefings/debriefings
  • NATO documents commingled with other documents
Elements of Inspection
• Employee Interviews
  • Basic information cleared employees should be aware of
    • Their clearance level
    • Company badge format (clearance indicators)
    • Who the FSO is
    • The two things that must be met before access to classified can be given (clearance and need-to-know)
    • Definition of Adverse Information and Suspicious Contacts, and when to report
    • Security Classification Guide concept
  • Uncleared employees
    • What to do if they find a badge, classified document, etc.
  • Suggested questions are contained in the Self Inspection Handbook
  • Employees should be able to demonstrate their ability to perform their classified tasks
Preparation for DSS Inspection
• Educate employees about the inspection
  • Send out basic information to all employees (cleared and uncleared) on questions they could be asked
• Make sure you have the DoD Hotline poster prominently displayed
• Right to Search policy
• Security posters (change them out)
• If files or documents are in a mess, get them in order
• The security rating is awarded to the facility, not the FSO
  • It’s important that all employees understand this and the impact of their actions on the outcome
Preparation for DSS Inspection
• Maintain a template for the self inspection email to employees, as well as the notification to send to employees about an upcoming DSS inspection
• Answer employee questions
• Ask your rep about anything you don’t understand
• Complete required paperwork and return it as requested
• Remember, you don’t want to be surprised during a DSS inspection; neither does your management, and neither does your DSS rep, so be prepared