1 / 27

Why Conduct Self Inspection?

Why Conduct Self Inspection?. It’s a NISPOM requirement, NISPOM 1-206b It’s a good way to develop a relationship with your programs It’s a key security tool, providing evidence of strong and weak programs You don’t want to be surprised during DSS inspection

gaura
Download Presentation

Why Conduct Self Inspection?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Why Conduct Self Inspection? • It’s a NISPOM requirement, NISPOM 1-206b • It’s a good way to develop a relationship with your programs • It’s a key security tool, providing evidence of strong and weak programs • You don’t want to be surprised during DSS inspection • Your company management doesn’t want to be surprised during DSS inspection • Your DSS rep doesn’t want to be surprised during DSS inspection

  2. When to Conduct Self Inspection • Midway between inspection cycles • When there is an issue • Monthly/quarterly • Program/functional area specific

  3. Getting Started • Company structure • Large company or MFO with multiple security personnel • Bring in someone from another site • Use local personnel to inspect areas other than their own area of responsibility • Small company • Employee from another department? HR, IT for IS portion • Consider bringing in someone from the outside • If you must conduct the self inspection, make sure you physically look at everything • Don’t pencil whip the inspection • Don’t conduct the inspection from your chair

  4. Getting Started • Don’t be defensive; be open to another opinion • If you conduct a self inspection for another facility, don’t talk about issues. Provide report to FSO and management • Management must ensure that the inspection is not used as an opportunity to discipline, but to learn and improve • Involve senior leaders in the process • Include all employees (cleared and uncleared)

  5. Getting Started • Use NISP Self Inspection Handbook for Contractors • You may have an internally created checklist (do both) • Create your own checklist for above and beyond items to help you reach Commendable and Superior ratings • Cover all areas • Inspect classified markings and IS more often • Work with people who perform the processes to make sure they understand and perform processes correctly and can relay the information to DSS during an inspection

  6. Getting Started • Ask questions • Listen • Take notes • Don’t assume that everything is in good shape; even the best people make mistakes, so make employees show you, not tell you • Provide a takeaway for people who work with classified information • Brochure on marking, basic IS to-do’s, inspection cheat sheet • Token to say “thanks” for doing a good job

  7. Following Up • Document your discrepancies/findings, corrective actions required and date for completion • Send summary report identifying above and beyond items as well as discrepancies/findings to management • This will support any corrective action that must be accomplished • Recognize employees who are doing a good job, cc their supervisor; give goodie (ask for small budget) • Help those who need it

  8. Summary • Make the self inspection count • Schedule the time and commit to doing it right • Do what works for you and your facility • Self inspection is not difficult if you don’t let the process sit idly until the week before the DSS inspection • Can’t do it sitting down

  9. Elements of Inspection • First Three Elements of Inspection • Facility Security Clearance (FCL) • Access Authorization • Security Education • Any additional elements that pertain to your facility • International • Information Security • Etc.

  10. Suspicious Contact Reporting • You should have a process for employees to report suspicious contacts • Employees should understand what constitutes “suspicious contact” • Face-to-face, email solicitation • Brief employees before overseas travel • Report suspicious contact to FBI and DSS as well as customer, if appropriate • Educate, Educate, Educate • No suspicious contact reports on file or reporting requirements not included in initial or refresher briefing could keep you from getting the best security rating

  11. Elements of Inspection • Facility Security Clearance • KMP list did not reflect current Key Management Personnel or information was incorrect • SF 328 was not updated when change occurred or every five years as required • DD Form 441/441-1 was not on file or incorrect • FCL was being used for advertising • Other changes affecting FCL were not reported

  12. Elements of Inspection • Access Authorizations • JPAS/JCAVS records not correct for employees • Sharing account username or password • Clearances not held to minimum • Failure to destroy SF 86 upon granting of clearance • No documented policy for verifying citizenship • Reports on cleared employees not submitted as required

  13. Elements of Inspection • Security Education • FSO has not received special security briefings and debriefings as required • Initial security briefing does not contain minimum required information • No refresher training or no documentation of training • Employees do not understand reporting requirements • Lack of documented disciplinary action in the event of violations or negligence • Employees unaware of Defense Hotline Number; what it is for and where it is posted • Employees not debriefed upon termination

  14. Elements of Inspection • Consultants • Consultant security agreement not on file or not compliant • Consultants not participating in security briefings • Standard Practice Procedures (SPP) • SPP does not reflect current facility operations • Subcontracting • Classification guidance/DD254 not provided to sub or incorrect for contract work • Failure to verify clearance status and safeguarding capability of sub

  15. Elements of Inspection • Visits • No procedures in place for identification of visitors • No procedures for long-term visitors • Classified Meetings • Attendees not cleared to level of meeting or lack of need-to-know • No documentation of classified meeting • No government authorization • Classification • Derivative classification training • Documents and media not appropriately marked • Missing classification guidance or outdated guidance • Downgrading and declassification not accomplished

  16. Elements of Inspection • Employee Identification • Lack of identification for couriers and escorts • Employees don’t understand badge details • FOCI • SF 328 not up-to-date • No TCP • Accessing classified before authorized • Public Release • No documented public release process or review for classified not included in process • Approval not requested by customer prior to release of information related to classified contracts

  17. Elements of Inspection • Classified Storage • End of Day security checks not being performed • Right to Search policy and signage missing • Names of employees who have combinations not accurate • Combinations for containers holding NATO (annual) and COMSEC (every 2 years) not changed as required • Emergency procedures for protection of classified missing • Open storage without approval • Failure to lock containers, closed areas when not under control of cleared person • Controlled Access Areas • Not maintaining alarm records • Missing UL 2050 CRZH certificate • Note: For those with lock bar containers, you should have your plan to meet the 2012 requirement available to DSS

  18. Elements of Inspection • Marking • Mismarked documents • Working papers over 180 days old • Printed documents with handwritten data not properly marked • Media not marked properly • Unclassified media not marked “Unclassified” • Parts or hardware not marked • Presentations not properly marked

  19. Elements of Inspection • Transmission • Failing to verify clearance of receiving facility • Improper marking • Improper shipping method • Tracers for classified material not being sent • Classified Material Controls • Employees don’t understand safeguarding responsibilities • Accountability records not retained or accurate • End of Day security checks not being performed • Emergency procedures not in place

  20. Elements of Inspection • Reproduction • Reproduction equipment with memory not properly authorized • No procedure to review and destroy waste or overruns • No authorization for reproduction of Top Secret • Disposition • No process in place to review and reduce classified holdings • Documents retained beyond authorization • No process for closing out programs and dispositioning classified • Destruction containers not marked appropriately

  21. Elements of Inspection • Information Systems • Operating IS without approval • IATO/ATO expired • SSP not current (employees make changes all the time) • Passwords set to never expire • Software/hardware lists not maintained or updated • Users not briefed or briefings not on file • Virus software not current • Protection measures not set as stated in SSP • System logged on but unattended • Audits not being accomplished • Employees can’t answer questions • Other equipment containing hard drive (i.e., copy machine) not approved before use

  22. Elements of Inspection • COMSEC • Inspectors can inspect COMSEC accounts • Missing user briefings • Material received in account, but not accounted for • Destruction of material was not done properly • OPSEC • OPSEC requirements not implemented when required • Employees don’t understand OPSEC • Special Access Programs (SAP) • If SAP is under DSS cognizance, it will be inspected. Use SAP inspection checklist

  23. Elements of Inspection • International Operations • Lack of appropriate authorization prior to disclosure of classified to foreign entity • DSS not notified of foreign contracts involving classified • Marking and storage of foreign classified and US documents containing foreign classified (no comingling) • Receipt of foreign classified without going through proper channels • Lack of transportation plan for freight • Lack of TCP to control access to export controlled information • Storing classified at contractor facility without approval • Missing NATO briefings/debriefings • NATO documents comingled with other documents

  24. Elements of Inspection • Employee Interviews • Basic information cleared employees should be aware of • Their clearance level • Company badge format (clearance indicators) • Should know who FSO is • Two things that must be met before access to classified can be given (clearance and need-to-know) • Definition of Adverse Information and Suspicious Contacts and when to report • Security Classification Guide concept • Uncleared employees • What to do if they find a badge, classified document, etc. • Suggested questions contained in Self Inspection Handbook • Employees should be able to demonstrate their ability to perform their classified tasks

  25. Preparation for DSS Inspection • Educate employees about the inspection • Send out basic information to all employees (cleared and uncleared) on questions they could be asked • Make sure you have DoD Hotline poster prominently displayed • Right to search policy • Security Posters (change them out) • If files or documents are in a mess, get them in order • The security rating is awarded to the facility, not the FSO • It’s important that all employees understand this and the impact of their actions on the outcome

  26. Preparation for DSS Inspection • Maintain a template for self inspection email to employees, as well as notification to send to employees about upcoming DSS inspection • Answer employee questions • Ask your rep about anything you don’t understand • Complete required paperwork and return as requested • Remember, you don’t want to be surprised during a DSS inspection, neither does your management, and neither does your DSS rep, so be prepared

More Related