SELF INSPECTIONS, Part 2
Okay, so now what do I do?
Jennifer L. Rossignol, Lee Folsom, and Steve Slocum
Lockheed Martin
Philosophy …
Self inspection is an art ….
IMPORTANT POINTS
• This briefing is non-IS focused but IS plays a KEY role!
• When in doubt, contact your DSS representative!
Defense Contractor Security
Requirements
National Industrial Security Program Operating Manual It provides baseline standards for the protection of classified information released or
disclosed to industry in connection with classified contracts under the
NISP (National Industrial Security Program)
-- -- -- -Industrial Security Letters
Don’t forget ISL’s!
Facility Clearance
A. FACILITY CLEARANCE
NISPOM REF:
Question:
1-302g(3)
Have all changes (e.g. changes in ownership; operating name or address; KMP information; previously reported
FOCI information or action to terminate business) affecting the condition of the FCL been reported to your DSS IS
Rep?
Note: Does the facility have a TS FCL? If so, when did the site last access TS information? Should the site
be downgraded? Does the site have a DD Form 254 to support the TS FCL?
Is the site’s ISFD record accurate? Physical address? Classified mailing address? FCL level? FSO name?
Special accesses? (If special accesses are listed, is the FSO properly briefed?) Ensure the FSO has a
current copy of the site’s ISFD record on file. If data is not accurate, contact the site’s ISR to request an
update.
Has an internal self-inspection been conducted and documented by the FSO six months after the last DSS
audit?
Has the fact that the company has an FCL been used for advertising or promotional purposes?
2-100c
2-104
Are the senior management official, the FSO, and other Key Management Personnel cleared as required in
connection with the FCL?
Note: Must be cleared to the level of the facility clearance. Only the Senior Official and the FSO should be
listed on the Key Management List. Ensure the Senior Official and the FSO are identified as KMP’s in
JPAS. Must maintain current KMP list.
2-106a-b
Have the proper exclusion actions been conducted for uncleared company officials?
Common finding: 1-302: If the facility clearance is approved for special
access (i.e., NATO (10-706), COMSEC (9-404)), is the FSO properly
briefed?
Common finding: DD Form 441 was not on file and/or DD Form 441 was
out of date or incorrect
Facility Clearance (continued)
• Common findings:
– SF 328 is not accurate
– Appointment letters are not correct or current
• Departed individuals still on the list
• TSCOs, ISSM, etc, were appointed
– KMP List does not reflect current key personnel
Access Authorizations
NISPOM
2-200d
2-202a
2-202b
2-202b
Are the number of clearances held to a minimum consistent with contractual requirements?
Note: When conducting employee interviews ask the employee when was the last time that they had
access to classified information or classified material and what classified contract they are performing
work under? Validate the need for their clearance.
Are employees in process for security clearances notified in writing that review of the SF 86 is for adequacy and
completeness only and that the information will be used for no other purpose within the company?
Note: SF 86 and signed releases are required to be maintained until the time that the eligibility process is
complete (these records should then be destroyed). During security reviews, IS Reps will ask to speak to
employees who recently completed SF 86 to ensure that they received the required notice.
Are procedures in place to ensure that the applicant’s SF 86 and fingerprint cards are authentic, legible and
complete to avoid clearance processing delays? Note: The FSO or designee shall ensure that the applicant’s
fingerprints are authentic and legible. Review the process. If fingerprints are done off site, does the FSO
accompany the applicant?
Are original, signed copies of the SF 86 and releases retained until the applicant’s eligibility for access to classified
has been granted or denied, and then destroyed?
Does the site have a process for ensuring that the Security Office is aware when an employee terminates?
Ask about their process, procedures, documentation. If an employee had a clearance revoked, were they
properly debriefed and was access to classified information denied promptly?
Common finding: 2-201a/b: SF 86 and signed releases are required to be maintained
until the time that the eligibility process is complete (these records should then be
destroyed). Review for completeness only and destroy copy upon issuance or denial
of PCL. Original SF312 to be mailed to DISCO.
Common finding: 3-108: Debriefings not conducted (follow-up by mail, if necessary)
Common finding: 2-200b: Access not removed in JPAS if clearance is revoked or
terminated
Common finding: 2-200d: Personnel clearances are not held to a minimum
Classified Storage
• Common finding: Combinations (5-309)
• If combination is written, it must be marked and
properly stored and protected
• if container stores caveat info, then combo must be
so marked (NATO, COMSEC, CNWDI, etc.)
Common finding: 5-311, Repair of containers
Controlled Access Areas
Chapter 5, Section 9:
• IDS must meet UL 2050 Standards
• Installation
• Periodic inspections
• Type of monitoring station
• Records of alarms
• UL certificates for each area
Common finding: Expired UL2050 certification (also known as “CRZH”)
Closed Area Checklist - Idea
Closed Areas Interview Guide
___
___
___
____
____
___
___
___
____
____
___
___
____
___
____
__
___
___
____
__
Is the media in the area marked properly? (classified, unclassified, and system software)
Are both classified and unclassified computer equipment affixed with a label indicating their level of processing?
Review the visitor log. Pay close attention to the visitor’s company name. Did someone visit from an HVAC service? If so, ask the area custodian what they
did. Did they put a hole in the wall or make a change affecting the area integrity or the 147? If so, is it greater than 96 square inches? Did someone visit
from Xerox? If so, what did they do while they were there? Did they install a new copy machine with a hard drive? Did this get connected to the classified
AIS? Did someone visit from a computer service vendor? If so, what did they do? Did they bring diagnostic equipment with them? If so, did they connect it
to the AIS? Did any visitors have “keyboard” access? If so, was that authorized? Dispose of visitor logs from before the last DSS audit
Does the 147 note “open storage” of AIS?
AIS TEAM MEMBER: Dispose of system paperwork from before the last DSS audit (unless it is still relevant)
AIS TEAM MEMBER: Look around. Is there any new hardware connected to the AIS? If so, what is it? Does it have memory?
AIS TEAM MEMBER: Check the AIS system access list. Are all individuals still active employees? Balance the list against an active employee listing. Bring a
list of recently terminated employees with you, too. Are all individuals on the system access list also on the Closed Area access list? If not, why not?
Review the Closed Area access list. Do you see anyone who recently terminated? If so, request that they be taken off the Closed Area access list. Were
they on the system access list? If so, has their account been disabled? Balance all the lists against each other. Has everyone on the system access list
taken the required CBEs? (Verify.)
Are there Security posters in the area?
Are the FAX machines in the area marked to indicate “for unclassified use only”?
Are the shredders marked “for unclassified use only”?
AIS TEAM MEMBER: Do the classified printers have a sign “Output must be treated as classified until reviewed ….?”
Are the recycle bins labeled “for unclassified use only”?
Are the supplies in the area sufficient? (CD labels, classification labels, coversheets, etc.).
Does the area have a “marking guide” poster?
Does the area have an updated Security points of contact poster?
AIS TEAM MEMBER: Before going to audit the system, read about what the system is used for and what it does. This will generate questions and help you
understand what goes on in the area
AIS TEAM MEMBER: Have a user walk you through the steps they follow when they create classified data. What do they print out? Is it classified? If it’s not
classified, do they verify that? How do they know what’s classified? (Do they refer to the program security classification guide? Do they know where the
guide is located?) Where do they put the classified when it’s completed? Go look at their safe. Are things marked properly? Ask if the data in the safe is
for a current contract. If not, explain the requirements for retention approval. (See NISPOM 5-701) Where does the data or hardware go from there? Is it
sent to a customer? What is our relationship with the organization they send it to? Do we have DD Forms 254 in place to/from that organization? What is
the classification of what they are working on? Is the system approved up to that level?
Do they support IR&D activities? If so, explain how IR&D documents must be marked “IR&D Document,” etc. in accordance with the NISPOM (11-304)
Are the above-the-ceiling checks being conducted on the required schedule? Look at the records. Dispose of records from before the last DSS audit
AIS TEAM MEMBER: Review Trusted Download logs, ask people where the removed media is currently located (stored on a computer, CD, printout), and
which method they used for the transfer. DSS is focusing on interviews with employees and may very well ask them to actually demonstrate a trusted
download. Ask the employee to walk through the steps with you to prepare them for the audit.
Access Authorization letter – NISPOM 5-313a
Marking
Required Markings
1) Overall classification level
2) Company name and address
3) Title
4) Derived From: ___________
5) Declassify on: ___________
6) Date of Source
Working Papers
- 180 days Secret/ Confidential
- 30 days for TS
Common finding: 4-209: Multiple Sources – bibliography not available
Common finding: 4-200: Documents not properly/completely marked
Common finding: 5-203: Working papers held over (and/or improperly
marked)
Classified Material Controls
Q. CLASSIFIED MATERIAL CONTROLS
NISPOM
REF:
Question:
5-100
Do your cleared employees understand their safeguarding responsibilities?
Note: Interview employees! Ask to see examples of training that is provided.
5-200
Is your information management system (IMS) capable of facilitating the retrieval and
disposition of classified material as required? Test it!
5-201a
Are TOP SECRET control officials designated at facilities possessing TOP SECRET
information?
Note: Ensure a TSCO appointment letter is on file.
5-201a
Are TOP SECRET accountability records maintained as required and is an annual inventory
conducted?
Note: Check the TS records.
5-202
Is all classified material received directly by authorized personnel?
Note: An authorized person means a cleared person who has been assigned this duty and
therefore has a need-to-know. This person or persons must be cleared to the level of
classified material expected to be received. Ask to watch the process. Ensure they are
knowledgeable of their duties. Include mail room, lobby personnel, Shipping and
Receiving, and backups!
Classified Material Controls
Ensure any potential recipients are knowledgeable of their
duties include mail room and Shipping and Receiving - and
interview their backups
Ensure discrepancy reports are submitted as required (i.e.,
no receipt for Secret or Top Secret, signs of tampering,
improperly addressed, etc.)
Ensure receipts are all signed and returned
Classified Material Controls
Classified Material Controls
5-102
5-103
1-300
1-303
5-104
Are security checks to ensure proper storage of classified materials conducted at the end of
each working day?
Note: If you say you document them, make sure your records are complete. Can your
employees explain the process they follow? Ask them….
Does your system of controls deter or detect unauthorized introduction or removal of
classified from the facility?
Note: The fact that persons who enter or depart the facility are subject to an inspection of
their personal effects shall be conspicuously posted at entries and exits. If guards are
used, ask them what they are looking for. Do you keep a record of how many checks are
conducted?
Are your cleared employees aware of their responsibility to promptly report the loss,
compromise, or suspected compromise of classified?
Note: Have there been any reported? If so, review the documentation. Ask employees if
they are aware of any incidents in their area. Ask what they would do if they were aware of
one.
Are procedures adequate to protect classified during emergencies?
Note: Ensure that site has signs/posters with the instructions
Emergency Procedures for Securing Classified Material
In any emergency, your primary consideration must be personal safety. Safeguard classified material if at all possible but NEVER
at the risk of your own or someone else’s safety. YOUR PERSONAL SAFETY COMES FIRST!
If it can be accomplished without personal risk, return classified material to the approved safe prior to evacuating the area.
If you have classified material in your possession and can do so safely, you may take it with you when evacuating the area. Keep
it in your personal possession and safeguard it from unauthorized disclosure, then return it to an authorized person or the safe.
It is not necessary to secure the area when leaving. Doing so might slow down evacuation and emergency personnel may need
access to the area.
Following the emergency, if you are able to return to the area, examine the classified container for evidence of tampering.
Notify Security immediately if you note evidence of tampering.
Security shall make every attempt to identify emergency responders and determine whether or not they have had access to
classified information. Inadvertent disclosure agreements will be completed where necessary.
Emergency telephone numbers and additional evacuation information are available on the MFC Homepage under Emergency
Information.
REMEMBER YOUR PERSONAL SAFETY COMES FIRST!
Common finding: 5-104: Not having emergency procedures in place
Reproduction
R. REPRODUCTION
NISPOM REF:
Question:
Does the equipment used for classified reproduction have any sort of memory
capability? If yes, the equipment may require accreditation as an information
system.
Note: You may want to have labels/signs at each copy machine / printer
5-600
Is reproduction of classified material kept to a minimum?
Note: Who can do it? Are they knowledgeable? Interview them. Are briefings used?
Are instructions posted? Speak with the employees who make copies to ascertain
their knowledge of the process
5-600
Is the reproduction of classified accomplished only by properly cleared, authorized,
and knowledgeable employees?
5-601
For Top Secret material, is reproduction authorization obtained as required? Check
the DD Form 254
5-602
Are reproductions of classified material reviewed to ensure that the markings are
proper and legible?
5-603
Is a record of reproduction maintained for TS material and is it retained as required?
Note: 2 year retention required.
Disposition
S. DISPOSITION
NISPOM
REF:
Question:
5-700b
Are procedures established to review classified holdings on a recurring
basis for the purpose of reduction?
Note: Can the FSO explain the process? Consider having a “clean out day”
5-701 5-703
Is the disposition of classified material accomplished in accordance with the
required schedule?
Note: 5-701d – Symposium notes must be destroyed within one year.
5-7015-702
Is retention authority requested as required?
5-704
Is classified material destroyed as soon as possible after it has served its
purpose?
5-705
Is an effective method of destruction employed that meet NISPOM
standards?
Note: If a crosscut shredder is utilized, ensure it is on the latest NSA
evaluated products list of high security crosscut shredders. Verify that
output still meets the 1/2 “ x 1/32” requirement. Has the machine been
serviced lately? Who services it? Any problems? Does the facility have
written DSS approval for the shredder(s)? If not, may want to have it – NOT
required as long as the shredder meets the standards but could be a best
practice. Check for approval letter from DSS for whatever method of
destruction is used. Verify that equipment is still on the NSA Approved
Products List
5-706
Is classified material destroyed by appropriately cleared authorized
personnel who fully understand their responsibilities? (may include
appropriately cleared subcontractor personnel)
Note: Have the employee demonstrate the process.
Disposition
NISPOM
5-707
Are proper records maintained for the destruction of TOP SECRET classified and do
those who sign have actual knowledge of the material’s destruction?
Note: Destruction records must be maintained for 2 years.
5-708
Is classified waste properly safeguarded until its timely destruction?
Note: Ensure classified waste is properly destroyed prior to DSS review. Where is it
kept?
5-707
Are proper records maintained for the destruction of TOP SECRET classified and do
those who sign have actual knowledge of the material’s destruction?
Note: Destruction records must be maintained for 2 years.
Disposition
* Destruction * Retention Approval * Downgrade *
• 5-700b, 5-701: Must review holdings on a
recurring basis and disposition 2 years after
contract close
• 5-705: Destruction methods
• 5-708: Waste destroyed as soon as possible
• 5-706: Destroyed by knowledgeable persons
Other Common Findings
• 1-206b – Self Inspections not conducted as required
• 3-102 - FSO has not completed training within 1 year of
appointment
• 5-306 – Remember to spin the dial on Closed Areas
• 5-313 – Facility does not have letter from manufacturer of
automated access control equipment
• 5-103 - “Perimeter controls” – i.e., bag checks, are not being
conducted (or are insufficient) and/or no signage
• 5-202 - Uncleared individuals signing for mail
• AIS approvals not available for review
• Common Service Agreements not on file
• 1-300, 1-302, 1-207: Employees unaware of reporting
requirements and no posting of DoD Hotline
• 1-302b - Suspicious Contact Reports not submitted
• 1-304 - No graduated scale of disciplinary action in place (or
employees unaware)
Other Common Findings
• 1-202 - Not following the site’s Security Manual/Procedures
• 7-100 - Failure to to flow down classification guidance to
subcontractors, appropriately
• 9-407 - COMSEC 254s not signed by GCA
• 5-501b - Outstanding classified material receipts
• ISL - Use of FedEx without approvals on file
• 2-212 - Beware - the consultant agreement should be written to
one person only or to a company which is made up of immediate
family members only (i.e. mother, father, sister, brother, sons or
daughters only). When a consulting agreement is written to a
company or multiple names or if the company has employees,
they are not considered consultants, they are a subcontractor and
must be treated as a subcontractor
• 3-106, 3-107: Initial and refresher briefings do not contain the 5
required topics
Conclusion