Sheri Escobar, Escobar Security Consulting
JSAC, April 17-18, 2013

Why Conduct a Self-Inspection?
- It’s a NISPOM requirement (NISPOM 1-206b)
- It’s a good way to develop a relationship with programs and employees
- It’s a key security tool, providing evidence of strong and weak programs
- You don’t want to be surprised during the DSS assessment
- Your company management doesn’t want to be surprised during the DSS assessment
- Your DSS rep doesn’t want to be surprised during the DSS assessment

When to Conduct a Self-Inspection
- Midway between DSS assessment cycles
- When there’s an issue that needs to be addressed
- Monthly/quarterly (do a quick follow-up before the DSS assessment)
- Program/functional area prior to a customer visit

Getting Started
- Company structure
  - Large company or MFO with multiple security personnel
    - Bring in someone from another site
    - Use local personnel to inspect areas other than their own area of responsibility
  - Small company
    - Employee from another department? HR, IT for the IS portion
    - Consider bringing in someone from the outside
- If you must conduct the self-inspection yourself, make sure you physically look at everything
  - Don’t pencil-whip the inspection
  - Don’t conduct the inspection from your chair

Getting Started (continued)
- Don’t be defensive; be open to another opinion
- If you conduct a self-inspection for another facility, don’t talk about issues. Provide the report to the FSO and management
- Management must ensure the inspection is not used as an opportunity to discipline, but to learn and improve
- Involve senior leaders in the process
- Include all employees (cleared and uncleared)

Personalize
- Use the NISP Self-Inspection Handbook for Contractors
- You may have an internally created checklist (use both)
- Create your own checklist for “above and beyond” items (security enhancements) to help you reach Commendable and Superior ratings
- Cover all areas that pertain to your operation
- Inspect operations in accordance with your SPP to ensure operations and documentation match
  - If you don’t have an SPP, are your processes documented?
- Review contracts for specific requirements
- Inspect the areas where your issues arise most often
  - Classification markings, classified IS, international visits, etc.

Personalize (continued)
- Meet with the people who perform security processes to make sure they understand and perform the processes correctly and can relay the information to DSS during a formal assessment
  - Ask questions
  - Listen
  - Take notes
- Don’t assume everything is in good shape
  - Even the best people make mistakes; make employees show you, not tell you
- Provide a takeaway for people who work with classified information
  - Marking brochure, DSS assessment survival guide, etc.
  - Token to say “thanks” for doing a good job

Personalize (continued)
- Document your discrepancies, the corrective actions required, and the date for expected completion
- Send a summary report identifying “above and beyond” items as well as discrepancies to management
- Recognize employees who are doing a good job, cc their supervisor; give a goodie (ask for a small budget)
- Help those who need it

Elements of Inspection
- The first three elements of inspection apply to every facility
  - Facility Security Clearance (FCL)
  - Access Authorization
  - Security Education
- Add additional elements that pertain to your facility
  - International
  - Information Security
  - Etc.

Suspicious Contact Reports
- You should have a process for employees to report suspicious contacts
- Employees should understand what constitutes a “suspicious contact”
  - Face-to-face, email solicitation
- Brief employees before overseas travel
- Report suspicious contacts to the FBI and DSS, as well as the customer if appropriate
- Educate, educate, educate
- No suspicious contact reports on file, or reporting requirements not included in the initial or refresher briefing, could keep you from getting the best security rating

Elements of Inspection: Facility Security Clearance
- KMP list did not reflect current Key Management Personnel, or information was incorrect
- SF 328 was not updated when a change occurred or every five years as required
- DD Form 441/441-1 was not on file or was incorrect
- FCL was being used for advertising
- Other changes affecting the FCL were not reported

Elements of Inspection: Access Authorizations
- JPAS/JCAVS records not correct for employees
- Sharing account username or password
- Clearances not held to the minimum
- Failure to destroy SF 86 upon granting of clearance
- No documented policy for verifying citizenship
- Reports on cleared employees not submitted as required

Elements of Inspection: Security Education
- FSO has not received special security briefings and debriefings as required
- Initial security briefing does not contain the minimum required information
- No refresher training, or no documentation of training
- Employees do not understand reporting requirements
- Lack of documented disciplinary action in the event of violations or negligence
- Employees unaware of the Defense Hotline number: what it is for and where it is posted
- Employees not debriefed upon termination

Elements of Inspection: Consultants, SPP, Subcontracting
- Consultants
  - Consultant security agreement not on file or not compliant
  - Consultants not participating in security briefings
- Standard Practice Procedures (SPP)
  - SPP does not reflect current facility operations
- Subcontracting
  - Classification guidance/DD 254 not provided to the sub, or incorrect for the contract work
  - Failure to verify clearance status and safeguarding capability of the sub

Elements of Inspection: Visits, Classified Meetings, Classification
- Visits
  - No procedures in place for identification of visitors
  - No procedures for long-term visitors
- Classified Meetings
  - Attendees not cleared to the level of the meeting, or lack of need-to-know
  - No documentation of the classified meeting
  - No government authorization
- Classification
  - Derivative classification training
  - Documents and media not appropriately marked
  - Missing classification guidance or outdated guidance
  - Downgrading and declassification not accomplished

Elements of Inspection: Employee Identification, FOCI, Public Release
- Employee Identification
  - Lack of identification for couriers and escorts
  - Employees don’t understand badge details
- FOCI
  - SF 328 not up-to-date
  - No TCP
  - Accessing classified before authorized
- Public Release
  - No documented public release process, or review for classified not included in the process
  - Approval not requested from the customer prior to release of information related to classified contracts

Elements of Inspection: Classified Storage, Controlled Access Areas
- Classified Storage
  - End-of-day security checks not being performed
  - Right-to-search policy and signage missing
  - Names of employees who have combinations not accurate
  - Combinations for containers holding NATO (annual) and COMSEC (every 2 years) material not changed as required
  - Emergency procedures for protection of classified missing
  - Open storage without approval
  - Failure to lock containers and closed areas when not under the control of a cleared person
- Controlled Access Areas
  - Not maintaining alarm records
  - Missing UL 2050 CRZH certificate

Elements of Inspection: Marking
- Mismarked documents
- Printed documents with handwritten data not properly marked
- Media not marked properly
- Unclassified media not marked “Unclassified”
- Parts or hardware not marked
- Presentations not properly marked

Elements of Inspection: Transmission, Classified Material Controls
- Transmission
  - Failing to verify the clearance of the receiving facility
  - Improper marking
  - Improper shipping method
  - Tracers for classified material not being sent
- Classified Material Controls
  - Employees don’t understand safeguarding responsibilities
  - Accountability records not retained or not accurate

Elements of Inspection: Reproduction, Disposition
- Reproduction
  - Reproduction equipment with memory not properly authorized
  - No procedure to review and destroy waste or overruns
  - No authorization for reproduction of Top Secret
- Disposition
  - No process in place to review and reduce classified holdings
  - Documents retained beyond authorization
  - No process for closing out programs and dispositioning classified
  - Destruction containers not marked appropriately

Elements of Inspection: Information Systems
- Operating an IS without approval
- IATO/ATO expired
- SSP not current (employees make changes all the time)
- Passwords set to never expire
- Software/hardware lists not maintained or updated
- Users not briefed, or briefings not on file
- Antivirus software not current
- Protection measures not set as stated in the SSP
- System logged on but unattended
- Audits not being accomplished
- Employees can’t answer questions
- Other equipment containing a hard drive (e.g., copy machine) not approved before use

Elements of Inspection: COMSEC, OPSEC, SAP
- COMSEC
  - DSS can inspect COMSEC accounts
  - Missing user briefings
  - Material received in the account but not accounted for
  - Destruction of material was not done properly
- OPSEC
  - OPSEC requirements not implemented when required
  - Employees don’t understand OPSEC
- Special Access Programs (SAP)
  - If the SAP is under DSS cognizance, it will be inspected. Use the SAP inspection checklist

Elements of Inspection: International Operations
- Lack of appropriate authorization prior to disclosure of classified to a foreign entity
- DSS not notified of foreign contracts involving classified
- Marking and storage of foreign classified and US documents containing foreign classified (no commingling)
- Receipt of foreign classified without going through proper channels
- Lack of a transportation plan for freight
- Lack of a TCP to control access to export-controlled information
- Storing classified at a contractor facility without approval
- Missing NATO briefings/debriefings
- NATO documents commingled with other documents

Elements of Inspection: Employee Interviews
- Basic information cleared employees should be aware of
  - Their clearance level
  - Company badge format (clearance indicators)
  - Who the FSO is
  - The two things that must be met before access to classified can be given (clearance and need-to-know)
  - Definition of Adverse Information and Suspicious Contacts, and when to report
  - Security Classification Guide concept
- Uncleared employees
  - What to do if they find a badge, classified document, etc.
- Suggested questions are contained in the Self-Inspection Handbook
- Employees should be able to demonstrate their ability to perform classified tasks

Preparing for the DSS Assessment
- Educate employees about the assessment
- Send out basic information to all employees (cleared and uncleared) on questions they could be asked
- Make sure you have the DoD Hotline poster prominently displayed
- Right-to-search policy
- Security posters (change them out)
- If files or documents are in a mess, get them in order
- The security rating is awarded to the facility, not the FSO
  - It’s important that all employees understand this and the impact of their actions on the outcome of the assessment

Preparing for the DSS Assessment (continued)
- Maintain an email template for the self-inspection and DSS assessment so you can email employees about activities
- Answer employee questions
- Ask your DSS rep about anything you don’t understand
- Complete required advance paperwork and return it as requested
- Remember, you don’t want to be surprised during a DSS assessment, neither does your management, and neither does your DSS rep, so be prepared

Summary
- Make the self-inspection count
- Schedule the time and commit to doing it right
- Do what works for you and your facility
- Self-inspection is not difficult if you don’t let the process sit idly until the week before the DSS assessment
- Can’t do it sitting down