Friday, March 20, 2009
On my first day as an FSO at a defense contractor, I came across a situation that I did not like very well. It was after walking the floor and talking to employees that I became introduced to a security container. As part of my inspection, I wanted to verify all documents were properly marked and stored appropriately. Upon asking for the custodian to open the container, he pulled out his cell phone and began scrolling. I asked what he had been looking for an he stated: "I can't remember the combination, but I'm sure that it's in here somewhere."
Whoa! Hold the presses. I immediately changed the combination and took possession of the security container in my office. I also providing a clear policy and training agenda and that problem disappeared. The story has been altered to change the exact situation, but the story may sound familiar to you. But here's the question: Do your employees really understand how to protect classified information? Some younger and less mature defense contractors may require extra and unrelenting training and diligence to make sure such situations never happen. The above example is a good demonstration of what could happen when the security program is only run through the FSO. More successful programs include training conducted by managers and supervisors as they apply to the employee specific duties.
So who has access to your security containers? Do you limit it to only security personnel or do cleared program employees have it as well. This access depends on your program. Regardless of who has access, authorized employees having access to combinations or keys should be kept to the bare minimum amount necessary.
Agencies and contractors maintain administrative records and tight control for a sound security system designed to protect the classified information and to demonstrate effectiveness during security inspections. The security specialists also maintain a log of those with knowledge of combinations, change combinations, and fill out the Security Container Information Form, Standard Form 700. Combinations are meant to be memorized and not written down or stored in computers, phones or Personal Data Assistant devices. The combination is protected at that same level of the contents in the security container. If the contents are CONFIDENTIAL, then so is the combination. To ease in memorization, many who assign combinations use a six letter word or the first six letters of a longer word.
Instead of memorizing a long six digit number, they create a word and use a phone for the corresponding numbers. Many have magnetic combinations reminders similar to telephone touch pads. For example the number 2 corresponds with ABC, three with DEF, etc. If the memorized word is CORKIE, then the combination is 26-75-43. When persons have access to multiple safes, they may commit security violations by writing the combinations down. Using combination word clues and providing an administrative security container helps reduce the risk of such violations. You can see my website as listed below for examples of these magnetic reminders.
So, see if you can answer this question. How often should you change combinations according to the NISPOM?
The answer: Change combinations upon initial use, change in status of authorized users, compromise or suspected compromise of container or combination, when safe is left open or when required by FSO or CSA. Did anyone say "annually"? If so, better check the NISPOM. 5-309. Changing Combinations