Thursday, November 12, 2009

Need to Know-the Rest of the Story or Establishing Need to Know within the National Industrial Security Program

According to E.O. 12869, no one can have access to classified information unless they have been determined eligible for a security clearance and have “need to know”. Access is a determination made by an expert based on the results of a proper investigation. This eligibility is easy to determine after the U.S. Government provides the notification of a granted security clearance or upon validation of an approved cognizant security agency database. When an employee is granted a CONFIDENTIAL, SECRET or TOP SECRET clearance, they are eligible for access to classified information at the level of clearance and below.
However, the rest of the story concerns “need to know”. Need to know is a determination made by the possessor of classified information. This cleared employee has to determine not only that recipients of the information have the proper clearance, but also that the cleared person is authorized to perform classified work based on a true government requirement. Just as security clearances should be kept to the minimum number necessary to perform the classified work, access to that classified information must be limited to those with a valid need to perform on the government work.
A Facility Security Officer conducted a preliminary inquiry to determine whether or not a security incident led to the loss, compromise or suspected compromise of classified information. She had received a phone call from an employee stating that a co-worker had left classified information out on his desk. Investigation revealed that a worker had left for lunch and asked a co-worker to “keep an eye on” her classified information. Not long afterward, the second employee was summoned to his boss's office to answer some questions. He left in a hurry, forgetting about the classified information on the desk.
At first glance, the unattended classified information is the most obvious security incident. However, once the inquiry concluded, another incident came to light. The co-workers shared the same office, but did not work on the same contract. The first co-worker entrusted the safeguarding of classified information to an employee who was cleared at the proper level, but who did not have the “need to know”.
