Thursday, February 4, 2010

How Contractors Get Facility Security Clearances

Having a Facility Clearance (FCL) makes a business attractive, but that desire does not provide the needed justification for obtaining a security clearance. The FCL is strictly contract based and demonstrates an enterprise’s trustworthiness. A company is eligible for a facility security clearance after the award of a classified contract. The FCL is the result of a lengthy investigation and the government’s subsequent determination that a company is eligible to have access to classified information.
A company can bid on a classified contract without possessing a facility clearance, but is sponsored for a clearance after the contract is awarded. The interested company cannot simply request its own FCL, but must be sponsored by the Government Contracting Activity (GCA) or a prime contractor. Once the need to conduct classified work is determined, the next requirements are administrative. The company has to submit proof that it is structured as a legal entity under the laws of the United States, the District of Columbia or Puerto Rico and has a physical location in the United States or its territories. The enterprise has to be in good business standing, and neither the company nor its key managers can be barred from participating in U.S. Government contracts.
The company being sponsored for a clearance should immediately obtain the federal regulations necessary to determine the government’s guidance for working with classified material. For Department of Defense contractors, the National Industrial Security Program Operating Manual (NISPOM) is the most frequently used. The sooner the contractor obtains their copy of the regulations, the quicker they will begin to understand their expected role in protecting the nation’s secrets.
A critical piece of the sponsorship program revolves around the Cognizant Security Agency (CSA) having a good understanding of the subject company and their mission. To do this, the CSA will need to review organizational structure and governance documentation to determine who can commit the company and make decisions. This information includes: articles of incorporation, stock records, corporate by-laws and minutes.
The senior company officer, FSO and other key management employees will be processed for a security clearance. The CSA may also want to see proof of citizenship and other information to determine eligibility for a clearance. The other officers and board members may be excluded from the security clearance process if they will not have influence over cleared contractor decisions.
Aside from corporate entity documentation, the CSA will collect and complete additional forms sometime during the FCL process. These forms include, but are not limited to, the Department of Defense Security Agreement (DD Form 441) and the Certificate Pertaining to Foreign Interests (SF 328). The CSA will advise the contractor on how to fill out the forms and answer any questions the contractor may have.
The DD Form 441 lists the responsibilities of both the cleared contractor and the government. The contractor agrees to implement and enforce the security controls necessary to prevent unauthorized disclosure of classified material in accordance with the NISPOM. The contractor also agrees to verify that the subcontractor, customer, individual and any other person has the proper need to know and possesses the security clearance necessary to access classified information. The Government will also instruct the contractor on the proper handling, storage and disposition of classified material usually in the form of the DD Form 254 (Figure 2-3). The Government also agrees to provide security clearances to eligible contractor employees.
The SF 328 is used by the contractor and the CSA to determine whether, and to what extent, the cleared contractor falls under Foreign Ownership Control and Influence (FOCI). The primary concern is always protecting classified information from unauthorized disclosure. In today’s changing world it is not unusual for a cleared company to be involved with international business. If classified contracts are under the control of a foreign entity, the classified information could be in jeopardy of unauthorized disclosure. Additionally, items that fall under the International Traffic in Arms Regulations (ITAR) could be in jeopardy of unauthorized export. If a contractor falls under FOCI, the CSA will evaluate its ability to mitigate the extent of foreign influence concerning classified information and approve, deny or revoke the FCL. Companies that are determined to fall under FOCI can still compete for classified work; however, there are measures to be taken to ensure that only U.S. persons control the scope of classified work.
The FCL is a determination that a legal entity is trustworthy and able to safeguard classified information. The FCL relates to an organization and not a physical location or building. For example, a cleared contractor organization can move locations and keep the FCL. The FCL remains in place until either party terminates it. If for some reason the contractor no longer needs access or is no longer eligible for access to classified material, or either party terminates the FCL, the contractor must return any classified material to the GCA or destroy it.

When is accountability of classified information required in NISPOM?

The FSO designs a policy to maintain strict control over classified material. The NISPOM requires control of classified information at the TOP SECRET level. However, all material produced, reproduced or entering the facility in any fashion should be brought into possession for control, audit and inventory purposes. The NISPOM does address the cleared contractor's responsibility to maintain an information management system to protect and control classified information. This control and accountability gives visibility of the classified material and supports both preventive measures against unauthorized disclosure and the identification of security violations.
Once the material is received and the delivery inspected against the receipt, the FSO or security specialist can enter the information into the information management system, in other words a retrievable database. This database can be as simple as a notebook log or as sophisticated as commercially available software. Some companies and federal agencies have developed internal forms, and examples are available on the internet.
The FSO is charged with protecting classified material and an accountability record is an excellent tool for controlling classified information introduced into the company. With the accountability record, document disposition is annotated with additional receipting action. Some accountability records track document dispositions from inception to dissemination on the same record. Contractors are not limited to a certain method of document control other than the ability to track the status of classified information the cleared facility possesses.
The benefit of creating a database using any of the inputs (title, document number, contract number, reception date, etc.) is great. The database will facilitate retrieving the classified material and producing documentation and classified information within a reasonable amount of time, as required by NISPOM. Using a database as the information management system aids in tracking classified information, offering increased protection and accountability.
An information management system can help facilitate an annual inventory of all levels of classified information. Because of the positive identification and control involved, inventories aid in the protection of classified information. If during the course of a normal inventory, a document is not readily found, a more thorough search takes place. Any part of the information management system record is part of a growing data warehouse that may prove beneficial in finding the misplaced product.

Should Only the FSO Have a NISPOM?

Presidential Executive Orders established the National Industrial Security Program to provide cleared contractors guidance on protecting classified information. After all, the government has an obligation to protect what it owns, directs or controls; in this case, classified contracts and all associated classified information. The National Industrial Security Program Operating Manual (NISPOM) was developed to instruct cleared employees on how to request and maintain clearances, process and protect classified information and much more. Though the Facility Security Officer (FSO) implements and directs a security program to protect classified information, many of the functions of NISPOM are not executed by the FSO.
If the NISPOM applies to all, why not make it available to all? For example, it is the cleared employee who performs the classified work such as marking, wrapping, writing contracts, reading, assembling or deriving classified information or other functions of working with classified products. The FSO has oversight, trains, briefs, and ensures compliance. However, part of the security awareness training could involve showing employees how to consult the NISPOM. The same goes for providing marking and wrapping guides and the tools necessary to work on the classified information.
If a manager approaches an FSO about an opportunity, the FSO should consult the NISPOM with them. Experience and credibility allow the FSO to guide the decisions. The FSO also ensures there is a strong corporate policy based on the organization's business model and how it applies to NISPOM. In other words, not all of the NISPOM applies to every cleared contractor. It is important to know that cleared contractors do not need to consult Chapter 8 if they don't perform classified processing. For many, only NISPOM Chapters 1, 2, 3, parts of 5 and 6 apply.
Performing well on classified contracts is the business of cleared contractors. Being technically proficient by knowing NISPOM requirements for PERFORMING classified work may enable business to flow more efficiently. The FSO isn't always there, but the NISPOM requirements are. Consider initial training and annual security awareness training. They are both required, but most of the training happens on the job; manager to employee.
FSOs have their role and should assume it with authority. Reports, inspections, training, briefings, contractor to GCA or CSO relationships, etc. are functions of the FSO. Other details are performed by the cleared employees performing on contract, and the NISPOM and corporate policies are great tools. In that capacity, the NISPOM should be part of their library.
Also, consider small organizations where the FSO may be a senior executive, contracts manager, HR professional, engineer etc. Wouldn't it make good business sense to have the entire organization work as "force multipliers" for security or should that senior executive perform all the functions?
Employees should not run the security program, just be enabled to make informed decisions about classified work. The FSO runs the security show, but the cleared employee performing on contracts is responsible for protecting it. Providing NISPOM, International Traffic in Arms Regulations (ITAR), Occupational Safety and Health Administration (OSHA) and other regulations for reference may also prove beneficial.