Information for the CIO, CSO, FSO, ISSO and other security professionals. Understanding NISPOM and ITAR compliance is tough. Of the more than 12,000 cleared defense contractors, a majority don't have a security staff. We hope to help fill the gap. From security clearances to performing on classified contracts, you can find help here.
Thursday, February 4, 2010
Should Only the FSO Have a NISPOM?
Presidential Executive Orders established the National Industrial Security Program to provide cleared contractors guidance on protecting classified information. After all, the government has an obligation to protect what it owns, directs or controls: in this case, classified contracts and all associated classified information. The National Industrial Security Program Operating Manual (NISPOM) was developed to instruct cleared employees on how to request and maintain clearances, process and protect classified information and much more. Though the Facility Security Officer (FSO) implements and directs a security program to protect classified information, many of the functions of NISPOM are not executed by the FSO.
If the NISPOM applies to all, why not make it available to all? For example, it is the cleared employee who performs the classified work such as marking, wrapping, writing contracts, reading, assembling or deriving classified information or other functions of working with classified products. The FSO has oversight, trains, briefs, and ensures compliance. However, part of the security awareness training could involve showing employees how to consult the NISPOM. The same goes for providing marking and wrapping guides and the tools necessary to work on the classified information.
If a manager approaches an FSO about an opportunity, the FSO should consult the NISPOM with them. Experience and credibility allow the FSO to guide the decisions. The FSO also ensures there is a strong corporate policy based on the organization's business model and how it applies to NISPOM. In other words, not all of the NISPOM applies to every cleared contractor. It is important to know that cleared contractors do not need to consult Chapter 8 if they don't perform classified processing. For many, only NISPOM Chapters 1, 2, 3, parts of 5 and 6 apply.
Performing well on classified contracts is the business of cleared contractors. Being technically proficient by knowing NISPOM requirements for PERFORMING classified work may enable business to flow more efficiently. The FSO isn't always there, but the NISPOM requirements are. Consider initial training and annual security awareness training. They are both required, but most of the training happens on the job, manager to employee.
FSOs have their role and should assume it with authority. Reports, inspections, training, briefing, contractor to GCA or CSO relationships, etc. are functions of the FSO. Other details are handled by the cleared employees performing on contract, and the NISPOM and corporate policies are great tools. In that capacity, the NISPOM should be part of their library.
Also, consider small organizations where the FSO may be a senior executive, contracts manager, HR professional, engineer, etc. Wouldn't it make good business sense to have the entire organization work as "force multipliers" for security, or should that senior executive perform all the functions?
Employees should not run the security program, just be enabled to make informed decisions about classified work. The FSO runs the security show, but the cleared employee performing on contracts is responsible for protecting it. Providing the NISPOM, International Traffic in Arms Regulation (ITAR), Occupational Safety and Health Administration (OSHA) and other regulations for reference may also prove beneficial.