Wednesday, August 25, 2010

FSO 101-How to manage the security of classified contracts

For defense contractors, there can be nothing better than winning a contract and providing a great product or service. For cleared defense contractors, landing a classified contract improves their opportunities. However, these opportunities come with additional requirements that must be addressed. Contractors performing on classified contracts are required to protect this information according to the National Industrial Security Program (NISP).

The NISP was established in 1993 under Executive Order 12829. The purpose of the NISP is to protect classified information at the proper level whether it is in the hands of the U.S. Government or a defense contractor. The NISP provided reciprocal protection of the same information no matter which organization owned it. In other words, similar classified information should be protected the same way whether at a government or defense contractor location. The NISP provided the minimum standards for everyone to abide by. Even though some organizations may implement more rigorous security measures, they could not violate the minimum standards.

The NISP also directs the creation of the NISP Operating Manual (NISPOM). This is the government’s guidance for protecting classified information at Department of Defense contractor organizations. Additionally, each government agency created its own security guidance reflecting requirements of the NISP.

Each government agency created security specialist positions to establish and enforce security measures to protect classified information. Similarly, the NISPOM requires a cleared contractor to appoint a Facility Security Officer (FSO). The defense contractor can hire a full-time security employee or simply appoint an employee to the position as an additional duty. Whether operating as the security manager full time or on an as-needed basis, the responsibilities of the FSO ensure that classified information is protected.

For small contractors, this can be more challenging. I’ve visited some defense contractor facilities made up of five engineers in a small building doing great things. While focused on the eureka moment, they are still responsible for protecting both classified and unclassified government information. While large corporations can hire and train a group of security specialists, such protection may prove a difficult endeavor for very small defense contractors with a single-point-of-contact FSO who has no experience with basic security concepts.

While on the surface this may prove difficult, there are ways to make the job more manageable. The first place to start is with the Defense Security Service (DSS) industrial security representative. They oversee the NISP implementation for the Department of Defense at cleared contractor facilities. They also help FSOs get the required FSO Program Management Course. DSS offers this online training for cleared facilities whether or not authorized to possess classified information. Training is available at DSS also offers bite-size courses that can be completed in less than an hour on topics including marking, transporting, safeguarding and disseminating classified information. A complete novice can learn the appropriate mindset in a short amount of time.

The next step is to determine which parts of the NISPOM apply. For the most part, Chapters 1, 2, 3, and parts of 5 apply to all cleared contractors. However, other chapters may apply on a case-by-case basis. FSOs can make more effective use of time by developing security measures tailored to applicable parts of the NISPOM. For example, if a non-possessing contractor only maintains employee security clearances, there is not much call to apply security measures to protect classified information or processing. In this case the FSO would do well to ensure they are practicing personnel security as outlined in NISPOM and inspected by DSS. To help focus direction, the customer provides the cleared contractor with instructions on how to perform on the classified contract in the DD Form 254 and the contract. The DD Form 254 specifically addresses the protection of classified information. If additional help is needed, the defense contractor can also contact a reputable consultant or join a professional organization.

Additional FSO duties may include export compliance. This position is assumed by many FSOs and requires knowledge of defense items and services that require special permissions prior to export. The State Department has jurisdiction. The NISPOM does cover export compliance, but the International Traffic in Arms Regulations (ITAR) is the State Department's regulation. The ITAR provides in-depth guidance.

The cleared contractor is responsible for implementing and directing the protection of classified information as it relates to NISPOM, DD Form 254, security agreements and contract as they apply to the cleared facility mission. The NISPOM provides the guidance. The FSO is the appointed responsible position to ensure the cleared contractor applies the NISP. This is a tough job, but there are resources available to make it a more focused and efficient effort.


Unknown said...

Thanks for the FSO 101 insight. However, I am having some difficulty in locating the Key Management Personnel criteria. Is the KMP based on percentage of ownership, voting percentage, decision maker status??

Is there a link where I can find this criteria? I have perused the NISPOM and DSS with no luck.

Thank you


jeff said...

Hi Kimberly,

Thanks for commenting. I apologize for responding a year later, but I was unaware the comment was posted.
I've experienced the same situation. I've asked DSS and looked up criteria in NISPOM. The best answer I can give is for KMPs to be key decision makers concerning work on classified contracts. If these senior managers influence a contract, perhaps they should be considered as KMPs and documented.