Friday, July 1, 2011

Risk Management and NISPOM

The risk assessment helps FSOs focus countermeasures on protecting classified information from actual, identifiable threats, weighted by their probability. Risk management helps the FSO determine how to protect classified information above and beyond the NISPOM guidance. The same approach should be used in determining which parts of the NISPOM apply to an FSO's facility. For example, a non-possessing facility that performs classified work at another facility should not focus its security efforts on protecting classified processing.
Instead, it should focus on NISPOM chapters 1, 2, 3 and 6, the applicable parts of chapter 5, and Appendices A and C: the parts of the NISPOM that apply to ALL cleared contractors.
The NISPOM's first chapter is dedicated to general industrial security concerns. The chapter is divided into three sections which provide the introduction, general requirements and reporting requirements.
Chapter two is divided into three sections that cover facility clearances, personnel clearances and foreign ownership, control and influence (FOCI) information. In this chapter FSOs can find instructions on how facility clearances are awarded and learn the reasons for processing personnel clearances and when to do so. Finally, it discusses the factors and procedures to apply when a company is partially or fully under foreign control.
Chapter three instructs how to conduct security training and briefings. It details what type of training is required and the necessary topics to cover.
Chapter five gives proper methods of safeguarding classified information. It provides general safeguarding practices covering oral communication, perimeter controls and emergency procedures.
Chapter six distinguishes between classified visits and meetings and provides information on how each is conducted.
Appendix A, Cognizant Security Office Information, lists contact information for the CSOs of the four CSAs under the NISP.
Appendix C, Definitions, provides an alphabetical list of key industrial security definitions. Some terms and phrases have a unique meaning in the context of the NISP.
FSOs can use a simple question and answer session to determine which additional chapters apply to their cleared facilities. These questions are based on the cleared contractor's DD Forms 254. If the answer to any of the following is yes, the FSO can refer to the corresponding NISPOM chapter or section.

  •      Does the cleared facility provide classification markings? See NISPOM chapter 4
  •      Does the cleared facility store, disseminate, or destroy classified information? See NISPOM chapter 5
  •      Is the cleared facility a prime contractor with classified subcontracts? See NISPOM chapter 7
  •      Does the cleared contractor process classified information using an information system? See NISPOM chapter 8
  •      Does the cleared facility have contracts that involve special handling such as Restricted Data (RD), Formerly Restricted Data (FRD), Critical Nuclear Weapon Design Information (CNWDI), intelligence information or Communications Security (COMSEC) information? See NISPOM chapter 9
  •      Do cleared employees perform international operations, store foreign government information or transfer classified information to foreign entities? See NISPOM chapter 10
  •      Does the cleared facility have contracts that include TEMPEST or Defense Technical Information Center (DTIC) requirements, or is it involved in independent research and development (IR&D) efforts that involve classified information? See NISPOM chapter 11

FSOs should become familiar with the NISPOM. However, trying to implement parts of the NISPOM that do not apply to the types of classified contracts involved may waste effort and resources. Leading purposeful and efficient security begins with an assessment of risk and the identification of the applicable parts of the NISPOM.
