Thursday, September 8, 2011

2 Steps to Determining Need to Know

Take a look at the following dramatization. A Facility Security Officer (FSO) is engaged in an inquiry to determine whether or not a security violation led to the loss, compromise or suspected compromise of classified information. A cleared employee had left classified information out on his desk. A cleared employee asked another cleared employee to “keep an eye” on a classified document while she left for lunch.
A short time later, the second employee was summoned to his bosses office to answer some questions. He left in a hurry, forgetting about the classified information on the desk. At first glance, the unattended classified information is the most obvious violation. However, once the inquiry concluded another issue became evident. The co-workers did not work on the same contract or share in any kind of project relationship. The first co-worker entrusted the safeguarding of classified information to an employee who held the proper security clearance, but who did not have need to know.
Holders of classified information should verify two things prior to releasing it to another party. They should determine the recipient’s active security clearance level whether or not they have a valid need to possess the classified information. Determining clearance level can be easily accomplished by the FSO, Personnel Security Officer or equivalent. They can access the Department of Defense’s Joint Personnel Adjudication System (JPAS) for that information.  However, that’s just half of the requirement. To complete the process, the holder has to identify whether or not the recipient has need to know.
So, how does one determine need to know? Is it the FSO’s job? Is it the program manager’s job? Whose job is it? “Need to know” can be established using these 2 principals

1. Who determines need to know-Need to know is a determination exclusively made by the holder. Those in possession of classified information are responsible for the proper release or disclosure.
2.  How to determine need to know- Verifying contract number, performance on a project or program, validation by a project manager, access roster and other methods can be used to determine need to know.

Security clearances should be kept to the minimum amount necessary to perform the classified work, access to that classified information must be kept to only those with a valid need to perform on the government work. JPAS or even security clearance verification cannot provide need to know. Just because one has a clearance doesn’t mean they should be authorized access. Need to know is based on a contractual or work performance basis.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training" See Red Bike Publishing for print copies of: Army Leadership The Ranger Handbook The Army Physical Readiness Manual Drill and Ceremonies The ITAR The NISPOM

No comments: