Thursday, November 17, 2011

Three Excellent Ways to Meet Category Six of NISP Enhancement

National Industrial Security Program (NISP) Enhancement Category 6 is: Classified Material Controls/Physical Security. DSS can quantify a cleared contractor’s ability to track classified information throughout its lifecycle, implement countermeasures to deny access to sensitive information, and provide accountability of all classified information through this process. The FSO’s ability to demonstrate such capability is impactful and can help DSS determine whether or not the cleared facility is going “above and beyond NISPOM requirements.” Below are three ways an FSO can demonstrate going above and beyond the NISPOM requirements:

1.  Track location and disposition of classified information. This can be done on the cheap or with a decent Information Management System (IMS) such as software provided by vendors like SIMSSoftware. The point is for the FSO not only to know about classified information moving within and out of the cleared facility, but also to demonstrate the capability to track it. A small organization can develop a tracking sheet to record the reception or creation of classified information.

a. Inexpensive methods. A small company or one with a tight security budget can create a tracking sheet (such as in Microsoft Excel) that captures information as classified information is developed or received into the company. Useful information includes:
  • item name
  • item tracking number
  • item type (hard drive, paper, CD/DVD, hardware, etc.)
  • contract number
  • date item created or received
  • number of copies made
  • disposition (shipped, couriered, destroyed; just leave room for updates)
  • receipts of disposition
  • location of item (security container number)
  • other information as needed

b. Vendor-provided software. Software exists that can automatically track classified items as long as information such as that listed above is provided to the database. Some (like SIMSSoftware) can generate and save receipts and disposition data for recall.

2.  Implement countermeasures. Countermeasures that protect classified items, unclassified technical data, export-controlled items, personally identifiable information and proprietary information can be documented. Countermeasures include:
  • Conduct inventory: determine regularly that items are where they should be and protected according to government or company requirements (NISPOM for classified, ITAR for export-controlled, company policy for intellectual property, etc.).
  • Limit access: provide barriers to items that need protection and ensure only authorized persons are able to enter. For classified information, follow guidance provided by NISPOM. However, an FSO can go further to protect other sensitive data. This can be done by posting guards, placing signs identifying off-limits areas, and locking intellectual property away. In other words, limit knowledge and access to only those who need it. Does an executive assistant need to know the special fabric weave even if it is unclassified? Does the financial officer need to know the algorithm that gives your product a capability? If not, ensure procedures are in place to prevent access.

3.  Conduct a regularly scheduled inventory. NISPOM does not require an accountability system for classified information at the SECRET level and below. However, it does require the ability to retrieve classified information within a reasonable amount of time. To do this, conduct a regularly scheduled inventory. Use the spreadsheet to do this manually, or an automated IMS, to either locate the classified item or account for its disposition. Some IMS provide bar code capability to ease inventory requirements.

Though wrapped up in three steps, there are a lot of implied tasks in demonstrating above and beyond as outlined in category 6. If a cleared facility is authorized to store and process classified information, this is a fundamental basis for creating a good information management program. This article covers the protection of classified and unclassified information for your use. Be sure to document and demonstrate your capability.
More information can be found in the book DoD Security Clearance and Contracts Guidebook.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red Bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.
