Tuesday, December 18, 2012

Prescribed Regulations and a Sensible Security Assessment: Cleared Contractor Protection Measures

Cleared contractor facility security officers (FSOs) and security specialists have a unique challenge. They protect classified information and have plenty of guidance on how to do so. However, they also have to figure out how best to protect sensitive information within a budget that has competing demands on it. Some of the forces acting on that budget include the NISPOM, the ITAR and other regulatory requirements, as well as the actions called for by a thorough risk assessment.

The NISPOM is a prescriptive policy, meaning that FSOs and security specialists have a list of "to do" countermeasures to protect the classified contract information the Government has identified. For example, a SECRET document should be stored in a GSA approved security container.

Other solutions that appear to be prescribed are in fact only standard industry practices. Access control, alarms and CCTV are common examples; because they are so generally accepted and widely used, one might assume they are required. The NISPOM does state that SECRET material should be stored in a GSA approved container. However, some might find it surprising that alarms are NOT required. It is important to distinguish between the two: countermeasures that are not prescribed can still protect classified information, but the trade off is high cost and attention diverted to the wrong protection measures.

Security is meant to provide the right amount of countermeasures in the right place. Blanket countermeasures are costly and burdensome, and they misread the intent of the NISPOM.

Assigning security measures without a real risk or security assessment seemingly provides protection and makes us feel better. Such actions result in the construction or modification of cleared facilities into reinforced security fortresses built to withstand repeated break-in attempts. However, the threat of those break-ins has never been established.

It makes sense to provide overwhelming physical security if the security assessment requires it. However, there may be more pressing issues and real threats to address that compete for the same budget. Following the prescriptive measures of the NISPOM may be the minimum, and adding tougher physical security measures on top of them may be the wrong course of action.

Suppose your risk assessment determines that the greatest threat to sensitive information is forgetful and irresponsible employees. Adding badge readers and alarms to counter a non-existent threat of theft does nothing to address the insider issue.

However, an aggressive procedure, policy and training program focused on the real threat (bad habits) does help. For example, the real threat may be a lack of understanding of how to protect intellectual property. How do cleared employees work with, discuss, or demonstrate their technology through reports, trade shows, patents or press releases without inadvertently transferring technical information? An intellectual property identification, security training and compliance program would do more to protect the information than guns and guards.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing. Jeff is an accomplished writer of non-fiction books, novels and periodicals. Published books include "Get Rich in a Niche: Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment: A Novel". Jeff is an expert in security and has written many security books, including "Insider's Guide to Security Clearances", "DoD Security Clearances and Contracts Guidebook", "ISP Certification: The Industrial Security Professional Exam Manual", and "NISPOM/FSO Training". See Red Bike Publishing for print copies of Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR, and The NISPOM.