Saturday, April 20, 2013

NISPOM Change 1-Derivative Classification Decisions

What has changed?
According to NISPOM Change 1, the cleared defense contractor has the responsibility to provide training for cleared employees who make derivative classification decisions. Where NISPOM used to state that training is the FSO’s responsibility, Change 1 omits the FSO as the responsible party and identifies only the contractor entity. Mere oversight or purposeful instruction?

This designation represents an important distinction. Now the FSO can strengthen their role in the enterprise and ship from administrator to leader. It is great opportunity for the FSO to shift the training responsibility from performance to oversight.

Who should perform the training?
At a technical level, the derivative classification training is best provided by the subject matter experts actually performing on classified contracts, programs and projects.

For example, an experienced FSO or designated trainer with a strong security background may be the best choice for the initial security briefing. Initial security training covers the National Industrial Security Program and how to protect classified information in general. However, a security specialist or FSO may not be the best trainer as they may not understand intimate details of the contract requirements. In that setting, who then is best able to train a derivative classification decision maker, than the supervisor, chief engineer, program manager or other person performing the technical work?

Remember that NISPOM Change 1 identifies derivative information as …classification of information based on guidance, which may be either a source document or classification guide.

In essence, a derivative classifier is a cleared employee (engineer, program manager, technician, etc.) creating a document, end item, service or other function where they are performing based on a statement of work, DD Form 254, as instructed by customer and with classification guidance based on marked source documents or as provided in a security classification guide. This is a technical performance issue. If a cleared employee wears dual hats as a subject matter technical expert and FSO, they may be right for the training. However, if not, then the training could be the responsibility of the subject matter technical expert.

Why is this important?
The subject matter technical expert can give real world technical examples as well as hands on NISPOM training. This removes the training from a lecture to performance oriented training, providing the cleared employee with a fantastic opportunity to understand what is required of them as a derivative classifier.

The FSO, in turn, could focus on documenting the training for both compliance and enhancement. Here are three recommended responsibilities by position to reflect NISPOM Change 1:

FSO responsibility:
  • Require from managers a list of cleared employees authorized to make derivative classification decisions. This list can also act as justification for clearances and as a base line for future training.
  • Provide guidance to the subject matter experts to instruct identified cleared employees on the derivative classification responsibilities:
  • To identify themselves by name and position, or by personal identifier, on documents they derivatively classify.
  • To practice observing and respecting original classification decisions.
  • To carry forward the pertinent classification markings to any newly created documents.
  • To provide a listing of source material declassification instructions to reflect the longest period of classification among multiple sources as well as list the multiple sources.
  • To train derivative classifiers at least once every 2 years covering classification levels, duration of classification, identification and markings, classification prohibitions and limitations, sanctions, classification challenges, security classification guides, and information sharing.
  • To refrain from conducting derivative classification until they receive training.
  • Provide employees with derivative classification decison access to relevant classification guidance.

Subject matter expert trainer responsibility:
Perform derivative classifier training for identified cleared employees that tie Change 1 requirements as identified by the FSO, to classified contract performance standards. This training should include: 
  • Demonstrate how to read, understand and apply original classification decisions to derived products, providing date or event of declassification and source materials.
  • Provide information on classification levels, duration of classification, identification and markings, classification prohibitions and limitations, sanctions, classification challenges, security classification guides, and information sharing as it relates to the classified contract or project.

Supervisor responsibility:
  • Quality control and discipline of employee requirements-Supervisors are responsible for team development, performance and accountability. Training and performance can be tied to annual reviews and salaries. They are clearly the ones that ensure employees are performing to standard. Leaders provide incentives and discipline measures.
  • Identification of derived classification-Supervisors set the standard. Where the FSO teaches the National Industrial Security Program policies and procedures, the leaders instruct how to identify what needs to be protected. Technical documents, statements of work, DD Forms 254, security classification guides and other instructions provide the reference. Technically proficient leaders know what to identify and how to do so and help employees understand their own responsibilities.
  • Marking of derivative classification-Once derivative information is identified, and training is conducted, supervisors can hold teams accountable for performance.
  • Training-Supervisors don’t have to give the training, but they can require and enforce training. Once completed, they ensure proper documentation is provided to the FSO.
Implementing a security program to protect classified information is the FSO’s responsibility. However, they don’t have to do everything themselves. The enterprise is built upon teamwork and there are plenty of capable people who can get the job done.

Jeffrey W. Bennett, ISP is the owner of Red Bike Publishing Red Bike Publishing . Jeff is an accomplished writer of non-fiction books, novels and periodicals. He also owns Red bike Publishing. Published books include: "Get Rich in a Niche-Insider's Guide to Self Publishing in a Specialized Industry" and "Commitment-A Novel". Jeff is an expert in security and has written many security books including: "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training" See Red Bike Publishing for print copies of: Army Leadership, The Ranger Handbook, The Army Physical Readiness Manual, Drill and Ceremonies, The ITAR,and The NISPOM

No comments: