Tuesday, April 15, 2014

Access Authorizations

We can apply the “Elements of Inspection” that are common to ALL cleared companies participating in the NISP. There are a few more elements that might be applied at unique cleared facilities, but facility security officers in those situations can adapt these articles to those specific needs. According to DSS’ The Self-Inspection Handbook for NISP Contractors, the five elements are:

(A) Facility Security Clearance (FCL)
(B) Access Authorizations
(C) Security Education,
(E) Classification

This third article in the series will address how to integrate the access authorizations into the overall security program designed to protect classified information.

Here are some questions from the handbook and ways to address the topics:

Are the numbers of clearances held to a minimum consistent with contractual requirements?

The facility security clearance is tied to a contract. Typically this tie-in is carried down to the cleared employee. However tying in a personnel security clearance to ONLY a contract might not be the right answer. For example, where a DD Form 254 and classified contract statement of work demonstrate that classified work is to be performed, these references do not dictate how many cleared employees are needed to conduct the work.

The best way to do measure “minimum consistent” is to tie the personnel security clearances (PCL) with the contract and establish need to know (there is a great article in clearancejobs.com that covers need to know as a justification for security clearances). Many people are required to make a contract successful, but don’t need a clearance. These might include buyers, assistants, engineers, program analysts and others support the contract, but may not actually perform on classified work.

For example, suppose 20 employees support a government contract which includes performing in a classified environment. The actual classified work is off site and involves five employees conducting testing on a new missile. The test results are classified and the five employees are the only ones to ever engage with the classified product.

In this situation, the easy course would be to just provide clearances for all employees and tie the justification to the contract number. However, the end result would be committing enterprise, industry and national security resources to supporting an unjustifiable additional 15 cleared persons. Though the contract involves classified work, the justification should be on the need to know and not necessarily the classified contract.

Here is a link to an earlier post about how to justify clearances. It even includes a sample form that can be duplicated, used and presented to DSS.


Are employees in process for security clearances notified in writing that review of the SF 86 is for adequacy and completeness only and that the information will be used for no other purpose within the company?

This is an administrative task that can be demonstrated with a signed memo. Write up the requirement and agreement of the SF 86 purpose, have the employee sign it and file it away to demonstrate not only compliance, but a workable process.

Are original, signed copies of the SF 86 and releases retained until the applicant’s eligibility for access to classified information has been granted or denied, and then destroyed?

This is an important question. Many years ago (2006-2007), groaning resonated from the facility security officer (FSO) community about the arduous task of removing all the files and the loss of “valuable” information upon the destruction of such a massive record base. NISPOM, Industrial Security Letters, DSS reviews, JPAS, and personal identifiable information protection requirements have provided guidance and helped build a new standard of releasing that information for tightly gripped fists.

Now, all contractors should now have a process in place to ensure that the SF-86 is destroyed as soon as a final determination of the employee's eligibility for access to classified information has been made.

Are all pre-employment offers based on acceptance to begin employment within 30 days of granting eligibility for a Personnel Clearance (PCL)?

For this, you can go directly to ISL 2009-02, #2 Pre-employment Clearance Action under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/personnel-clearances.html

According to the NISPOM 2-205 a cleared company can submit a PCL request on an prospective employee as long as there is a written agreement that the employee will begin work within 30 days of the clearance being granted. This requirement can be met with human resources or the FSO filing a signed memo offering the prospective employee a job and their commitment to begin work once the clearance is granted.

Has citizenship been verified for each initial PCL applicant? RESOURCE: ISL 2011-02 Acceptable Proof of Citizenship under Industrial Security Letters at:


Citizenship can be verified by any means listed in NISPOM 2-208. Primarily, certified U.S. birth certificates; certificate of naturalization, U.S. State Department certificates of citizenship and etc. This is an easy question to answer, but unless you are willing to make photocopies of all the citizenship verification documents, it’s hard to demonstrate. The best thing to do is document this requirement somewhere in company policy and be prepared to address how you meet the requirement during the DSS review. Be prepared to identify the documents and what you would check to ensure they were certified.

Preparing for the annual review can only strengthen your security program. Take the topics from The Self-Inspection Handbook for NISP Contractors and see where yours can be improved. 

For more ideas, see our books, "Insider's Guide to Security Clearances" and "DoD Security Clearances and Contracts Guidebook", "ISP Certification-The Industrial Security Professional Exam Manual", and NISPOM/FSO Training". 

No comments: