Friday, August 28, 2015

Storing SECRET Classified Information

This article continues the series on the self-inspection guidance found in the Defense Security Service’s Self-Inspection Handbook for NISP Contractors. This article addresses the storage of information classified as SECRET.

5-303, 307 Is all SECRET and Confidential material being stored in GSA-approved security containers, approved vaults, or closed areas?

RESOURCES: ISL 2012-04 GSA Storage Equipment and SECRET Storage under Industrial Security Letters at:

GSA Security Container

SECRET material should be stored in a GSA approved security container or, as authorized by the Cognizant Security Agency, in open storage or bin storage in an approved closed area or vault. When SECRET information is approved for open bin storage in a closed area, supplemental controls or an approved guard force are required. However, NISPOM does not require supplemental controls for SECRET material stored in a GSA approved container.

Open Shelf or Bin Storage.

NISPOM paragraph 5-306b states that “open shelf or bin storage (hereinafter referred to as “open storage”) of SECRET and CONFIDENTIAL documents in closed areas requires Cognizant Security Agency (CSA) approval”. For the Department of Defense, the CSA is the Defense Security Service (DSS).

So what is the CSA or DSS considering as demonstrations of compliance?

DSS reviews the following prior to providing approval:

  • Size of the material and storage area: the area is large enough and limited to the space required to store the material or meet operational requirements. Also, the material may be too large for a standard GSA approved storage container.
  • Since open storage environments enable visual access to classified information, access to the storage area is limited to those with access and need to know to preclude unauthorized access.
  • As with approved GSA Security Containers, the entrance doors to the open storage area should be secured by built-in GSA-approved electromechanical combination locks that meet Federal Specification FF-L-2740. 
  • SECRET information should be protected by supplemental controls such as an approved intrusion detection system with a 30-minute response time, and any DSS determined security in depth requirements. 

The DSS determined security in depth is based on the following criteria:

  • Perimeter controls that limit access to open storage to those with proper clearance and need to know
  • Access technology that helps recognize access and need to know in cases where the organization is too large for individual or personal recognition 

Safeguarding the SECRET Information

The FSO should design a policy to maintain strict control over classified material. “The NISPOM requires accountability and control of classified information at the TOP SECRET level. However, all material entering the facility, produced, reproduced or entering the facility in any fashion should be brought into possession for control, audit and inventory purposes. Contractors should consider maintaining an information management system (IMS) to protect and control classified information. This provides visibility over the classified material and allows for preventative measures against unauthorized disclosure or identification of security violations.” - DoD Security Clearance and Contracts Guidebook

The FSO should employ a security training and discipline program to compel cleared employees to act as force multipliers, increasing security effectiveness. In that role, cleared employees will know to deliver all newly introduced classified material to the FSO for accountability purposes and entry into the IMS. When security personnel practice good customer service and enforce procedures, good relationships develop, making procedures easy to follow as well as rewarding for all employees.

An accountability record or IMS is an excellent tool for controlling classified information introduced into the defense contractor facility. With the accountability record, documents are managed with additional receipting action. Some accountability records track document status from introduction to dissemination on the same record.

Is a GSA Approved Container Really Enough?

Though the NISPOM only requires a GSA approved storage container for protecting information classified as SECRET, the environment may require additional security in depth based on a risk assessment. This risk management process could consider such factors as threat reports, increased threat activity, high crime areas, natural disasters, or temporary events such as business closures, increased construction projects, or any other issues requiring increased levels of security. The point is that the NISPOM is a guide and DSS evaluates security plans, but the holder of the classified information is responsible for protecting it based on the operating environment.

However, security should be risk based and not dependent on best practices. For example, a defense contractor sufficiently stores SECRET information in a GSA approved container based on an average level of risk. A sister cleared contractor might implement additional controls and increased security in depth based on unique risks in the working environment. Arguing that both cleared contractors should protect the classified information with additional protection measures above what is required in NISPOM would ignore the risk management process. If an alarm or guard force is desired, it should be introduced as the result of a thorough risk assessment based on data from crime statistics and threat assessments, as identified in this section, or as required by contract. Once the data is in, the FSO can address the issues.

In review, information classified as SECRET should at a minimum be stored in a GSA approved security container. If approved for open storage, then supplemental protections apply. When a risk assessment calls for, or the CSA directs, security in depth, document the actions and ensure self-inspections validate compliance and effectiveness.

VALIDATION: Demonstrate knowledge of where SECRET information is stored, GSA container approval documentation, and where GSA approved containers are located throughout the facility. Where security in-depth is applied, document the specific layered and complementary security controls sufficient to deter and detect unauthorized entry and movement within the facility, or specified portion of the facility in which open storage is approved. During self-inspections, document the effectiveness of these controls and report any changes affecting those controls to DSS.
