Earlier articles addressed documenting the authorized persons having access to the combinations. Determining who needs access to the combination is one part of a successful formula. This article addresses when to and who does change the combinations.
In this article continuing the coverage of the Defense Security Service (DSS) Self Inspection Handbook for NISP Contractors, we'll review the National Industrial Security Program Operating Manual (NISPOM), Paragraph 5-308b-d.
5-309 Are combinations to security containers changed by authorized persons when required?
RESOURCE: ISL 2006-02 Changing Combinations under Industrial Security Letters at: http://www.cdse.edu/toolkits/fsos/safeguarding.html
The question seems to emphasize whether or not the person changing the combination is authorized. However a further review of NISPOM and the Industrial Security Letter require focusing the actual effort on the combination change event. The point is to protect the classified information from unauthorized disclosure through proper security container maintenance practice.
Earlier articles discussed methods of determining who should have access to combinations. Careful consideration ensures the enforcement of releasing classified information to those with proper security clearances, but limiting the access to those with need to know. As surely as the combination access is protected, the proper maintenance and setting of the combination is equally important.
Those authorized to change combinations should be aware of circumstances requiring a combination. Some are more obvious than others, but a good plan to manage the combination will help meet requirements outlined in NISPOM. Expanding a good security awareness training program to include combination changing events could create a more effective program to protect classified information.
The NISPOM states:
Combinations shall be changed by a person authorized access to the contents of the container, or by the FSO or his or her designee. Combinations shall be changed as follows:
a. The initial use of an approved container or lock for the protection of classified material.
b. The termination of employment of any person having knowledge of the combination, or when the clearance granted to any such person has been with-drawn, suspended, or revoked.
c. The compromise or suspected compromise of a container or its combination, or discovery of a container left unlocked and unattended.
d. At other times when considered necessary by the FSO or CSA.
Again, rationale for combination changes may be obvious such as point a. A security manager or any organization should change the combination’s factory setting for something less obvious and more secure.
Point b is almost as obvious. Employees no longer employed, or having had their clearance and or need to know revoked no longer need access to the combination. The most secure, desired, and required method is to change the combination and this goes right along with basic physical security practices. After all, a hotel guest should expect that a previous guest’s access card will not open the current guest’s door. They have “checked out” and no longer have authorized access to the room.
ISL 2006-02 makes a good point. The person must have had knowledge of the combination, not just access to the container’s contents. For point b, it is not necessary to change any or all combinations unless the employee had access to the combination.
Combinations must be changed upon the termination of employment of any person having knowledge of those combinations. Having knowledge and having access are not the same thing. A locksmith has access to every combination but may not have knowledge of any combinations other than his or her own. It is not realistic to require a contractor to change hundreds of combinations when a locksmith leaves. The only combinations which require changing are those for which the locksmith had personal knowledge and the combination to the container(s) housing the master list or copies of combinations.
Point c may not be as obvious, but any compromise of the security container warrants and change of the combination. This is because the combination resides in security container documentation (SF 700). The combination is written on the SF 700 and protected according to instructions found on the SF 700. The SF 700 is also updated every time the security container combination is changed. The classified SF 700 Part 2 is to be protected at the same classification level of the information it protects; inside a GSA approved container. If a container is left open, there is no guarantee that unauthorized personnel did not gain access to a combination and classified contents.
When the combination or security container has been compromised or is suspected of being compromised, then the combination must be changed and an investigation conducted.
A special note about admin security containers-Some FSOs with multiple security containers keep a folder of all combinations in one of the security containers. If that container is left unsecure, ALL combinations must be changed.
Security violations occur when combinations are revealed to unauthorized or non-cleared persons. Combinations spoken out loud, written down, or otherwise broadcast in an unauthorized manner put classified material at risk of compromise. Likewise security containers that no longer work properly or have suffered damage significant enough to affect the required security capability may make compromise a possibility.
Point d is based on guidance from those in authority. If they say change the combination, the n change it. Local policy may go above and beyond NISPOM and create requirements to automatically change combinations after a certain event or time period.
- Document names of those authorized to change combination with rationale for the decision
- Document date approved container or lock is put into initial use. Add additional or new container to other inspection and security container management documents and information management systems
- Ensure enterprise policy includes notification of terminated or resigning employees. Local policy should include JPAS review and combination authorization. A process should be in place to trigger combination changes. Document combination changes and update SF 700
- Document compromises or suspected compromises of a container or its combination. Ensure policy is in place to trigger security container documentation. Update SF 700 and other security container maintenance documentation.
- Document directed combination changes. Consider internal policy for other event or time driven combination change requirements
- Update security awareness training to include required combination changes.