Friday, June 3, 2016

NISPOM Change 2 Guidance and Self-Inspections For NISP Contractors

Self-Inspection Handbook
For the past two years, we’ve been writing articles with the goal of helping FSOs manage their security programs. Hopefully we’ve provided a useful service, and we hope to continue doing so. The greatest driver of our articles has been the Self-Inspection Handbook for NISP Contractors. This format has provided plenty of material for articles that the reader can implement immediately. Fortunately, there have been many updates to the NISPOM and related guidance and tools.

Recently the National Industrial Security Program Operating Manual (NISPOM) has incorporated Change 2 and the Center for Development of Security Excellence (CDSE) has released the updated 2016 Self-Inspection Handbook for NISP Contractors. This handbook covers the latest NISPOM incorporating Change 2 and is an outstanding tool for novice and seasoned FSOs to perform a risk based assessment of their security program to protect classified information. We will continue to write articles and do our best to stay current and up to date with industry changes. As such, the following article describes a very recent update that FSOs should be prepared to implement.

Self-Inspection Requirement

According to NISPOM Paragraph 1-207b and its subparagraphs: “Contractors shall review their security system on a continuing basis and shall also conduct a formal self-inspection, including the self-inspection required by paragraph 8-101h of chapter 8 of this Manual, at intervals consistent with risk management principles.”

This requirement adds a new element to the FSO’s responsibilities. The additional documentation, coordination, and subtasks outlined in NISPOM Change 2 add technical difficulty to the self-inspection requirement. Additional time and resources should be pre-planned to close the loop between what the NISPOM requires and what the Cognizant Security Agency (CSA) (DSS for DoD contractors) will inspect. To meet this need, the Defense Security Service’s Center for Development of Security Excellence (CDSE) has provided the 2016 Self-Inspection Handbook for NISP Contractors as a tool for planning, conducting, and coordinating the contractor self-inspection. Used correctly, it can help facilitate inspection execution and documentation.

For example, here are the detailed self-inspection requirements, quoted word for word:

(1) These self-inspections will be related to the activity, information, information systems (ISs), and conditions of the overall security program, to include the insider threat program; have sufficient scope, depth, and frequency; and management support in execution and remedy.

(2) The contractor will prepare a formal report describing the self-inspection, its findings, and resolution of issues found. The contractor will retain the formal report for CSA review through the next CSA inspection.

(3) A senior management official at the cleared facility will certify to the CSA, in writing on an annual basis, that a self-inspection has been conducted, that senior management has been briefed on the results, that appropriate corrective action has been taken, and that management fully supports the security program at the cleared facility.

(4) Self-inspections by contractors will include the review of representative samples of the contractor’s derivative classification actions, as applicable.

Interpretation and Application

Requirement (1) describes what is subject to inspection and includes a few updates. The newly redesigned NISPOM Chapter 8 and Insider Threat sections offer topics the FSO should be aware of prior to conducting the self-inspection. The goal is a holistic approach to demonstrating the effectiveness of the security program designed to protect classified information; each element is equally important.

Requirement (2) provides guidance on what to do with self-inspection results. This is where the added resources and time come in. The NISPOM is clear on how the contractor should demonstrate compliance: provide a report and make it available for the next CSA review. The size, details, and essence of the report are up to the contractor. However, using the handbook to facilitate the inspection, annotating the checklist, taking notes, and recording findings immediately takes care of the raw data. The FSO can then transcribe the findings, perhaps word for word, into a Microsoft Word document.

Requirement (3) requires buy-in from senior management. If the FSO is not actively engaged with senior management because of corporate structure or other issues, this is the time to bridge the gap. The handbook data can be used to build a Microsoft PowerPoint or other type of presentation to brief management on the results, mitigations, and information necessary to get their full support. Another idea is to have the senior management members sign the self-inspection report, demonstrating their acknowledgement of the findings and support of the program.

Requirement (4) should not be too much of an operational change, as DSS already regularly reviews classified documents for markings and other issues.

How to Implement

While the self-inspection process is a NISPOM requirement, there is no requirement to use the handbook. However, the handbook is an excellent resource to inform security and NISPOM training topics, train the inspection team, keep track of inspection topics, document results, and take notes. According to CDSE, “This Self-Inspection Handbook is designed as a job aid to assist you in complying with these requirements. It is not intended to be used as a checklist only; rather, it is intended to assist you in developing a viable self-inspection program specifically tailored to the classified needs of your cleared company”.

Instead of trying to develop a new inspection process, FSOs should use the handbook as an established process to prepare the required reports, briefings, and senior leadership buy-in. The FSO should retain all inspection results, artifacts, notes, and reports for at least a year and through the next DSS review.

Download your copy from DSS or purchase a professionally printed version here.
