Thursday, November 24, 2016
This article continues the series covering the Self-Inspection Handbook For NISP Contractors and guidance found in the National Industrial Security Program Operating Manual (NISPOM) Incorporating Change 2.
The transmission of classified information is an important concern. Classified information should be controlled as it enters and leaves each facility. Each facility that has a CAGE Code should have it’s own transmission process meeting NISPOM requirements. How is yours doing? Lets find out.
5-401 Is classified information properly prepared for transmission outside the facility?
Here’s what NISPOM says on the subject. Our narrative follows:
5-401. Preparation and Receipting
a. Classified information to be transmitted outside of a facility shall be enclosed in opaque inner and outer covers. The inner cover shall be a sealed wrapper or envelope plainly marked with the assigned classification and addresses of both sender and addressee. The outer cover shall be sealed and addressed with no identification of the classification of its contents. A receipt shall be attached to or enclosed in the inner cover, except that CONFIDENTIAL information shall require a receipt only if the sender deems it necessary. The receipt shall identify the sender, the addressee and the document, but shall contain no classified information. It shall be signed by the recipient and returned to the sender.
b. A suspense system will be established to track transmitted documents until a signed copy of the receipt is returned.
c. When the material is of a size, weight, or nature that precludes the use of envelopes, the materials used for packaging shall be of such strength and durability to ensure the necessary protection while the material is in transit.
The classification level should be the first consideration when determining how to disseminate classified information. Dissemination of TOP SECRET has more restrictions than does SECRET and CONFIDENTIAL. Likewise SECRET has more restrictions than CONFIDENTIAL. According to the NISPOM, classified information should be wrapped with opaque durable material such as cardboard, envelopes, or boxes. It should be transmitted in a way to prevent accidental and unauthorized disclosure and detect tamper.
The NISPOM does not discuss whether or not seams of packages should be reinforced. A good practice is to cover seams with rip-proof opaque tape or other similar material.
Next, the preparer should mark the package on the top and bottom of all sides with the proper classification level.
Then they should add the “to” and “from” addresses with two copies of receipts either attached to the first layer or inside the first layer. The preparer should always coordinate with the intended receiver to notify of delivery and verify mailing addresses. If the package is being sent to a cleared DoD contractor, the address could be verified online through the Industrial Security Facilities Database (ISFD) available through the Defense Security Service (DSS) website.
DSS recommends hat the address on all inner wrappers contain the name and office symbol of the intended recipient to expedite accurate delivery.
Internal contents that come in contact with the wrapper could be imaged or observed in certain situations. To prevent this, the preparer can place wrapping paper, patterned paper, receipts or fold the documents in such a way that they cannot be read through the wrapping. DSS recommends using classification level cover sheets such as the Standard Form 703 (TOP SECRET), 704 (SECRET), or 705 (CONFIDENTIAL) can be used to prevent and adversary from reading or imaging the information during technical scanning. However, though protecting the actual information being scanned, this could disclose the information as classified. If using cover sheets, be sure to use the SF appropriate for the classification level of information inside.
The outer wrapper is the second line of defense for the classified information.
Once the classified information leaves the cleared facility, the level of protection is severely reduced. The wrapping requirements are similar to those of the inner wrapper and should be the same size to prevent looseness or movement that could fray or damage the inner wrapping’s seams. The outside label should not identify the recipient by name. Office numbers or symbols should be used to prevent associating a classified package with a particular person. When addressing shipment labels to contractors, the outer label should be addressed to “FSO” or “Security”. When addressing shipment labels to military agencies, the outer package labels should be “Commander”.
Additionally, addressing deliveries to an authorized department ensures the package is received by authorized persons. Providing a person’s name on the outside label could cause problems if they are not around to receive it and could result in returned packages.
Large sizes, bulk, weight, mission requirements or other structural make up could prevent transmission of items by traditional means. These could be machines, vehicles, aircraft, missiles, or other cumbersome, odd shaped, heavy or odd sized items. Brief cases, canvas courier bags, hard cases, shipping crates, large tarps and other types of containers can serve as proper wrapping provided they are approved by DSS. The containers are a part of the process to provide multiple layers of protection, deny accidental access, detect tampering and ensure expedited transport.
· Chose a designated location to prepare classified information for shipment
· Publish comprehensive instructions, processes, and policies for sound security practices
· Post reminders and instructions in designated areas
· Use information management system or similar technology to keep pedigree of transmittal receipts
· Demonstrate that processes are taught to authorized employees in security awareness training or refresher training